File ImageMagick-CVE-2016-10064.patch of Package ImageMagick.7150
From f8877abac8e568b2f339cca70c2c3c1b6eaec288 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 6 Jul 2016 08:15:57 -0400
Subject: [PATCH] Improve buffer flow sanity check
---
coders/tiff.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
Index: ImageMagick-6.8.8-1/coders/tiff.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/tiff.c 2017-01-25 11:29:58.133899384 +0100
+++ ImageMagick-6.8.8-1/coders/tiff.c 2017-01-25 11:32:11.787754923 +0100
@@ -204,6 +205,23 @@ static MagickBooleanType
WriteTIFFImage(const ImageInfo *,Image *);
#endif
+
+static MagickBooleanType CheckMemoryOverflow(const size_t count,
+ const size_t quantum)
+{
+ size_t
+ size;
+
+ size=count*quantum;
+ if ((count == 0) || (quantum != (size/count)))
+ {
+ errno=ENOMEM;
+ return(MagickTrue);
+ }
+ return(MagickFalse);
+}
+
+
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
@@ -1630,14 +1648,13 @@ RestoreMSCWarning
}
(void) SetImageStorageClass(image,DirectClass);
number_pixels=(MagickSizeType) columns*rows;
- if ((number_pixels*sizeof(uint32)) != (MagickSizeType) ((size_t)
- (number_pixels*sizeof(uint32))))
+ if (CheckMemoryOverflow(rows,sizeof(*tile_pixels)) != MagickFalse)
{
TIFFClose(tiff);
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
}
- tile_pixels=(uint32 *) AcquireQuantumMemory(number_pixels,
- sizeof(*tile_pixels));
+ tile_pixels=(uint32 *) AcquireQuantumMemory(columns,
+ rows*sizeof(*tile_pixels));
if (tile_pixels == (uint32 *) NULL)
{
TIFFClose(tiff);
@@ -1739,14 +1756,13 @@ RestoreMSCWarning
Convert TIFF image to DirectClass MIFF image.
*/
number_pixels=(MagickSizeType) image->columns*image->rows;
- if ((number_pixels*sizeof(uint32)) != (MagickSizeType) ((size_t)
- (number_pixels*sizeof(uint32))))
+ if (CheckMemoryOverflow(image->rows,sizeof(*pixels)) != MagickFalse)
{
TIFFClose(tiff);
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
}
pixel_info=AcquireVirtualMemory(image->columns,image->rows*
- sizeof(uint32));
+ sizeof(*pixels));
if (pixel_info == (MemoryInfo *) NULL)
{
TIFFClose(tiff);