File GraphicsMagick-CVE-2017-15930.patch of Package GraphicsMagick.7893
Index: GraphicsMagick-1.3.25/coders/png.c
===================================================================
--- GraphicsMagick-1.3.25.orig/coders/png.c 2017-11-06 13:01:24.251142530 +0100
+++ GraphicsMagick-1.3.25/coders/png.c 2017-11-06 13:02:15.284022071 +0100
@@ -2837,7 +2837,7 @@ static Image *ReadOneJNGImage(MngInfo *m
reading_idat,
status;
- unsigned long
+ size_t
length;
jng_alpha_compression_method=0;
@@ -2901,7 +2901,7 @@ static Image *ReadOneJNGImage(MngInfo *m
type[0]='\0';
(void) strcat(type,"errr");
- length=ReadBlobMSBLong(image);
+ length=(size_t) ReadBlobMSBLong(image);
count=(unsigned int) ReadBlob(image,4,type);
if (logging)
@@ -3012,6 +3012,30 @@ static Image *ReadOneJNGImage(MngInfo *m
ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
}
+ /* Rationalize dimensions with blob size if it is available */
+ if (BlobIsSeekable(image))
+ {
+ magick_off_t
+ blob_size;
+
+ blob_size = GetBlobSize(image);
+ if ((blob_size == 0) ||
+ ((((double) jng_width*jng_height)/blob_size) > 512.0))
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Unreasonable dimensions: "
+ "geometry = %lux%lu, "
+ "blob size = %" MAGICK_OFF_F "d",
+ jng_width, jng_height, blob_size);
+
+ ThrowException(exception,CorruptImageError,
+ InsufficientImageDataInFile,image->filename);
+ MagickFreeMemory(chunk);
+ DestroyJNGInfo(color_image_info,alpha_image_info);
+ return ((Image *)NULL);
+ }
+ }
+
continue;
}
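Review bot: The cleanup call `DestroyJNGInfo(color_image_info,alpha_image_info)` in this new early return passes both pointers by value, while the later hunks of the same patch call it as `DestroyJNGInfo(color_image_info, &alpha_image_info)` and `DestroyJNGInfo(&color_image_info, &alpha_image_info)`. The prototype is outside the hunk, but at most one of these three forms can match it; the others pass a pointer of the wrong level on exactly the corrupt-file paths this patch is meant to harden, so all three should use the form the definition expects. Separately, the guard rejects only `blob_size == 0`, yet the `"%" MAGICK_OFF_F "d"` format suggests `magick_off_t` is signed. If GetBlobSize can report a negative value the ratio goes negative and the check passes, which `if ((blob_size <= 0) || ...` would close. The `%lu` arguments here also lack the `(unsigned long)` casts that the later hunk applies to the same two variables.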
@@ -3363,17 +3387,37 @@ static Image *ReadOneJNGImage(MngInfo *m
" Copying jng_image pixels to main image.");
image->rows=jng_height;
image->columns=jng_width;
- length=image->columns*sizeof(PixelPacket);
+ length=MagickArraySize(image->columns,sizeof(PixelPacket));
+ if (jng_height == 0 || jng_width == 0 || length == 0)
+ {
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " jng_width=%lu jng_height=%lu",
+ (unsigned long)jng_width,(unsigned long)jng_height);
+ DestroyJNGInfo(color_image_info, &alpha_image_info);
+ DestroyImage(jng_image);
+ return ((Image *)NULL);
+ }
for (y=0; y < (long) image->rows; y++)
{
s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception);
q=SetImagePixels(image,0,y,image->columns,1);
+ if ((s == (const PixelPacket *) NULL) || (q == (PixelPacket *) NULL))
+ break;
(void) memcpy(q,s,length);
if (!SyncImagePixels(image))
break;
}
DestroyImage(jng_image);
jng_image = (Image *)NULL;
+ if ((unsigned long) y != image->rows)
+ {
+ if (logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Failed to transfer JPEG scanlines");
+ DestroyJNGInfo(&color_image_info, &alpha_image_info);
+ return ((Image *)NULL);
+ }
if (alpha_image != (Image *)NULL && !image_info->ping)
{
if (jng_color_type >= 12)
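Review bot: Both new early returns hand back NULL without recording why, whereas the blob-size check earlier in this patch calls ThrowException before returning. A caller that inspects only `exception` would see a failed read with no error attached; something like `ThrowException(exception,CorruptImageError,ImproperImageHeader,image->filename);` before the zero-dimension return (and an equivalent before the "Failed to transfer JPEG scanlines" return) would make the rejection visible. The context line right after the second return tests `alpha_image != (Image *)NULL`, so `alpha_image` may already be allocated at this point, yet neither return releases it. If that holds, each rejected file leaks it, and the paths probably need `if (alpha_image != (Image *)NULL) DestroyImage(alpha_image);`. The two `DestroyJNGInfo` calls in this hunk also disagree on whether the first argument takes `&`. ReadOneJNGImage starts and ends outside the hunk, so ownership of `image` and `alpha_image` should be confirmed against the full function.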
@@ -3405,12 +3449,16 @@ static Image *ReadOneJNGImage(MngInfo *m
if (image->matte)
{
q=SetImagePixels(image,0,y,image->columns,1);
+ if (q == (PixelPacket *) NULL)
+ break;
for (x=(long) image->columns; x > 0; x--,q++,s++)
q->opacity=(Quantum) MaxRGB-s->red;
}
else
{
q=SetImagePixels(image,0,y,image->columns,1);
+ if (q == (PixelPacket *) NULL)
+ break;
for (x=(long) image->columns; x > 0; x--,q++,s++)
{
q->opacity=(Quantum) MaxRGB-s->red;
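Review bot: The two added `break` statements leave the row loop when SetImagePixels returns NULL, but nothing visible in this hunk then notices that the loop ended early. The colour-copy loop in the previous hunk follows its loop with `if ((unsigned long) y != image->rows)` and fails the read; here an image whose opacity channel was only partly written would apparently continue as a successful decode. The same post-loop check, with cleanup and a NULL return, is worth adding after this loop. The inner loops also dereference `s`, and its NULL check is not visible in these lines. If `s` comes from an AcquireImagePixels call just above the hunk, it should get the same `if (s == (const PixelPacket *) NULL) break;` guard. The loop header and its end are outside the hunk, so this needs confirming against the full function.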