File GraphicsMagick-CVE-2018-6799.patch of Package GraphicsMagick.9388
Index: GraphicsMagick-1.3.25/magick/pixel_cache.c
===================================================================
--- GraphicsMagick-1.3.25.orig/magick/pixel_cache.c 2018-04-24 18:31:17.659666370 +0200
+++ GraphicsMagick-1.3.25/magick/pixel_cache.c 2018-04-24 18:40:28.527663346 +0200
@@ -4166,7 +4169,7 @@ SetImageVirtualPixelMethod(const Image *
%
*/
static PixelPacket *
-SetNexus(const Image *image,const RectangleInfo *region,
+SetNexus(const Image *image,const RectangleInfo * restrict region,
NexusInfo *nexus_info,ExceptionInfo *exception)
{
const CacheInfo
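Review bot: The `restrict` added to `region` in the SetNexus signature is an undocumented promise that the function writes the pointed-to RectangleInfo through no other lvalue, yet the later hunks of this patch assign `nexus_info->region` on three paths. If any caller passes `&nexus_info->region` as `region`, those assignments become undefined behaviour; the callers are not visible here, so this needs confirming. The function's header comment should state the contract, for example `region must not point into nexus_info; it is copied into nexus_info->region only after validation`. The body of SetNexus continues past this hunk.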
@@ -4183,38 +4186,47 @@ SetNexus(const Image *image,const Rectan
assert(image != (const Image *) NULL);
cache_info=(const CacheInfo *) image->cache;
assert(cache_info->signature == MagickSignature);
- nexus_info->region=*region;
- if ((cache_info->type != PingCache) && (cache_info->type != DiskCache) &&
- (image->clip_mask == (const Image *) NULL))
- {
- magick_off_t
- offset;
+ if ((cache_info->type != PingCache) &&
+ (cache_info->type != DiskCache) &&
+ (image->clip_mask == (const Image *) NULL) &&
+ (region->x >=0) &&
+ (region->y >= 0))
+ {
+ if ((/* All/part of one row */
+ (region->height == 1) &&
+ ((region->x+region->width) <= cache_info->columns)
+ )
+ ||
+ (/* One or more full rows */
+ (region->x == 0) &&
+ (region->width == cache_info->columns) &&
+ (region->y+region->height <= cache_info->rows)
+ )
+ )
+ {
+ /*
+ Pixels are accessed directly from memory.
+ */
+ size_t
+ offset;
- offset=nexus_info->region.y*(magick_off_t) cache_info->columns+nexus_info->region.x;
- length=(nexus_info->region.height-1)*cache_info->columns+nexus_info->region.width-1;
- number_pixels=(magick_uint64_t) cache_info->columns*cache_info->rows;
- if ((offset >= 0) && (((magick_uint64_t) offset+length) < number_pixels))
- if ((((nexus_info->region.x+nexus_info->region.width) <= cache_info->columns) &&
- (nexus_info->region.height == 1)) ||
- ((nexus_info->region.x == 0) &&
- ((nexus_info->region.width % cache_info->columns) == 0)))
- {
- /*
- Pixels are accessed directly from memory.
- */
- nexus_info->pixels=cache_info->pixels+offset;
- nexus_info->indexes=(IndexPacket *) NULL;
- if (cache_info->indexes_valid)
- nexus_info->indexes=cache_info->indexes+offset;
- nexus_info->in_core=IsNexusInCore(cache_info,nexus_info);
- return(nexus_info->pixels);
- }
+ offset=((size_t) region->y)*cache_info->columns+((size_t) region->x);
+
+ nexus_info->pixels=cache_info->pixels+offset;
+ nexus_info->indexes=(IndexPacket *) NULL;
+ if (cache_info->indexes_valid)
+ nexus_info->indexes=cache_info->indexes+offset;
+ nexus_info->in_core=MagickTrue;
+ nexus_info->region=*region;
+ /* fprintf(stderr,"Pixels in core\n"); */
+ return(nexus_info->pixels);
+ }
}
/*
Pixels are stored in a staging area until they are synced to the cache.
*/
- number_pixels=(magick_uint64_t)
- Max(nexus_info->region.width*nexus_info->region.height,cache_info->columns);
+ number_pixels=
+ (magick_uint64_t) Max(region->width*region->height,cache_info->columns);
packet_size=sizeof(PixelPacket);
if (cache_info->indexes_valid)
packet_size+=sizeof(IndexPacket);
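Review bot: The single-row branch of the new fast-path test never compares `region->y` with `cache_info->rows`. With `region->height == 1` and `region->x+region->width <= cache_info->columns`, `offset` is computed from any non-negative `y`, and the removed `offset+length < number_pixels` guard was the only check that bounded it. Adding `(region->y+region->height <= cache_info->rows) &&` to the outer condition, next to the `region->y >= 0` test, would cover both branches. The sums `region->x+region->width` and `region->y+region->height` may also wrap if width and height are unsigned long (the `%lu` in the log message below suggests so), so it is safer to check `x` against `columns` first and then compare `width` with the remaining space. SetNexus starts before and continues past this hunk.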
@@ -4248,13 +4260,22 @@ SetNexus(const Image *image,const Rectan
"region height=%lu, cache columns=%lu)!",
(MAGICK_SIZE_T) length,
number_pixels,
- nexus_info->region.width,
- nexus_info->region.height,
+ region->width,
+ region->height,
cache_info->columns);
ThrowException(exception,ResourceLimitError,MemoryAllocationFailed,
image->filename);
+ nexus_info->region.width=0;
+ nexus_info->region.height=0;
+ nexus_info->region.x=0;
+ nexus_info->region.y=0;
+ nexus_info->in_core=MagickFalse;
+ }
+ else
+ {
+ nexus_info->region=*region;
+ nexus_info->in_core=IsNexusInCore(cache_info,nexus_info);
}
- nexus_info->in_core=IsNexusInCore(cache_info,nexus_info);
return(nexus_info->pixels);
}
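Review bot: The failure branch resets `nexus_info->region` and `in_core`, but the function still falls through to `return(nexus_info->pixels)` and nothing in this hunk clears `nexus_info->pixels` or `nexus_info->indexes`. Those fields are assigned above the hunk, so this may already be handled; if `indexes` is derived from the staging pointer there, it could be left non-NULL after a failed allocation. Consider making the error path explicit with `nexus_info->pixels=(PixelPacket *) NULL;` and `nexus_info->indexes=(IndexPacket *) NULL;` beside the region reset, and add a one-line comment saying why the region is zeroed on failure.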