File ImageMagick-CVE-2014-9811.patch of Package ImageMagick.8768
Index: ImageMagick-6.8.8-1/coders/xwd.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/xwd.c 2016-06-14 12:37:01.544787045 +0200
+++ ImageMagick-6.8.8-1/coders/xwd.c 2016-06-14 12:37:01.576787569 +0200
@@ -223,11 +223,8 @@ static Image *ReadXWDImage(const ImageIn
Read in header information.
*/
count=ReadBlob(image,sz_XWDheader,(unsigned char *) &header);
- if (count == 0)
+ if (count != sz_XWDheader)
ThrowReaderException(CorruptImageError,"UnableToReadImageHeader");
- image->columns=header.pixmap_width;
- image->rows=header.pixmap_height;
- image->depth=8;
/*
Ensure the header byte-order is most-significant byte first.
*/
@@ -241,6 +238,25 @@ static Image *ReadXWDImage(const ImageIn
ThrowReaderException(CorruptImageError,"FileFormatVersionMismatch");
if (header.header_size < sz_XWDheader)
ThrowReaderException(CorruptImageError,"CorruptImage");
+ switch (header.visual_class) {
+ case StaticGray:
+ case GrayScale:
+ case StaticColor:
+ case PseudoColor:
+ case TrueColor:
+ case DirectColor:
+ break;
+ default:
+ ThrowReaderException(CorruptImageError,"CorruptImage");
+ }
+ switch (header.pixmap_format) {
+ case XYBitmap:
+ case XYPixmap:
+ case ZPixmap:
+ break;
+ default:
+ ThrowReaderException(CorruptImageError,"CorruptImage");
+ }
length=(size_t) header.header_size-sz_XWDheader;
comment=(char *) AcquireQuantumMemory(length+1,sizeof(*comment));
if (comment == (char *) NULL)
@@ -272,16 +288,30 @@ static Image *ReadXWDImage(const ImageIn
ximage->red_mask=header.red_mask;
ximage->green_mask=header.green_mask;
ximage->blue_mask=header.blue_mask;
- if ((ximage->depth < 0) || (ximage->width < 0) || (ximage->height < 0) ||
- (ximage->bitmap_pad < 0) || (ximage->bytes_per_line < 0))
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if ((ximage->width < 0) || (ximage->height < 0) || (ximage->depth < 0) ||
+ (ximage->format < 0) || (ximage->byte_order < 0) ||
+ (ximage->bitmap_bit_order < 0) || (ximage->bitmap_pad < 0) ||
+ (ximage->bytes_per_line < 0))
+ {
+ ximage=(XImage *) RelinquishMagickMemory(ximage);
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
if ((ximage->width > 65535) || (ximage->height > 65535))
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ {
+ ximage=(XImage *) RelinquishMagickMemory(ximage);
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
if ((ximage->bits_per_pixel > 32) || (ximage->bitmap_unit > 32))
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ {
+ ximage=(XImage *) RelinquishMagickMemory(ximage);
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
x_status=XInitImage(ximage);
if (x_status == 0)
- ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
+ {
+ ximage=(XImage *) RelinquishMagickMemory(ximage);
+ ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
+ }
/*
Read colormap.
*/
@@ -295,12 +325,18 @@ static Image *ReadXWDImage(const ImageIn
length=(size_t) header.ncolors;
colors=(XColor *) AcquireQuantumMemory(length,sizeof(*colors));
if (colors == (XColor *) NULL)
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ {
+ ximage=(XImage *) RelinquishMagickMemory(ximage);
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
for (i=0; i < (ssize_t) header.ncolors; i++)
{
count=ReadBlob(image,sz_XWDColor,(unsigned char *) &color);
if (count == 0)
- ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
+ {
+ ximage=(XImage *) RelinquishMagickMemory(ximage);
+ ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
+ }
colors[i].pixel=color.pixel;
colors[i].red=color.red;
colors[i].green=color.green;
@@ -327,7 +363,10 @@ static Image *ReadXWDImage(const ImageIn
*/
length=(size_t) ximage->bytes_per_line*ximage->height;
if (CheckOverflowException(length,ximage->bytes_per_line,ximage->height))
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ {
+ ximage=(XImage *) RelinquishMagickMemory(ximage);
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
if (ximage->format != ZPixmap)
{
size_t
@@ -336,20 +375,31 @@ static Image *ReadXWDImage(const ImageIn
extent=length;
length*=ximage->depth;
if (CheckOverflowException(length,extent,ximage->depth))
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ {
+ ximage=(XImage *) RelinquishMagickMemory(ximage);
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
}
ximage->data=(char *) AcquireQuantumMemory(length,sizeof(*ximage->data));
if (ximage->data == (char *) NULL)
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ {
+ ximage=(XImage *) RelinquishMagickMemory(ximage);
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
count=ReadBlob(image,length,(unsigned char *) ximage->data);
if (count == 0)
- ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
+ {
+ ximage->data=DestroyString(ximage->data);
+ ximage=(XImage *) RelinquishMagickMemory(ximage);
+ ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
+ }
/*
Convert image to MIFF format.
*/
image->columns=(size_t) ximage->width;
image->rows=(size_t) ximage->height;
- if ((colors == (XColor *) NULL) || (ximage->red_mask != 0) ||
+ image->depth=8;
+ if ((header.ncolors == 0U) || (ximage->red_mask != 0) ||
(ximage->green_mask != 0) || (ximage->blue_mask != 0))
image->storage_class=DirectClass;
else
@@ -464,7 +514,11 @@ static Image *ReadXWDImage(const ImageIn
Convert X image to PseudoClass packets.
*/
if (AcquireImageColormap(image,image->colors) == MagickFalse)
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ {
+ ximage->data=DestroyString(ximage->data);
+ ximage=(XImage *) RelinquishMagickMemory(ximage);
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
for (i=0; i < (ssize_t) image->colors; i++)
{
image->colormap[i].red=ScaleShortToQuantum(colors[i].red);
@@ -705,7 +759,7 @@ static MagickBooleanType WriteXWDImage(c
(void) WriteBlob(image,1,(const unsigned char *) "\0");
if (image->storage_class == PseudoClass)
{
- register unsigned int
+ register ssize_t
i;
XColor
@@ -724,7 +778,7 @@ static MagickBooleanType WriteXWDImage(c
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i < (ssize_t) image->colors; i++)
{
- colors[i].pixel=i;
+ colors[i].pixel=(unsigned long) i;
colors[i].red=ScaleQuantumToShort(image->colormap[i].red);
colors[i].green=ScaleQuantumToShort(image->colormap[i].green);
colors[i].blue=ScaleQuantumToShort(image->colormap[i].blue);