File ImageMagick-CVE-2016-8707.patch of Package ImageMagick.8768

From e5dc6d628a1c6049dc95adcea5e49aaa7ef2c778 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Fri, 2 Dec 2016 11:07:56 -0500
Subject: [PATCH] Fix possible buffer overflow when writing compressed TIFFS

---
 coders/tiff.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Index: ImageMagick-6.8.9-8/coders/tiff.c
===================================================================
--- ImageMagick-6.8.9-8.orig/coders/tiff.c	2016-12-13 11:20:21.303182880 +0100
+++ ImageMagick-6.8.9-8/coders/tiff.c	2016-12-13 11:29:56.260977266 +0100
@@ -1340,9 +1340,9 @@ RestoreMSCWarning
           rows_per_strip);
         (void) SetImageProperty(image,"tiff:rows-per-strip",value);
       }
-    if ((samples_per_pixel >= 2) && (interlace == PLANARCONFIG_CONTIG))
+    if ((samples_per_pixel >= 3) && (interlace == PLANARCONFIG_CONTIG))
       method=ReadRGBAMethod;
-    if ((samples_per_pixel >= 2) && (interlace == PLANARCONFIG_SEPARATE))
+    if ((samples_per_pixel >= 4) && (interlace == PLANARCONFIG_SEPARATE))
       method=ReadCMYKAMethod;
     if ((photometric != PHOTOMETRIC_RGB) &&
         (photometric != PHOTOMETRIC_CIELAB) &&
@@ -1362,7 +1362,12 @@ RestoreMSCWarning
       method=ReadTileMethod;
     quantum_info->endian=LSBEndian;
     quantum_type=RGBQuantum;
-    pixels=GetQuantumPixels(quantum_info);
+    pixels=(unsigned char *) AcquireMagickMemory(TIFFScanlineSize(tiff)+sizeof(uint32));
+    if (pixels == (unsigned char *) NULL)
+    {
+      TIFFClose(tiff);
+      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+    }
     switch (method)
     {
       case ReadSingleSampleMethod:
@@ -1445,7 +1450,6 @@ RestoreMSCWarning
             TIFFClose(tiff);
             ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
           }
-        pixels=GetQuantumPixels(quantum_info);
         for (y=0; y < (ssize_t) image->rows; y++)
         {
           int
@@ -1503,7 +1507,6 @@ RestoreMSCWarning
             TIFFClose(tiff);
             ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
           }
-        pixels=GetQuantumPixels(quantum_info);
         for (y=0; y < (ssize_t) image->rows; y++)
         {
           int
@@ -1827,6 +1830,7 @@ RestoreMSCWarning
         break;
       }
     }
+    pixels=(unsigned char *) RelinquishMagickMemory(pixels);
     SetQuantumImageType(image,quantum_type);
   next_tiff_frame:
     if (quantum_info != (QuantumInfo *) NULL)
@@ -3408,7 +3412,6 @@ RestoreMSCWarning
     if (GetTIFFInfo(image_info,tiff,&tiff_info) == MagickFalse)
       ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
     quantum_info->endian=LSBEndian;
-    pixels=GetQuantumPixels(quantum_info);
     tiff_info.scanline=GetQuantumPixels(quantum_info);
     switch (photometric)
     {