Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Maintenance:10208
GraphicsMagick.openSUSE_Leap_42.3_Update
GraphicsMagick-CVE-2017-18229.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File GraphicsMagick-CVE-2017-18229.patch of Package GraphicsMagick.openSUSE_Leap_42.3_Update
diff -r fb09ca6dd22c -r 752c0b41fa32 coders/tiff.c --- a/coders/tiff.c Sat Sep 16 12:57:44 2017 -0500 +++ b/coders/tiff.c Sat Sep 16 15:57:58 2017 -0500 @@ -1648,6 +1648,10 @@ TIFF *tiff; + magick_off_t + file_size, + max_compress_ratio=70; /* Maximum compression ratio */ + uint16 compress_tag, bits_per_sample, @@ -1703,6 +1707,7 @@ status=OpenBlob(image_info,image,ReadBinaryBlobMode,exception); if (status == MagickFail) ThrowReaderException(FileOpenError,UnableToOpenFile,image); + file_size = GetBlobSize(image); (void) MagickTsdSetSpecific(tsd_key,(void *) exception); (void) TIFFSetErrorHandler((TIFFErrorHandler) TIFFErrors); (void) TIFFSetWarningHandler((TIFFErrorHandler) (CheckThrowWarnings(image_info) ? @@ -2266,8 +2271,23 @@ if (logging) (void) LogMagickEvent(CoderEvent,GetMagickModule(), - "Allocating scanline buffer of %lu bytes", - (unsigned long) scanline_size); + "Request to allocate scanline buffer of %" + MAGICK_SIZE_T_F "u bytes", + (MAGICK_SIZE_T) scanline_size); + + /* + Rationalize memory request based on file size + */ + if (scanline_size > file_size*max_compress_ratio) + { + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + "Unreasonable allocation size " + "(ratio of alloc to file size %g)", + (double) scanline_size/file_size); + TIFFClose(tiff); + ThrowReaderException(CorruptImageError,InsufficientImageDataInFile, + image); + } scanline=MagickAllocateMemory(unsigned char *,(size_t) scanline_size); if (scanline == (unsigned char *) NULL) @@ -2430,6 +2450,20 @@ break; } + /* + Rationalize memory request based on file size + */ + if (strip_size_max > file_size*max_compress_ratio) + { + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + "Unreasonable allocation size " + "(ratio of alloc to file size %g)", + (double) strip_size_max/file_size); + TIFFClose(tiff); + ThrowReaderException(CorruptImageError,InsufficientImageDataInFile, + image); + } + strip=MagickAllocateMemory(unsigned char *,(size_t) strip_size_max); if (strip == (unsigned char *) NULL) { @@ -2590,7 +2624,7 @@ QuantumType quantum_type; - unsigned long + size_t tile_total_pixels; if (logging) @@ -2622,15 +2656,33 @@ /* Compute the total number of pixels in one tile */ - tile_total_pixels=tile_columns*tile_rows; + tile_total_pixels=MagickArraySize(tile_columns,tile_rows); if (logging) { (void) LogMagickEvent(CoderEvent,GetMagickModule(), - "TIFF tile geometry %ux%u, %lu pixels", + "TIFF tile geometry %ux%u, " + "%" MAGICK_SIZE_T_F "u pixels" + " (%" MAGICK_SIZE_T_F "u bytes max)", (unsigned int)tile_columns, (unsigned int)tile_rows, - tile_total_pixels); + (MAGICK_SIZE_T) tile_total_pixels, + (MAGICK_SIZE_T) tile_size_max); } + + /* + Rationalize memory request based on file size + */ + if (tile_size_max > file_size*max_compress_ratio) + { + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + "Unreasonable allocation size " + "(ratio of alloc to file size %g)", + (double) tile_size_max/file_size); + TIFFClose(tiff); + ThrowReaderException(CorruptImageError,InsufficientImageDataInFile, + image); + } + /* Allocate tile buffer */ @@ -2819,6 +2871,20 @@ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, image); } + /* + Rationalize memory request based on file size + */ + if ((magick_off_t) (number_pixels*sizeof(uint32)) > + file_size*max_compress_ratio) + { + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + "Unreasonable allocation size " + "(ratio of alloc to file size %g)", + (double) (number_pixels*sizeof(uint32))/file_size); + TIFFClose(tiff); + ThrowReaderException(CorruptImageError,InsufficientImageDataInFile, + image); + } strip_pixels=MagickAllocateArray(uint32 *,number_pixels,sizeof(uint32)); if (strip_pixels == (uint32 *) NULL) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor