File ImageMagick-CVE-2014-9818,9826,9829.patch of Package ImageMagick.openSUSE_Leap_42.3_Update

Overview Repositories Revisions Requests Users Attributes Meta

File ImageMagick-CVE-2014-9818,9826,9829.patch of Package ImageMagick.openSUSE_Leap_42.3_Update

Index: ImageMagick-6.8.9-8/coders/sun.c
===================================================================
--- ImageMagick-6.8.9-8.orig/coders/sun.c	2016-06-16 14:05:17.774611062 +0200
+++ ImageMagick-6.8.9-8/coders/sun.c	2016-06-16 14:10:57.324150699 +0200
@@ -309,13 +309,21 @@ static Image *ReadSUNImage(const ImageIn
     sun_info.type=ReadBlobMSBLong(image);
     sun_info.maptype=ReadBlobMSBLong(image);
     sun_info.maplength=ReadBlobMSBLong(image);
-    image->columns=sun_info.width;
-    image->rows=sun_info.height;
     extent=sun_info.height*sun_info.width;
     if ((sun_info.height != 0) && (sun_info.width != extent/sun_info.height))
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     if ((sun_info.depth == 0) || (sun_info.depth > 32))
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+    if ((sun_info.type != RT_STANDARD) && (sun_info.type != RT_ENCODED) &&
+        (sun_info.type != RT_FORMAT_RGB))
+      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+    if ((sun_info.maptype == RMT_NONE) && (sun_info.maplength != 0))
+      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+    if ((sun_info.maptype != RMT_NONE) && (sun_info.maptype != RMT_EQUAL_RGB) &&
+        (sun_info.maptype != RMT_RAW))
+      ThrowReaderException(CoderError,"ColormapTypeNotSupported");
+    image->columns=sun_info.width;
+    image->rows=sun_info.height;
     image->depth=sun_info.depth <= 8 ? sun_info.depth :
       MAGICKCORE_QUANTUM_DEPTH;
     if (sun_info.depth < 24)
@@ -360,12 +368,18 @@ static Image *ReadSUNImage(const ImageIn
         if (sun_colormap == (unsigned char *) NULL)
           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
         count=ReadBlob(image,image->colors,sun_colormap);
+        if (count != (ssize_t) image->colors)
+          ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
         for (i=0; i < (ssize_t) image->colors; i++)
           image->colormap[i].red=ScaleCharToQuantum(sun_colormap[i]);
         count=ReadBlob(image,image->colors,sun_colormap);
+        if (count != (ssize_t) image->colors)
+          ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
         for (i=0; i < (ssize_t) image->colors; i++)
           image->colormap[i].green=ScaleCharToQuantum(sun_colormap[i]);
         count=ReadBlob(image,image->colors,sun_colormap);
+        if (count != (ssize_t) image->colors)
+          ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
         for (i=0; i < (ssize_t) image->colors; i++)
           image->colormap[i].blue=ScaleCharToQuantum(sun_colormap[i]);
         sun_colormap=(unsigned char *) RelinquishMagickMemory(sun_colormap);
@@ -384,11 +398,13 @@ static Image *ReadSUNImage(const ImageIn
         if (sun_colormap == (unsigned char *) NULL)
           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
         count=ReadBlob(image,sun_info.maplength,sun_colormap);
+        if (count != (ssize_t) sun_info.maplength)
+          ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
         sun_colormap=(unsigned char *) RelinquishMagickMemory(sun_colormap);
         break;
       }
       default:
-        ThrowReaderException(CoderError,"ColormapTypeNotSupported");
+        break;
     }
     image->matte=sun_info.depth == 32 ? MagickTrue : MagickFalse;
     image->columns=sun_info.width;
@@ -410,7 +426,7 @@ static Image *ReadSUNImage(const ImageIn
     if (sun_data == (unsigned char *) NULL)
       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
     count=(ssize_t) ReadBlob(image,sun_info.length,sun_data);
-    if ((count == 0) && (sun_info.type != RT_ENCODED))
+    if (count != (ssize_t) sun_info.length)
       ThrowReaderException(CorruptImageError,"UnableToReadImageData");
     sun_pixels=sun_data;
     bytes_per_line=0;
@@ -436,8 +452,8 @@ static Image *ReadSUNImage(const ImageIn
           bytes_per_line*sizeof(*sun_pixels));
         if (sun_pixels == (unsigned char *) NULL)
           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-        (void) DecodeImage(sun_data,sun_info.length,sun_pixels,
-          bytes_per_line*height);
+        (void) DecodeImage(sun_data,sun_info.length,sun_pixels,bytes_per_line*
+          height);
         sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
       }
     /*
@@ -454,15 +470,13 @@ static Image *ReadSUNImage(const ImageIn
         for (x=0; x < ((ssize_t) image->columns-7); x+=8)
         {
           for (bit=7; bit >= 0; bit--)
-            SetPixelIndex(indexes+x+7-bit,((*p) & (0x01 << bit) ?
-              0x00 : 0x01));
+            SetPixelIndex(indexes+x+7-bit,((*p) & (0x01 << bit) ? 0x00 : 0x01));
           p++;
         }
         if ((image->columns % 8) != 0)
           {
-            for (bit=7; bit >= (ssize_t) (8-(image->columns % 8)); bit--)
-              SetPixelIndex(indexes+x+7-bit,(*p) & (0x01 << bit) ?
-                0x00 : 0x01);
+            for (bit=7; bit >= (int) (8-(image->columns % 8)); bit--)
+              SetPixelIndex(indexes+x+7-bit,(*p) & (0x01 << bit) ? 0x00 : 0x01);
             p++;
           }
         if ((((image->columns/8)+(image->columns % 8 ? 1 : 0)) % 2) != 0)

Places

File ImageMagick-CVE-2014-9818,9826,9829.patch of Package ImageMagick.openSUSE_Leap_42.3_Update

Places