File ImageMagick-CVE-2016-8684.patch of Package ImageMagick.openSUSE_Leap_42.3_Update
%
Index: ImageMagick-6.8.9-8/coders/sgi.c
===================================================================
--- ImageMagick-6.8.9-8.orig/coders/sgi.c 2016-10-18 13:52:30.912192191 +0200
+++ ImageMagick-6.8.9-8/coders/sgi.c 2016-10-18 13:52:46.616430395 +0200
@@ -302,6 +302,9 @@ static Image *ReadSGIImage(const ImageIn
unsigned char
*pixels;
+ off_t
+ file_size;
+
/*
Open image file.
*/
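Review bot: `file_size` is declared as `off_t`, but the next hunk assigns it from `GetBlobSize(image)`, which returns `MagickSizeType` in ImageMagick's blob API. On a build where `off_t` is narrower than that type or the value exceeds the signed range, the stored size can be truncated or negative, and the later `uncompressed_size > file_size` comparisons would then work from a wrong bound. Declaring it as `MagickSizeType file_size;` keeps the width and signedness of the value being stored. The body of ReadSGIImage starts and ends outside this hunk, so any other use of the variable is not visible here.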
@@ -323,6 +326,7 @@ static Image *ReadSGIImage(const ImageIn
Read SGI raster header.
*/
iris_info.magic=ReadBlobMSBShort(image);
+ file_size=GetBlobSize(image);
do
{
/*
@@ -378,6 +382,31 @@ static Image *ReadSGIImage(const ImageIn
if (image->scene >= (image_info->scene+image_info->number_scenes-1))
break;
/*
+ Check that filesize is reasonable given header
+ */
+ {
+ double
+ uncompressed_size;
+
+ uncompressed_size=((double) (iris_info.dimension == 3 ? iris_info.depth : 1)*
+ image->columns*image->rows*iris_info.bytes_per_pixel);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Uncompressed size: %.0f", uncompressed_size);
+ if (iris_info.storage != 0x01)
+ {
+ /* Not compressed */
+ if (uncompressed_size > file_size)
+ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+ }
+ else
+ {
+ /* RLE compressed */
+ if (uncompressed_size > file_size*254.0)
+ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+ }
+ }
+
+ /*
Allocate SGI pixels.
*/
bytes_per_pixel=(size_t) iris_info.bytes_per_pixel;
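Review bot: Both comparisons in the added block use `file_size` taken once from `GetBlobSize(image)` before the loop, and that call can presumably return 0 when the blob length is not known (a piped or otherwise non-seekable input), in which case every SGI image with non-zero dimensions is rejected with `InsufficientImageDataInFile`. If that input path matters, guard the comparisons, e.g. `if ((file_size != 0) && (uncompressed_size > file_size))`, accepting that the allocation below is then bounded only by the configured resource limits. The factor `254.0` in the RLE branch is unexplained; a comment such as `/* assumed worst-case RLE expansion ratio, see <reference> */` would let a reader judge whether the bound is tight enough. The check also compares against the whole blob size rather than the bytes remaining after the header, so it is a loose upper bound, and the header fields it multiplies are presumably validated earlier in the function, outside this hunk.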