File ImageMagick-CVE-2017-12565,12641.patch of Package ImageMagick.openSUSE_Leap_42.3_Update
Index: ImageMagick-6.8.8-1/coders/png.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/png.c 2018-01-15 14:05:55.507379063 +0100
+++ ImageMagick-6.8.8-1/coders/png.c 2018-01-16 07:25:56.575876637 +0100
@@ -4117,6 +4117,36 @@ static Image *ReadPNGImage(const ImageIn
% o exception: return any errors or warnings in this structure.
%
*/
+
+void
+DestroyJNG(unsigned char *chunk,Image **color_image,
+ ImageInfo **color_image_info,
+ Image **alpha_image,ImageInfo **alpha_image_info)
+
+{
+ if (chunk)
+ (void) RelinquishMagickMemory(chunk);
+ if (*color_image_info)
+ {
+ DestroyImageInfo(*color_image_info);
+ *color_image_info = (ImageInfo *)NULL;
+ }
+ if (*alpha_image_info)
+ {
+ DestroyImageInfo(*alpha_image_info);
+ *alpha_image_info = (ImageInfo *)NULL;
+ }
+ if (*color_image)
+ {
+ DestroyImage(*color_image);
+ *color_image = (Image *)NULL;
+ }
+ if (*alpha_image)
+ {
+ DestroyImage(*alpha_image);
+ *alpha_image = (Image *)NULL;
+ }
+}
static Image *ReadOneJNGImage(MngInfo *mng_info,
const ImageInfo *image_info, ExceptionInfo *exception)
{
@@ -4249,8 +4279,11 @@ static Image *ReadOneJNGImage(MngInfo *m
type[0],type[1],type[2],type[3],(double) length);
if (length > PNG_UINT_31_MAX || count == 0)
+ {
+ DestroyJNG(NULL,&color_image,&color_image_info,
+ &alpha_image,&alpha_image_info);
ThrowReaderException(CorruptImageError,"CorruptImage");
-
+ }
p=NULL;
chunk=(unsigned char *) NULL;
@@ -4350,6 +4383,16 @@ static Image *ReadOneJNGImage(MngInfo *m
if (length)
chunk=(unsigned char *) RelinquishMagickMemory(chunk);
+ if (jng_width > 65535 || jng_height > 65535)
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " JNG width or height too large: (%lu x %lu)",
+ (long) jng_width, (long) jng_height);
+ DestroyJNG(chunk,&color_image,&color_image_info,
+ &alpha_image,&alpha_image_info);
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
+
/* Rationalize dimensions with blob size if it is available */
if (IsBlobSeekable(image))
{