Overview

File ImageMagick-CVE-2017-12565,12641.patch of Package ImageMagick.openSUSE_Leap_42.3_Update

Index: ImageMagick-6.8.8-1/coders/png.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/png.c	2018-01-15 14:05:55.507379063 +0100
+++ ImageMagick-6.8.8-1/coders/png.c	2018-01-16 07:25:56.575876637 +0100
@@ -4117,6 +4117,36 @@ static Image *ReadPNGImage(const ImageIn
 %    o exception: return any errors or warnings in this structure.
 %
 */
+
+void
+DestroyJNG(unsigned char *chunk,Image **color_image,
+   ImageInfo **color_image_info,
+   Image **alpha_image,ImageInfo **alpha_image_info)
+
+{
+  if (chunk)
+    (void) RelinquishMagickMemory(chunk);
+  if (*color_image_info)
+  {
+    DestroyImageInfo(*color_image_info);
+    *color_image_info = (ImageInfo *)NULL;
+  }
+  if (*alpha_image_info)
+  {
+    DestroyImageInfo(*alpha_image_info);
+    *alpha_image_info = (ImageInfo *)NULL;
+  }
+  if (*color_image)
+  {
+    DestroyImage(*color_image);
+    *color_image = (Image *)NULL;
+  }
+  if (*alpha_image)
+  {
+    DestroyImage(*alpha_image);
+    *alpha_image = (Image *)NULL;
+  }
+}
 static Image *ReadOneJNGImage(MngInfo *mng_info,
     const ImageInfo *image_info, ExceptionInfo *exception)
 {
@@ -4249,8 +4279,11 @@ static Image *ReadOneJNGImage(MngInfo *m
         type[0],type[1],type[2],type[3],(double) length);
 
     if (length > PNG_UINT_31_MAX || count == 0)
+    {
+      DestroyJNG(NULL,&color_image,&color_image_info,
+                 &alpha_image,&alpha_image_info);
       ThrowReaderException(CorruptImageError,"CorruptImage");
-
+    }    
     p=NULL;
     chunk=(unsigned char *) NULL;
 
@@ -4350,6 +4383,16 @@ static Image *ReadOneJNGImage(MngInfo *m
         if (length)
           chunk=(unsigned char *) RelinquishMagickMemory(chunk);
 
+        if (jng_width > 65535 || jng_height > 65535)
+          {
+            (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+               "    JNG width or height too large: (%lu x %lu)",
+                (long) jng_width, (long) jng_height);
+            DestroyJNG(chunk,&color_image,&color_image_info,
+              &alpha_image,&alpha_image_info);
+            ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+          }
+
         /* Rationalize dimensions with blob size if it is available */
         if (IsBlobSeekable(image))
           {
openSUSE Build Service is sponsored by
Places