File ImageMagick-CVE-2017-13769.patch of Package ImageMagick.openSUSE_Leap_42.3_Update
From 73e085bd8a77541fb9faf0584951783fdeac97f2 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Tue, 29 Aug 2017 07:02:24 -0400
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/705
---
coders/thumbnail.c | 2 ++
1 file changed, 2 insertions(+)
Index: ImageMagick-6.8.8-1/coders/thumbnail.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/thumbnail.c 2013-12-01 15:47:50.000000000 +0100
+++ ImageMagick-6.8.8-1/coders/thumbnail.c 2017-11-07 08:31:02.592817828 +0100
@@ -178,7 +178,7 @@ static MagickBooleanType WriteTHUMBNAILI
offset;
unsigned char
- magick[MaxTextExtent];
+ *q;
profile=GetImageProfile(image,"exif");
if (profile == (const StringInfo *) NULL)
@@ -187,21 +187,22 @@ static MagickBooleanType WriteTHUMBNAILI
if (property == (const char *) NULL)
ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
offset=(ssize_t) StringToLong(property);
+ if (offset < 0)
+ ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
property=GetImageProperty(image,"exif:JPEGInterchangeFormatLength");
if (property == (const char *) NULL)
ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
length=(size_t) StringToLong(property);
- (void) ResetMagickMemory(magick,0,sizeof(magick));
- for (i=0; i < (ssize_t) length; i++)
+ q=GetStringInfoDatum(profile)+offset;
+ for (i=offset; i < (ssize_t) GetStringInfoLength(profile) - 3; i++)
{
- magick[0]=magick[1];
- magick[1]=magick[2];
- magick[2]=GetStringInfoDatum(profile)[offset+i];
- if (memcmp(magick,"\377\330\377",3) == 0)
+ if (memcmp(q,"\377\330\377",3) == 0)
break;
+ q++;
}
- thumbnail_image=BlobToImage(image_info,GetStringInfoDatum(profile)+offset+i-2,
- length,&image->exception);
+ if ((q+length) > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)))
+ ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
+ thumbnail_image=BlobToImage(image_info,q,length,&image->exception);
if (thumbnail_image == (Image *) NULL)
return(MagickFalse);
(void) SetImageType(thumbnail_image,thumbnail_image->matte == MagickFalse ?
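Review bot: The added `if (offset < 0)` guard rejects only negative values, so an `exif:JPEGInterchangeFormat` value larger than the profile still lets `q=GetStringInfoDatum(profile)+offset` point past the end of the buffer before any upper-bound check runs. I would bound it at the same place with `if ((offset < 0) || ((size_t) offset >= GetStringInfoLength(profile)))`. The final check also compares pointers: `length` comes from `(size_t) StringToLong(property)`, so a negative property string becomes a very large value, and `q+length` is then out-of-range pointer arithmetic that may wrap and pass the `>` test. With `offset` bounded as above, comparing sizes avoids that: `if (length > (GetStringInfoLength(profile)-(size_t) (q-GetStringInfoDatum(profile))))`. The body of the function starts before and continues after this hunk, so any earlier validation of these properties is not visible here.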