SECURITY: CVE-2013-4298: Memory corruption while processing GIF comments Fix from upstream, via Debian Bug #721273.
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721273 http://trac.imagemagick.org/changeset/8770/ImageMagick/trunk/coders/gif.c It's already fixed in GraphicsMagick. ok? Index: Makefile =================================================================== RCS file: /cvs/ports/graphics/ImageMagick/Makefile,v retrieving revision 1.130 diff -u -p -r1.130 Makefile --- Makefile 12 Aug 2013 10:03:00 -0000 1.130 +++ Makefile 4 Sep 2013 16:44:52 -0000 @@ -6,7 +6,7 @@ COMMENT= image processing tools VER= 6.7.7 DASHVER= 7 -REVISION= 4 +REVISION= 5 DISTNAME= ImageMagick-${VER}-${DASHVER} PKGNAME= ImageMagick-${VER}.${DASHVER} Index: patches/patch-coders_gif_c =================================================================== RCS file: patches/patch-coders_gif_c diff -N patches/patch-coders_gif_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-coders_gif_c 4 Sep 2013 16:44:52 -0000 @@ -0,0 +1,23 @@ +$OpenBSD$ + +CVE-2013-4298: Memory corruption while processing GIF comments +http://trac.imagemagick.org/changeset/8770/ImageMagick/trunk/coders/gif.c + +--- coders/gif.c.orig Fri Jun 1 18:36:24 2012 ++++ coders/gif.c Wed Sep 4 18:09:45 2013 +@@ -1098,14 +1098,8 @@ static Image *ReadGIFImage(const ImageInfo *image_info + if (count == 0) + break; + header[count]='\0'; +- comments=(char *) ResizeQuantumMemory(comments,length+count, +- sizeof(*comments)); +- if (comments == (char *) NULL) +- ThrowReaderException(ResourceLimitError, +- "MemoryAllocationFailed"); +- (void) CopyMagickMemory(comments+length,header,(size_t) count); ++ (void) ConcatenateString(&comments,(const char *) header); + } +- comments[length+count]='\0'; + (void) SetImageProperty(image,"comment",comments); + comments=DestroyString(comments); + break; -- Christian "naddy" Weisgerber [email protected]
