tags 444267 patch
thanks
Hi,
I've received these patches against 6.2.3 from a helpful third party.
These might be helpful to fix the Debian packages. Please credit Jonathan
Smith when using the patches. Thanks!
Thijs
diff -r 6e2f7c2469aa coders/dcm.c
--- a/coders/dcm.c Fri Sep 28 03:02:20 2007 -0800
+++ b/coders/dcm.c Fri Sep 28 03:35:00 2007 -0800
@@ -2899,12 +2899,10 @@ static Image *ReadDCMImage(const ImageIn
else
if ((quantum != 0) && (length != 0))
{
- /* new check for CVE-2007-1797 */
- if (length > ((~0UL)/quantum))
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
-
- data=(unsigned char *)
- AcquireMagickMemory((size_t) quantum*(length+1));
+ data=(unsigned char *) NULL;
+ if (~length >= 1)
+ data=(unsigned char *) AcquireQuantumMemory(length+1,quantum*
+ sizeof(*data));
if (data == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,
"MemoryAllocationFailed");
diff -r 6e2f7c2469aa coders/xcf.c
--- a/coders/xcf.c Fri Sep 28 03:02:20 2007 -0800
+++ b/coders/xcf.c Fri Sep 28 03:35:00 2007 -0800
@@ -944,6 +944,11 @@ static Image *ReadXCFImage(const ImageIn
else
if ( image_type == GIMP_INDEXED )
ThrowReaderException(CoderError,"ColormapTypeNotSupported");
+ if (SetImageExtent(image,0,0) == MagickFalse)
+ {
+ InheritException(exception,&image->exception);
+ return(DestroyImageList(image));
+ }
SetImageBackgroundColor(image);
/*
Read properties.
diff -r 0b40602aff9a coders/dcm.c
--- a/coders/dcm.c Fri Sep 28 04:42:08 2007 -0800
+++ b/coders/dcm.c Fri Sep 28 04:54:16 2007 -0800
@@ -3041,8 +3041,7 @@ static Image *ReadDCMImage(const ImageIn
break;
colors=(unsigned long) (length/bytes_per_pixel);
datum=(long) colors;
- graymap=(unsigned short *)
- AcquireMagickMemory((size_t) colors*sizeof(*graymap));
+ graymap=(unsigned short *) AcquireQuantumMemory((size_t) colors,sizeof(*graymap));
if (graymap == (unsigned short *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i < (long) colors; i++)
@@ -3202,8 +3201,7 @@ static Image *ReadDCMImage(const ImageIn
/*
Compute pixel scaling table.
*/
- scale=(Quantum *)
- AcquireMagickMemory((size_t) (max_value+1)*sizeof(*scale));
+ scale=(Quantum *) AcquireQuantumMemory(length,sizeof(*scale));
if (scale == (Quantum *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i <= (long) max_value; i++)
diff -r 0b40602aff9a coders/dib.c
--- a/coders/dib.c Fri Sep 28 04:42:08 2007 -0800
+++ b/coders/dib.c Fri Sep 28 04:54:16 2007 -0800
@@ -581,8 +581,9 @@ static Image *ReadDIBImage(const ImageIn
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if (AllocateImageColormap(image,image->colors) == MagickFalse)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- dib_colormap=(unsigned char *) AcquireMagickMemory(4*image->colors*
- sizeof(*dib_colormap));
+ length=(size_t) image->colors;
+ dib_colormap=(unsigned char *) AcquireQuantumMemory(length,
+ 4*sizeof(*dib_colormap));
if (dib_colormap == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
packet_size=4;
@@ -607,8 +608,8 @@ static Image *ReadDIBImage(const ImageIn
dib_info.bits_per_pixel<<=1;
bytes_per_line=4*((image->columns*dib_info.bits_per_pixel+31)/32);
length=bytes_per_line*image->rows;
- pixels=(unsigned char *) AcquireMagickMemory((size_t)
- Max(bytes_per_line,image->columns+256)*image->rows*sizeof(*pixels));
+ pixels=(unsigned char *) AcquireQuantumMemory((size_t) image->rows,
+ MagickMax(bytes_per_line,image->columns+256)*sizeof(*pixels));
if (pixels == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
if ((dib_info.compression == 0) || (dib_info.compression == 3))
@@ -1059,7 +1060,8 @@ static MagickBooleanType WriteDIBImage(c
/*
Convert MIFF to DIB raster pixels.
*/
- pixels=(unsigned char *) AcquireMagickMemory(dib_info.image_size);
+ pixels=(unsigned char *) AcquireQuantumMemory(dib_info.image_size,
+ sizeof(*pixels));
if (pixels == (unsigned char *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
(void) ResetMagickMemory(pixels,0,dib_info.image_size);
@@ -1190,7 +1192,8 @@ static MagickBooleanType WriteDIBImage(c
Convert run-length encoded raster pixels.
*/
length=2*(bytes_per_line+2)*(image->rows+2)+2;
- dib_data=(unsigned char *) AcquireMagickMemory(length);
+ dib_data=(unsigned char *) AcquireQuantumMemory(length,
+ sizeof(*dib_data));
if (pixels == (unsigned char *) NULL)
{
pixels=(unsigned char *) RelinquishMagickMemory(pixels);
@@ -1223,8 +1226,8 @@ static MagickBooleanType WriteDIBImage(c
/*
Dump colormap to file.
*/
- dib_colormap=(unsigned char *)
- AcquireMagickMemory((size_t) (4*(1 << dib_info.bits_per_pixel)));
+ dib_colormap=(unsigned char *) AcquireQuantumMemory((size_t)
+ (1UL << dib_info.bits_per_pixel),4*sizeof(dib_colormap));
if (dib_colormap == (unsigned char *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
q=dib_colormap;
diff -r 0b40602aff9a coders/xbm.c
--- a/coders/xbm.c Fri Sep 28 04:42:08 2007 -0800
+++ b/coders/xbm.c Fri Sep 28 04:54:16 2007 -0800
@@ -185,6 +185,8 @@ static Image *ReadXBMImage(const ImageIn
short int
hex_digits[256];
+
+ size_t length;
unsigned char
*data;
@@ -261,15 +263,6 @@ static Image *ReadXBMImage(const ImageIn
Initialize image structure.
*/
if (AllocateImageColormap(image,image->colors) == MagickFalse)
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- padding=0;
- if (((image->columns % 16) != 0) &&
- ((image->columns % 16) < 9) && (version == 10))
- padding=1;
- bytes_per_line=(image->columns+7)/8+padding;
- data=(unsigned char *)
- AcquireMagickMemory((size_t) bytes_per_line*image->rows);
- if (data == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
/*
Initialize colormap.
@@ -319,6 +312,16 @@ static Image *ReadXBMImage(const ImageIn
/*
Read hex image data.
*/
+ padding=0;
+ if (((image->columns % 16) != 0) &&
+ ((image->columns % 16) < 9) && (version == 10))
+ padding=1;
+ bytes_per_line=(image->columns+7)/8+padding;
+ length=(size_t) image->rows;
+ data=(unsigned char *) AcquireQuantumMemory(length,bytes_per_line*
+ sizeof(*data));
+ if (data == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
p=data;
if (version == 10)
for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2))
diff -r 0b40602aff9a coders/xcf.c
--- a/coders/xcf.c Fri Sep 28 04:42:08 2007 -0800
+++ b/coders/xcf.c Fri Sep 28 04:54:16 2007 -0800
@@ -305,7 +305,8 @@ static int load_tile (Image* image, Imag
XCFPixelPacket *xcfdata, *xcfodata;
unsigned char *graydata;
- xcfdata = xcfodata = (XCFPixelPacket *) AcquireMagickMemory(data_length);
+ xcfdata = xcfodata = (XCFPixelPacket *) AcquireQuantumMemory(data_length,
+ sizeof(*xcfdata));
graydata = (unsigned char *)xcfdata; /* used by gray and indexed */
nmemb_read_successfully = ReadBlob(image, data_length, (unsigned char *) xcfdata);
@@ -352,8 +353,8 @@ static int load_tile_rle (Image* image,
bpp = (int) inDocInfo->bpp;
- xcfdata = xcfodata = (unsigned char *)
- AcquireMagickMemory((size_t) data_length);
+ xcfdata = xcfodata = (unsigned char *) AcquireQuantumMemory((size_t)
+ data_length,sizeof(*xcfdata));
nmemb_read_successfully = ReadBlob(image, (size_t) data_length, xcfdata);
@@ -1154,8 +1155,9 @@ static Image *ReadXCFImage(const ImageIn
/* allocate our array of layer info blocks */
- layer_info=(XCFLayerInfo *)
- AcquireMagickMemory(number_layers*sizeof(XCFLayerInfo));
+ length=(size_t) number_layers;
+ layer_info=(XCFLayerInfo *) AcquireQuantumMemory(length,
+ sizeof(*layer_info));
if (layer_info == (XCFLayerInfo *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
(void) ResetMagickMemory(layer_info,0,number_layers*sizeof(XCFLayerInfo));
diff -r 0b40602aff9a coders/xwd.c
--- a/coders/xwd.c Fri Sep 28 04:42:08 2007 -0800
+++ b/coders/xwd.c Fri Sep 28 04:54:16 2007 -0800
@@ -143,6 +143,9 @@ static MagickBooleanType IsXWD(const uns
*/
static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
+#define CheckOverflowException(length,width,height) \
+ (((height) != 0) && ((length)/((size_t) height) != ((size_t) width)))
+
char
*comment;
@@ -235,7 +238,7 @@ static Image *ReadXWDImage(const ImageIn
if (length > ((~0UL)/sizeof(*comment)))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
- comment=(char *) AcquireMagickMemory(length+MaxTextExtent);
+ comment=(char *) AcquireQuantumMemory(length+1,sizeof(*comment));
if (comment == (char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
count=ReadBlob(image,length,(unsigned char *) comment);
@@ -289,8 +292,7 @@ static Image *ReadXWDImage(const ImageIn
if (length > ((~0UL)/sizeof(*colors)))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
- colors=(XColor *)
- AcquireMagickMemory((size_t) header.ncolors*sizeof(*colors));
+ colors=(XColor *) AcquireQuantumMemory(length,sizeof(*colors));
if (colors == (XColor *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i < (long) header.ncolors; i++)
@@ -325,7 +327,7 @@ static Image *ReadXWDImage(const ImageIn
length=(size_t) ximage->bytes_per_line*ximage->height;
else
length=(size_t) ximage->bytes_per_line*ximage->height*ximage->depth;
- ximage->data=(char *) AcquireMagickMemory(length);
+ ximage->data=(char *) AcquireQuantumMemory(length,sizeof(*ximage->data));
if (ximage->data == (char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
count=ReadBlob(image,length,(unsigned char *) ximage->data);
@@ -341,6 +343,11 @@ static Image *ReadXWDImage(const ImageIn
image->storage_class=DirectClass;
else
image->storage_class=PseudoClass;
+ if (SetImageExtent(image,0,0) == MagickFalse)
+ {
+ InheritException(exception,&image->exception);
+ return(DestroyImageList(image));
+ }
image->colors=header.ncolors;
if (image_info->ping == MagickFalse)
switch (image->storage_class)
@@ -710,8 +717,8 @@ static MagickBooleanType WriteXWDImage(c
/*
Dump colormap to file.
*/
- colors=(XColor *)
- AcquireMagickMemory((size_t) image->colors*sizeof(*colors));
+ colors=(XColor *) AcquireQuantumMemory((size_t) image->colors,
+ sizeof(*colors));
if (colors == (XColor *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i < (long) image->colors; i++)
@@ -747,7 +754,7 @@ static MagickBooleanType WriteXWDImage(c
length=3*bytes_per_line;
if (image->storage_class == PseudoClass)
length=bytes_per_line;
- pixels=(unsigned char *) AcquireMagickMemory(length);
+ pixels=(unsigned char *) AcquireQuantumMemory(length,sizeof(*pixels));
if (pixels == (unsigned char *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
/*
diff -r e2aaca0548dc -r de5c9530e964 magick/blob.c
--- a/magick/blob.c Tue Sep 25 13:08:40 2007 -0800
+++ b/magick/blob.c Tue Sep 25 13:15:28 2007 -0800
@@ -2876,7 +2876,7 @@ MagickExport char *ReadBlobString(Image
assert(image != (Image *) NULL);
assert(image->signature == MagickSignature);
- for (i=0; i < (long) MaxTextExtent; i++)
+ for (i=0; i < ((long) MaxTextExtent - 1L); i++)
{
p=ReadInlineBlobStream(image,1,buffer,&count);
if (count != 1)
diff -r b474881af7c5 coders/dib.c
--- a/coders/dib.c Fri Sep 28 02:40:55 2007 -0800
+++ b/coders/dib.c Fri Sep 28 02:45:58 2007 -0800
@@ -442,6 +442,14 @@ static MagickBooleanType IsDIB(const uns
%
%
*/
+
+static inline long MagickAbsoluteValue(const long x)
+{
+ if (x < 0)
+ return(-x);
+ return(x);
+}
+
static Image *ReadDIBImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
DIBInfo
@@ -532,7 +540,7 @@ static Image *ReadDIBImage(const ImageIn
dib_info.blue_mask=ReadBlobLSBShort(image);
}
image->matte=dib_info.bits_per_pixel == 32 ? MagickTrue : MagickFalse;
- image->columns=dib_info.width;
+ image->columns=(unsigned long) MagickAbsoluteValue(dib_info.width);
image->rows=AbsoluteValue(dib_info.height);
image->depth=8;
if ((dib_info.number_colors != 0) || (dib_info.bits_per_pixel < 16))
@@ -569,9 +577,12 @@ static Image *ReadDIBImage(const ImageIn
/*
Read DIB raster colormap.
*/
+ if ((4*image->colors) < image->colors)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if (AllocateImageColormap(image,image->colors) == MagickFalse)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- dib_colormap=(unsigned char *) AcquireMagickMemory(4*image->colors);
+ dib_colormap=(unsigned char *) AcquireMagickMemory(4*image->colors*
+ sizeof(*dib_colormap));
if (dib_colormap == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
packet_size=4;
diff -r afaa74b998a6 magick/memory.c
--- a/magick/memory.c Fri Sep 28 03:44:24 2007 -0800
+++ b/magick/memory.c Fri Sep 28 03:47:01 2007 -0800
@@ -356,6 +356,48 @@ MagickExport void *AcquireMagickMemory(c
return(memory);
}
+
+/*
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% %
+% %
+% %
+% A c q u i r e Q u a n t u m M e m o r y %
+% %
+% %
+% %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% AcquireQuantumMemory() returns a pointer to a block of memory at least
+% count * quantum bytes suitably aligned for any use.
+%
+% The format of the AcquireQuantumMemory method is:
+%
+% void *AcquireQuantumMemory(const size_t count,const size_t quantum)
+%
+% A description of each parameter follows:
+%
+% o count: The number of quantum elements to allocate.
+%
+% o quantum: The number of bytes in each quantum.
+%
+*/
+MagickExport void *AcquireQuantumMemory(const size_t count,const size_t quantum)
+{
+ size_t
+ size;
+
+ size=count*quantum;
+ if ((count == 0) || (quantum != (size/count)))
+ {
+ errno=ENOMEM;
+ return((void *) NULL);
+ }
+ return(AcquireMagickMemory(size));
+}
+
+
+
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
@@ -698,3 +740,47 @@ MagickExport void *ResizeMagickMemory(vo
memory=RelinquishMagickMemory(memory);
return(block);
}
+
+/*
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% %
+% %
+% %
+% R e s i z e Q u a n t u m M e m o r y %
+% %
+% %
+% %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% ResizeQuantumMemory() changes the size of the memory and returns a pointer
+% to the (possibly moved) block. The contents will be unchanged up to the
+% lesser of the new and old sizes.
+%
+% The format of the ResizeQuantumMemory method is:
+%
+% void *ResizeQuantumMemory(void *memory,const size_t count,
+% const size_t quantum)
+%
+% A description of each parameter follows:
+%
+% o memory: A pointer to a memory allocation.
+%
+% o count: The number of quantum elements to allocate.
+%
+% o quantum: The number of bytes in each quantum.
+%
+*/
+MagickExport void *ResizeQuantumMemory(void *memory,const size_t count,
+ const size_t quantum)
+{
+ size_t
+ size;
+
+ size=count*quantum;
+ if ((count == 0) || (quantum != (size/count)))
+ {
+ errno=ENOMEM;
+ return((void *) NULL);
+ }
+ return(ResizeMagickMemory(memory,size));
+}
diff -r 60d0dc27683c magick/image.c
--- a/magick/image.c Fri Sep 28 03:58:36 2007 -0800
+++ b/magick/image.c Fri Sep 28 04:01:22 2007 -0800
@@ -2617,6 +2617,50 @@ MagickExport MagickBooleanType SetImageC
return(MagickTrue);
}
+
+/*
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% %
+% %
+% %
+% S e t I m a g e E x t e n t %
+% %
+% %
+% %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% SetImageExtent() sets the image size (i.e. columns & rows).
+%
+% The format of the SetImageExtent method is:
+%
+% MagickBooleanType SetImageExtent(Image *image,
+% const unsigned long columns,const unsigned long rows)
+%
+% A description of each parameter follows:
+%
+% o image: The image.
+%
+% o columns: The image width in pixels.
+%
+% o rows: The image height in pixels.
+%
+*/
+MagickExport MagickBooleanType SetImageExtent(Image *image,
+ const unsigned long columns,const unsigned long rows)
+{
+ PixelPacket
+ *p;
+
+ if ((columns != 0) || (rows != 0))
+ {
+ image->columns=columns;
+ image->rows=rows;
+ }
+ p=SetImagePixels(image,0,0,image->columns,1);
+ return(p != (PixelPacket *) NULL ? MagickTrue : MagickFalse);
+}
+
+
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %