gnu: graphicsmagick: Update to 1.3.27.

* gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch,
gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch,
gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch,
gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch,
gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch,
gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch,
gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch,
gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch,
gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
* gnu/packages/imagemagick.scm (graphicsmagick): Update to 1.3.27.
[source](patches): Remove.
This commit is contained in:
Marius Bakke 2017-12-10 19:15:44 +01:00
parent 4cb7794115
commit 0f4ab4a59f
No known key found for this signature in database
GPG Key ID: A2A06DF2A33A54FA
11 changed files with 2 additions and 966 deletions

View File

@ -704,15 +704,6 @@ dist_patch_DATA = \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-cc.patch \
%D%/packages/patches/gobject-introspection-girepository.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12935.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12936.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-13775.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-14042.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-14165.patch \
%D%/packages/patches/graphicsmagick-CVE-2017-14649.patch \
%D%/packages/patches/graphite2-ffloat-store.patch \
%D%/packages/patches/grep-gnulib-lock.patch \
%D%/packages/patches/grep-timing-sensitive-test.patch \

View File

@ -164,7 +164,7 @@ script.")
(define-public graphicsmagick
(package
(name "graphicsmagick")
(version "1.3.26")
(version "1.3.27")
(source (origin
(method url-fetch)
(uri
@ -176,17 +176,7 @@ script.")
"/GraphicsMagick-" version ".tar.xz")))
(sha256
(base32
"122zgs96dqrys62mnh8x5yvfff6km4d3yrnvaxzg3mg5sprib87v"))
(patches
(search-patches "graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch"
"graphicsmagick-CVE-2017-12935.patch"
"graphicsmagick-CVE-2017-12936.patch"
"graphicsmagick-CVE-2017-12937.patch"
"graphicsmagick-CVE-2017-13775.patch"
"graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"
"graphicsmagick-CVE-2017-14042.patch"
"graphicsmagick-CVE-2017-14165.patch"
"graphicsmagick-CVE-2017-14649.patch"))))
"0rq35p3rml10cxz2z4s7xcfsilhhk19mmy094g3ivz0fg797hcnh"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags

View File

@ -1,137 +0,0 @@
http://www.openwall.com/lists/oss-security/2017/09/01/6
CVE-2017-11403:
http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37
CVE-2017-14103:
http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f
some changes were made to make the patch apply
# HG changeset patch
# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
# Date 1503875721 14400
# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2
# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad
Attempt to fix Issue 440.
diff -ru a/coders/png.c b/coders/png.c
--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
+++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400
@@ -3106,7 +3106,9 @@
if (length > PNG_MAX_UINT || count == 0)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(CorruptImageError,CorruptImage,image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "chunk length (%lu) > PNG_MAX_UINT",length);
+ return ((Image*)NULL);
}
chunk=(unsigned char *) NULL;
@@ -3117,13 +3119,16 @@
if (chunk == (unsigned char *) NULL)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
- image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Could not allocate chunk memory");
+ return ((Image*)NULL);
}
if (ReadBlob(image,length,chunk) < length)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(CorruptImageError,CorruptImage,image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " chunk reading was incomplete");
+ return ((Image*)NULL);
}
p=chunk;
}
@@ -3198,7 +3203,7 @@
jng_width, jng_height);
MagickFreeMemory(chunk);
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+ return ((Image *)NULL);
}
/* Temporarily set width and height resources to match JHDR */
@@ -3233,8 +3238,9 @@
if (color_image == (Image *) NULL)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
- image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not open color_image blob");
+ return ((Image *)NULL);
}
if (logging)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
@@ -3245,7 +3251,9 @@
if (status == MagickFalse)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not open color_image blob");
+ return ((Image *)NULL);
}
if (!image_info->ping && jng_color_type >= 12)
@@ -3255,17 +3263,18 @@
if (alpha_image_info == (ImageInfo *) NULL)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(ResourceLimitError,
- MemoryAllocationFailed, image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not allocate alpha_image_info",length);
+ return ((Image *)NULL);
}
GetImageInfo(alpha_image_info);
alpha_image=AllocateImage(alpha_image_info);
if (alpha_image == (Image *) NULL)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(ResourceLimitError,
- MemoryAllocationFailed,
- alpha_image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not allocate alpha_image");
+ return ((Image *)NULL);
}
if (logging)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
@@ -3277,7 +3286,9 @@
{
DestroyJNGInfo(color_image_info,alpha_image_info);
DestroyImage(alpha_image);
- ThrowReaderException(CoderError,UnableToOpenBlob,image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not allocate alpha_image blob");
+ return ((Image *)NULL);
}
if (jng_alpha_compression_method == 0)
{
@@ -3613,6 +3624,8 @@
alpha_image = (Image *)NULL;
DestroyImageInfo(alpha_image_info);
alpha_image_info = (ImageInfo *)NULL;
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Destroy the JNG image");
DestroyImage(jng_image);
jng_image = (Image *)NULL;
}
@@ -5146,8 +5159,8 @@
if (image == (Image *) NULL)
{
- DestroyImageList(previous);
CloseBlob(previous);
+ DestroyImageList(previous);
MngInfoFreeStruct(mng_info,&have_mng_structure);
return((Image *) NULL);
}

View File

@ -1,28 +0,0 @@
This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188.
diff -ur a/coders/png.c b/coders/png.c
--- a/coders/png.c 2017-07-04 17:32:08.000000000 -0400
+++ b/coders/png.c 2017-08-19 11:16:20.933969362 -0400
@@ -4101,11 +4101,17 @@
mng_info->image=image;
}
- if ((mng_info->mng_width > 65535L) || (mng_info->mng_height
- > 65535L))
- (void) ThrowException(&image->exception,ImageError,
- WidthOrHeightExceedsLimit,
- image->filename);
+ if ((mng_info->mng_width > 65535L) ||
+ (mng_info->mng_height > 65535L))
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " MNG width or height is too large: %lu, %lu",
+ mng_info->mng_width,mng_info->mng_height);
+ MagickFreeMemory(chunk);
+ ThrowReaderException(CorruptImageError,
+ ImproperImageHeader,image);
+ }
+
FormatString(page_geometry,"%lux%lu+0+0",mng_info->mng_width,
mng_info->mng_height);
mng_info->frame.left=0;

View File

@ -1,16 +0,0 @@
This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd.
diff -ur a/coders/wmf.c b/coders/wmf.c
--- a/coders/wmf.c 2016-09-05 15:20:23.000000000 -0400
+++ b/coders/wmf.c 2017-08-19 10:38:08.984187264 -0400
@@ -2719,8 +2719,8 @@
if(image->exception.severity != UndefinedException)
ThrowException2(exception,
CoderWarning,
- ddata->image->exception.reason,
- ddata->image->exception.description);
+ image->exception.reason,
+ image->exception.description);
if(logging)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),"leave ReadWMFImage()");

View File

@ -1,28 +0,0 @@
This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/95d00d55e978.
diff -ur a/coders/sun.c b/coders/sun.c
--- a/coders/sun.c 2016-05-30 13:19:54.000000000 -0400
+++ b/coders/sun.c 2017-08-18 18:00:00.191023610 -0400
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003-2015 GraphicsMagick Group
+% Copyright (C) 2003-2017 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
% Copyright 1991-1999 E. I. du Pont de Nemours and Company
%
@@ -577,6 +577,7 @@
for (bit=7; bit >= 0; bit--)
{
index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
+ VerifyColormapIndex(image,index);
indexes[x+7-bit]=index;
q[x+7-bit]=image->colormap[index];
}
@@ -587,6 +588,7 @@
for (bit=7; bit >= (long) (8-(image->columns % 8)); bit--)
{
index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
+ VerifyColormapIndex(image,index);
indexes[x+7-bit]=index;
q[x+7-bit]=image->colormap[index];
}

View File

@ -1,195 +0,0 @@
http://openwall.com/lists/oss-security/2017/08/31/3
http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/b037d79b6ccd
some changes were made to make the patch apply
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1503774853 18000
# Node ID b037d79b6ccd0cfba7ba9ce09b454ed46d688036
# Parent 198ea602ea7cc767dc3022bbcf887bcd4534158d
JNX: Fix DOS issues
diff -r 198ea602ea7c -r b037d79b6ccd coders/jnx.c
--- a/coders/jnx.c Tue Aug 22 08:08:30 2017 -0500
+++ b/coders/jnx.c Sat Aug 26 14:14:13 2017 -0500
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2012-2015 GraphicsMagick Group
+% Copyright (C) 2012-2017 GraphicsMagick Group
%
% This program is covered by multiple licenses, which are described in
% Copyright.txt. You should have received a copy of Copyright.txt with this
@@ -100,6 +100,7 @@
char img_label_str[MaxTextExtent];
+
alloc_size = TileInfo->PicSize + 2;
if (image->logging)
@@ -242,6 +243,9 @@
total_tiles,
current_tile;
+ magick_off_t
+ file_size;
+
/* Open image file. */
assert(image_info != (const ImageInfo *) NULL);
assert(image_info->signature == MagickSignature);
@@ -254,9 +258,8 @@
if (status == False)
ThrowReaderException(FileOpenError, UnableToOpenFile, image);
- memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
-
/* Read JNX image header. */
+ (void) memset(&JNXHeader, 0, sizeof(JNXHeader));
JNXHeader.Version = ReadBlobLSBLong(image);
if (JNXHeader.Version > 4)
ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
@@ -266,8 +269,6 @@
JNXHeader.MapBounds.SouthWest.lat = ReadBlobLSBLong(image);
JNXHeader.MapBounds.SouthWest.lon = ReadBlobLSBLong(image);
JNXHeader.Levels = ReadBlobLSBLong(image);
- if (JNXHeader.Levels > 20)
- ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
JNXHeader.Expiration = ReadBlobLSBLong(image);
JNXHeader.ProductID = ReadBlobLSBLong(image);
JNXHeader.CRC = ReadBlobLSBLong(image);
@@ -279,7 +280,41 @@
if (EOFBlob(image))
ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ file_size = GetBlobSize(image);
+
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "JNX Header:\n"
+ " Version: %u\n"
+ " DeviceSN: %u\n"
+ " MapBounds:\n"
+ " NorthEast: lat = %u, lon = %u\n"
+ " SouthWest: lat = %u, lon = %u\n"
+ " Levels: %u\n"
+ " Expiration: %u\n"
+ " ProductID: %u\n"
+ " CRC: %u\n"
+ " SigVersion: %u\n"
+ " SigOffset: %u\n"
+ " ZOrder: %u",
+ JNXHeader.Version,
+ JNXHeader.DeviceSN,
+ JNXHeader.MapBounds.NorthEast.lat,
+ JNXHeader.MapBounds.NorthEast.lon,
+ JNXHeader.MapBounds.SouthWest.lat,
+ JNXHeader.MapBounds.SouthWest.lon,
+ JNXHeader.Levels,
+ JNXHeader.Expiration,
+ JNXHeader.ProductID,
+ JNXHeader.CRC,
+ JNXHeader.SigVersion,
+ JNXHeader.SigOffset,
+ JNXHeader.ZOrder);
+
+ if (JNXHeader.Levels > 20)
+ ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
+
/* Read JNX image level info. */
+ memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
total_tiles = 0;
current_tile = 0;
for (i = 0; i < JNXHeader.Levels; i++)
@@ -302,11 +337,23 @@
{
JNXLevelInfo[i].Copyright = NULL;
}
+
+ if (EOFBlob(image))
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+
+ if (image->logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Level[%u] Info:"
+ " TileCount: %4u"
+ " TilesOffset: %6u"
+ " Scale: %04u",
+ i,
+ JNXLevelInfo[i].TileCount,
+ JNXLevelInfo[i].TilesOffset,
+ JNXLevelInfo[i].Scale
+ );
}
- if (EOFBlob(image))
- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-
/* Get the current limit */
SaveLimit = GetMagickResourceLimit(MapResource);
@@ -316,11 +363,32 @@
/* Read JNX image data. */
for (i = 0; i < JNXHeader.Levels; i++)
{
+ /*
+ Validate TileCount against remaining file data
+ */
+ const magick_off_t current_offset = TellBlob(image);
+ const size_t pos_list_entry_size =
+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + sizeof(magick_uint32_t) +
+ sizeof(magick_uint32_t) + sizeof(magick_uint16_t) + sizeof(magick_uint16_t) +
+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t);
+ const magick_off_t remaining = file_size-current_offset;
+ const size_t needed = MagickArraySize(pos_list_entry_size,JNXLevelInfo[i].TileCount);
+
+ if ((needed == 0U) || (remaining <= 0) || (remaining < (magick_off_t) needed))
+ {
+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ }
+
PositionList = MagickAllocateArray(TJNXTileInfo *,
JNXLevelInfo[i].TileCount,
sizeof(TJNXTileInfo));
if (PositionList == NULL)
- continue;
+ {
+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
+ image);
+ }
(void) SeekBlob(image, JNXLevelInfo[i].TilesOffset, SEEK_SET);
for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
@@ -333,12 +401,15 @@
PositionList[j].PicHeight = ReadBlobLSBShort(image);
PositionList[j].PicSize = ReadBlobLSBLong(image);
PositionList[j].PicOffset = ReadBlobLSBLong(image);
- }
- if (EOFBlob(image))
- {
- MagickFreeMemory(PositionList);
- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ if (EOFBlob(image) ||
+ ((magick_off_t) PositionList[j].PicOffset +
+ PositionList[j].PicSize > file_size))
+ {
+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
+ MagickFreeMemory(PositionList);
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ }
}
for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
@@ -351,6 +422,9 @@
image = ExtractTileJPG(image, image_info, PositionList+j, exception);
(void) SetMonitorHandler(previous_handler);
+ if (exception->severity >= ErrorException)
+ break;
+
current_tile++;
if (QuantumTick(current_tile,total_tiles))
if (!MagickMonitorFormatted(current_tile,total_tiles,exception,

View File

@ -1,179 +0,0 @@
http://openwall.com/lists/oss-security/2017/08/31/1
http://openwall.com/lists/oss-security/2017/08/31/2
http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/233a720bfd5e
some changes were made to make the patch apply
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1503779175 18000
# Node ID 233a720bfd5efd378f133a776507ed41230da617
# Parent b037d79b6ccd0cfba7ba9ce09b454ed46d688036
XBM: Fix DOS issues.
diff -r b037d79b6ccd -r 233a720bfd5e coders/xbm.c
--- a/coders/xbm.c Sat Aug 26 14:14:13 2017 -0500
+++ b/coders/xbm.c Sat Aug 26 15:26:15 2017 -0500
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003 -2012 GraphicsMagick Group
+% Copyright (C) 2003-2017 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
% Copyright 1991-1999 E. I. du Pont de Nemours and Company
%
@@ -121,13 +121,15 @@
static int XBMInteger(Image *image,short int *hex_digits)
{
+ unsigned int
+ flag;
+
int
c,
- flag,
value;
value=0;
- flag=0;
+ flag=0U;
for ( ; ; )
{
c=ReadBlobByte(image);
@@ -158,18 +160,14 @@
Image
*image;
- int
- bit;
-
- long
- y;
-
register IndexPacket
*indexes;
- register long
+ register size_t
+ bytes_per_line,
i,
- x;
+ x,
+ y;
register PixelPacket
*q;
@@ -177,22 +175,24 @@
register unsigned char
*p;
- short int
- hex_digits[256];
-
unsigned char
*data;
unsigned int
+ bit,
+ byte,
+ padding,
+ version;
+
+ int
+ value;
+
+ short int
+ hex_digits[256];
+
+ MagickPassFail
status;
- unsigned long
- byte,
- bytes_per_line,
- padding,
- value,
- version;
-
/*
Open image file.
*/
@@ -207,6 +207,8 @@
/*
Read X bitmap header.
*/
+ (void) memset(buffer,0,sizeof(buffer));
+ name[0]='\0';
while (ReadBlobString(image,buffer) != (char *) NULL)
if (sscanf(buffer,"#define %s %lu",name,&image->columns) == 2)
if ((strlen(name) >= 6) &&
@@ -278,6 +280,8 @@
/*
Initialize hex values.
*/
+ for (i = 0; i < sizeof(hex_digits)/sizeof(hex_digits[0]); i++)
+ hex_digits[i]=(-1);
hex_digits['0']=0;
hex_digits['1']=1;
hex_digits['2']=2;
@@ -311,40 +315,50 @@
*/
p=data;
if (version == 10)
- for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2))
+ for (i=0; i < (bytes_per_line*image->rows); (i+=2))
{
value=XBMInteger(image,hex_digits);
+ if (value < 0)
+ {
+ MagickFreeMemory(data);
+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+ }
*p++=(unsigned char) value;
if (!padding || ((i+2) % bytes_per_line))
*p++=(unsigned char) (value >> 8);
}
else
- for (i=0; i < (long) (bytes_per_line*image->rows); i++)
+ for (i=0; i < (bytes_per_line*image->rows); i++)
{
value=XBMInteger(image,hex_digits);
+ if (value < 0)
+ {
+ MagickFreeMemory(data);
+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+ }
*p++=(unsigned char) value;
}
/*
Convert X bitmap image to pixel packets.
*/
p=data;
- for (y=0; y < (long) image->rows; y++)
+ for (y=0; y < image->rows; y++)
{
q=SetImagePixels(image,0,y,image->columns,1);
if (q == (PixelPacket *) NULL)
break;
indexes=AccessMutableIndexes(image);
- bit=0;
- byte=0;
- for (x=0; x < (long) image->columns; x++)
+ bit=0U;
+ byte=0U;
+ for (x=0; x < image->columns; x++)
{
- if (bit == 0)
+ if (bit == 0U)
byte=(*p++);
indexes[x]=byte & 0x01 ? 0x01 : 0x00;
bit++;
- byte>>=1;
- if (bit == 8)
- bit=0;
+ byte>>=1U;
+ if (bit == 8U)
+ bit=0U;
}
if (!SyncImagePixels(image))
break;

View File

@ -1,80 +0,0 @@
http://openwall.com/lists/oss-security/2017/08/28/5
http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d
some changes were made to make the patch apply
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1503268616 18000
# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072
# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3
PNM: For binary formats, verify sufficient backing file data before memory request.
diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c
--- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500
+++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500
@@ -569,7 +569,7 @@
(void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u",
image->colors);
}
- number_pixels=image->columns*image->rows;
+ number_pixels=MagickArraySize(image->columns,image->rows);
if (number_pixels == 0)
ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image);
if (image->storage_class == PseudoClass)
@@ -858,14 +858,14 @@
if (1 == bits_per_sample)
{
/* PBM */
- bytes_per_row=((image->columns+7) >> 3);
+ bytes_per_row=((image->columns+7U) >> 3);
import_options.grayscale_miniswhite=MagickTrue;
quantum_type=GrayQuantum;
}
else
{
/* PGM & XV_332 */
- bytes_per_row=((bits_per_sample+7)/8)*image->columns;
+ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns);
if (XV_332_Format == format)
{
quantum_type=IndexQuantum;
@@ -878,7 +878,8 @@
}
else
{
- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns;
+ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel),
+ image->columns);
if (3 == samples_per_pixel)
{
/* PPM */
@@ -915,6 +916,28 @@
is_monochrome=MagickFalse;
}
}
+
+ /* Validate file size before allocating memory */
+ if (BlobIsSeekable(image))
+ {
+ const magick_off_t file_size = GetBlobSize(image);
+ const magick_off_t current_offset = TellBlob(image);
+ if ((file_size > 0) &&
+ (current_offset > 0) &&
+ (file_size > current_offset))
+ {
+ const magick_off_t remaining = file_size-current_offset;
+ const magick_off_t needed = (magick_off_t) image->rows *
+ (magick_off_t) bytes_per_row;
+ if ((remaining < (magick_off_t) bytes_per_row) ||
+ (remaining < needed))
+ {
+ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,
+ image->filename);
+ break;
+ }
+ }
+ }
scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1);
if (scanline_set == (ThreadViewDataSet *) NULL)

View File

@ -1,72 +0,0 @@
http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/493da54370aa
http://openwall.com/lists/oss-security/2017/09/06/4
some changes were made to make the patch apply
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1503257388 18000
# Node ID 493da54370aa42cb430c52a69eb75db0001a5589
# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f
SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions.
diff -r f87246749079 -r 493da54370aa coders/sun.c
--- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200
+++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500
@@ -498,6 +498,12 @@
if (sun_info.depth < 8)
image->depth=sun_info.depth;
+ if (image_info->ping)
+ {
+ CloseBlob(image);
+ return(image);
+ }
+
/*
Compute bytes per line and bytes per image for an unencoded
image.
@@ -522,15 +528,37 @@
if (bytes_per_image > sun_info.length)
ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
- if (image_info->ping)
- {
- CloseBlob(image);
- return(image);
- }
if (sun_info.type == RT_ENCODED)
sun_data_length=(size_t) sun_info.length;
else
sun_data_length=bytes_per_image;
+
+ /*
+ Verify that data length claimed by header is supported by file size
+ */
+ if (sun_info.type == RT_ENCODED)
+ {
+ if (sun_data_length < bytes_per_image/255U)
+ {
+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+ }
+ }
+ if (BlobIsSeekable(image))
+ {
+ const magick_off_t file_size = GetBlobSize(image);
+ const magick_off_t current_offset = TellBlob(image);
+ if ((file_size > 0) &&
+ (current_offset > 0) &&
+ (file_size > current_offset))
+ {
+ const magick_off_t remaining = file_size-current_offset;
+ if (remaining < (magick_off_t) sun_data_length)
+ {
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ }
+ }
+ }
+
sun_data=MagickAllocateMemory(unsigned char *,sun_data_length);
if (sun_data == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);

View File

@ -1,210 +0,0 @@
http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a
http://www.openwall.com/lists/oss-security/2017/09/22/2
Some changes were made to make the patch apply.
Notably, the DestroyJNG() function in the upstream diff has been replaced by
its equivalent, a series of calls to MagickFreeMemory(), DestroyImageInfo(),
and DestroyImage(). See
http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5.
# HG changeset patch
# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
# Date 1504014487 14400
# Node ID 358608a46f0a9c55e9bb8b37d09bf1ac9bc87f06
# Parent 38c362f0ae5e7a914c3fe822284c6953f8e6eee2
Fix Issue 439
diff -ru a/coders/png.c b/coders/png.c
--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
+++ b/coders/png.c 2017-09-30 08:20:16.218944991 -0400
@@ -1176,15 +1176,15 @@
/* allocate space */
if (length == 0)
{
- (void) ThrowException2(&image->exception,CoderWarning,
- "invalid profile length",(char *) NULL);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "invalid profile length");
return (MagickFail);
}
info=MagickAllocateMemory(unsigned char *,length);
if (info == (unsigned char *) NULL)
{
- (void) ThrowException2(&image->exception,CoderWarning,
- "unable to copy profile",(char *) NULL);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Unable to copy profile");
return (MagickFail);
}
/* copy profile, skipping white space and column 1 "=" signs */
@@ -1197,8 +1197,8 @@
if (*sp == '\0')
{
MagickFreeMemory(info);
- (void) ThrowException2(&image->exception,CoderWarning,
- "ran out of profile data",(char *) NULL);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "ran out of profile data");
return (MagickFail);
}
sp++;
@@ -1234,8 +1234,9 @@
if(SetImageProfile(image,profile_name,info,length) == MagickFail)
{
MagickFreeMemory(info);
- (void) ThrowException(&image->exception,ResourceLimitError,
- MemoryAllocationFailed,"unable to copy profile");
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "unable to copy profile");
+ return MagickFail;
}
MagickFreeMemory(info);
return MagickTrue;
@@ -3285,7 +3286,6 @@
if (status == MagickFalse)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- DestroyImage(alpha_image);
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
" could not allocate alpha_image blob");
return ((Image *)NULL);
@@ -3534,7 +3534,7 @@
CloseBlob(color_image);
if (logging)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " Reading jng_image from color_blob.");
+ " Reading jng_image from color_blob.");
FormatString(color_image_info->filename,"%.1024s",color_image->filename);
@@ -3558,13 +3558,18 @@
if (logging)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " Copying jng_image pixels to main image.");
+ " Copying jng_image pixels to main image.");
image->rows=jng_height;
image->columns=jng_width;
length=image->columns*sizeof(PixelPacket);
+ if ((jng_height == 0 || jng_width == 0) && logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " jng_width=%lu jng_height=%lu",
+ (unsigned long)jng_width,(unsigned long)jng_height);
for (y=0; y < (long) image->rows; y++)
{
- s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception);
+ s=AcquireImagePixels(jng_image,0,y,image->columns,1,
+ &image->exception);
q=SetImagePixels(image,0,y,image->columns,1);
(void) memcpy(q,s,length);
if (!SyncImagePixels(image))
@@ -3589,45 +3594,79 @@
CloseBlob(alpha_image);
if (logging)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " Reading opacity from alpha_blob.");
+ " Reading opacity from alpha_blob.");
FormatString(alpha_image_info->filename,"%.1024s",
alpha_image->filename);
jng_image=ReadImage(alpha_image_info,exception);
- for (y=0; y < (long) image->rows; y++)
+ if (jng_image == (Image *)NULL)
{
- s=AcquireImagePixels(jng_image,0,y,image->columns,1,
- &image->exception);
- if (image->matte)
- {
- q=SetImagePixels(image,0,y,image->columns,1);
- for (x=(long) image->columns; x > 0; x--,q++,s++)
- q->opacity=(Quantum) MaxRGB-s->red;
- }
- else
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " jng_image is NULL.");
+ if (color_image_info)
+ DestroyImageInfo(color_image_info);
+ if (alpha_image_info)
+ DestroyImageInfo(alpha_image_info);
+ if (color_image)
+ DestroyImage(color_image);
+ if (alpha_image)
+ DestroyImage(alpha_image);
+ }
+ else
+ {
+
+ if (logging)
{
- q=SetImagePixels(image,0,y,image->columns,1);
- for (x=(long) image->columns; x > 0; x--,q++,s++)
- {
- q->opacity=(Quantum) MaxRGB-s->red;
- if (q->opacity != OpaqueOpacity)
- image->matte=MagickTrue;
- }
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Read jng_image.");
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " jng_image->width=%lu, jng_image->height=%lu",
+ (unsigned long)jng_width,(unsigned long)jng_height);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " image->rows=%lu, image->columns=%lu",
+ (unsigned long)image->rows,
+ (unsigned long)image->columns);
}
- if (!SyncImagePixels(image))
- break;
- }
- (void) LiberateUniqueFileResource(alpha_image->filename);
- DestroyImage(alpha_image);
- alpha_image = (Image *)NULL;
- DestroyImageInfo(alpha_image_info);
- alpha_image_info = (ImageInfo *)NULL;
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " Destroy the JNG image");
- DestroyImage(jng_image);
- jng_image = (Image *)NULL;
+
+ for (y=0; y < (long) image->rows; y++)
+ {
+ s=AcquireImagePixels(jng_image,0,y,image->columns,1,
+ &image->exception);
+ if (image->matte)
+ {
+ q=SetImagePixels(image,0,y,image->columns,1);
+ for (x=(long) image->columns; x > 0; x--,q++,s++)
+ q->opacity=(Quantum) MaxRGB-s->red;
+ }
+ else
+ {
+ q=SetImagePixels(image,0,y,image->columns,1);
+ for (x=(long) image->columns; x > 0; x--,q++,s++)
+ {
+ q->opacity=(Quantum) MaxRGB-s->red;
+ if (q->opacity != OpaqueOpacity)
+ image->matte=MagickTrue;
+ }
+ }
+ if (!SyncImagePixels(image))
+ break;
+ }
+ (void) LiberateUniqueFileResource(alpha_image->filename);
+ if (color_image_info)
+ DestroyImageInfo(color_image_info);
+ if (alpha_image_info)
+ DestroyImageInfo(alpha_image_info);
+ if (color_image)
+ DestroyImage(color_image);
+ if (alpha_image)
+ DestroyImage(alpha_image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Destroy the JNG image");
+ DestroyImage(jng_image);
+ jng_image = (Image *)NULL;
+ }
}
}