gnu: graphicsmagick: Fix CVE-2017-14042.
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch. * gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch: New files. * gnu/local.mk (dist_patch_DATA): Register them.
This commit is contained in:
parent
c2a59a92bb
commit
2cc752c0b0
|
@ -680,6 +680,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \
|
||||
%D%/packages/patches/graphicsmagick-CVE-2017-13775.patch \
|
||||
%D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch \
|
||||
%D%/packages/patches/graphicsmagick-CVE-2017-14042.patch \
|
||||
%D%/packages/patches/graphite2-ffloat-store.patch \
|
||||
%D%/packages/patches/grep-gnulib-lock.patch \
|
||||
%D%/packages/patches/grep-timing-sensitive-test.patch \
|
||||
|
|
|
@ -182,7 +182,8 @@ script.")
|
|||
"graphicsmagick-CVE-2017-12936.patch"
|
||||
"graphicsmagick-CVE-2017-12937.patch"
|
||||
"graphicsmagick-CVE-2017-13775.patch"
|
||||
"graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"))))
|
||||
"graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"
|
||||
"graphicsmagick-CVE-2017-14042.patch"))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
`(#:configure-flags
|
||||
|
|
|
@ -0,0 +1,80 @@
|
|||
http://openwall.com/lists/oss-security/2017/08/28/5
|
||||
http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d
|
||||
|
||||
some changes were made to make the patch apply
|
||||
|
||||
# HG changeset patch
|
||||
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
|
||||
# Date 1503268616 18000
|
||||
# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072
|
||||
# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3
|
||||
PNM: For binary formats, verify sufficient backing file data before memory request.
|
||||
|
||||
diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c
|
||||
--- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500
|
||||
+++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500
|
||||
@@ -569,7 +569,7 @@
|
||||
(void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u",
|
||||
image->colors);
|
||||
}
|
||||
- number_pixels=image->columns*image->rows;
|
||||
+ number_pixels=MagickArraySize(image->columns,image->rows);
|
||||
if (number_pixels == 0)
|
||||
ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image);
|
||||
if (image->storage_class == PseudoClass)
|
||||
@@ -858,14 +858,14 @@
|
||||
if (1 == bits_per_sample)
|
||||
{
|
||||
/* PBM */
|
||||
- bytes_per_row=((image->columns+7) >> 3);
|
||||
+ bytes_per_row=((image->columns+7U) >> 3);
|
||||
import_options.grayscale_miniswhite=MagickTrue;
|
||||
quantum_type=GrayQuantum;
|
||||
}
|
||||
else
|
||||
{
|
||||
/* PGM & XV_332 */
|
||||
- bytes_per_row=((bits_per_sample+7)/8)*image->columns;
|
||||
+ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns);
|
||||
if (XV_332_Format == format)
|
||||
{
|
||||
quantum_type=IndexQuantum;
|
||||
@@ -878,7 +878,8 @@
|
||||
}
|
||||
else
|
||||
{
|
||||
- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns;
|
||||
+ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel),
|
||||
+ image->columns);
|
||||
if (3 == samples_per_pixel)
|
||||
{
|
||||
/* PPM */
|
||||
@@ -915,6 +916,28 @@
|
||||
is_monochrome=MagickFalse;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ /* Validate file size before allocating memory */
|
||||
+ if (BlobIsSeekable(image))
|
||||
+ {
|
||||
+ const magick_off_t file_size = GetBlobSize(image);
|
||||
+ const magick_off_t current_offset = TellBlob(image);
|
||||
+ if ((file_size > 0) &&
|
||||
+ (current_offset > 0) &&
|
||||
+ (file_size > current_offset))
|
||||
+ {
|
||||
+ const magick_off_t remaining = file_size-current_offset;
|
||||
+ const magick_off_t needed = (magick_off_t) image->rows *
|
||||
+ (magick_off_t) bytes_per_row;
|
||||
+ if ((remaining < (magick_off_t) bytes_per_row) ||
|
||||
+ (remaining < needed))
|
||||
+ {
|
||||
+ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,
|
||||
+ image->filename);
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
|
||||
scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1);
|
||||
if (scanline_set == (ThreadViewDataSet *) NULL)
|
Loading…
Reference in New Issue