http://www.openwall.com/lists/oss-security/2017/09/01/6 CVE-2017-11403: http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37 CVE-2017-14103: http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f some changes were made to make the patch apply # HG changeset patch # User Glenn Randers-Pehrson # Date 1503875721 14400 # Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2 # Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad Attempt to fix Issue 440. diff -ru a/coders/png.c b/coders/png.c --- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500 +++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400 @@ -3106,7 +3106,9 @@ if (length > PNG_MAX_UINT || count == 0) { DestroyJNGInfo(color_image_info,alpha_image_info); - ThrowReaderException(CorruptImageError,CorruptImage,image); + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + "chunk length (%lu) > PNG_MAX_UINT",length); + return ((Image*)NULL); } chunk=(unsigned char *) NULL; @@ -3117,13 +3119,16 @@ if (chunk == (unsigned char *) NULL) { DestroyJNGInfo(color_image_info,alpha_image_info); - ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, - image); + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " Could not allocate chunk memory"); + return ((Image*)NULL); } if (ReadBlob(image,length,chunk) < length) { DestroyJNGInfo(color_image_info,alpha_image_info); - ThrowReaderException(CorruptImageError,CorruptImage,image); + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " chunk reading was incomplete"); + return ((Image*)NULL); } p=chunk; } @@ -3198,7 +3203,7 @@ jng_width, jng_height); MagickFreeMemory(chunk); DestroyJNGInfo(color_image_info,alpha_image_info); - ThrowReaderException(CorruptImageError,ImproperImageHeader,image); + return ((Image *)NULL); } /* Temporarily set width and height resources to match JHDR */ @@ -3233,8 +3238,9 @@ if (color_image == (Image *) NULL) { DestroyJNGInfo(color_image_info,alpha_image_info); - ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, - image); + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " could not open color_image blob"); + return ((Image *)NULL); } if (logging) (void) LogMagickEvent(CoderEvent,GetMagickModule(), @@ -3245,7 +3251,9 @@ if (status == MagickFalse) { DestroyJNGInfo(color_image_info,alpha_image_info); - ThrowReaderException(CoderError,UnableToOpenBlob,color_image); + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " could not open color_image blob"); + return ((Image *)NULL); } if (!image_info->ping && jng_color_type >= 12) @@ -3255,17 +3263,18 @@ if (alpha_image_info == (ImageInfo *) NULL) { DestroyJNGInfo(color_image_info,alpha_image_info); - ThrowReaderException(ResourceLimitError, - MemoryAllocationFailed, image); + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " could not allocate alpha_image_info",length); + return ((Image *)NULL); } GetImageInfo(alpha_image_info); alpha_image=AllocateImage(alpha_image_info); if (alpha_image == (Image *) NULL) { DestroyJNGInfo(color_image_info,alpha_image_info); - ThrowReaderException(ResourceLimitError, - MemoryAllocationFailed, - alpha_image); + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " could not allocate alpha_image"); + return ((Image *)NULL); } if (logging) (void) LogMagickEvent(CoderEvent,GetMagickModule(), @@ -3277,7 +3286,9 @@ { DestroyJNGInfo(color_image_info,alpha_image_info); DestroyImage(alpha_image); - ThrowReaderException(CoderError,UnableToOpenBlob,image); + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " could not allocate alpha_image blob"); + return ((Image *)NULL); } if (jng_alpha_compression_method == 0) { @@ -3613,6 +3624,8 @@ alpha_image = (Image *)NULL; DestroyImageInfo(alpha_image_info); alpha_image_info = (ImageInfo *)NULL; + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " Destroy the JNG image"); DestroyImage(jng_image); jng_image = (Image *)NULL; } @@ -5146,8 +5159,8 @@ if (image == (Image *) NULL) { - DestroyImageList(previous); CloseBlob(previous); + DestroyImageList(previous); MngInfoFreeStruct(mng_info,&have_mng_structure); return((Image *) NULL); }