http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a
http://www.openwall.com/lists/oss-security/2017/09/22/2
Some changes were made to make the patch apply. Notably, the DestroyJNG() function in the upstream diff has been replaced by its equivalent, a series of calls to MagickFreeMemory(), DestroyImageInfo(), and DestroyImage(). See http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5.
# HG changeset patch
# User Glenn Randers-Pehrson
# Date 1504014487 14400
# Node ID 358608a46f0a9c55e9bb8b37d09bf1ac9bc87f06
# Parent 38c362f0ae5e7a914c3fe822284c6953f8e6eee2
Fix Issue 439
diff -ru a/coders/png.c b/coders/png.c
--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
+++ b/coders/png.c 2017-09-30 08:20:16.218944991 -0400
@@ -1176,15 +1176,15 @@
 /* allocate space */
 if (length == 0)
 {
- (void) ThrowException2(&image->exception,CoderWarning,
- "invalid profile length",(char *) NULL);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "invalid profile length");
 return (MagickFail);
 }
 info=MagickAllocateMemory(unsigned char *,length);
 if (info == (unsigned char *) NULL)
 {
- (void) ThrowException2(&image->exception,CoderWarning,
- "unable to copy profile",(char *) NULL);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Unable to copy profile");
 return (MagickFail);
 }
 /* copy profile, skipping white space and column 1 "=" signs */
@@ -1197,8 +1197,8 @@
 if (*sp == '\0')
 {
 MagickFreeMemory(info);
- (void) ThrowException2(&image->exception,CoderWarning,
- "ran out of profile data",(char *) NULL);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "ran out of profile data");
 return (MagickFail);
 }
 sp++;
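Review bot: The failure paths here and in the `@@ -1197` and `@@ -1234` hunks now report only through `LogMagickEvent()`, so nothing is recorded in `image->exception` and the `MagickFail` return value is the only signal left for the caller. The caller is outside these hunks, so it is worth confirming that it checks that return rather than carrying on with a partly decoded profile; a short comment above the first call, e.g. `/* logged, not thrown: callers must check for MagickFail */`, would record the new contract. The wording is also inconsistent: this hunk logs `"Unable to copy profile"` while the `@@ -1234` hunk logs `"unable to copy profile"`, and that hunk writes `return MagickFail;` where the others write `return (MagickFail);`.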
@@ -1234,8 +1234,9 @@
 if(SetImageProfile(image,profile_name,info,length) == MagickFail)
 {
 MagickFreeMemory(info);
- (void) ThrowException(&image->exception,ResourceLimitError,
- MemoryAllocationFailed,"unable to copy profile");
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "unable to copy profile");
+ return MagickFail;
 }
 MagickFreeMemory(info);
 return MagickTrue;
@@ -3285,7 +3286,6 @@
 if (status == MagickFalse)
 {
 DestroyJNGInfo(color_image_info,alpha_image_info);
- DestroyImage(alpha_image);
 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
 " could not allocate alpha_image blob");
 return ((Image *)NULL);
@@ -3534,7 +3534,7 @@
 CloseBlob(color_image);
 if (logging)
 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " Reading jng_image from color_blob.");
+ " Reading jng_image from color_blob.");
 FormatString(color_image_info->filename,"%.1024s",color_image->filename);
@@ -3558,13 +3558,18 @@
 if (logging)
 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " Copying jng_image pixels to main image.");
+ " Copying jng_image pixels to main image.");
 image->rows=jng_height;
 image->columns=jng_width;
 length=image->columns*sizeof(PixelPacket);
+ if ((jng_height == 0 || jng_width == 0) && logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " jng_width=%lu jng_height=%lu",
+ (unsigned long)jng_width,(unsigned long)jng_height);
 for (y=0; y < (long) image->rows; y++)
 {
- s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception);
+ s=AcquireImagePixels(jng_image,0,y,image->columns,1,
+ &image->exception);
 q=SetImagePixels(image,0,y,image->columns,1);
 (void) memcpy(q,s,length);
 if (!SyncImagePixels(image))
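Review bot: In the `@@ -3558` hunk the row-copy loop still hands `s` and `q` straight to `memcpy(q,s,length)` without checking either for NULL, and the new zero-dimension branch only logs (and only when `logging` is set) before the loop runs with `image->rows`/`image->columns` taken from `jng_width`/`jng_height`. If the decoded `jng_image` is smaller than those declared dimensions, `AcquireImagePixels()` would presumably fail and return NULL, and the copy would then dereference a null pointer. The same unchecked `s`/`q` pattern is carried into the opacity loop of the `@@ -3589` hunk. I would add `if ((s == NULL) || (q == NULL)) break;` ahead of the `memcpy` and reject the image before the loop when either dimension is zero or disagrees with `jng_image->columns`/`jng_image->rows`. The loop body continues past the end of the hunk.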
@@ -3589,45 +3594,79 @@
 CloseBlob(alpha_image);
 if (logging)
 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " Reading opacity from alpha_blob.");
+ " Reading opacity from alpha_blob.");
 FormatString(alpha_image_info->filename,"%.1024s",
 alpha_image->filename);
 jng_image=ReadImage(alpha_image_info,exception);
- for (y=0; y < (long) image->rows; y++)
+ if (jng_image == (Image *)NULL)
 {
- s=AcquireImagePixels(jng_image,0,y,image->columns,1,
- &image->exception);
- if (image->matte)
- {
- q=SetImagePixels(image,0,y,image->columns,1);
- for (x=(long) image->columns; x > 0; x--,q++,s++)
- q->opacity=(Quantum) MaxRGB-s->red;
- }
- else
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " jng_image is NULL.");
+ if (color_image_info)
+ DestroyImageInfo(color_image_info);
+ if (alpha_image_info)
+ DestroyImageInfo(alpha_image_info);
+ if (color_image)
+ DestroyImage(color_image);
+ if (alpha_image)
+ DestroyImage(alpha_image);
+ }
+ else
+ {
+
+ if (logging)
 {
- q=SetImagePixels(image,0,y,image->columns,1);
- for (x=(long) image->columns; x > 0; x--,q++,s++)
- {
- q->opacity=(Quantum) MaxRGB-s->red;
- if (q->opacity != OpaqueOpacity)
- image->matte=MagickTrue;
- }
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Read jng_image.");
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " jng_image->width=%lu, jng_image->height=%lu",
+ (unsigned long)jng_width,(unsigned long)jng_height);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " image->rows=%lu, image->columns=%lu",
+ (unsigned long)image->rows,
+ (unsigned long)image->columns);
 }
- if (!SyncImagePixels(image))
- break;
- }
- (void) LiberateUniqueFileResource(alpha_image->filename);
- DestroyImage(alpha_image);
- alpha_image = (Image *)NULL;
- DestroyImageInfo(alpha_image_info);
- alpha_image_info = (ImageInfo *)NULL;
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " Destroy the JNG image");
- DestroyImage(jng_image);
- jng_image = (Image *)NULL;
+
+ for (y=0; y < (long) image->rows; y++)
+ {
+ s=AcquireImagePixels(jng_image,0,y,image->columns,1,
+ &image->exception);
+ if (image->matte)
+ {
+ q=SetImagePixels(image,0,y,image->columns,1);
+ for (x=(long) image->columns; x > 0; x--,q++,s++)
+ q->opacity=(Quantum) MaxRGB-s->red;
+ }
+ else
+ {
+ q=SetImagePixels(image,0,y,image->columns,1);
+ for (x=(long) image->columns; x > 0; x--,q++,s++)
+ {
+ q->opacity=(Quantum) MaxRGB-s->red;
+ if (q->opacity != OpaqueOpacity)
+ image->matte=MagickTrue;
+ }
+ }
+ if (!SyncImagePixels(image))
+ break;
+ }
+ (void) LiberateUniqueFileResource(alpha_image->filename);
+ if (color_image_info)
+ DestroyImageInfo(color_image_info);
+ if (alpha_image_info)
+ DestroyImageInfo(alpha_image_info);
+ if (color_image)
+ DestroyImage(color_image);
+ if (alpha_image)
+ DestroyImage(alpha_image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Destroy the JNG image");
+ DestroyImage(jng_image);
+ jng_image = (Image *)NULL;
+ }
 }
 }
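Review bot: The failure branch added for `jng_image == NULL` destroys `color_image_info`, `alpha_image_info`, `color_image` and `alpha_image` but leaves all four pointers dangling, and it never calls `LiberateUniqueFileResource(alpha_image->filename)`, so the temporary alpha file is left behind on every failed decode. The removed lines reset `alpha_image` and `alpha_image_info` to NULL after destroying them, and the new `if (ptr)` guards only help if NULL means "already released". Whether the colour objects were freed earlier in the function, or whether any of the four is touched again later, is outside the hunk; without the resets either case would be a double free or use after free. I would release the temporary file and null each pointer in both branches, as sketched below for the failure branch. Separately, the log line labelled `jng_image->width`/`jng_image->height` prints `jng_width`/`jng_height` rather than the decoded image's own dimensions.

```c
if (jng_image == (Image *)NULL)
  {
    /* … unchanged: "jng_image is NULL." log call … */
    (void) LiberateUniqueFileResource(alpha_image->filename);
    if (color_image_info)
      {
        DestroyImageInfo(color_image_info);
        color_image_info=(ImageInfo *)NULL;
      }
    if (alpha_image_info)
      {
        DestroyImageInfo(alpha_image_info);
        alpha_image_info=(ImageInfo *)NULL;
      }
    if (color_image)
      {
        DestroyImage(color_image);
        color_image=(Image *)NULL;
      }
    if (alpha_image)
      {
        DestroyImage(alpha_image);
        alpha_image=(Image *)NULL;
      }
  }
/* … unchanged: else branch (opacity loop); give its cleanup the same NULL resets … */
```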