rpms/ImageMagick
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

fix several vulnerabilities

Browse Source
This commit is contained in:
Matthias Clasen 2006-08-23 07:05:22 +00:00
parent 4e79dd200e
commit 90930a610a
3 changed files with 138 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

112
ImageMagick-6.2.8-cve-2006-3743.patch Normal file
View File

@ -0,0 +1,112 @@
--- ImageMagick-6.2.2/coders/xcf.c.ormandy 2006-08-23 01:39:53.000000000 -0400
+++ ImageMagick-6.2.2/coders/xcf.c 2006-08-23 01:40:09.000000000 -0400
@@ -268,7 +268,7 @@
%
%
*/
-static char *ReadBlobStringWithLongSize(Image *image,char *string)
+static char *ReadBlobStringWithLongSize(Image *image,char *string,size_t max)
{
int
c;
@@ -284,7 +284,7 @@
if (image->debug != MagickFalse)
(void) LogMagickEvent(TraceEvent,GetMagickModule(),image->filename);
length = ReadBlobMSBLong(image);
- for (i=0; i < (long) length; i++)
+ for (i=0; i < (long) Min(length, max); i++)
{
c=ReadBlobByte(image);
if (c == EOF)
@@ -693,7 +693,7 @@
outLayer->width = ReadBlobMSBLong(image);
outLayer->height = ReadBlobMSBLong(image);
outLayer->type = ReadBlobMSBLong(image);
- (void) ReadBlobStringWithLongSize(image, outLayer->name);
+ (void) ReadBlobStringWithLongSize(image, outLayer->name, 1024);
/* allocate the image for this layer */
outLayer->image=CloneImage(image,outLayer->width, outLayer->height,MagickTrue,
@@ -1099,7 +1099,7 @@
/*float factor = (float) */ (void) ReadBlobMSBLong(image);
/* unsigned long digits = */ (void) ReadBlobMSBLong(image);
for (i=0; i<5; i++)
- (void) ReadBlobStringWithLongSize(image, unit_string);
+ (void) ReadBlobStringWithLongSize(image, unit_string, sizeof(unit_string));
}
break;
--- ImageMagick-6.2.2/coders/sun.c.ormandy 2006-08-23 01:39:58.000000000 -0400
+++ ImageMagick-6.2.2/coders/sun.c 2006-08-23 01:40:09.000000000 -0400
@@ -133,10 +133,10 @@
%
*/
static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
- const size_t length,unsigned char *pixels)
+ const size_t length,unsigned char *pixels,size_t maxpixels)
{
register const unsigned char
- *p;
+ *p, *l;
register unsigned char
*q;
@@ -152,7 +152,8 @@
assert(pixels != (unsigned char *) NULL);
p=compressed_pixels;
q=pixels;
- while ((size_t) (p-compressed_pixels) < length)
+ l=q+maxpixels;
+ while ((size_t) (p-compressed_pixels) < length && q < l)
{
byte=(*p++);
if (byte != 128U)
@@ -165,7 +166,7 @@
count=(ssize_t) (*p++);
if (count > 0)
byte=(*p++);
- while (count >= 0)
+ while (count >= 0 && q < l)
{
*q++=byte;
count--;
@@ -376,6 +377,8 @@
CloseBlob(image);
return(GetFirstImageInList(image));
}
+ if ((sun_info.length * sizeof(*sun_data)) / sizeof(*sun_data) != sun_info.length || !sun_info.length)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
sun_data=(unsigned char *)
AcquireMagickMemory((size_t) sun_info.length*sizeof(*sun_data));
if (sun_data == (unsigned char *) NULL)
@@ -393,11 +396,28 @@
Read run-length encoded raster pixels.
*/
height=sun_info.height;
- bytes_per_line=2*(sun_info.width*sun_info.depth+15)/16;
+
+ /* calculate bytes per line, verifying no overflow occurs */
+ bytes_per_line=sun_info.width*sun_info.depth;
+ if (!height || !sun_info.width || !sun_info.depth || bytes_per_line / sun_info.depth != sun_info.width)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+ if ((ULONG_MAX - bytes_per_line) < 15)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+ bytes_per_line += 15;
+ bytes_per_line <<= 1;
+ if (bytes_per_line >> 1 != sun_info.width * sun_info.depth + 15)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+ bytes_per_line >>= 4;
+ if ((bytes_per_line * height) / height != bytes_per_line)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
sun_pixels=(unsigned char *) AcquireMagickMemory(bytes_per_line*height);
if (sun_pixels == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- (void) DecodeImage(sun_data,sun_info.length,sun_pixels);
+ (void) DecodeImage(sun_data,sun_info.length,sun_pixels, bytes_per_line * height);
sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
}
/*

14
ImageMagick-6.2.8-cve-2006-4144.patch Normal file
View File

@ -0,0 +1,14 @@
--- ImageMagick-6.2.8/coders/sgi.c.cve-2006-4144 2006-02-07 22:52:54.000000000 -0500
+++ ImageMagick-6.2.8/coders/sgi.c 2006-08-23 02:05:52.000000000 -0400
@@ -410,7 +410,11 @@
for (i=0; i < (long) (iris_info.rows*iris_info.depth); i++)
offsets[i]=(ssize_t) ReadBlobMSBLong(image);
for (i=0; i < (long) (iris_info.rows*iris_info.depth); i++)
+ {
runlength[i]=ReadBlobMSBLong(image);
+ if (runlength[i] >= (4*(size_t) iris_info.columns+10))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
/*
Check data order.
*/

13
ImageMagick.spec
View File

@ -9,7 +9,7 @@ Version: %{VER}.%{Patchlevel}
%else
Version: %{VER}
%endif
Release: 2
Release: 3%{?dist}
License: freeware
Group: Applications/Multimedia
%if "%{Patchlevel}" != ""
@ -20,6 +20,11 @@ Source: ftp://ftp.ImageMagick.org/pub/ImageMagick/ImageMagick-%{version}.tar.bz2
Source1: magick_small.png
Patch1: ImageMagick-6.2.1-local_doc.patch
Patch2: ImageMagick-6.2.8-multilib.patch
# 202193
Patch3: ImageMagick-6.2.8-cve-2006-3743.patch
# 202771
Patch4: ImageMagick-6.2.8-cve-2006-4144.patch
Url: http://www.imagemagick.org/
Buildroot: %{_tmppath}/%{name}-%{version}-root
@ -116,6 +121,8 @@ however.
%setup -q -n %{name}-%{VER}
%patch1 -p1 -b .local_doc
%patch2 -p1 -b .multilib
%patch3 -p1 -b .cve-2006-3743
%patch4 -p1 -b .cve-2006-4144
%build
%configure --enable-shared \
@ -251,6 +258,10 @@ rm -rf $RPM_BUILD_ROOT
%doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt
%changelog
* Wed Aug 23 2006 Matthias Clasen <mclasen@redhat.com> - 6.2.8.0-3.fc6
- fix several integer and buffer overflows (#202193, CVE-2006-3743)
- fix more integer overflows (#202771, CVE-2006-4144)
* Mon Jul 24 2006 Matthias Clasen <mclasen@redhat.com> - 6.2.8.0-2
- Add missing BRs