Resolves BZ235075

2007-04-05 12:18:29 +00:00 · 2007-04-05 12:18:29 +00:00 · b65014a0f8
parent 479b37a13f
commit b65014a0f8
2 changed files with 45 additions and 2 deletions
--- a/ImageMagick-6.2.8-CVE-2007-1797.patch
+++ b/ImageMagick-6.2.8-CVE-2007-1797.patch
@ -0,0 +1,37 @@
+--- ImageMagick/coders/dcm.c.orig	2007-04-03 18:27:57.000000000 +0200
+++ ImageMagick/coders/dcm.c	2007-04-03 18:31:16.000000000 +0200
+@@ -2902,6 +2902,8 @@ static Image *ReadDCMImage(const ImageIn
+             {
+               data=(unsigned char *)
+                 AcquireMagickMemory((size_t) quantum*(length+1));
+              if (length > ((~0UL)/quantum))
+                ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+               if (data == (unsigned char *) NULL)
+                 ThrowReaderException(ResourceLimitError,
+                   "MemoryAllocationFailed");
+--- ImageMagick/coders/xwd.c.orig	2007-04-03 19:21:18.000000000 +0200
+++ ImageMagick/coders/xwd.c	2007-04-03 19:24:36.000000000 +0200
+@@ -236,7 +236,9 @@ static Image *ReadXWDImage(const ImageIn
+   if (header.header_size < sz_XWDheader)
+     ThrowReaderException(CorruptImageError,"CorruptImage");
+   length=(size_t) header.header_size-sz_XWDheader;
+-  comment=(char *) AcquireMagickMemory(length+MaxTextExtent);
+  if (length > ((~0UL)/sizeof(*comment)))
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+  comment=(char *) AcquireMagickMemory((length+1)*sizeof(*comment));
+   if (comment == (char *) NULL)
+     ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+   count=ReadBlob(image,length,(unsigned char *) comment);
+@@ -278,8 +281,10 @@ static Image *ReadXWDImage(const ImageIn
+       XWDColor
+         color;
+ 
+-      colors=(XColor *)
+-        AcquireMagickMemory((size_t) header.ncolors*sizeof(*colors));
+      length=(size_t) header.ncolors;
+      if (length > ((~0UL)/sizeof(*colors)))
+        ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+      colors=(XColor *) AcquireMagickMemory(length*sizeof(*colors));
+       if (colors == (XColor *) NULL)
+         ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+       for (i=0; i < (long) header.ncolors; i++)
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@ -9,7 +9,7 @@ Version: %{VER}.%{Patchlevel}
 %else
 Version: %{VER}
 %endif
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: freeware
 Group: Applications/Multimedia
 %if "%{Patchlevel}" != ""
@ -22,6 +22,9 @@ Patch1: ImageMagick-6.2.1-local_doc.patch
 Patch2: ImageMagick-6.2.8-multilib.patch
 Patch3: ImageMagick-6.3.2-perl-parallel-build.patch
 Patch4: ImageMagick-6.3.2-perl-liblink.patch
+# 235075
+Patch5: ImageMagick-6.2.8-CVE-2007-1797.patch
+

 Url: http://www.imagemagick.org/
 Buildroot: %{_tmppath}/%{name}-%{version}-root
@ -122,7 +125,7 @@ however.
 %patch2 -p1 -b .multilib
 %patch3 -p1 -b .perl-build
 %patch4 -p1 -b .perl-link
-
+%patch5 -p1 -b .cve-2007-1797

 %build
 %configure --enable-shared \
@ -258,6 +261,9 @@ rm -rf $RPM_BUILD_ROOT
 %doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt

 %changelog
+* Thu Apr  5 2007 Norm Murray <nmurray@redhat.com> 6.3.2.9-3.fc7
+- heap overflows (#235075, CVE-2007-1797)
+
 * Fri Mar 30 2007 Norm Murray <nmurray@redhat.com> 6.3.2.9-2.fc7
 - perlmagick build fix (#231259)