Fix CVE-2012-3437 (bz#844101, 844103)

ImageMagick-6.7.5-6-CVE-2012-3437.patch

@@ -0,0 +1,56 @@
+--- coders/png.c	(revision 8733)
++++ coders/png.c	(revision 8732)
+@@ -1756,11 +1756,7 @@ 
+ }
+ 
+ #ifdef PNG_USER_MEM_SUPPORTED
+-#if PNG_LIBPNG_VER >= 14000
+-static png_voidp Magick_png_malloc(png_structp png_ptr,png_alloc_size_t size)
+-#else
+-static png_voidp Magick_png_malloc(png_structp png_ptr,png_size_t size)
+-#endif
++static png_voidp Magick_png_malloc(png_structp png_ptr,png_uint_32 size)
+ {
+ #if (PNG_LIBPNG_VER < 10011)
+   png_voidp
+@@ -7462,22 +7458,12 @@ 
+          (char *) profile_type, (double) length);
+      }
+ 
+-#if PNG_LIBPNG_VER >= 14000
+-   text=(png_textp) png_malloc(ping,(png_alloc_size_t) sizeof(png_text));
+-#else
+-   text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text));
+-#endif
++   text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text));
+    description_length=(png_uint_32) strlen((const char *) profile_description);
+    allocated_length=(png_uint_32) (length*2 + (length >> 5) + 20
+       + description_length);
+-#if PNG_LIBPNG_VER >= 14000
+-   text[0].text=(png_charp) png_malloc(ping,
+-      (png_alloc_size_t) allocated_length);
+-   text[0].key=(png_charp) png_malloc(ping, (png_alloc_size_t) 80);
+-#else
+-   text[0].text=(png_charp) png_malloc(ping, (png_size_t) allocated_length);
+-   text[0].key=(png_charp) png_malloc(ping, (png_size_t) 80);
+-#endif
++   text[0].text=(png_charp) png_malloc(ping,allocated_length);
++   text[0].key=(png_charp) png_malloc(ping, (png_uint_32) 80);
+    text[0].key[0]='\0';
+    (void) ConcatenateMagickString(text[0].key,
+       "Raw profile type ",MaxTextExtent);
+@@ -10796,13 +10782,7 @@ 
+         {
+         if (value != (const char *) NULL)
+           {
+-
+-#if PNG_LIBPNG_VER >= 14000
+-            text=(png_textp) png_malloc(ping,
+-                 (png_alloc_size_t) sizeof(png_text));
+-#else
+-            text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text));
+-#endif
++            text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text));
+             text[0].key=(char *) property;
+             text[0].text=(char *) value;
+             text[0].text_length=strlen(value);

ImageMagick.spec

@@ -3,7 +3,7 @@
 
 Name:		ImageMagick
 Version:		%{VER}.%{Patchlevel}
-Release:		3%{?dist}
+Release:		4%{?dist}
 Summary:		An X application for displaying and manipulating images
 Group:		Applications/Multimedia
 License:		ImageMagick
@@ -18,6 +18,9 @@ BuildRequires:	libwmf-devel, jasper-devel, libtool-ltdl-devel
 BuildRequires:	libX11-devel, libXext-devel, libXt-devel
 BuildRequires:	lcms-devel, libxml2-devel, librsvg2-devel, OpenEXR-devel
 
+# bz#844101, bz#844103
+Patch1:         ImageMagick-6.7.5-6-CVE-2012-3437.patch
+
 %description
 ImageMagick is an image display and manipulation tool for the X
 Window System. ImageMagick can read and write JPEG, TIFF, PNM, GIF,
@@ -126,6 +129,9 @@ however.
 
 %prep
 %setup -q -n %{name}-%{VER}-%{Patchlevel}
+
+%patch1 -p0 -R -b .CVE-2012-3437
+
 sed -i 's/libltdl.la/libltdl.so/g' configure
 iconv -f ISO-8859-1 -t UTF-8 README.txt > README.txt.tmp
 touch -r README.txt README.txt.tmp
@@ -303,6 +309,9 @@ rm -rf %{buildroot}
 %doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt
 
 %changelog
+* Sat Aug 11 2012 Pavel Alexeev <Pahan@Hubbitus.info> - 6.7.5.6-4
+- Fix CVE-2012-3437 (bz#844101, 844103)
+
 * Sat Feb 25 2012 Pavel Alexeev <Pahan@Hubbitus.info> - 6.7.5.6-1
 - Update by request https://bugzilla.redhat.com/show_bug.cgi?id=755827#c8
 - Delete multilib patch as it should be in main sources.