4d6801b735
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch. * gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it.
http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a
|
|
http://www.openwall.com/lists/oss-security/2017/09/22/2
|
|
|
|
Some changes were made to make the patch apply.
|
|
|
|
Notably, the DestroyJNG() function in the upstream diff has been replaced by
|
|
its equivalent, a series of calls to MagickFreeMemory(), DestroyImageInfo(),
|
|
and DestroyImage(). See
|
|
http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5.
|
|
|
|
# HG changeset patch
|
|
# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
|
|
# Date 1504014487 14400
|
|
# Node ID 358608a46f0a9c55e9bb8b37d09bf1ac9bc87f06
|
|
# Parent 38c362f0ae5e7a914c3fe822284c6953f8e6eee2
|
|
Fix Issue 439
|
|
|
|
diff -ru a/coders/png.c b/coders/png.c
|
|
--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
|
|
+++ b/coders/png.c 2017-09-30 08:20:16.218944991 -0400
|
|
@@ -1176,15 +1176,15 @@
|
|
/* allocate space */
|
|
if (length == 0)
|
|
{
|
|
- (void) ThrowException2(&image->exception,CoderWarning,
|
|
- "invalid profile length",(char *) NULL);
|
|
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
+ "invalid profile length");
|
|
return (MagickFail);
|
|
}
|
|
info=MagickAllocateMemory(unsigned char *,length);
|
|
if (info == (unsigned char *) NULL)
|
|
{
|
|
- (void) ThrowException2(&image->exception,CoderWarning,
|
|
- "unable to copy profile",(char *) NULL);
|
|
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
+ "Unable to copy profile");
|
|
return (MagickFail);
|
|
}
|
|
/* copy profile, skipping white space and column 1 "=" signs */
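Review bot: With the `ThrowException2(&image->exception,CoderWarning,...)` calls gone from these branches (and from the ones in the @@ -1197 and @@ -1234 hunks), a malformed raw profile is reported only through the `MagickFail` return and a CoderEvent log line, which is emitted only when coder event logging is on. The caller is outside the hunk, so it should be confirmed that it checks the return value rather than relying on `image->exception`. The messages are also inconsistent: this hunk logs `"Unable to copy profile"` for the allocation failure while the @@ -1234 hunk logs `"unable to copy profile"` for a SetImageProfile failure; distinct texts such as `"unable to allocate profile buffer"` and `"unable to set image profile"` would let the two be told apart in a log. The enclosing function starts and ends outside the hunk.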
|
|
@@ -1197,8 +1197,8 @@
|
|
if (*sp == '\0')
|
|
{
|
|
MagickFreeMemory(info);
|
|
- (void) ThrowException2(&image->exception,CoderWarning,
|
|
- "ran out of profile data",(char *) NULL);
|
|
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
+ "ran out of profile data");
|
|
return (MagickFail);
|
|
}
|
|
sp++;
|
|
@@ -1234,8 +1234,9 @@
|
|
if(SetImageProfile(image,profile_name,info,length) == MagickFail)
|
|
{
|
|
MagickFreeMemory(info);
|
|
- (void) ThrowException(&image->exception,ResourceLimitError,
|
|
- MemoryAllocationFailed,"unable to copy profile");
|
|
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
+ "unable to copy profile");
|
|
+ return MagickFail;
|
|
}
|
|
MagickFreeMemory(info);
|
|
return MagickTrue;
|
|
@@ -3285,7 +3286,6 @@
|
|
if (status == MagickFalse)
|
|
{
|
|
DestroyJNGInfo(color_image_info,alpha_image_info);
|
|
- DestroyImage(alpha_image);
|
|
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
" could not allocate alpha_image blob");
|
|
return ((Image *)NULL);
|
|
@@ -3534,7 +3534,7 @@
|
|
CloseBlob(color_image);
|
|
if (logging)
|
|
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
- " Reading jng_image from color_blob.");
|
|
+ " Reading jng_image from color_blob.");
|
|
|
|
FormatString(color_image_info->filename,"%.1024s",color_image->filename);
|
|
|
|
@@ -3558,13 +3558,18 @@
|
|
|
|
if (logging)
|
|
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
- " Copying jng_image pixels to main image.");
|
|
+ " Copying jng_image pixels to main image.");
|
|
image->rows=jng_height;
|
|
image->columns=jng_width;
|
|
length=image->columns*sizeof(PixelPacket);
|
|
+ if ((jng_height == 0 || jng_width == 0) && logging)
|
|
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
+ " jng_width=%lu jng_height=%lu",
|
|
+ (unsigned long)jng_width,(unsigned long)jng_height);
|
|
for (y=0; y < (long) image->rows; y++)
|
|
{
|
|
- s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception);
|
|
+ s=AcquireImagePixels(jng_image,0,y,image->columns,1,
|
|
+ &image->exception);
|
|
q=SetImagePixels(image,0,y,image->columns,1);
|
|
(void) memcpy(q,s,length);
|
|
if (!SyncImagePixels(image))
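Review bot: The row copy passes `s` and `q` straight to `memcpy(q,s,length)`; neither the result of `AcquireImagePixels` nor of `SetImagePixels` is checked, and both return NULL when the requested region cannot be provided, for example if the decoded `jng_image` is smaller than the `jng_width`/`jng_height` assigned to `image` just above. A guard before the copy, `if ((s == NULL) || (q == NULL)) break;`, would stop at the first bad row. The added zero-dimension test only logs, and only when `logging` is set, so a JNG with a zero width or height still continues past this point; rejecting it here looks safer, but the error path is outside the hunk. The same unchecked `s`/`q` use appears in the opacity loop of the @@ -3589 hunk, where `s->red` is read and `q->opacity` written. The loop body continues outside the hunk.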
|
|
@@ -3589,45 +3594,79 @@
|
|
CloseBlob(alpha_image);
|
|
if (logging)
|
|
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
- " Reading opacity from alpha_blob.");
|
|
+ " Reading opacity from alpha_blob.");
|
|
|
|
FormatString(alpha_image_info->filename,"%.1024s",
|
|
alpha_image->filename);
|
|
|
|
jng_image=ReadImage(alpha_image_info,exception);
|
|
|
|
- for (y=0; y < (long) image->rows; y++)
|
|
+ if (jng_image == (Image *)NULL)
|
|
{
|
|
- s=AcquireImagePixels(jng_image,0,y,image->columns,1,
|
|
- &image->exception);
|
|
- if (image->matte)
|
|
- {
|
|
- q=SetImagePixels(image,0,y,image->columns,1);
|
|
- for (x=(long) image->columns; x > 0; x--,q++,s++)
|
|
- q->opacity=(Quantum) MaxRGB-s->red;
|
|
- }
|
|
- else
|
|
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
+ " jng_image is NULL.");
|
|
+ if (color_image_info)
|
|
+ DestroyImageInfo(color_image_info);
|
|
+ if (alpha_image_info)
|
|
+ DestroyImageInfo(alpha_image_info);
|
|
+ if (color_image)
|
|
+ DestroyImage(color_image);
|
|
+ if (alpha_image)
|
|
+ DestroyImage(alpha_image);
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+
|
|
+ if (logging)
|
|
{
|
|
- q=SetImagePixels(image,0,y,image->columns,1);
|
|
- for (x=(long) image->columns; x > 0; x--,q++,s++)
|
|
- {
|
|
- q->opacity=(Quantum) MaxRGB-s->red;
|
|
- if (q->opacity != OpaqueOpacity)
|
|
- image->matte=MagickTrue;
|
|
- }
|
|
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
+ " Read jng_image.");
|
|
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
+ " jng_image->width=%lu, jng_image->height=%lu",
|
|
+ (unsigned long)jng_width,(unsigned long)jng_height);
|
|
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
+ " image->rows=%lu, image->columns=%lu",
|
|
+ (unsigned long)image->rows,
|
|
+ (unsigned long)image->columns);
|
|
}
|
|
- if (!SyncImagePixels(image))
|
|
- break;
|
|
- }
|
|
- (void) LiberateUniqueFileResource(alpha_image->filename);
|
|
- DestroyImage(alpha_image);
|
|
- alpha_image = (Image *)NULL;
|
|
- DestroyImageInfo(alpha_image_info);
|
|
- alpha_image_info = (ImageInfo *)NULL;
|
|
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
- " Destroy the JNG image");
|
|
- DestroyImage(jng_image);
|
|
- jng_image = (Image *)NULL;
|
|
+
|
|
+ for (y=0; y < (long) image->rows; y++)
|
|
+ {
|
|
+ s=AcquireImagePixels(jng_image,0,y,image->columns,1,
|
|
+ &image->exception);
|
|
+ if (image->matte)
|
|
+ {
|
|
+ q=SetImagePixels(image,0,y,image->columns,1);
|
|
+ for (x=(long) image->columns; x > 0; x--,q++,s++)
|
|
+ q->opacity=(Quantum) MaxRGB-s->red;
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ q=SetImagePixels(image,0,y,image->columns,1);
|
|
+ for (x=(long) image->columns; x > 0; x--,q++,s++)
|
|
+ {
|
|
+ q->opacity=(Quantum) MaxRGB-s->red;
|
|
+ if (q->opacity != OpaqueOpacity)
|
|
+ image->matte=MagickTrue;
|
|
+ }
|
|
+ }
|
|
+ if (!SyncImagePixels(image))
|
|
+ break;
|
|
+ }
|
|
+ (void) LiberateUniqueFileResource(alpha_image->filename);
|
|
+ if (color_image_info)
|
|
+ DestroyImageInfo(color_image_info);
|
|
+ if (alpha_image_info)
|
|
+ DestroyImageInfo(alpha_image_info);
|
|
+ if (color_image)
|
|
+ DestroyImage(color_image);
|
|
+ if (alpha_image)
|
|
+ DestroyImage(alpha_image);
|
|
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
|
|
+ " Destroy the JNG image");
|
|
+ DestroyImage(jng_image);
|
|
+ jng_image = (Image *)NULL;
|
|
+ }
|
|
}
|
|
}
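Review bot: Both new branches destroy `color_image_info`, `alpha_image_info`, `color_image` and `alpha_image` but leave the pointers set, whereas the removed code reset `alpha_image` and `alpha_image_info` to NULL after freeing them; if cleanup code later in the function (outside this hunk) tests those pointers, it would act on freed objects. The `jng_image == NULL` branch also skips `LiberateUniqueFileResource(alpha_image->filename)`, so the temporary alpha file appears to remain on the failure path, and it does not return, so execution continues with an image that has no alpha data. Resetting each pointer after its destroy call and liberating the temporary file in both branches keeps the two paths symmetric. Separately, the log line labelled `jng_image->width`/`jng_image->height` prints `jng_width` and `jng_height`, not fields of the decoded image. The enclosing function starts and ends outside the hunk.

```c
if (jng_image == (Image *)NULL)
  {
    (void) LogMagickEvent(CoderEvent,GetMagickModule(),
                          " jng_image is NULL.");
    /* release the temporary alpha file on the failure path as well */
    (void) LiberateUniqueFileResource(alpha_image->filename);
    if (color_image_info)
      {
        DestroyImageInfo(color_image_info);
        color_image_info=(ImageInfo *)NULL;
      }
    if (alpha_image_info)
      {
        DestroyImageInfo(alpha_image_info);
        alpha_image_info=(ImageInfo *)NULL;
      }
    if (color_image)
      {
        DestroyImage(color_image);
        color_image=(Image *)NULL;
      }
    if (alpha_image)
      {
        DestroyImage(alpha_image);
        alpha_image=(Image *)NULL;
      }
  }
else
  {
    /* … unchanged: logging and the opacity copy loop … */
    /* … same destroy-and-reset sequence as in the branch above … */
    /* … unchanged: "Destroy the JNG image" log, DestroyImage(jng_image), jng_image reset … */
```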
|