Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.2
ImageMagick
ImageMagick-security-dos.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ImageMagick-security-dos.patch of Package ImageMagick
--- ImageMagick-6.5.4-8/magick/profile.c.orig 2012-06-05 11:25:53.406802312 +0200 +++ ImageMagick-6.5.4-8/magick/profile.c 2012-06-06 17:54:50.010100732 +0200 @@ -1631,14 +1631,15 @@ EndianType endian; - long - id, - level; + SplayTreeInfo + *exif_resources; size_t length; ssize_t + id, + level, offset; static int @@ -1695,12 +1696,14 @@ /* This the offset to the first IFD. */ - offset=(ssize_t) ReadProfileLong(endian,exif+4); - if ((size_t) offset >= length) + offset=(ssize_t) ((int) ReadProfileLong(endian,exif+4)); + if ((offset < 0) || ((size_t) offset >= length)) return(MagickFalse); directory=exif+offset; level=0; entry=0; + exif_resources=NewSplayTree((int (*)(const void *,const void *)) NULL, + (void *(*)(void *)) NULL,(void *(*)(void *)) NULL); do { if (level > 0) @@ -1728,6 +1731,9 @@ number_bytes; q=(unsigned char *) (directory+2+(12*entry)); + if (GetValueFromSplayTree(exif_resources,q) == q) + break; + (void) AddValueToSplayTree(exif_resources,q,q); tag_value=(long) ReadProfileShort(endian,q); format=(long) ReadProfileShort(endian,q+2); if ((format-1) >= EXIF_NUM_FORMATS) @@ -1744,7 +1750,9 @@ /* The directory entry contains an offset. */ - offset=(ssize_t) ReadProfileLong(endian,q+8); + offset=(ssize_t) ((int) ReadProfileLong(endian,q+8)); + if ((offset+number_bytes) < offset) + continue; /* prevent overflow */ if ((size_t) (offset+number_bytes) > length) continue; p=(unsigned char *) (exif+offset); @@ -1783,11 +1791,11 @@ } if ((tag_value == TAG_EXIF_OFFSET) || (tag_value == TAG_INTEROP_OFFSET)) { - size_t + ssize_t offset; - offset=(size_t) ReadProfileLong(endian,p); - if ((offset < length) && (level < (MaxDirectoryStack-2))) + offset=(ssize_t) ((int) ReadProfileLong(endian,p)); + if (((size_t) offset < length) && (level < (MaxDirectoryStack-2))) { directory_stack[level].directory=directory; entry++; @@ -1798,9 +1806,9 @@ level++; if ((directory+2+(12*number_entries)) > (exif+length)) break; - offset=(size_t) ReadProfileLong(endian,directory+2+(12* - number_entries)); - if ((offset != 0) && (offset < length) && + offset=(ssize_t) ((int) ReadProfileLong(endian,directory+2+(12* + number_entries))); + if ((offset != 0) && ((size_t) offset < length) && (level < (MaxDirectoryStack-2))) { directory_stack[level].directory=exif+offset; @@ -1812,5 +1820,6 @@ } } } while (level > 0); + exif_resources=DestroySplayTree(exif_resources); return(MagickTrue); } --- ImageMagick-6.5.4-8/magick/property.c.orig 2012-06-05 11:25:53.406802312 +0200 +++ ImageMagick-6.5.4-8/magick/property.c 2012-06-06 18:07:50.194124299 +0200 @@ -453,6 +453,13 @@ return(y); } +static inline ssize_t MagickMin(const ssize_t x,const ssize_t y) +{ + if (x < y) + return(x); + return(y); +} + static inline int ReadPropertyByte(const unsigned char **p,size_t *length) { int @@ -587,7 +594,7 @@ continue; if (ReadPropertyByte(&info,&length) != (unsigned char) 'M') continue; - id=(long) ReadPropertyMSBShort(&info,&length); + id=(ssize_t) ((int) ReadPropertyMSBShort(&info,&length)); if (id < start) continue; if (id > stop) @@ -618,7 +625,7 @@ No name match, scroll forward and try next. */ info+=count; - length-=count; + length-=MagickMin(count,(ssize_t) length); continue; } if ((*name == '#') && (sub_number != 1)) @@ -628,7 +635,7 @@ */ sub_number--; info+=count; - length-=count; + length-=MagickMin(count,(ssize_t) length); continue; } /* @@ -643,7 +650,7 @@ (void) CopyMagickMemory(attribute,(char *) info,(size_t) count); attribute[count]='\0'; info+=count; - length-=count; + length-=MagickMin(count,(ssize_t) length); if ((id <= 1999) || (id >= 2999)) (void) SetImageProperty((Image *) image,key,(const char *) attribute); @@ -783,7 +790,9 @@ *directory; unsigned long - entry, + entry; + + ssize_t offset; } DirectoryInfo; @@ -1087,6 +1096,7 @@ all, id, level, + tag_offset, tag_value; register long @@ -1104,9 +1114,11 @@ unsigned long entry, number_entries, - tag_offset, tag; + SplayTreeInfo + *exif_resources; + /* If EXIF data exists, then try to parse the request for a tag. */ @@ -1217,7 +1229,7 @@ } if (length < 16) return(MagickFalse); - id=(long) ReadPropertyShort(LSBEndian,exif); + id=(ssize_t) ((int) ReadPropertyShort(LSBEndian,exif)); endian=LSBEndian; if (id == 0x4949) endian=LSBEndian; @@ -1232,7 +1244,7 @@ This the offset to the first IFD. */ offset=(ssize_t) ReadPropertyLong(endian,exif+4); - if ((size_t) offset >= length) + if ((offset < 0) || (size_t) offset >= length) return(MagickFalse); /* Set the pointer to the first IFD and follow it were it leads. @@ -1241,6 +1253,8 @@ level=0; entry=0; tag_offset=0; + exif_resources=NewSplayTree((int (*)(const void *,const void *)) NULL, + (void *(*)(void *)) NULL,(void *(*)(void *)) NULL); do { /* @@ -1256,7 +1270,7 @@ /* Determine how many entries there are in the current IFD. */ - number_entries=ReadPropertyShort(endian,directory); + number_entries=(size_t) ((int) ReadPropertyShort(endian,directory)); for ( ; entry < number_entries; entry++) { long @@ -1272,9 +1286,12 @@ unsigned long format; - q=(unsigned char *) (directory+2+(12*entry)); - tag_value=(long) ReadPropertyShort(endian,q)+tag_offset; - format=(unsigned long) ReadPropertyShort(endian,q+2); + q=(unsigned char *) (directory+(12*entry)+2); + if (GetValueFromSplayTree(exif_resources,q) == q) + break; + (void) AddValueToSplayTree(exif_resources,q,q); + tag_value=(ssize_t) ((int) ReadPropertyShort(endian,q)+tag_offset); + format=(size_t) ((int) ReadPropertyShort(endian,q+2)); if (format >= (sizeof(tag_bytes)/sizeof(*tag_bytes))) break; components=(long) ReadPropertyLong(endian,q+4); @@ -1290,6 +1307,8 @@ The directory entry contains an offset. */ offset=(ssize_t) ReadPropertyLong(endian,q+8); + if ((offset+number_bytes) < offset) + continue; /* prevent overflow */ if ((size_t) (offset+number_bytes) > length) continue; p=(unsigned char *) (exif+offset); @@ -1337,7 +1356,7 @@ case EXIF_FMT_URATIONAL: { EXIFMultipleFractions(8,"%ld/%ld",ReadPropertyLong(endian,p1), - ReadPropertyLong(endian,p1+4)); + ((int) ReadPropertyLong(endian,p1+4))); break; } case EXIF_FMT_SRATIONAL: @@ -1440,16 +1459,17 @@ (tag_value == TAG_INTEROP_OFFSET) || (tag_value == TAG_GPS_OFFSET)) { - size_t + ssize_t offset; - offset=(size_t) ReadPropertyLong(endian,p); - if ((offset < length) && (level < (MaxDirectoryStack-2))) + offset=(ssize_t) ((int) ReadPropertyLong(endian,p)); + if (((size_t) offset < length) && (level < (MaxDirectoryStack-2))) { - unsigned long + ssize_t tag_offset1; - tag_offset1=(tag_value == TAG_GPS_OFFSET) ? 0x10000UL : 0UL; + tag_offset1=(ssize_t) ((tag_value == TAG_GPS_OFFSET) ? 0x10000 : + 0); directory_stack[level].directory=directory; entry++; directory_stack[level].entry=entry; @@ -1461,9 +1481,9 @@ level++; if ((directory+2+(12*number_entries)) > (exif+length)) break; - offset=(size_t) ReadPropertyLong(endian,directory+2+(12* - number_entries)); - if ((offset != 0) && (offset < length) && + offset=(ssize_t) ((int) ReadPropertyLong(endian,directory+2+(12* + number_entries))); + if ((offset != 0) && ((size_t) offset < length) && (level < (MaxDirectoryStack-2))) { directory_stack[level].directory=exif+offset; @@ -1476,6 +1496,7 @@ } } } while (level > 0); + exif_resources=DestroySplayTree(exif_resources); return(MagickTrue); } @@ -1617,7 +1638,7 @@ in_subpath=MagickFalse; while (length > 0) { - selector=(long) ReadPropertyMSBShort(&blob,&length); + selector=(ssize_t) ((int) ReadPropertyMSBShort(&blob,&length)); switch (selector) { case 0: @@ -1626,15 +1647,15 @@ if (knot_count != 0) { blob+=24; - length-=24; + length-=MagickMin(24,(ssize_t) length); break; } /* Expected subpath length record. */ - knot_count=(long) ReadPropertyMSBShort(&blob,&length); + knot_count=(ssize_t) ((int) ReadPropertyMSBShort(&blob,&length)); blob+=22; - length-=22; + length-=MagickMin(22,(ssize_t) length); break; } case 1: @@ -1648,7 +1669,7 @@ Unexpected subpath knot */ blob+=24; - length-=24; + length-=MagickMin(24,(ssize_t) length); break; } /* @@ -1656,8 +1677,8 @@ */ for (i=0; i < 3; i++) { - y=(long) ReadPropertyMSBLong(&blob,&length); - x=(long) ReadPropertyMSBLong(&blob,&length); + y=(size_t) ((int) ReadPropertyMSBLong(&blob,&length)); + x=(size_t) ((int) ReadPropertyMSBLong(&blob,&length)); point[i].x=(double) x/4096/4096; point[i].y=1.0-(double) y/4096/4096; } @@ -1739,7 +1760,7 @@ default: { blob+=24; - length-=24; + length-=MagickMin(24,(ssize_t) length); break; } } @@ -1804,7 +1825,7 @@ in_subpath=MagickFalse; while (length != 0) { - selector=(long) ReadPropertyMSBShort(&blob,&length); + selector=(ssize_t) ((int) ReadPropertyMSBShort(&blob,&length)); switch (selector) { case 0: @@ -1813,15 +1834,15 @@ if (knot_count != 0) { blob+=24; - length-=24; + length-=MagickMin(24,(ssize_t) length); break; } /* Expected subpath length record. */ - knot_count=(long) ReadPropertyMSBShort(&blob,&length); + knot_count=(ssize_t) ((int) ReadPropertyMSBShort(&blob,&length)); blob+=22; - length-=22; + length-=MagickMin(22,(ssize_t) length); break; } case 1: @@ -1902,7 +1923,7 @@ default: { blob+=24; - length-=24; + length-=MagickMin(24,(ssize_t) length); break; } }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor