rpms/ImageMagick/FC-4 ImageMagick-6.2.2-cve-2006-3743.patch, NONE, 1.1 ImageMagick-6.2.2-cve-2006-4144.patch, NONE, 1.1 ImageMagick.spec, 1.44, 1.45

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Aug 23 06:47:22 UTC 2006


Author: mclasen

Update of /cvs/dist/rpms/ImageMagick/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv19982

Modified Files:
	ImageMagick.spec 
Added Files:
	ImageMagick-6.2.2-cve-2006-3743.patch 
	ImageMagick-6.2.2-cve-2006-4144.patch 
Log Message:
Fix several vulnerabilities


ImageMagick-6.2.2-cve-2006-3743.patch:
 sun.c |   32 ++++++++++++++++++++++++++------
 xcf.c |    8 ++++----
 2 files changed, 30 insertions(+), 10 deletions(-)

--- NEW FILE ImageMagick-6.2.2-cve-2006-3743.patch ---
--- ImageMagick-6.2.2/coders/xcf.c.ormandy	2006-08-23 01:39:53.000000000 -0400
+++ ImageMagick-6.2.2/coders/xcf.c	2006-08-23 01:40:09.000000000 -0400
@@ -268,7 +268,7 @@
 %
 %
 */
-static char *ReadBlobStringWithLongSize(Image *image,char *string)
+static char *ReadBlobStringWithLongSize(Image *image,char *string,size_t max)
 {
   int
     c;
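Review bot: The new `max` parameter is not documented anywhere. The patch has no hunk touching the `%`-prefixed comment block that closes just above this signature, so a caller cannot tell whether `max` is the size of the buffer or the longest string that may be stored in it. I would add a parameter line such as `o max: size in bytes of the buffer that string points to, including room for the terminating NUL`. The same applies to `maxpixels` on `DecodeImage` in coders/sun.c. The function body continues outside this hunk.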
@@ -284,7 +284,7 @@
   if (image->debug != MagickFalse)
     (void) LogMagickEvent(TraceEvent,GetMagickModule(),image->filename);
   length = ReadBlobMSBLong(image);
-  for (i=0; i < (long) length; i++)
+  for (i=0; i < (long) Min(length, max); i++)
   {
     c=ReadBlobByte(image);
     if (c == EOF)
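Review bot: The loop bound `Min(length, max)` lets `i` reach `max`, so if the part of the function below this hunk terminates the string with something like `string[i]='\0'`, a stored length of `max` or more still writes one byte past a buffer of `max` bytes; that matters for the call that passes `sizeof(unit_string)`. Bounding the copy at `max-1` would leave room for the terminator: `for (i=0; i < (long) Min(length, max-1); i++)`. Separately, when `length` exceeds the bound the remaining `length-i` bytes are left unread, so every later field of the file is parsed from the wrong offset; those bytes should be read and discarded, or the oversized string rejected as a corrupt image. The end of the function is outside the hunk, so the terminator write is inferred rather than visible.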
@@ -693,7 +693,7 @@
   outLayer->width = ReadBlobMSBLong(image);
   outLayer->height = ReadBlobMSBLong(image);
   outLayer->type = ReadBlobMSBLong(image);
-  (void) ReadBlobStringWithLongSize(image, outLayer->name);
+  (void) ReadBlobStringWithLongSize(image, outLayer->name, 1024);
 
   /* allocate the image for this layer */
   outLayer->image=CloneImage(image,outLayer->width, outLayer->height,MagickTrue,
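Review bot: The literal `1024` passed for `outLayer->name` is not tied to the field's declaration, which is outside this hunk, so if the field is ever resized the bound silently becomes wrong again. If `name` is an array member, `(void) ReadBlobStringWithLongSize(image, outLayer->name, sizeof(outLayer->name));` keeps the two in step, as the `unit_string` call site already does. The return value is also still discarded, so if the function reports the `c == EOF` case through its return value, a layer name cut short by end of file goes unnoticed here.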
@@ -1099,7 +1099,7 @@
         /*float  factor = (float) */ (void) ReadBlobMSBLong(image);
         /* unsigned long digits =  */ (void) ReadBlobMSBLong(image);
         for (i=0; i<5; i++)
-         (void) ReadBlobStringWithLongSize(image, unit_string);
+         (void) ReadBlobStringWithLongSize(image, unit_string, sizeof(unit_string));
       }
      break;
 
--- ImageMagick-6.2.2/coders/sun.c.ormandy	2006-08-23 01:39:58.000000000 -0400
+++ ImageMagick-6.2.2/coders/sun.c	2006-08-23 01:40:09.000000000 -0400
@@ -133,10 +133,10 @@
 %
 */
 static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
-  const size_t length,unsigned char *pixels)
+  const size_t length,unsigned char *pixels,size_t maxpixels)
 {
   register const unsigned char
-    *p;
+    *p, *l;
 
   register unsigned char
     *q;
@@ -152,7 +152,8 @@
   assert(pixels != (unsigned char *) NULL);
   p=compressed_pixels;
   q=pixels;
-  while ((size_t) (p-compressed_pixels) < length)
+  l=q+maxpixels;
+  while ((size_t) (p-compressed_pixels) < length && q < l)
   {
     byte=(*p++);
     if (byte != 128U)
@@ -165,7 +166,7 @@
         count=(ssize_t) (*p++);
         if (count > 0)
           byte=(*p++);
-        while (count >= 0)
+        while (count >= 0 && q < l)
         {
           *q++=byte;
           count--;
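Review bot: Only the output pointer gained a bound; the input side is still checked just once per iteration, at the top of the outer loop, while the run branch goes on to read `count=(ssize_t) (*p++)` and then `byte=(*p++)` with no further comparison against `length`. A compressed stream that ends on the 128 escape byte, or right after the count, therefore reads up to two bytes past the end of `compressed_pixels`. Re-checking before each extra read, e.g. `if ((size_t) (p-compressed_pixels) >= length) break;`, closes that. The rest of `DecodeImage` is outside the hunk.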
@@ -376,6 +377,8 @@
         CloseBlob(image);
         return(GetFirstImageInList(image));
       }
+    if ((sun_info.length * sizeof(*sun_data)) / sizeof(*sun_data) != sun_info.length || !sun_info.length)
+        ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
     sun_data=(unsigned char *)
       AcquireMagickMemory((size_t) sun_info.length*sizeof(*sun_data));
     if (sun_data == (unsigned char *) NULL)
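Review bot: The multiplication half of the added test cannot fail: `sun_data` appears to be an `unsigned char *` (see the casts on the allocation and NULL comparison below), so `sizeof(*sun_data)` is 1 and only the `!sun_info.length` part does anything. The header-supplied length is therefore still passed to `AcquireMagickMemory` without an upper bound, and it would be worth comparing it with the amount of data actually present in the blob before allocating. A zero length is also a malformed header rather than an allocation failure, so `ThrowReaderException(CorruptImageError,"ImproperImageHeader");` would describe it more accurately.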
@@ -393,11 +396,28 @@
           Read run-length encoded raster pixels.
         */
         height=sun_info.height;
-        bytes_per_line=2*(sun_info.width*sun_info.depth+15)/16;
+
+        /* calculate bytes per line, verifying no overflow occurs */
+        bytes_per_line=sun_info.width*sun_info.depth;
+        if (!height || !sun_info.width || !sun_info.depth || bytes_per_line / sun_info.depth != sun_info.width)
+            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+        if ((ULONG_MAX - bytes_per_line) < 15)
+            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+        bytes_per_line += 15;
+        bytes_per_line <<= 1;
+        if (bytes_per_line >> 1 != sun_info.width * sun_info.depth + 15)
+            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+        bytes_per_line >>= 4;
+        if ((bytes_per_line * height) / height != bytes_per_line)
+            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
         sun_pixels=(unsigned char *) AcquireMagickMemory(bytes_per_line*height);
         if (sun_pixels == (unsigned char *) NULL)
           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-        (void) DecodeImage(sun_data,sun_info.length,sun_pixels);
+        (void) DecodeImage(sun_data,sun_info.length,sun_pixels, bytes_per_line * height);
         sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
       }
     /*
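Review bot: Every `ThrowReaderException` added in this block runs while `sun_data`, allocated earlier in the function, is still live; it is only released after `DecodeImage` on the line `sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);`. Unless the macro (defined outside this page) knows about that buffer, each rejected header leaks it, as does the pre-existing throw after the `sun_pixels` allocation; releasing `sun_data` before each throw, or doing the dimension checks before `sun_data` is allocated, avoids that. Two smaller points: `DecodeImage` can return before filling the buffer and its result is still discarded, so a short stream leaves the tail of `sun_pixels` unwritten, and zero-filling the buffer or failing on a short decode would keep stale heap contents out of the image. The `ULONG_MAX` comparison also assumes `bytes_per_line` is an `unsigned long`; its declaration is not in the hunk.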

ImageMagick-6.2.2-cve-2006-4144.patch:
 sgi.c |    4 ++++
 1 files changed, 4 insertions(+)

--- NEW FILE ImageMagick-6.2.2-cve-2006-4144.patch ---
--- ImageMagick-6.2.2/coders/sgi.c.ormandy	2006-08-23 01:44:20.000000000 -0400
+++ ImageMagick-6.2.2/coders/sgi.c	2006-08-23 01:48:05.000000000 -0400
@@ -395,7 +395,11 @@
         for (i=0; i < (int) (iris_info.rows*iris_info.depth); i++)
           offsets[i]=(ssize_t) ReadBlobMSBLong(image);
         for (i=0; i < (int) (iris_info.rows*iris_info.depth); i++)
+	{
           runlength[i]=ReadBlobMSBLong(image);
+          if (runlength[i] >= (4*(size_t) iris_info.columns+10))
+            ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+	}
         /*
           Check data order.
         */
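Review bot: The limit `4*(size_t) iris_info.columns+10` is an unexplained magic expression; it presumably mirrors the size of the buffer that each run is later read into, but that allocation is outside the hunk, and the check is only sound while the two stay identical. I would compute the size once into a named variable used for both the allocation and this test, or at least add a comment such as `/* runlength must fit the packet buffer allocated above */`. The new throw also exits in the middle of filling `offsets` and `runlength`; if those are heap buffers, they need releasing before the exception unless the macro handles it. The added braces are indented with tabs while the surrounding lines use spaces.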


Index: ImageMagick.spec
===================================================================
RCS file: /cvs/dist/rpms/ImageMagick/FC-4/ImageMagick.spec,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- ImageMagick.spec	24 May 2006 15:21:21 -0000	1.44
+++ ImageMagick.spec	23 Aug 2006 06:47:12 -0000	1.45
@@ -9,7 +9,7 @@
 %else
 Version: %{VER}
 %endif
-Release: 3.fc4.2
+Release: 3.fc4.3
 License: freeware
 Group: Applications/Multimedia
 %if "%{Patchlevel}" != ""
@@ -29,6 +29,10 @@
 Patch9: ImageMagick-6.2.2-format-string-again.patch
 # 192279
 Patch10: ImageMagick-6.2.2-yet-another-overflow.patch
+# 202193
+Patch11: ImageMagick-6.2.2-cve-2006-3743.patch
+# 202771
+Patch12: ImageMagick-6.2.2-cve-2006-4144.patch
 
 Url: http://www.imagemagick.org/
 Buildroot: %{_tmppath}/%{name}-%{version}-root
@@ -125,6 +129,8 @@
 %patch8 -p1 -b .mask
 %patch9 -p1 -b .format-string-again
 %patch10 -p1 -b .yet-another-overflow
+%patch11 -p1 -b .cve-2006-3743
+%patch12 -p1 -b .cve-2006-4144
 
 %build
 %configure --enable-shared \
@@ -234,6 +240,10 @@
 %doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt
 
 %changelog
+* Wed Aug 23 2006 Matthias Clasen <mclasen at redhat.com> - 6.2.2.0-3.fc4.3
+- fix several integer and buffer overflows (#202193, CVE-2006-3743)
+- fix more integer overflows (#202771, CVE-2006-4144)
+
 * Wed May 24 2006 Matthias Clasen <mclasen at redhat.com> - 6.2.2.0-3.fc4.2
 - Fix a heap overflow CVE-2006-2440 (#192279)
 



