rpms/ImageMagick/FC-4 ImageMagick-6.2.2-cve-2006-3743.patch, NONE, 1.1 ImageMagick-6.2.2-cve-2006-4144.patch, NONE, 1.1 ImageMagick.spec, 1.44, 1.45
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Aug 23 06:47:22 UTC 2006
Author: mclasen
Update of /cvs/dist/rpms/ImageMagick/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv19982
Modified Files:
ImageMagick.spec
Added Files:
ImageMagick-6.2.2-cve-2006-3743.patch
ImageMagick-6.2.2-cve-2006-4144.patch
Log Message:
Fix several vulnerabilities
ImageMagick-6.2.2-cve-2006-3743.patch:
sun.c | 32 ++++++++++++++++++++++++++------
xcf.c | 8 ++++----
2 files changed, 30 insertions(+), 10 deletions(-)
--- NEW FILE ImageMagick-6.2.2-cve-2006-3743.patch ---
--- ImageMagick-6.2.2/coders/xcf.c.ormandy 2006-08-23 01:39:53.000000000 -0400
+++ ImageMagick-6.2.2/coders/xcf.c 2006-08-23 01:40:09.000000000 -0400
@@ -268,7 +268,7 @@
%
%
*/
-static char *ReadBlobStringWithLongSize(Image *image,char *string)
+static char *ReadBlobStringWithLongSize(Image *image,char *string,size_t max)
{
int
c;
@@ -284,7 +284,7 @@
if (image->debug != MagickFalse)
(void) LogMagickEvent(TraceEvent,GetMagickModule(),image->filename);
length = ReadBlobMSBLong(image);
- for (i=0; i < (long) length; i++)
+ for (i=0; i < (long) Min(length, max); i++)
{
c=ReadBlobByte(image);
if (c == EOF)
@@ -693,7 +693,7 @@
outLayer->width = ReadBlobMSBLong(image);
outLayer->height = ReadBlobMSBLong(image);
outLayer->type = ReadBlobMSBLong(image);
- (void) ReadBlobStringWithLongSize(image, outLayer->name);
+ (void) ReadBlobStringWithLongSize(image, outLayer->name, 1024);
/* allocate the image for this layer */
outLayer->image=CloneImage(image,outLayer->width, outLayer->height,MagickTrue,
@@ -1099,7 +1099,7 @@
/*float factor = (float) */ (void) ReadBlobMSBLong(image);
/* unsigned long digits = */ (void) ReadBlobMSBLong(image);
for (i=0; i<5; i++)
- (void) ReadBlobStringWithLongSize(image, unit_string);
+ (void) ReadBlobStringWithLongSize(image, unit_string, sizeof(unit_string));
}
break;
--- ImageMagick-6.2.2/coders/sun.c.ormandy 2006-08-23 01:39:58.000000000 -0400
+++ ImageMagick-6.2.2/coders/sun.c 2006-08-23 01:40:09.000000000 -0400
@@ -133,10 +133,10 @@
%
*/
static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
- const size_t length,unsigned char *pixels)
+ const size_t length,unsigned char *pixels,size_t maxpixels)
{
register const unsigned char
- *p;
+ *p, *l;
register unsigned char
*q;
@@ -152,7 +152,8 @@
assert(pixels != (unsigned char *) NULL);
p=compressed_pixels;
q=pixels;
- while ((size_t) (p-compressed_pixels) < length)
+ l=q+maxpixels;
+ while ((size_t) (p-compressed_pixels) < length && q < l)
{
byte=(*p++);
if (byte != 128U)
@@ -165,7 +166,7 @@
count=(ssize_t) (*p++);
if (count > 0)
byte=(*p++);
- while (count >= 0)
+ while (count >= 0 && q < l)
{
*q++=byte;
count--;
@@ -376,6 +377,8 @@
CloseBlob(image);
return(GetFirstImageInList(image));
}
+ if ((sun_info.length * sizeof(*sun_data)) / sizeof(*sun_data) != sun_info.length || !sun_info.length)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
sun_data=(unsigned char *)
AcquireMagickMemory((size_t) sun_info.length*sizeof(*sun_data));
if (sun_data == (unsigned char *) NULL)
@@ -393,11 +396,28 @@
Read run-length encoded raster pixels.
*/
height=sun_info.height;
- bytes_per_line=2*(sun_info.width*sun_info.depth+15)/16;
+
+ /* calculate bytes per line, verifying no overflow occurs */
+ bytes_per_line=sun_info.width*sun_info.depth;
+ if (!height || !sun_info.width || !sun_info.depth || bytes_per_line / sun_info.depth != sun_info.width)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+ if ((ULONG_MAX - bytes_per_line) < 15)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+ bytes_per_line += 15;
+ bytes_per_line <<= 1;
+ if (bytes_per_line >> 1 != sun_info.width * sun_info.depth + 15)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+ bytes_per_line >>= 4;
+ if ((bytes_per_line * height) / height != bytes_per_line)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
sun_pixels=(unsigned char *) AcquireMagickMemory(bytes_per_line*height);
if (sun_pixels == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- (void) DecodeImage(sun_data,sun_info.length,sun_pixels);
+ (void) DecodeImage(sun_data,sun_info.length,sun_pixels, bytes_per_line * height);
sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
}
/*
ImageMagick-6.2.2-cve-2006-4144.patch:
sgi.c | 4 ++++
1 files changed, 4 insertions(+)
--- NEW FILE ImageMagick-6.2.2-cve-2006-4144.patch ---
--- ImageMagick-6.2.2/coders/sgi.c.ormandy 2006-08-23 01:44:20.000000000 -0400
+++ ImageMagick-6.2.2/coders/sgi.c 2006-08-23 01:48:05.000000000 -0400
@@ -395,7 +395,11 @@
for (i=0; i < (int) (iris_info.rows*iris_info.depth); i++)
offsets[i]=(ssize_t) ReadBlobMSBLong(image);
for (i=0; i < (int) (iris_info.rows*iris_info.depth); i++)
+ {
runlength[i]=ReadBlobMSBLong(image);
+ if (runlength[i] >= (4*(size_t) iris_info.columns+10))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
/*
Check data order.
*/
Index: ImageMagick.spec
===================================================================
RCS file: /cvs/dist/rpms/ImageMagick/FC-4/ImageMagick.spec,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- ImageMagick.spec 24 May 2006 15:21:21 -0000 1.44
+++ ImageMagick.spec 23 Aug 2006 06:47:12 -0000 1.45
@@ -9,7 +9,7 @@
%else
Version: %{VER}
%endif
-Release: 3.fc4.2
+Release: 3.fc4.3
License: freeware
Group: Applications/Multimedia
%if "%{Patchlevel}" != ""
@@ -29,6 +29,10 @@
Patch9: ImageMagick-6.2.2-format-string-again.patch
# 192279
Patch10: ImageMagick-6.2.2-yet-another-overflow.patch
+# 202193
+Patch11: ImageMagick-6.2.2-cve-2006-3743.patch
+# 202771
+Patch12: ImageMagick-6.2.2-cve-2006-4144.patch
Url: http://www.imagemagick.org/
Buildroot: %{_tmppath}/%{name}-%{version}-root
@@ -125,6 +129,8 @@
%patch8 -p1 -b .mask
%patch9 -p1 -b .format-string-again
%patch10 -p1 -b .yet-another-overflow
+%patch11 -p1 -b .cve-2006-3743
+%patch12 -p1 -b .cve-2006-4144
%build
%configure --enable-shared \
@@ -234,6 +240,10 @@
%doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt
%changelog
+* Wed Aug 23 2006 Matthias Clasen <mclasen at redhat.com> - 6.2.2.0-3.fc4.3
+- fix several integer and buffer overflows (#202193, CVE-2006-3743)
+- fix more integer overflows (#202771, CVE-2006-4144)
+
* Wed May 24 2006 Matthias Clasen <mclasen at redhat.com> - 6.2.2.0-3.fc4.2
- Fix a heap overflow CVE-2006-2440 (#192279)
More information about the fedora-cvs-commits
mailing list