rpms/ImageMagick/devel ImageMagick-6.2.8-CVE-2007-1797.patch, NONE, 1.1 ImageMagick.spec, 1.69, 1.70

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Apr 5 12:18:31 UTC 2007 

Author: nmurray

Update of /cvs/dist/rpms/ImageMagick/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv995

Modified Files:
	ImageMagick.spec 
Added Files:
	ImageMagick-6.2.8-CVE-2007-1797.patch 
Log Message:
Resolves BZ235075


ImageMagick-6.2.8-CVE-2007-1797.patch:
 dcm.c |    2 ++
 xwd.c |   10 +++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

--- NEW FILE ImageMagick-6.2.8-CVE-2007-1797.patch ---
--- ImageMagick/coders/dcm.c.orig	2007-04-03 18:27:57.000000000 +0200
+++ ImageMagick/coders/dcm.c	2007-04-03 18:31:16.000000000 +0200
@@ -2902,6 +2902,8 @@ static Image *ReadDCMImage(const ImageIn
             {
               data=(unsigned char *)
                 AcquireMagickMemory((size_t) quantum*(length+1));
+              if (length > ((~0UL)/quantum))
+                ThrowReaderException(CorruptImageError,"ImproperImageHeader");
               if (data == (unsigned char *) NULL)
                 ThrowReaderException(ResourceLimitError,
                   "MemoryAllocationFailed");
--- ImageMagick/coders/xwd.c.orig	2007-04-03 19:21:18.000000000 +0200
+++ ImageMagick/coders/xwd.c	2007-04-03 19:24:36.000000000 +0200
@@ -236,7 +236,9 @@ static Image *ReadXWDImage(const ImageIn
   if (header.header_size < sz_XWDheader)
     ThrowReaderException(CorruptImageError,"CorruptImage");
   length=(size_t) header.header_size-sz_XWDheader;
-  comment=(char *) AcquireMagickMemory(length+MaxTextExtent);
+  if (length > ((~0UL)/sizeof(*comment)))
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+  comment=(char *) AcquireMagickMemory((length+1)*sizeof(*comment));
   if (comment == (char *) NULL)
     ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
   count=ReadBlob(image,length,(unsigned char *) comment);
@@ -278,8 +281,10 @@ static Image *ReadXWDImage(const ImageIn
       XWDColor
         color;
 
-      colors=(XColor *)
-        AcquireMagickMemory((size_t) header.ncolors*sizeof(*colors));
+      length=(size_t) header.ncolors;
+      if (length > ((~0UL)/sizeof(*colors)))
+        ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+      colors=(XColor *) AcquireMagickMemory(length*sizeof(*colors));
       if (colors == (XColor *) NULL)
         ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
       for (i=0; i < (long) header.ncolors; i++)


Index: ImageMagick.spec
===================================================================
RCS file: /cvs/dist/rpms/ImageMagick/devel/ImageMagick.spec,v
retrieving revision 1.69
retrieving revision 1.70
diff -u -r1.69 -r1.70
--- ImageMagick.spec	30 Mar 2007 04:41:40 -0000	1.69
+++ ImageMagick.spec	5 Apr 2007 12:18:29 -0000	1.70
@@ -9,7 +9,7 @@
 %else
 Version: %{VER}
 %endif
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: freeware
 Group: Applications/Multimedia
 %if "%{Patchlevel}" != ""
@@ -22,6 +22,9 @@
 Patch2: ImageMagick-6.2.8-multilib.patch
 Patch3: ImageMagick-6.3.2-perl-parallel-build.patch
 Patch4: ImageMagick-6.3.2-perl-liblink.patch
+# 235075
+Patch5: ImageMagick-6.2.8-CVE-2007-1797.patch
+
 
 Url: http://www.imagemagick.org/
 Buildroot: %{_tmppath}/%{name}-%{version}-root
@@ -122,7 +125,7 @@
 %patch2 -p1 -b .multilib
 %patch3 -p1 -b .perl-build
 %patch4 -p1 -b .perl-link
-
+%patch5 -p1 -b .cve-2007-1797
 
 %build
 %configure --enable-shared \
@@ -258,6 +261,9 @@
 %doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt
 
 %changelog
+* Thu Apr  5 2007 Norm Murray <nmurray at redhat.com> 6.3.2.9-3.fc7
+- heap overflows (#235075, CVE-2007-1797)
+
 * Fri Mar 30 2007 Norm Murray <nmurray at redhat.com> 6.3.2.9-2.fc7
 - perlmagick build fix (#231259)

More information about the fedora-cvs-commits mailing list