authorFrancesco Colista <fcolista@alpinelinux.org>2017-10-03 08:12:26 +0000
committerFrancesco Colista <fcolista@alpinelinux.org>2017-10-03 08:12:26 +0000
commita3156514cd10b8ec568649e64eb4f1ceb2879c39 (patch)
treee9a9cdfd92f65b4cfda0e44616b0653a3fa32fb2 /community/graphicsmagick/CVE-2017-14165.patch
parent7f29820b2245b38b761bebe248ccc12e474ef6cb (diff)
community/graphicsmagick: security fixes (CVE-2017-13065, CVE-2017-13648, CVE-2017-14042, CVE-2017-14103, CVE-2017-14165)
Diffstat (limited to 'community/graphicsmagick/CVE-2017-14165.patch')
-rw-r--r--community/graphicsmagick/CVE-2017-14165.patch68
1 files changed, 68 insertions, 0 deletions
diff --git a/community/graphicsmagick/CVE-2017-14165.patch b/community/graphicsmagick/CVE-2017-14165.patch
new file mode 100644
index 0000000000..67e6ef807e
--- /dev/null
+++ b/community/graphicsmagick/CVE-2017-14165.patch
@@ -0,0 +1,68 @@
+
+# HG changeset patch
+# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
+# Date 1503257388 18000
+# Node ID 493da54370aa42cb430c52a69eb75db0001a5589
+# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f
+SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions.
+
+diff -r f87246749079 -r 493da54370aa coders/sun.c
+--- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200
++++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500
+@@ -498,6 +498,12 @@
+ if (sun_info.depth < 8)
+ image->depth=sun_info.depth;
+
++ if (image_info->ping)
++ {
++ CloseBlob(image);
++ return(image);
++ }
++
+ /*
+ Compute bytes per line and bytes per image for an unencoded
+ image.
+@@ -522,15 +528,37 @@
+ if (bytes_per_image > sun_info.length)
+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+
+- if (image_info->ping)
+- {
+- CloseBlob(image);
+- return(image);
+- }
+ if (sun_info.type == RT_ENCODED)
+ sun_data_length=(size_t) sun_info.length;
+ else
+ sun_data_length=bytes_per_image;
++
++ /*
++ Verify that data length claimed by header is supported by file size
++ */
++ if (sun_info.type == RT_ENCODED)
++ {
++ if (sun_data_length < bytes_per_image/255U)
++ {
++ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
++ }
++ }
++ if (BlobIsSeekable(image))
++ {
++ const magick_off_t file_size = GetBlobSize(image);
++ const magick_off_t current_offset = TellBlob(image);
++ if ((file_size > 0) &&
++ (current_offset > 0) &&
++ (file_size > current_offset))
++ {
++ const magick_off_t remaining = file_size-current_offset;
++ if (remaining < (magick_off_t) sun_data_length)
++ {
++ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
++ }
++ }
++ }
++
+ sun_data=MagickAllocateMemory(unsigned char *,sun_data_length);
+ if (sun_data == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+
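Review bot: The file-size check added in the second coders/sun.c hunk is skipped whenever `file_size > current_offset` is false, so a file that ends exactly at the end of the header still reaches `MagickAllocateMemory` with the header-claimed `sun_data_length`. Dropping that third condition and testing `if ((file_size - current_offset) < (magick_off_t) sun_data_length)` would reject that case as well, assuming GetBlobSize and TellBlob are reliable at this point, which the hunk does not show. The check also runs only when `BlobIsSeekable(image)` is true, so for piped input the allocation size is still taken from the header and has to be bounded by resource limits; a comment above the `BlobIsSeekable` test such as `/* non-seekable blobs are not checked here; allocation is bounded only by resource limits */` would make that explicit. The first hunk moves the `image_info->ping` return ahead of the `bytes_per_image > sun_info.length` test, so ping mode now reports dimensions from headers that a full read would reject, which matters to callers that use ping to pre-validate untrusted files. The enclosing reader function starts and ends outside both hunks.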