-rw-r--r--community/graphicsmagick/CVE-2017-11403.patch14
-rw-r--r--community/graphicsmagick/CVE-2017-11642.patch43
-rw-r--r--community/graphicsmagick/CVE-2017-11722.patch33
-rw-r--r--community/graphicsmagick/CVE-2017-12935.patch35
-rw-r--r--community/graphicsmagick/CVE-2017-12936.patch23
-rw-r--r--community/graphicsmagick/CVE-2017-12937.patch34
-rw-r--r--community/graphicsmagick/CVE-2017-13063-13064-13065.patch96
-rw-r--r--community/graphicsmagick/CVE-2017-13648.patch23
-rw-r--r--community/graphicsmagick/CVE-2017-13775.patch182
-rw-r--r--community/graphicsmagick/CVE-2017-13776-13777.patch165
-rw-r--r--community/graphicsmagick/CVE-2017-14042.patch77
-rw-r--r--community/graphicsmagick/CVE-2017-14103.patch137
-rw-r--r--community/graphicsmagick/CVE-2017-14165.patch68
13 files changed, 0 insertions, 930 deletions
diff --git a/community/graphicsmagick/CVE-2017-11403.patch b/community/graphicsmagick/CVE-2017-11403.patch
deleted file mode 100644
index f3ae7b0298..0000000000
--- a/community/graphicsmagick/CVE-2017-11403.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -r b24f2a9b0dd7 -r d0a76868ca37 coders/png.c
---- a/coders/png.c Mon Jul 10 11:31:05 2017 -0400
-+++ b/coders/png.c Mon Jul 10 12:40:55 2017 -0400
-@@ -5161,8 +5161,8 @@
-
- if (image == (Image *) NULL)
- {
-+ CloseBlob(previous);
- DestroyImageList(previous);
-- CloseBlob(previous);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
- return((Image *) NULL);
- }
-
diff --git a/community/graphicsmagick/CVE-2017-11642.patch b/community/graphicsmagick/CVE-2017-11642.patch
deleted file mode 100644
index 144ed78e7e..0000000000
--- a/community/graphicsmagick/CVE-2017-11642.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1500758975 18000
-# Node ID 29550606d8b9bf74f9aea0637d11d19fe706871b
-# Parent 30cd2b31f7e045de4861b102e3f8d83db579bc7a
-MAP: Fix null pointer dereference or SEGV if input is not colormapped.
-
-diff -r 30cd2b31f7e0 -r 29550606d8b9 coders/map.c
---- a/coders/map.c Sat Jul 22 15:40:00 2017 -0500
-+++ b/coders/map.c Sat Jul 22 16:29:35 2017 -0500
-@@ -18,7 +18,7 @@
- % M M A A P %
- % %
- % %
--% Read/Write Image Colormaps As An Image File %
-+% Read/Write Image Colormaps And Image File %
- % %
- % %
- % Software Design %
-@@ -349,16 +349,17 @@
- /*
- Allocate colormap.
- */
-- if (!IsPaletteImage(image,&image->exception))
-- (void) SetImageType(image,PaletteType);
-+ if (SetImageType(image,PaletteType) == MagickFail)
-+ ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image);
- packet_size=image->depth > 8 ? 2 : 1;
-- pixels=MagickAllocateMemory(unsigned char *,image->columns*packet_size);
-+ pixels=MagickAllocateArray(unsigned char *,image->columns,packet_size);
- if (pixels == (unsigned char *) NULL)
- ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image);
- packet_size=image->colors > 256 ? 6 : 3;
-- colormap=MagickAllocateMemory(unsigned char *,packet_size*image->colors);
-+ colormap=MagickAllocateArray(unsigned char *,packet_size,image->colors);
- if (colormap == (unsigned char *) NULL)
- ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image);
-+
- /*
- Write colormap to file.
- */
-
diff --git a/community/graphicsmagick/CVE-2017-11722.patch b/community/graphicsmagick/CVE-2017-11722.patch
deleted file mode 100644
index f1ce0ad73f..0000000000
--- a/community/graphicsmagick/CVE-2017-11722.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-
-# HG changeset patch
-# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
-# Date 1501028322 14400
-# Node ID f423ba88ca4ed01b7143520a7e00c360049aa823
-# Parent d1e56efb0162a836707d41182d6d658d1cad49e6
-coders/png.c: Fixed writer bug due to missing brackets
-
-diff -r d1e56efb0162 -r f423ba88ca4e coders/png.c
---- a/coders/png.c Tue Jul 25 19:38:39 2017 -0400
-+++ b/coders/png.c Tue Jul 25 20:18:42 2017 -0400
-@@ -7125,12 +7125,14 @@
- png_error(ping, "Could not allocate trans_alpha");
-
- for (i=0; i<(int) number_colors; i++)
-- if (trans_alpha[i] == 256)
-- ping_trans_alpha[i]=255;
-- else
-- ping_trans_alpha[i]=(png_byte) trans_alpha[i];
-- (void) LogMagickEvent(CoderEvent, GetMagickModule(),
-- " Alpha[%d]=%d",(int) i, (int) trans_alpha[i]);
-+ {
-+ if (trans_alpha[i] == 256)
-+ ping_trans_alpha[i]=255;
-+ else
-+ ping_trans_alpha[i]=(png_byte) trans_alpha[i];
-+ (void) LogMagickEvent(CoderEvent, GetMagickModule(),
-+ " Alpha[%d]=%d",(int) i, (int) trans_alpha[i]);
-+ }
- }
- }
-
-
diff --git a/community/graphicsmagick/CVE-2017-12935.patch b/community/graphicsmagick/CVE-2017-12935.patch
deleted file mode 100644
index 650c28d3df..0000000000
--- a/community/graphicsmagick/CVE-2017-12935.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-
-# HG changeset patch
-# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
-# Date 1501123201 14400
-# Node ID cd699a44f188acf23493c969ef2d3f9fa7c8f8df
-# Parent be898b7c97bd855fc6fa0cef983faae916bd0c93
-Reject MNG with too-large dimensions (over 65535)
-
-diff -r be898b7c97bd -r cd699a44f188 coders/png.c
---- a/coders/png.c Wed Jul 26 19:47:56 2017 -0500
-+++ b/coders/png.c Wed Jul 26 22:40:01 2017 -0400
-@@ -4084,11 +4084,17 @@
- mng_info->image=image;
- }
-
-- if ((mng_info->mng_width > 65535L) || (mng_info->mng_height
-- > 65535L))
-- (void) ThrowException(&image->exception,ImageError,
-- WidthOrHeightExceedsLimit,
-- image->filename);
-+ if ((mng_info->mng_width > 65535L) ||
-+ (mng_info->mng_height > 65535L))
-+ {
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " MNG width or height is too large: %lu, %lu",
-+ mng_info->mng_width,mng_info->mng_height);
-+ MagickFreeMemory(chunk);
-+ ThrowReaderException(CorruptImageError,
-+ ImproperImageHeader,image);
-+ }
-+
- FormatString(page_geometry,"%lux%lu+0+0",mng_info->mng_width,
- mng_info->mng_height);
- mng_info->frame.left=0;
-
diff --git a/community/graphicsmagick/CVE-2017-12936.patch b/community/graphicsmagick/CVE-2017-12936.patch
deleted file mode 100644
index 37a4e6be9c..0000000000
--- a/community/graphicsmagick/CVE-2017-12936.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1501116476 18000
-# Node ID be898b7c97bd855fc6fa0cef983faae916bd0c93
-# Parent 6a632982c866f36dbad87e4ab953e08a290eaa8b
-WMF: Eliminate use of already freed heap data in error reporting path.
-
-diff -r 6a632982c866 -r be898b7c97bd coders/wmf.c
---- a/coders/wmf.c Tue Jul 25 20:11:16 2017 -0500
-+++ b/coders/wmf.c Wed Jul 26 19:47:56 2017 -0500
-@@ -2719,8 +2719,8 @@
- if(image->exception.severity != UndefinedException)
- ThrowException2(exception,
- CoderWarning,
-- ddata->image->exception.reason,
-- ddata->image->exception.description);
-+ image->exception.reason,
-+ image->exception.description);
-
- if(logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),"leave ReadWMFImage()");
-
diff --git a/community/graphicsmagick/CVE-2017-12937.patch b/community/graphicsmagick/CVE-2017-12937.patch
deleted file mode 100644
index ee78a0ecda..0000000000
--- a/community/graphicsmagick/CVE-2017-12937.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1501555785 18000
-# Node ID 95d00d55e978dec3e1bb4c288dbc210b5cc8bea1
-# Parent 921a31d31ea85405b54771941e195782e50e589d
-SUN: Fix heap read overflow while indexing colormap in bilevel decoder
-
-diff -r 921a31d31ea8 -r 95d00d55e978 coders/sun.c
---- a/coders/sun.c Mon Jul 31 09:35:26 2017 -0400
-+++ b/coders/sun.c Mon Jul 31 21:49:45 2017 -0500
-@@ -1,5 +1,5 @@
- /*
--% Copyright (C) 2003-2015 GraphicsMagick Group
-+% Copyright (C) 2003-2017 GraphicsMagick Group
- % Copyright (C) 2002 ImageMagick Studio
- % Copyright 1991-1999 E. I. du Pont de Nemours and Company
- %
-@@ -577,6 +577,7 @@
- for (bit=7; bit >= 0; bit--)
- {
- index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
-+ VerifyColormapIndex(image,index);
- indexes[x+7-bit]=index;
- q[x+7-bit]=image->colormap[index];
- }
-@@ -587,6 +588,7 @@
- for (bit=7; bit >= (long) (8-(image->columns % 8)); bit--)
- {
- index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
-+ VerifyColormapIndex(image,index);
- indexes[x+7-bit]=index;
- q[x+7-bit]=image->colormap[index];
- }
diff --git a/community/graphicsmagick/CVE-2017-13063-13064-13065.patch b/community/graphicsmagick/CVE-2017-13063-13064-13065.patch
deleted file mode 100644
index ce35e0623c..0000000000
--- a/community/graphicsmagick/CVE-2017-13063-13064-13065.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1502890099 18000
-# Node ID 54f48ab2d52a2a4af99781057075d8ea9744a649
-# Parent 4970ea920a9388d6f08be1b35d58ef5efded4908
-SVG: Fix buffer-overflow and inconsistent behavior in GetStyleTokens().
-
-diff -r 4970ea920a93 -r 54f48ab2d52a coders/svg.c
---- a/coders/svg.c Tue Aug 15 08:05:00 2017 -0500
-+++ b/coders/svg.c Wed Aug 16 08:28:19 2017 -0500
-@@ -267,11 +267,12 @@
- char
- **tokens;
-
-- register const char
-+ const char
- *p,
- *q;
-
-- register size_t
-+ size_t
-+ alloc_tokens,
- i;
-
- SVGInfo
-@@ -279,21 +280,27 @@
-
- svg_info=(SVGInfo *) context;
- *number_tokens=0;
-+ alloc_tokens=0;
- if (text == (const char *) NULL)
- return((char **) NULL);
- /*
- Determine the number of arguments.
-+
-+ style="fill: red; stroke: blue; stroke-width: 3"
- */
- for (p=text; *p != '\0'; p++)
- if (*p == ':')
-- (*number_tokens)+=2;
-- tokens=MagickAllocateMemory(char **,(*number_tokens+2)*sizeof(*tokens));
-+ alloc_tokens+=2;
-+ if (alloc_tokens == 0)
-+ return((char **) NULL);
-+ tokens=MagickAllocateMemory(char **,(alloc_tokens+2)*sizeof(*tokens));
- if (tokens == (char **) NULL)
- {
- ThrowException3(svg_info->exception,ResourceLimitError,
- MemoryAllocationFailed,UnableToConvertStringToTokens);
- return((char **) NULL);
- }
-+ (void) memset(tokens,0,(alloc_tokens+2)*sizeof(*tokens));
- /*
- Convert string to an ASCII list.
- */
-@@ -304,14 +311,36 @@
- if ((*q != ':') && (*q != ';') && (*q != '\0'))
- continue;
- tokens[i]=AllocateString(p);
-+ if (tokens[i] == NULL)
-+ {
-+ ThrowException3(svg_info->exception,ResourceLimitError,
-+ MemoryAllocationFailed,UnableToConvertStringToTokens);
-+ break;
-+ }
- (void) strlcpy(tokens[i],p,q-p+1);
-- Strip(tokens[i++]);
-+ Strip(tokens[i]);
-+ i++;
-+ if (i >= alloc_tokens)
-+ break;
- p=q+1;
- }
-- tokens[i]=AllocateString(p);
-- (void) strlcpy(tokens[i],p,q-p+1);
-- Strip(tokens[i++]);
-+ if (i < alloc_tokens)
-+ {
-+ tokens[i]=AllocateString(p);
-+ if (tokens[i] == NULL)
-+ {
-+ ThrowException3(svg_info->exception,ResourceLimitError,
-+ MemoryAllocationFailed,UnableToConvertStringToTokens);
-+ }
-+ else
-+ {
-+ (void) strlcpy(tokens[i],p,q-p+1);
-+ Strip(tokens[i]);
-+ i++;
-+ }
-+ }
- tokens[i]=(char *) NULL;
-+ *number_tokens=i;
- return(tokens);
- }
-
diff --git a/community/graphicsmagick/CVE-2017-13648.patch b/community/graphicsmagick/CVE-2017-13648.patch
deleted file mode 100644
index f27c313ce1..0000000000
--- a/community/graphicsmagick/CVE-2017-13648.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1505397055 18000
-# Node ID a0e598438aa970f237fa9b35edce0728cc144f29
-# Parent cadd4b0522fa8b6b6e8ea6a5a9b4a5baebc1b011
-MAT: Fix under-sized allocation leading to heap overflow.
-
-diff -r cadd4b0522fa -r a0e598438aa9 coders/mat.c
---- a/coders/mat.c Wed Sep 13 10:28:42 2017 -0400
-+++ b/coders/mat.c Thu Sep 14 08:50:55 2017 -0500
-@@ -1050,9 +1050,10 @@
- }
-
- /* ----- Load raster data ----- */
-- BImgBuff = MagickAllocateMemory(unsigned char *,(size_t) (ldblk)); /* Ldblk was set in the check phase */
-+ BImgBuff = MagickAllocateArray(unsigned char *,(size_t) (ldblk),sizeof(double)); /* Ldblk was set in the check phase */
- if (BImgBuff == NULL)
- goto NoMemory;
-+ (void) memset(BImgBuff,0,ldblk*sizeof(double));
-
- if (CellType==miDOUBLE) /* Find Min and Max Values for floats */
- {
diff --git a/community/graphicsmagick/CVE-2017-13775.patch b/community/graphicsmagick/CVE-2017-13775.patch
deleted file mode 100644
index d627db2743..0000000000
--- a/community/graphicsmagick/CVE-2017-13775.patch
+++ /dev/null
@@ -1,182 +0,0 @@
-diff -r 198ea602ea7c -r b037d79b6ccd coders/jnx.c
---- a/coders/jnx.c Tue Aug 22 08:08:30 2017 -0500
-+++ b/coders/jnx.c Sat Aug 26 14:14:13 2017 -0500
-@@ -1,5 +1,5 @@
- /*
--% Copyright (C) 2012-2015 GraphicsMagick Group
-+% Copyright (C) 2012-2017 GraphicsMagick Group
- %
- % This program is covered by multiple licenses, which are described in
- % Copyright.txt. You should have received a copy of Copyright.txt with this
-@@ -100,6 +100,7 @@
-
- char img_label_str[MaxTextExtent];
-
-+
- alloc_size = TileInfo->PicSize + 2;
-
- if (image->logging)
-@@ -242,6 +243,9 @@
- total_tiles,
- current_tile;
-
-+ magick_off_t
-+ file_size;
-+
- /* Open image file. */
- assert(image_info != (const ImageInfo *) NULL);
- assert(image_info->signature == MagickSignature);
-@@ -254,9 +258,8 @@
- if (status == False)
- ThrowReaderException(FileOpenError, UnableToOpenFile, image);
-
-- memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
--
- /* Read JNX image header. */
-+ (void) memset(&JNXHeader, 0, sizeof(JNXHeader));
- JNXHeader.Version = ReadBlobLSBLong(image);
- if (JNXHeader.Version > 4)
- ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
-@@ -266,8 +269,6 @@
- JNXHeader.MapBounds.SouthWest.lat = ReadBlobLSBLong(image);
- JNXHeader.MapBounds.SouthWest.lon = ReadBlobLSBLong(image);
- JNXHeader.Levels = ReadBlobLSBLong(image);
-- if (JNXHeader.Levels > 20)
-- ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
- JNXHeader.Expiration = ReadBlobLSBLong(image);
- JNXHeader.ProductID = ReadBlobLSBLong(image);
- JNXHeader.CRC = ReadBlobLSBLong(image);
-@@ -279,7 +280,41 @@
- if (EOFBlob(image))
- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-
-+ file_size = GetBlobSize(image);
-+
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "JNX Header:\n"
-+ " Version: %u\n"
-+ " DeviceSN: %u\n"
-+ " MapBounds:\n"
-+ " NorthEast: lat = %u, lon = %u\n"
-+ " SouthWest: lat = %u, lon = %u\n"
-+ " Levels: %u\n"
-+ " Expiration: %u\n"
-+ " ProductID: %u\n"
-+ " CRC: %u\n"
-+ " SigVersion: %u\n"
-+ " SigOffset: %u\n"
-+ " ZOrder: %u",
-+ JNXHeader.Version,
-+ JNXHeader.DeviceSN,
-+ JNXHeader.MapBounds.NorthEast.lat,
-+ JNXHeader.MapBounds.NorthEast.lon,
-+ JNXHeader.MapBounds.SouthWest.lat,
-+ JNXHeader.MapBounds.SouthWest.lon,
-+ JNXHeader.Levels,
-+ JNXHeader.Expiration,
-+ JNXHeader.ProductID,
-+ JNXHeader.CRC,
-+ JNXHeader.SigVersion,
-+ JNXHeader.SigOffset,
-+ JNXHeader.ZOrder);
-+
-+ if (JNXHeader.Levels > 20)
-+ ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
-+
- /* Read JNX image level info. */
-+ memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
- total_tiles = 0;
- current_tile = 0;
- for (i = 0; i < JNXHeader.Levels; i++)
-@@ -302,11 +337,23 @@
- {
- JNXLevelInfo[i].Copyright = NULL;
- }
-+
-+ if (EOFBlob(image))
-+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+
-+ if (image->logging)
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "Level[%u] Info:"
-+ " TileCount: %4u"
-+ " TilesOffset: %6u"
-+ " Scale: %04u",
-+ i,
-+ JNXLevelInfo[i].TileCount,
-+ JNXLevelInfo[i].TilesOffset,
-+ JNXLevelInfo[i].Scale
-+ );
- }
-
-- if (EOFBlob(image))
-- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
--
- /* Get the current limit */
- SaveLimit = GetMagickResourceLimit(MapResource);
-
-@@ -316,11 +363,32 @@
- /* Read JNX image data. */
- for (i = 0; i < JNXHeader.Levels; i++)
- {
-+ /*
-+ Validate TileCount against remaining file data
-+ */
-+ const magick_off_t current_offset = TellBlob(image);
-+ const size_t pos_list_entry_size =
-+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + sizeof(magick_uint32_t) +
-+ sizeof(magick_uint32_t) + sizeof(magick_uint16_t) + sizeof(magick_uint16_t) +
-+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t);
-+ const magick_off_t remaining = file_size-current_offset;
-+ const size_t needed = MagickArraySize(pos_list_entry_size,JNXLevelInfo[i].TileCount);
-+
-+ if ((needed == 0U) || (remaining <= 0) || (remaining < (magick_off_t) needed))
-+ {
-+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
-+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+ }
-+
- PositionList = MagickAllocateArray(TJNXTileInfo *,
- JNXLevelInfo[i].TileCount,
- sizeof(TJNXTileInfo));
- if (PositionList == NULL)
-- continue;
-+ {
-+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
-+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
-+ image);
-+ }
-
- (void) SeekBlob(image, JNXLevelInfo[i].TilesOffset, SEEK_SET);
- for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
-@@ -333,12 +401,15 @@
- PositionList[j].PicHeight = ReadBlobLSBShort(image);
- PositionList[j].PicSize = ReadBlobLSBLong(image);
- PositionList[j].PicOffset = ReadBlobLSBLong(image);
-- }
-
-- if (EOFBlob(image))
-- {
-- MagickFreeMemory(PositionList);
-- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+ if (EOFBlob(image) ||
-+ ((magick_off_t) PositionList[j].PicOffset +
-+ PositionList[j].PicSize > file_size))
-+ {
-+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
-+ MagickFreeMemory(PositionList);
-+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+ }
- }
-
- for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
-@@ -351,6 +422,9 @@
- image = ExtractTileJPG(image, image_info, PositionList+j, exception);
- (void) SetMonitorHandler(previous_handler);
-
-+ if (exception->severity >= ErrorException)
-+ break;
-+
- current_tile++;
- if (QuantumTick(current_tile,total_tiles))
- if (!MagickMonitorFormatted(current_tile,total_tiles,exception,
diff --git a/community/graphicsmagick/CVE-2017-13776-13777.patch b/community/graphicsmagick/CVE-2017-13776-13777.patch
deleted file mode 100644
index d1ecbba678..0000000000
--- a/community/graphicsmagick/CVE-2017-13776-13777.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-diff -r b037d79b6ccd -r 233a720bfd5e coders/xbm.c
---- a/coders/xbm.c Sat Aug 26 14:14:13 2017 -0500
-+++ b/coders/xbm.c Sat Aug 26 15:26:15 2017 -0500
-@@ -1,5 +1,5 @@
- /*
--% Copyright (C) 2003 -2012 GraphicsMagick Group
-+% Copyright (C) 2003-2017 GraphicsMagick Group
- % Copyright (C) 2002 ImageMagick Studio
- % Copyright 1991-1999 E. I. du Pont de Nemours and Company
- %
-@@ -121,13 +121,15 @@
-
- static int XBMInteger(Image *image,short int *hex_digits)
- {
-+ unsigned int
-+ flag;
-+
- int
- c,
-- flag,
- value;
-
- value=0;
-- flag=0;
-+ flag=0U;
- for ( ; ; )
- {
- c=ReadBlobByte(image);
-@@ -158,18 +160,14 @@
- Image
- *image;
-
-- int
-- bit;
--
-- long
-- y;
--
- register IndexPacket
- *indexes;
-
-- register long
-+ register size_t
-+ bytes_per_line,
- i,
-- x;
-+ x,
-+ y;
-
- register PixelPacket
- *q;
-@@ -177,22 +175,24 @@
- register unsigned char
- *p;
-
-- short int
-- hex_digits[256];
--
- unsigned char
- *data;
-
- unsigned int
-+ bit,
-+ byte,
-+ padding,
-+ version;
-+
-+ int
-+ value;
-+
-+ short int
-+ hex_digits[256];
-+
-+ MagickPassFail
- status;
-
-- unsigned long
-- byte,
-- bytes_per_line,
-- padding,
-- value,
-- version;
--
- /*
- Open image file.
- */
-@@ -207,6 +207,8 @@
- /*
- Read X bitmap header.
- */
-+ (void) memset(buffer,0,sizeof(buffer));
-+ name[0]='\0';
- while (ReadBlobString(image,buffer) != (char *) NULL)
- if (sscanf(buffer,"#define %s %lu",name,&image->columns) == 2)
- if ((strlen(name) >= 6) &&
-@@ -278,6 +280,8 @@
- /*
- Initialize hex values.
- */
-+ for (i = 0; i < sizeof(hex_digits)/sizeof(hex_digits[0]); i++)
-+ hex_digits[i]=(-1);
- hex_digits['0']=0;
- hex_digits['1']=1;
- hex_digits['2']=2;
-@@ -311,40 +315,50 @@
- */
- p=data;
- if (version == 10)
-- for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2))
-+ for (i=0; i < (bytes_per_line*image->rows); (i+=2))
- {
- value=XBMInteger(image,hex_digits);
-+ if (value < 0)
-+ {
-+ MagickFreeMemory(data);
-+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-+ }
- *p++=(unsigned char) value;
- if (!padding || ((i+2) % bytes_per_line))
- *p++=(unsigned char) (value >> 8);
- }
- else
-- for (i=0; i < (long) (bytes_per_line*image->rows); i++)
-+ for (i=0; i < (bytes_per_line*image->rows); i++)
- {
- value=XBMInteger(image,hex_digits);
-+ if (value < 0)
-+ {
-+ MagickFreeMemory(data);
-+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-+ }
- *p++=(unsigned char) value;
- }
- /*
- Convert X bitmap image to pixel packets.
- */
- p=data;
-- for (y=0; y < (long) image->rows; y++)
-+ for (y=0; y < image->rows; y++)
- {
- q=SetImagePixels(image,0,y,image->columns,1);
- if (q == (PixelPacket *) NULL)
- break;
- indexes=AccessMutableIndexes(image);
-- bit=0;
-- byte=0;
-- for (x=0; x < (long) image->columns; x++)
-+ bit=0U;
-+ byte=0U;
-+ for (x=0; x < image->columns; x++)
- {
-- if (bit == 0)
-+ if (bit == 0U)
- byte=(*p++);
- indexes[x]=byte & 0x01 ? 0x01 : 0x00;
- bit++;
-- byte>>=1;
-- if (bit == 8)
-- bit=0;
-+ byte>>=1U;
-+ if (bit == 8U)
-+ bit=0U;
- }
- if (!SyncImagePixels(image))
- break;
diff --git a/community/graphicsmagick/CVE-2017-14042.patch b/community/graphicsmagick/CVE-2017-14042.patch
deleted file mode 100644
index 524632a1ed..0000000000
--- a/community/graphicsmagick/CVE-2017-14042.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1503268616 18000
-# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072
-# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3
-PNM: For binary formats, verify sufficient backing file data before memory request.
-
-diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c
---- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500
-+++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500
-@@ -569,7 +569,7 @@
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u",
- image->colors);
- }
-- number_pixels=image->columns*image->rows;
-+ number_pixels=MagickArraySize(image->columns,image->rows);
- if (number_pixels == 0)
- ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image);
- if (image->storage_class == PseudoClass)
-@@ -858,14 +858,14 @@
- if (1 == bits_per_sample)
- {
- /* PBM */
-- bytes_per_row=((image->columns+7) >> 3);
-+ bytes_per_row=((image->columns+7U) >> 3);
- import_options.grayscale_miniswhite=MagickTrue;
- quantum_type=GrayQuantum;
- }
- else
- {
- /* PGM & XV_332 */
-- bytes_per_row=((bits_per_sample+7)/8)*image->columns;
-+ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns);
- if (XV_332_Format == format)
- {
- quantum_type=IndexQuantum;
-@@ -878,7 +878,8 @@
- }
- else
- {
-- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns;
-+ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel),
-+ image->columns);
- if (3 == samples_per_pixel)
- {
- /* PPM */
-@@ -915,6 +916,28 @@
- is_monochrome=MagickFalse;
- }
- }
-+
-+ /* Validate file size before allocating memory */
-+ if (BlobIsSeekable(image))
-+ {
-+ const magick_off_t file_size = GetBlobSize(image);
-+ const magick_off_t current_offset = TellBlob(image);
-+ if ((file_size > 0) &&
-+ (current_offset > 0) &&
-+ (file_size > current_offset))
-+ {
-+ const magick_off_t remaining = file_size-current_offset;
-+ const magick_off_t needed = (magick_off_t) image->rows *
-+ (magick_off_t) bytes_per_row;
-+ if ((remaining < (magick_off_t) bytes_per_row) ||
-+ (remaining < needed))
-+ {
-+ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,
-+ image->filename);
-+ break;
-+ }
-+ }
-+ }
-
- scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1);
- if (scanline_set == (ThreadViewDataSet *) NULL)
-
diff --git a/community/graphicsmagick/CVE-2017-14103.patch b/community/graphicsmagick/CVE-2017-14103.patch
deleted file mode 100644
index dbcaea1343..0000000000
--- a/community/graphicsmagick/CVE-2017-14103.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-http://www.openwall.com/lists/oss-security/2017/09/01/6
-
-CVE-2017-11403:
-http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37
-
-CVE-2017-14103:
-http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f
-
-some changes were made to make the patch apply
-
-# HG changeset patch
-# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
-# Date 1503875721 14400
-# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2
-# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad
-Attempt to fix Issue 440.
-
-diff -ru a/coders/png.c b/coders/png.c
---- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
-+++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400
-@@ -3106,7 +3106,9 @@
- if (length > PNG_MAX_UINT || count == 0)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(CorruptImageError,CorruptImage,image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "chunk length (%lu) > PNG_MAX_UINT",length);
-+ return ((Image*)NULL);
- }
-
- chunk=(unsigned char *) NULL;
-@@ -3117,13 +3119,16 @@
- if (chunk == (unsigned char *) NULL)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
-- image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " Could not allocate chunk memory");
-+ return ((Image*)NULL);
- }
- if (ReadBlob(image,length,chunk) < length)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(CorruptImageError,CorruptImage,image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " chunk reading was incomplete");
-+ return ((Image*)NULL);
- }
- p=chunk;
- }
-@@ -3198,7 +3203,7 @@
- jng_width, jng_height);
- MagickFreeMemory(chunk);
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-+ return ((Image *)NULL);
- }
-
- /* Temporarily set width and height resources to match JHDR */
-@@ -3233,8 +3238,9 @@
- if (color_image == (Image *) NULL)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
-- image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not open color_image blob");
-+ return ((Image *)NULL);
- }
- if (logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-@@ -3245,7 +3251,9 @@
- if (status == MagickFalse)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not open color_image blob");
-+ return ((Image *)NULL);
- }
-
- if (!image_info->ping && jng_color_type >= 12)
-@@ -3255,17 +3263,18 @@
- if (alpha_image_info == (ImageInfo *) NULL)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(ResourceLimitError,
-- MemoryAllocationFailed, image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not allocate alpha_image_info",length);
-+ return ((Image *)NULL);
- }
- GetImageInfo(alpha_image_info);
- alpha_image=AllocateImage(alpha_image_info);
- if (alpha_image == (Image *) NULL)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(ResourceLimitError,
-- MemoryAllocationFailed,
-- alpha_image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not allocate alpha_image");
-+ return ((Image *)NULL);
- }
- if (logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-@@ -3277,7 +3286,9 @@
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
- DestroyImage(alpha_image);
-- ThrowReaderException(CoderError,UnableToOpenBlob,image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not allocate alpha_image blob");
-+ return ((Image *)NULL);
- }
- if (jng_alpha_compression_method == 0)
- {
-@@ -3613,6 +3624,8 @@
- alpha_image = (Image *)NULL;
- DestroyImageInfo(alpha_image_info);
- alpha_image_info = (ImageInfo *)NULL;
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " Destroy the JNG image");
- DestroyImage(jng_image);
- jng_image = (Image *)NULL;
- }
-@@ -5146,8 +5159,8 @@
-
- if (image == (Image *) NULL)
- {
-- DestroyImageList(previous);
- CloseBlob(previous);
-+ DestroyImageList(previous);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
- return((Image *) NULL);
- }
diff --git a/community/graphicsmagick/CVE-2017-14165.patch b/community/graphicsmagick/CVE-2017-14165.patch
deleted file mode 100644
index 67e6ef807e..0000000000
--- a/community/graphicsmagick/CVE-2017-14165.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1503257388 18000
-# Node ID 493da54370aa42cb430c52a69eb75db0001a5589
-# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f
-SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions.
-
-diff -r f87246749079 -r 493da54370aa coders/sun.c
---- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200
-+++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500
-@@ -498,6 +498,12 @@
- if (sun_info.depth < 8)
- image->depth=sun_info.depth;
-
-+ if (image_info->ping)
-+ {
-+ CloseBlob(image);
-+ return(image);
-+ }
-+
- /*
- Compute bytes per line and bytes per image for an unencoded
- image.
-@@ -522,15 +528,37 @@
- if (bytes_per_image > sun_info.length)
- ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-
-- if (image_info->ping)
-- {
-- CloseBlob(image);
-- return(image);
-- }
- if (sun_info.type == RT_ENCODED)
- sun_data_length=(size_t) sun_info.length;
- else
- sun_data_length=bytes_per_image;
-+
-+ /*
-+ Verify that data length claimed by header is supported by file size
-+ */
-+ if (sun_info.type == RT_ENCODED)
-+ {
-+ if (sun_data_length < bytes_per_image/255U)
-+ {
-+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-+ }
-+ }
-+ if (BlobIsSeekable(image))
-+ {
-+ const magick_off_t file_size = GetBlobSize(image);
-+ const magick_off_t current_offset = TellBlob(image);
-+ if ((file_size > 0) &&
-+ (current_offset > 0) &&
-+ (file_size > current_offset))
-+ {
-+ const magick_off_t remaining = file_size-current_offset;
-+ if (remaining < (magick_off_t) sun_data_length)
-+ {
-+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+ }
-+ }
-+ }
-+
- sun_data=MagickAllocateMemory(unsigned char *,sun_data_length);
- if (sun_data == (unsigned char *) NULL)
- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
-