diff options
-rw-r--r-- | community/graphicsmagick/CVE-2017-11403.patch | 14 | ||||
-rw-r--r-- | community/graphicsmagick/CVE-2017-11642.patch | 43 | ||||
-rw-r--r-- | community/graphicsmagick/CVE-2017-11722.patch | 33 | ||||
-rw-r--r-- | community/graphicsmagick/CVE-2017-12935.patch | 35 | ||||
-rw-r--r-- | community/graphicsmagick/CVE-2017-12936.patch | 23 | ||||
-rw-r--r-- | community/graphicsmagick/CVE-2017-12937.patch | 34 | ||||
-rw-r--r-- | community/graphicsmagick/CVE-2017-13063-13064-13065.patch | 96 | ||||
-rw-r--r-- | community/graphicsmagick/CVE-2017-13648.patch | 23 | ||||
-rw-r--r-- | community/graphicsmagick/CVE-2017-13775.patch | 182 | ||||
-rw-r--r-- | community/graphicsmagick/CVE-2017-13776-13777.patch | 165 | ||||
-rw-r--r-- | community/graphicsmagick/CVE-2017-14042.patch | 77 | ||||
-rw-r--r-- | community/graphicsmagick/CVE-2017-14103.patch | 137 | ||||
-rw-r--r-- | community/graphicsmagick/CVE-2017-14165.patch | 68 |
13 files changed, 0 insertions, 930 deletions
diff --git a/community/graphicsmagick/CVE-2017-11403.patch b/community/graphicsmagick/CVE-2017-11403.patch deleted file mode 100644 index f3ae7b0298..0000000000 --- a/community/graphicsmagick/CVE-2017-11403.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -r b24f2a9b0dd7 -r d0a76868ca37 coders/png.c ---- a/coders/png.c Mon Jul 10 11:31:05 2017 -0400 -+++ b/coders/png.c Mon Jul 10 12:40:55 2017 -0400 -@@ -5161,8 +5161,8 @@ - - if (image == (Image *) NULL) - { -+ CloseBlob(previous); - DestroyImageList(previous); -- CloseBlob(previous); - MngInfoFreeStruct(mng_info,&have_mng_structure); - return((Image *) NULL); - } - diff --git a/community/graphicsmagick/CVE-2017-11642.patch b/community/graphicsmagick/CVE-2017-11642.patch deleted file mode 100644 index 144ed78e7e..0000000000 --- a/community/graphicsmagick/CVE-2017-11642.patch +++ /dev/null @@ -1,43 +0,0 @@ - -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1500758975 18000 -# Node ID 29550606d8b9bf74f9aea0637d11d19fe706871b -# Parent 30cd2b31f7e045de4861b102e3f8d83db579bc7a -MAP: Fix null pointer dereference or SEGV if input is not colormapped. - -diff -r 30cd2b31f7e0 -r 29550606d8b9 coders/map.c ---- a/coders/map.c Sat Jul 22 15:40:00 2017 -0500 -+++ b/coders/map.c Sat Jul 22 16:29:35 2017 -0500 -@@ -18,7 +18,7 @@ - % M M A A P % - % % - % % --% Read/Write Image Colormaps As An Image File % -+% Read/Write Image Colormaps And Image File % - % % - % % - % Software Design % -@@ -349,16 +349,17 @@ - /* - Allocate colormap. - */ -- if (!IsPaletteImage(image,&image->exception)) -- (void) SetImageType(image,PaletteType); -+ if (SetImageType(image,PaletteType) == MagickFail) -+ ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image); - packet_size=image->depth > 8 ? 2 : 1; -- pixels=MagickAllocateMemory(unsigned char *,image->columns*packet_size); -+ pixels=MagickAllocateArray(unsigned char *,image->columns,packet_size); - if (pixels == (unsigned char *) NULL) - ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image); - packet_size=image->colors > 256 ? 6 : 3; -- colormap=MagickAllocateMemory(unsigned char *,packet_size*image->colors); -+ colormap=MagickAllocateArray(unsigned char *,packet_size,image->colors); - if (colormap == (unsigned char *) NULL) - ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image); -+ - /* - Write colormap to file. - */ - diff --git a/community/graphicsmagick/CVE-2017-11722.patch b/community/graphicsmagick/CVE-2017-11722.patch deleted file mode 100644 index f1ce0ad73f..0000000000 --- a/community/graphicsmagick/CVE-2017-11722.patch +++ /dev/null @@ -1,33 +0,0 @@ - -# HG changeset patch -# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com> -# Date 1501028322 14400 -# Node ID f423ba88ca4ed01b7143520a7e00c360049aa823 -# Parent d1e56efb0162a836707d41182d6d658d1cad49e6 -coders/png.c: Fixed writer bug due to missing brackets - -diff -r d1e56efb0162 -r f423ba88ca4e coders/png.c ---- a/coders/png.c Tue Jul 25 19:38:39 2017 -0400 -+++ b/coders/png.c Tue Jul 25 20:18:42 2017 -0400 -@@ -7125,12 +7125,14 @@ - png_error(ping, "Could not allocate trans_alpha"); - - for (i=0; i<(int) number_colors; i++) -- if (trans_alpha[i] == 256) -- ping_trans_alpha[i]=255; -- else -- ping_trans_alpha[i]=(png_byte) trans_alpha[i]; -- (void) LogMagickEvent(CoderEvent, GetMagickModule(), -- " Alpha[%d]=%d",(int) i, (int) trans_alpha[i]); -+ { -+ if (trans_alpha[i] == 256) -+ ping_trans_alpha[i]=255; -+ else -+ ping_trans_alpha[i]=(png_byte) trans_alpha[i]; -+ (void) LogMagickEvent(CoderEvent, GetMagickModule(), -+ " Alpha[%d]=%d",(int) i, (int) trans_alpha[i]); -+ } - } - } - - diff --git a/community/graphicsmagick/CVE-2017-12935.patch b/community/graphicsmagick/CVE-2017-12935.patch deleted file mode 100644 index 650c28d3df..0000000000 --- a/community/graphicsmagick/CVE-2017-12935.patch +++ /dev/null @@ -1,35 +0,0 @@ - -# HG changeset patch -# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com> -# Date 1501123201 14400 -# Node ID cd699a44f188acf23493c969ef2d3f9fa7c8f8df -# Parent be898b7c97bd855fc6fa0cef983faae916bd0c93 -Reject MNG with too-large dimensions (over 65535) - -diff -r be898b7c97bd -r cd699a44f188 coders/png.c ---- a/coders/png.c Wed Jul 26 19:47:56 2017 -0500 -+++ b/coders/png.c Wed Jul 26 22:40:01 2017 -0400 -@@ -4084,11 +4084,17 @@ - mng_info->image=image; - } - -- if ((mng_info->mng_width > 65535L) || (mng_info->mng_height -- > 65535L)) -- (void) ThrowException(&image->exception,ImageError, -- WidthOrHeightExceedsLimit, -- image->filename); -+ if ((mng_info->mng_width > 65535L) || -+ (mng_info->mng_height > 65535L)) -+ { -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " MNG width or height is too large: %lu, %lu", -+ mng_info->mng_width,mng_info->mng_height); -+ MagickFreeMemory(chunk); -+ ThrowReaderException(CorruptImageError, -+ ImproperImageHeader,image); -+ } -+ - FormatString(page_geometry,"%lux%lu+0+0",mng_info->mng_width, - mng_info->mng_height); - mng_info->frame.left=0; - diff --git a/community/graphicsmagick/CVE-2017-12936.patch b/community/graphicsmagick/CVE-2017-12936.patch deleted file mode 100644 index 37a4e6be9c..0000000000 --- a/community/graphicsmagick/CVE-2017-12936.patch +++ /dev/null @@ -1,23 +0,0 @@ - -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1501116476 18000 -# Node ID be898b7c97bd855fc6fa0cef983faae916bd0c93 -# Parent 6a632982c866f36dbad87e4ab953e08a290eaa8b -WMF: Eliminate use of already freed heap data in error reporting path. - -diff -r 6a632982c866 -r be898b7c97bd coders/wmf.c ---- a/coders/wmf.c Tue Jul 25 20:11:16 2017 -0500 -+++ b/coders/wmf.c Wed Jul 26 19:47:56 2017 -0500 -@@ -2719,8 +2719,8 @@ - if(image->exception.severity != UndefinedException) - ThrowException2(exception, - CoderWarning, -- ddata->image->exception.reason, -- ddata->image->exception.description); -+ image->exception.reason, -+ image->exception.description); - - if(logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(),"leave ReadWMFImage()"); - diff --git a/community/graphicsmagick/CVE-2017-12937.patch b/community/graphicsmagick/CVE-2017-12937.patch deleted file mode 100644 index ee78a0ecda..0000000000 --- a/community/graphicsmagick/CVE-2017-12937.patch +++ /dev/null @@ -1,34 +0,0 @@ - -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1501555785 18000 -# Node ID 95d00d55e978dec3e1bb4c288dbc210b5cc8bea1 -# Parent 921a31d31ea85405b54771941e195782e50e589d -SUN: Fix heap read overflow while indexing colormap in bilevel decoder - -diff -r 921a31d31ea8 -r 95d00d55e978 coders/sun.c ---- a/coders/sun.c Mon Jul 31 09:35:26 2017 -0400 -+++ b/coders/sun.c Mon Jul 31 21:49:45 2017 -0500 -@@ -1,5 +1,5 @@ - /* --% Copyright (C) 2003-2015 GraphicsMagick Group -+% Copyright (C) 2003-2017 GraphicsMagick Group - % Copyright (C) 2002 ImageMagick Studio - % Copyright 1991-1999 E. I. du Pont de Nemours and Company - % -@@ -577,6 +577,7 @@ - for (bit=7; bit >= 0; bit--) - { - index=((*p) & (0x01 << bit) ? 0x01 : 0x00); -+ VerifyColormapIndex(image,index); - indexes[x+7-bit]=index; - q[x+7-bit]=image->colormap[index]; - } -@@ -587,6 +588,7 @@ - for (bit=7; bit >= (long) (8-(image->columns % 8)); bit--) - { - index=((*p) & (0x01 << bit) ? 0x01 : 0x00); -+ VerifyColormapIndex(image,index); - indexes[x+7-bit]=index; - q[x+7-bit]=image->colormap[index]; - } diff --git a/community/graphicsmagick/CVE-2017-13063-13064-13065.patch b/community/graphicsmagick/CVE-2017-13063-13064-13065.patch deleted file mode 100644 index ce35e0623c..0000000000 --- a/community/graphicsmagick/CVE-2017-13063-13064-13065.patch +++ /dev/null @@ -1,96 +0,0 @@ -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1502890099 18000 -# Node ID 54f48ab2d52a2a4af99781057075d8ea9744a649 -# Parent 4970ea920a9388d6f08be1b35d58ef5efded4908 -SVG: Fix buffer-overflow and inconsistent behavior in GetStyleTokens(). - -diff -r 4970ea920a93 -r 54f48ab2d52a coders/svg.c ---- a/coders/svg.c Tue Aug 15 08:05:00 2017 -0500 -+++ b/coders/svg.c Wed Aug 16 08:28:19 2017 -0500 -@@ -267,11 +267,12 @@ - char - **tokens; - -- register const char -+ const char - *p, - *q; - -- register size_t -+ size_t -+ alloc_tokens, - i; - - SVGInfo -@@ -279,21 +280,27 @@ - - svg_info=(SVGInfo *) context; - *number_tokens=0; -+ alloc_tokens=0; - if (text == (const char *) NULL) - return((char **) NULL); - /* - Determine the number of arguments. -+ -+ style="fill: red; stroke: blue; stroke-width: 3" - */ - for (p=text; *p != '\0'; p++) - if (*p == ':') -- (*number_tokens)+=2; -- tokens=MagickAllocateMemory(char **,(*number_tokens+2)*sizeof(*tokens)); -+ alloc_tokens+=2; -+ if (alloc_tokens == 0) -+ return((char **) NULL); -+ tokens=MagickAllocateMemory(char **,(alloc_tokens+2)*sizeof(*tokens)); - if (tokens == (char **) NULL) - { - ThrowException3(svg_info->exception,ResourceLimitError, - MemoryAllocationFailed,UnableToConvertStringToTokens); - return((char **) NULL); - } -+ (void) memset(tokens,0,(alloc_tokens+2)*sizeof(*tokens)); - /* - Convert string to an ASCII list. - */ -@@ -304,14 +311,36 @@ - if ((*q != ':') && (*q != ';') && (*q != '\0')) - continue; - tokens[i]=AllocateString(p); -+ if (tokens[i] == NULL) -+ { -+ ThrowException3(svg_info->exception,ResourceLimitError, -+ MemoryAllocationFailed,UnableToConvertStringToTokens); -+ break; -+ } - (void) strlcpy(tokens[i],p,q-p+1); -- Strip(tokens[i++]); -+ Strip(tokens[i]); -+ i++; -+ if (i >= alloc_tokens) -+ break; - p=q+1; - } -- tokens[i]=AllocateString(p); -- (void) strlcpy(tokens[i],p,q-p+1); -- Strip(tokens[i++]); -+ if (i < alloc_tokens) -+ { -+ tokens[i]=AllocateString(p); -+ if (tokens[i] == NULL) -+ { -+ ThrowException3(svg_info->exception,ResourceLimitError, -+ MemoryAllocationFailed,UnableToConvertStringToTokens); -+ } -+ else -+ { -+ (void) strlcpy(tokens[i],p,q-p+1); -+ Strip(tokens[i]); -+ i++; -+ } -+ } - tokens[i]=(char *) NULL; -+ *number_tokens=i; - return(tokens); - } - diff --git a/community/graphicsmagick/CVE-2017-13648.patch b/community/graphicsmagick/CVE-2017-13648.patch deleted file mode 100644 index f27c313ce1..0000000000 --- a/community/graphicsmagick/CVE-2017-13648.patch +++ /dev/null @@ -1,23 +0,0 @@ - -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1505397055 18000 -# Node ID a0e598438aa970f237fa9b35edce0728cc144f29 -# Parent cadd4b0522fa8b6b6e8ea6a5a9b4a5baebc1b011 -MAT: Fix under-sized allocation leading to heap overflow. - -diff -r cadd4b0522fa -r a0e598438aa9 coders/mat.c ---- a/coders/mat.c Wed Sep 13 10:28:42 2017 -0400 -+++ b/coders/mat.c Thu Sep 14 08:50:55 2017 -0500 -@@ -1050,9 +1050,10 @@ - } - - /* ----- Load raster data ----- */ -- BImgBuff = MagickAllocateMemory(unsigned char *,(size_t) (ldblk)); /* Ldblk was set in the check phase */ -+ BImgBuff = MagickAllocateArray(unsigned char *,(size_t) (ldblk),sizeof(double)); /* Ldblk was set in the check phase */ - if (BImgBuff == NULL) - goto NoMemory; -+ (void) memset(BImgBuff,0,ldblk*sizeof(double)); - - if (CellType==miDOUBLE) /* Find Min and Max Values for floats */ - { diff --git a/community/graphicsmagick/CVE-2017-13775.patch b/community/graphicsmagick/CVE-2017-13775.patch deleted file mode 100644 index d627db2743..0000000000 --- a/community/graphicsmagick/CVE-2017-13775.patch +++ /dev/null @@ -1,182 +0,0 @@ -diff -r 198ea602ea7c -r b037d79b6ccd coders/jnx.c ---- a/coders/jnx.c Tue Aug 22 08:08:30 2017 -0500 -+++ b/coders/jnx.c Sat Aug 26 14:14:13 2017 -0500 -@@ -1,5 +1,5 @@ - /* --% Copyright (C) 2012-2015 GraphicsMagick Group -+% Copyright (C) 2012-2017 GraphicsMagick Group - % - % This program is covered by multiple licenses, which are described in - % Copyright.txt. You should have received a copy of Copyright.txt with this -@@ -100,6 +100,7 @@ - - char img_label_str[MaxTextExtent]; - -+ - alloc_size = TileInfo->PicSize + 2; - - if (image->logging) -@@ -242,6 +243,9 @@ - total_tiles, - current_tile; - -+ magick_off_t -+ file_size; -+ - /* Open image file. */ - assert(image_info != (const ImageInfo *) NULL); - assert(image_info->signature == MagickSignature); -@@ -254,9 +258,8 @@ - if (status == False) - ThrowReaderException(FileOpenError, UnableToOpenFile, image); - -- memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo)); -- - /* Read JNX image header. */ -+ (void) memset(&JNXHeader, 0, sizeof(JNXHeader)); - JNXHeader.Version = ReadBlobLSBLong(image); - if (JNXHeader.Version > 4) - ThrowReaderException(CorruptImageError, ImproperImageHeader, image); -@@ -266,8 +269,6 @@ - JNXHeader.MapBounds.SouthWest.lat = ReadBlobLSBLong(image); - JNXHeader.MapBounds.SouthWest.lon = ReadBlobLSBLong(image); - JNXHeader.Levels = ReadBlobLSBLong(image); -- if (JNXHeader.Levels > 20) -- ThrowReaderException(CorruptImageError, ImproperImageHeader, image); - JNXHeader.Expiration = ReadBlobLSBLong(image); - JNXHeader.ProductID = ReadBlobLSBLong(image); - JNXHeader.CRC = ReadBlobLSBLong(image); -@@ -279,7 +280,41 @@ - if (EOFBlob(image)) - ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); - -+ file_size = GetBlobSize(image); -+ -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "JNX Header:\n" -+ " Version: %u\n" -+ " DeviceSN: %u\n" -+ " MapBounds:\n" -+ " NorthEast: lat = %u, lon = %u\n" -+ " SouthWest: lat = %u, lon = %u\n" -+ " Levels: %u\n" -+ " Expiration: %u\n" -+ " ProductID: %u\n" -+ " CRC: %u\n" -+ " SigVersion: %u\n" -+ " SigOffset: %u\n" -+ " ZOrder: %u", -+ JNXHeader.Version, -+ JNXHeader.DeviceSN, -+ JNXHeader.MapBounds.NorthEast.lat, -+ JNXHeader.MapBounds.NorthEast.lon, -+ JNXHeader.MapBounds.SouthWest.lat, -+ JNXHeader.MapBounds.SouthWest.lon, -+ JNXHeader.Levels, -+ JNXHeader.Expiration, -+ JNXHeader.ProductID, -+ JNXHeader.CRC, -+ JNXHeader.SigVersion, -+ JNXHeader.SigOffset, -+ JNXHeader.ZOrder); -+ -+ if (JNXHeader.Levels > 20) -+ ThrowReaderException(CorruptImageError, ImproperImageHeader, image); -+ - /* Read JNX image level info. */ -+ memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo)); - total_tiles = 0; - current_tile = 0; - for (i = 0; i < JNXHeader.Levels; i++) -@@ -302,11 +337,23 @@ - { - JNXLevelInfo[i].Copyright = NULL; - } -+ -+ if (EOFBlob(image)) -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ -+ if (image->logging) -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "Level[%u] Info:" -+ " TileCount: %4u" -+ " TilesOffset: %6u" -+ " Scale: %04u", -+ i, -+ JNXLevelInfo[i].TileCount, -+ JNXLevelInfo[i].TilesOffset, -+ JNXLevelInfo[i].Scale -+ ); - } - -- if (EOFBlob(image)) -- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -- - /* Get the current limit */ - SaveLimit = GetMagickResourceLimit(MapResource); - -@@ -316,11 +363,32 @@ - /* Read JNX image data. */ - for (i = 0; i < JNXHeader.Levels; i++) - { -+ /* -+ Validate TileCount against remaining file data -+ */ -+ const magick_off_t current_offset = TellBlob(image); -+ const size_t pos_list_entry_size = -+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + -+ sizeof(magick_uint32_t) + sizeof(magick_uint16_t) + sizeof(magick_uint16_t) + -+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t); -+ const magick_off_t remaining = file_size-current_offset; -+ const size_t needed = MagickArraySize(pos_list_entry_size,JNXLevelInfo[i].TileCount); -+ -+ if ((needed == 0U) || (remaining <= 0) || (remaining < (magick_off_t) needed)) -+ { -+ (void) SetMagickResourceLimit(MapResource, SaveLimit); -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ } -+ - PositionList = MagickAllocateArray(TJNXTileInfo *, - JNXLevelInfo[i].TileCount, - sizeof(TJNXTileInfo)); - if (PositionList == NULL) -- continue; -+ { -+ (void) SetMagickResourceLimit(MapResource, SaveLimit); -+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, -+ image); -+ } - - (void) SeekBlob(image, JNXLevelInfo[i].TilesOffset, SEEK_SET); - for (j = 0; j < JNXLevelInfo[i].TileCount; j++) -@@ -333,12 +401,15 @@ - PositionList[j].PicHeight = ReadBlobLSBShort(image); - PositionList[j].PicSize = ReadBlobLSBLong(image); - PositionList[j].PicOffset = ReadBlobLSBLong(image); -- } - -- if (EOFBlob(image)) -- { -- MagickFreeMemory(PositionList); -- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ if (EOFBlob(image) || -+ ((magick_off_t) PositionList[j].PicOffset + -+ PositionList[j].PicSize > file_size)) -+ { -+ (void) SetMagickResourceLimit(MapResource, SaveLimit); -+ MagickFreeMemory(PositionList); -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ } - } - - for (j = 0; j < JNXLevelInfo[i].TileCount; j++) -@@ -351,6 +422,9 @@ - image = ExtractTileJPG(image, image_info, PositionList+j, exception); - (void) SetMonitorHandler(previous_handler); - -+ if (exception->severity >= ErrorException) -+ break; -+ - current_tile++; - if (QuantumTick(current_tile,total_tiles)) - if (!MagickMonitorFormatted(current_tile,total_tiles,exception, diff --git a/community/graphicsmagick/CVE-2017-13776-13777.patch b/community/graphicsmagick/CVE-2017-13776-13777.patch deleted file mode 100644 index d1ecbba678..0000000000 --- a/community/graphicsmagick/CVE-2017-13776-13777.patch +++ /dev/null @@ -1,165 +0,0 @@ -diff -r b037d79b6ccd -r 233a720bfd5e coders/xbm.c ---- a/coders/xbm.c Sat Aug 26 14:14:13 2017 -0500 -+++ b/coders/xbm.c Sat Aug 26 15:26:15 2017 -0500 -@@ -1,5 +1,5 @@ - /* --% Copyright (C) 2003 -2012 GraphicsMagick Group -+% Copyright (C) 2003-2017 GraphicsMagick Group - % Copyright (C) 2002 ImageMagick Studio - % Copyright 1991-1999 E. I. du Pont de Nemours and Company - % -@@ -121,13 +121,15 @@ - - static int XBMInteger(Image *image,short int *hex_digits) - { -+ unsigned int -+ flag; -+ - int - c, -- flag, - value; - - value=0; -- flag=0; -+ flag=0U; - for ( ; ; ) - { - c=ReadBlobByte(image); -@@ -158,18 +160,14 @@ - Image - *image; - -- int -- bit; -- -- long -- y; -- - register IndexPacket - *indexes; - -- register long -+ register size_t -+ bytes_per_line, - i, -- x; -+ x, -+ y; - - register PixelPacket - *q; -@@ -177,22 +175,24 @@ - register unsigned char - *p; - -- short int -- hex_digits[256]; -- - unsigned char - *data; - - unsigned int -+ bit, -+ byte, -+ padding, -+ version; -+ -+ int -+ value; -+ -+ short int -+ hex_digits[256]; -+ -+ MagickPassFail - status; - -- unsigned long -- byte, -- bytes_per_line, -- padding, -- value, -- version; -- - /* - Open image file. - */ -@@ -207,6 +207,8 @@ - /* - Read X bitmap header. - */ -+ (void) memset(buffer,0,sizeof(buffer)); -+ name[0]='\0'; - while (ReadBlobString(image,buffer) != (char *) NULL) - if (sscanf(buffer,"#define %s %lu",name,&image->columns) == 2) - if ((strlen(name) >= 6) && -@@ -278,6 +280,8 @@ - /* - Initialize hex values. - */ -+ for (i = 0; i < sizeof(hex_digits)/sizeof(hex_digits[0]); i++) -+ hex_digits[i]=(-1); - hex_digits['0']=0; - hex_digits['1']=1; - hex_digits['2']=2; -@@ -311,40 +315,50 @@ - */ - p=data; - if (version == 10) -- for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2)) -+ for (i=0; i < (bytes_per_line*image->rows); (i+=2)) - { - value=XBMInteger(image,hex_digits); -+ if (value < 0) -+ { -+ MagickFreeMemory(data); -+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image); -+ } - *p++=(unsigned char) value; - if (!padding || ((i+2) % bytes_per_line)) - *p++=(unsigned char) (value >> 8); - } - else -- for (i=0; i < (long) (bytes_per_line*image->rows); i++) -+ for (i=0; i < (bytes_per_line*image->rows); i++) - { - value=XBMInteger(image,hex_digits); -+ if (value < 0) -+ { -+ MagickFreeMemory(data); -+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image); -+ } - *p++=(unsigned char) value; - } - /* - Convert X bitmap image to pixel packets. - */ - p=data; -- for (y=0; y < (long) image->rows; y++) -+ for (y=0; y < image->rows; y++) - { - q=SetImagePixels(image,0,y,image->columns,1); - if (q == (PixelPacket *) NULL) - break; - indexes=AccessMutableIndexes(image); -- bit=0; -- byte=0; -- for (x=0; x < (long) image->columns; x++) -+ bit=0U; -+ byte=0U; -+ for (x=0; x < image->columns; x++) - { -- if (bit == 0) -+ if (bit == 0U) - byte=(*p++); - indexes[x]=byte & 0x01 ? 0x01 : 0x00; - bit++; -- byte>>=1; -- if (bit == 8) -- bit=0; -+ byte>>=1U; -+ if (bit == 8U) -+ bit=0U; - } - if (!SyncImagePixels(image)) - break; diff --git a/community/graphicsmagick/CVE-2017-14042.patch b/community/graphicsmagick/CVE-2017-14042.patch deleted file mode 100644 index 524632a1ed..0000000000 --- a/community/graphicsmagick/CVE-2017-14042.patch +++ /dev/null @@ -1,77 +0,0 @@ - -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1503268616 18000 -# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072 -# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3 -PNM: For binary formats, verify sufficient backing file data before memory request. - -diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c ---- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500 -+++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500 -@@ -569,7 +569,7 @@ - (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u", - image->colors); - } -- number_pixels=image->columns*image->rows; -+ number_pixels=MagickArraySize(image->columns,image->rows); - if (number_pixels == 0) - ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image); - if (image->storage_class == PseudoClass) -@@ -858,14 +858,14 @@ - if (1 == bits_per_sample) - { - /* PBM */ -- bytes_per_row=((image->columns+7) >> 3); -+ bytes_per_row=((image->columns+7U) >> 3); - import_options.grayscale_miniswhite=MagickTrue; - quantum_type=GrayQuantum; - } - else - { - /* PGM & XV_332 */ -- bytes_per_row=((bits_per_sample+7)/8)*image->columns; -+ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns); - if (XV_332_Format == format) - { - quantum_type=IndexQuantum; -@@ -878,7 +878,8 @@ - } - else - { -- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns; -+ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel), -+ image->columns); - if (3 == samples_per_pixel) - { - /* PPM */ -@@ -915,6 +916,28 @@ - is_monochrome=MagickFalse; - } - } -+ -+ /* Validate file size before allocating memory */ -+ if (BlobIsSeekable(image)) -+ { -+ const magick_off_t file_size = GetBlobSize(image); -+ const magick_off_t current_offset = TellBlob(image); -+ if ((file_size > 0) && -+ (current_offset > 0) && -+ (file_size > current_offset)) -+ { -+ const magick_off_t remaining = file_size-current_offset; -+ const magick_off_t needed = (magick_off_t) image->rows * -+ (magick_off_t) bytes_per_row; -+ if ((remaining < (magick_off_t) bytes_per_row) || -+ (remaining < needed)) -+ { -+ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile, -+ image->filename); -+ break; -+ } -+ } -+ } - - scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1); - if (scanline_set == (ThreadViewDataSet *) NULL) - diff --git a/community/graphicsmagick/CVE-2017-14103.patch b/community/graphicsmagick/CVE-2017-14103.patch deleted file mode 100644 index dbcaea1343..0000000000 --- a/community/graphicsmagick/CVE-2017-14103.patch +++ /dev/null @@ -1,137 +0,0 @@ -http://www.openwall.com/lists/oss-security/2017/09/01/6 - -CVE-2017-11403: -http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37 - -CVE-2017-14103: -http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f - -some changes were made to make the patch apply - -# HG changeset patch -# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com> -# Date 1503875721 14400 -# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2 -# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad -Attempt to fix Issue 440. - -diff -ru a/coders/png.c b/coders/png.c ---- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500 -+++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400 -@@ -3106,7 +3106,9 @@ - if (length > PNG_MAX_UINT || count == 0) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(CorruptImageError,CorruptImage,image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "chunk length (%lu) > PNG_MAX_UINT",length); -+ return ((Image*)NULL); - } - - chunk=(unsigned char *) NULL; -@@ -3117,13 +3119,16 @@ - if (chunk == (unsigned char *) NULL) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, -- image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " Could not allocate chunk memory"); -+ return ((Image*)NULL); - } - if (ReadBlob(image,length,chunk) < length) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(CorruptImageError,CorruptImage,image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " chunk reading was incomplete"); -+ return ((Image*)NULL); - } - p=chunk; - } -@@ -3198,7 +3203,7 @@ - jng_width, jng_height); - MagickFreeMemory(chunk); - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(CorruptImageError,ImproperImageHeader,image); -+ return ((Image *)NULL); - } - - /* Temporarily set width and height resources to match JHDR */ -@@ -3233,8 +3238,9 @@ - if (color_image == (Image *) NULL) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, -- image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not open color_image blob"); -+ return ((Image *)NULL); - } - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), -@@ -3245,7 +3251,9 @@ - if (status == MagickFalse) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(CoderError,UnableToOpenBlob,color_image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not open color_image blob"); -+ return ((Image *)NULL); - } - - if (!image_info->ping && jng_color_type >= 12) -@@ -3255,17 +3263,18 @@ - if (alpha_image_info == (ImageInfo *) NULL) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(ResourceLimitError, -- MemoryAllocationFailed, image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not allocate alpha_image_info",length); -+ return ((Image *)NULL); - } - GetImageInfo(alpha_image_info); - alpha_image=AllocateImage(alpha_image_info); - if (alpha_image == (Image *) NULL) - { - DestroyJNGInfo(color_image_info,alpha_image_info); -- ThrowReaderException(ResourceLimitError, -- MemoryAllocationFailed, -- alpha_image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not allocate alpha_image"); -+ return ((Image *)NULL); - } - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), -@@ -3277,7 +3286,9 @@ - { - DestroyJNGInfo(color_image_info,alpha_image_info); - DestroyImage(alpha_image); -- ThrowReaderException(CoderError,UnableToOpenBlob,image); -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " could not allocate alpha_image blob"); -+ return ((Image *)NULL); - } - if (jng_alpha_compression_method == 0) - { -@@ -3613,6 +3624,8 @@ - alpha_image = (Image *)NULL; - DestroyImageInfo(alpha_image_info); - alpha_image_info = (ImageInfo *)NULL; -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ " Destroy the JNG image"); - DestroyImage(jng_image); - jng_image = (Image *)NULL; - } -@@ -5146,8 +5159,8 @@ - - if (image == (Image *) NULL) - { -- DestroyImageList(previous); - CloseBlob(previous); -+ DestroyImageList(previous); - MngInfoFreeStruct(mng_info,&have_mng_structure); - return((Image *) NULL); - } diff --git a/community/graphicsmagick/CVE-2017-14165.patch b/community/graphicsmagick/CVE-2017-14165.patch deleted file mode 100644 index 67e6ef807e..0000000000 --- a/community/graphicsmagick/CVE-2017-14165.patch +++ /dev/null @@ -1,68 +0,0 @@ - -# HG changeset patch -# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> -# Date 1503257388 18000 -# Node ID 493da54370aa42cb430c52a69eb75db0001a5589 -# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f -SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions. - -diff -r f87246749079 -r 493da54370aa coders/sun.c ---- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200 -+++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500 -@@ -498,6 +498,12 @@ - if (sun_info.depth < 8) - image->depth=sun_info.depth; - -+ if (image_info->ping) -+ { -+ CloseBlob(image); -+ return(image); -+ } -+ - /* - Compute bytes per line and bytes per image for an unencoded - image. -@@ -522,15 +528,37 @@ - if (bytes_per_image > sun_info.length) - ThrowReaderException(CorruptImageError,ImproperImageHeader,image); - -- if (image_info->ping) -- { -- CloseBlob(image); -- return(image); -- } - if (sun_info.type == RT_ENCODED) - sun_data_length=(size_t) sun_info.length; - else - sun_data_length=bytes_per_image; -+ -+ /* -+ Verify that data length claimed by header is supported by file size -+ */ -+ if (sun_info.type == RT_ENCODED) -+ { -+ if (sun_data_length < bytes_per_image/255U) -+ { -+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image); -+ } -+ } -+ if (BlobIsSeekable(image)) -+ { -+ const magick_off_t file_size = GetBlobSize(image); -+ const magick_off_t current_offset = TellBlob(image); -+ if ((file_size > 0) && -+ (current_offset > 0) && -+ (file_size > current_offset)) -+ { -+ const magick_off_t remaining = file_size-current_offset; -+ if (remaining < (magick_off_t) sun_data_length) -+ { -+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); -+ } -+ } -+ } -+ - sun_data=MagickAllocateMemory(unsigned char *,sun_data_length); - if (sun_data == (unsigned char *) NULL) - ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); - |