Package: src:imagemagick version: 8:6.7.7.10-4 Severity: grave Tags: patch security X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
According to upstream changelog a new bug buffer overflow in SGI coders (bug report from pwchen&rayzhong of tencent Author: Cristy <urban-warr...@imagemagick.org> Date: Thu Aug 18 18:24:24 2016 -0400 Prevent buffer overflow in BMP & SGI coders (bug report from pwchen&rayzhong of tencent) diff --git a/ChangeLog b/ChangeLog index 89ea234..b5b3f1e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,5 @@ 2016-08-15 6.9.5-8 Cristy <quetzlzacatenango@image...> - * Prevent buffer overflow in BMP coder (bug report from + * Prevent buffer overflow in BMP & SGI coders (bug report from pwchen&rayzhong of tencent). 2016-08-14 6.9.5-7 Cristy <quetzlzacatenango@image...> diff --git a/coders/sgi.c b/coders/sgi.c index 756f7e6..96f18a0 100644 --- a/coders/sgi.c +++ b/coders/sgi.c @@ -355,13 +355,15 @@ static Image *ReadSGIImage(const ImageInfo *image_info,ExceptionInfo *exception) image->rows=iris_info.rows; image->depth=(size_t) MagickMin(iris_info.depth,MAGICKCORE_QUANTUM_DEPTH); if (iris_info.pixel_format == 0) - image->depth=(size_t) MagickMin((size_t) 8* - iris_info.bytes_per_pixel,MAGICKCORE_QUANTUM_DEPTH); + image->depth=(size_t) MagickMin((size_t) 8*iris_info.bytes_per_pixel, + MAGICKCORE_QUANTUM_DEPTH); if (iris_info.depth < 3) { image->storage_class=PseudoClass; image->colors=iris_info.bytes_per_pixel > 1 ? 65535 : 256; } + if (EOFBlob(image) != MagickFalse) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break;