On Sun, Jul 9, 2017 at 3:42 PM, Bob Friesenhahn <bfrie...@simple.dallas.tx.us> wrote: > On Sun, 9 Jul 2017, László Böszörményi wrote: >> Thanks for the heads-up - luckily I already known this. At the moment >> I'm sure it affects Stretch as well. I mean, JNG support is not >> enabled, neither disabled and depends on the software environment >> GraphicsMagick compiled in. This means any user may compile >> GraphicsMagick on his/her system, can be vulnerable. The fix is in two >> commits and while the second seems to be a code cleanup only, it >> breaks the package. Pinged upstream about it, but I still waiting for >> the answer. > > As far as I am aware, I do not have any email from you about this. While > there was intermediate breakage, the png.c changes between Mercurial > changeset 15059:dea93a690fc1 and 15066:e8f859704230 are believed to solve > the assertion problem, as well as solve a memory leak problem in the error > path. The test suite is completely passing. Learning from my previous email, when you noted that you are not the author of the fix - I asked Glenn Randers-Pehrson as he is the author of the fixing commits[1][2]. If I apply both on 1.3.26 then the self test fails with: -- cut -- t/jbig/write.t .... 1..1 ok 1 ok perl: magick/image.c:1307: DestroyImageInfo: Assertion `image_info->signature == MagickSignature' failed. Magick: abort due to signal 6 (SIGABRT) "Abort"... t/jng/read.t ...... 1..11 ok 1 Failed 10/11 subtests perl: magick/image.c:1307: DestroyImageInfo: Assertion `image_info->signature == MagickSignature' failed. Magick: abort due to signal 6 (SIGABRT) "Abort"... -- cut --
If I remove the second[2] commit, then all is fine again. Environment is Debian/Sid, Perl is 5.24.1 version. Regards, Laszlo/GCS [1] http://hg.code.sf.net/p/graphicsmagick/code/rev/dea93a690fc1 [2] http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5