Hi,
I intend to NMU this bug on behalf of the testing security
team.
I ported the patches to 6.2.4.5. The attached patch fixes
the 4 CVE ids.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/imagemagick-6.2.4.5.dfsg1-1_6.2.4.5.dfsg1-1.1.patch
Kind regards
Nico
--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u imagemagick-6.2.4.5.dfsg1/coders/xwd.c imagemagick-6.2.4.5.dfsg1/coders/xwd.c
--- imagemagick-6.2.4.5.dfsg1/coders/xwd.c
+++ imagemagick-6.2.4.5.dfsg1/coders/xwd.c
@@ -99,6 +99,10 @@
%
%
*/
+
+#define CheckOverflowException(length,width,height) \
+(((height) != 0) ((length)/((size_t) height) != ((size_t) width)))
+
static MagickBooleanType IsXWD(const unsigned char *magick,const size_t length)
{
if (length 8)
@@ -233,7 +237,7 @@
length=(size_t) header.header_size-sz_XWDheader;
if (length ((~0UL)/sizeof(*comment)))
ThrowReaderException(CorruptImageError,ImproperImageHeader);
- comment=(char *) AcquireMagickMemory((length+1)*sizeof(*comment));
+ comment=(char *) AcquireQuantumMemory(length+1,sizeof(*comment));
if (comment == (char *) NULL)
ThrowReaderException(ResourceLimitError,MemoryAllocationFailed);
count=ReadBlob(image,length,(unsigned char *) comment);
@@ -286,7 +290,8 @@
length=(size_t) header.ncolors;
if (length ((~0UL)/sizeof(*colors)))
ThrowReaderException(CorruptImageError,ImproperImageHeader);
- colors=(XColor *) AcquireMagickMemory(length*sizeof(*colors));
+ colors=(XColor *) AcquireQuantumMemory(length,sizeof(*colors));
+
if (colors == (XColor *) NULL)
ThrowReaderException(ResourceLimitError,MemoryAllocationFailed);
for (i=0; i (long) header.ncolors; i++)
@@ -328,7 +333,7 @@
if (MAGICK_OVERFLOW(length,tmp,ximage-depth))
ThrowReaderException(ResourceLimitError,MemoryAllocationFailed);
}
- ximage-data=(char *) AcquireMagickMemory(length);
+ ximage-data=(char *) AcquireQuantumMemory(length,sizeof(*ximage-data));
if (ximage-data == (char *) NULL)
ThrowReaderException(ResourceLimitError,MemoryAllocationFailed);
count=ReadBlob(image,length,(unsigned char *) ximage-data);
@@ -344,6 +349,12 @@
image-storage_class=DirectClass;
else
image-storage_class=PseudoClass;
+ if (SetImageExtent(image,0,0) == MagickFalse)
+ {
+ InheritException(exception,image-exception);
+ return(DestroyImageList(image));
+ }
+
image-colors=header.ncolors;
if (image_info-ping == MagickFalse)
switch (image-storage_class)
@@ -713,8 +724,7 @@
/*
Dump colormap to file.
*/
- colors=(XColor *)
-AcquireMagickMemory((size_t) image-colors*sizeof(*colors));
+ colors=(XColor *) AcquireQuantumMemory((size_t) image-colors,sizeof(*colors));
if (colors == (XColor *) NULL)
ThrowWriterException(ResourceLimitError,MemoryAllocationFailed);
for (i=0; i (long) image-colors; i++)
@@ -750,7 +760,7 @@
length=3*bytes_per_line;
if (image-storage_class == PseudoClass)
length=bytes_per_line;
- pixels=(unsigned char *) AcquireMagickMemory(length);
+ pixels=(unsigned char *) AcquireQuantumMemory(length,sizeof(*pixels));
if (pixels == (unsigned char *) NULL)
ThrowWriterException(ResourceLimitError,MemoryAllocationFailed);
ResetMagickMemory(pixels,0,length);
diff -u imagemagick-6.2.4.5.dfsg1/coders/xcf.c imagemagick-6.2.4.5.dfsg1/coders/xcf.c
--- imagemagick-6.2.4.5.dfsg1/coders/xcf.c
+++ imagemagick-6.2.4.5.dfsg1/coders/xcf.c
@@ -305,7 +305,7 @@
XCFPixelPacket *xcfdata, *xcfodata;
unsigned char *graydata;
- xcfdata = xcfodata = (XCFPixelPacket *) AcquireMagickMemory(data_length);
+ xcfdata = xcfodata = (XCFPixelPacket *) AcquireQuantumMemory(data_length,sizeof(*xcfdata));
graydata = (unsigned char *)xcfdata; /* used by gray and indexed */
nmemb_read_successfully = ReadBlob(image, data_length, (unsigned char *) xcfdata);
@@ -352,8 +352,7 @@
bpp = (int) inDocInfo-bpp;
- xcfdata = xcfodata = (unsigned char *)
-AcquireMagickMemory((size_t) data_length);
+ xcfdata = xcfodata = (unsigned char *) AcquireQuantumMemory((size_t) data_length,sizeof(*xcfdata));
nmemb_read_successfully = ReadBlob(image, (size_t) data_length, xcfdata);
@@ -1149,8 +1148,8 @@
/* allocate our array of layer info blocks */
-layer_info=(XCFLayerInfo *)
- AcquireMagickMemory(number_layers*sizeof(XCFLayerInfo));
+layer_info=(XCFLayerInfo *) AcquireQuantumMemory((size_t) number_layers, sizeof(*layer_info));
+
if (layer_info == (XCFLayerInfo *) NULL)
ThrowReaderException(ResourceLimitError,MemoryAllocationFailed);
(void) ResetMagickMemory(layer_info,0,number_layers*sizeof(XCFLayerInfo));
diff -u imagemagick-6.2.4.5.dfsg1/coders/dcm.c imagemagick-6.2.4.5.dfsg1/coders/dcm.c
--- imagemagick-6.2.4.5.dfsg1/coders/dcm.c
+++