[GraphicsMagick] CVE-2012-3438 GraphicsMagick: png_IM_malloc() size argument (#844106, #844107)
Rex Dieter
rdieter at fedoraproject.org
Tue Aug 21 03:24:41 UTC 2012
commit 4a7199bded6be4bf2c214dc856a0ce8388256930
Author: Rex Dieter <rdieter at fedoraproject.org>
Date: Mon Aug 20 22:28:33 2012 -0500
CVE-2012-3438 GraphicsMagick: png_IM_malloc() size argument (#844106, #844107)
GraphicsMagick-CVE-2012-3438.patch | 65 ++++++++++++++++++++++++++++++++++++
GraphicsMagick.spec | 11 +++++-
2 files changed, 75 insertions(+), 1 deletions(-)
---
diff --git a/GraphicsMagick-CVE-2012-3438.patch b/GraphicsMagick-CVE-2012-3438.patch
new file mode 100644
index 0000000..bacf70e
--- /dev/null
+++ b/GraphicsMagick-CVE-2012-3438.patch
@@ -0,0 +1,65 @@
+
+# HG changeset patch
+# User Glenn Randers-Pehrson <glennrp at simple...>
+# Date 1343491548 18000
+# Node ID d6e469d02cd260b6531e86a8a6c8a5a2b9ff51cb
+# Parent fe9e2eb655ce8b85abfd9b88d20a8a1648ad71e7
+coders/png.c: Some typecasts were inconsistent with libpng-1.4 and later.
+
+diff -r fe9e2eb655ce -r d6e469d02cd2 coders/png.c
+--- a/coders/png.c Thu Jul 26 20:24:26 2012 -0500
++++ b/coders/png.c Sat Jul 28 11:05:48 2012 -0500
+@@ -1360,7 +1360,11 @@
+ }
+
+ #ifdef PNG_USER_MEM_SUPPORTED
+-static png_voidp png_IM_malloc(png_structp png_ptr,png_uint_32 size)
++#if PNG_LIBPNG_VER >= 14000
++static png_voidp png_IM_malloc(png_structp png_ptr,png_alloc_size_t size)
++#else
++static png_voidp png_IM_malloc(png_structp png_ptr,png_size_t size)
++#endif
+ {
+ (void) png_ptr;
+ return MagickAllocateMemory(png_voidp,(size_t) size);
+@@ -6169,12 +6173,22 @@
+ (void) printf("writing raw profile: type=%.1024s, length=%lu\n",
+ profile_type, (unsigned long)length);
+ }
+- text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text));
++#if PNG_LIBPNG_VER >= 14000
++ text=(png_textp) png_malloc(ping,(png_alloc_size_t) sizeof(png_text));
++#else
++ text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text));
++#endif
+ description_length=strlen((const char *) profile_description);
+ allocated_length=(png_uint_32) (length*2 + (length >> 5) + 20
+ + description_length);
+- text[0].text=(png_charp) png_malloc(ping,allocated_length);
+- text[0].key=(png_charp) png_malloc(ping, (png_uint_32) 80);
++#if PNG_LIBPNG_VER >= 14000
++ text[0].text=(png_charp) png_malloc(ping,
++ (png_alloc_size_t) allocated_length);
++ text[0].key=(png_charp) png_malloc(ping, (png_alloc_size_t) 80);
++#else
++ text[0].text=(png_charp) png_malloc(ping, (png_size_t) allocated_length);
++ text[0].key=(png_charp) png_malloc(ping, (png_size_t) 80);
++#endif
+ text[0].key[0]='\0';
+ (void) strcat(text[0].key, "Raw profile type ");
+ (void) strncat(text[0].key, (const char *) profile_type, 61);
+@@ -7620,7 +7634,12 @@
+
+ if (*attribute->key == '[')
+ continue;
+- text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text));
++#if PNG_LIBPNG_VER >= 14000
++ text=(png_textp) png_malloc(ping,
++ (png_alloc_size_t) sizeof(png_text));
++#else
++ text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text));
++#endif
+ text[0].key=attribute->key;
+ text[0].text=attribute->value;
+ text[0].text_length=strlen(attribute->value);
+
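Review bot: In the nested coders/png.c hunk at -6169/+6173, `allocated_length` is still computed through a `(png_uint_32)` cast on the unchanged line just above the new `png_malloc` calls, so the added `(png_alloc_size_t)` and `(png_size_t)` casts only widen a value that has already been narrowed to 32 bits. The declarations of `length` and `allocated_length` are outside the hunk, but if `length` is a `size_t` (the `(unsigned long)length` print suggests an integer wider than 32 bits on LP64), a large profile could make the sum wrap or truncate. The buffer for `text[0].text` would then be smaller than what the rest of the function, also outside the hunk, presumably writes into it. I would compute the size without narrowing, `allocated_length=(size_t) length*2 + (length >> 5) + 20 + description_length;`, widen the variable's declaration to match, and fail via `png_error()` when the result does not fit the type `png_malloc` accepts in the pre-1.4 branch.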
diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec
index 8261918..c6feb32 100644
--- a/GraphicsMagick.spec
+++ b/GraphicsMagick.spec
@@ -8,7 +8,7 @@
Summary: An ImageMagick fork, offering faster image generation and better quality
Name: GraphicsMagick
Version: 1.3.16
-Release: 4%{?dist}
+Release: 5%{?dist}
License: MIT
Group: Applications/Multimedia
Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz
@@ -21,6 +21,11 @@ Patch1: GraphicsMagick-1.3.16-multilib.patch
## upstreamable patches
Patch50: GraphicsMagick-1.3.14-perl_linkage.patch
+## upstream patches
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3438
+# http://graphicsmagick.hg.sourceforge.net/hgweb/graphicsmagick/graphicsmagick/rev/d6e469d02cd2
+Patch100: GraphicsMagick-CVE-2012-3438.patch
+
BuildRequires: bzip2-devel
BuildRequires: freetype-devel
BuildRequires: jasper-devel
@@ -110,6 +115,7 @@ however.
%patch1 -p1 -b .multilib
%patch50 -p1 -b .perl_linkage
+%patch100 -p1 -b .CVE-2012-3438
iconv -f iso-8859-2 -t utf8 < ChangeLog > ChangeLog.utf8
mv -f ChangeLog.utf8 ChangeLog
@@ -263,6 +269,9 @@ rm -rf %{buildroot}
%changelog
+* Mon Aug 20 2012 Rex Dieter <rdieter at fedoraproject.org> 1.3.16-5
+- CVE-2012-3438 GraphicsMagick: png_IM_malloc() size argument (#844106, #844107)
+
* Mon Aug 20 2012 Rex Dieter <rdieter at fedoraproject.org> 1.3.16-4
- link GraphicsMagick against lcms2 instead of lcms1 (#849778)