[GraphicsMagick] CVE-2012-3438 GraphicsMagick: png_IM_malloc() size argument (#844106, #844107)

Rex Dieter rdieter at fedoraproject.org
Tue Aug 21 03:24:41 UTC 2012


commit 4a7199bded6be4bf2c214dc856a0ce8388256930
Author: Rex Dieter <rdieter at fedoraproject.org>
Date:   Mon Aug 20 22:28:33 2012 -0500

    CVE-2012-3438 GraphicsMagick: png_IM_malloc() size argument (#844106, #844107)

 GraphicsMagick-CVE-2012-3438.patch |   65 ++++++++++++++++++++++++++++++++++++
 GraphicsMagick.spec                |   11 +++++-
 2 files changed, 75 insertions(+), 1 deletions(-)
---
diff --git a/GraphicsMagick-CVE-2012-3438.patch b/GraphicsMagick-CVE-2012-3438.patch
new file mode 100644
index 0000000..bacf70e
--- /dev/null
+++ b/GraphicsMagick-CVE-2012-3438.patch
@@ -0,0 +1,65 @@
+
+# HG changeset patch
+# User Glenn Randers-Pehrson <glennrp at simple...>
+# Date 1343491548 18000
+# Node ID d6e469d02cd260b6531e86a8a6c8a5a2b9ff51cb
+# Parent  fe9e2eb655ce8b85abfd9b88d20a8a1648ad71e7
+coders/png.c: Some typecasts were inconsistent with libpng-1.4 and later.
+
+diff -r fe9e2eb655ce -r d6e469d02cd2 coders/png.c
+--- a/coders/png.c	Thu Jul 26 20:24:26 2012 -0500
++++ b/coders/png.c	Sat Jul 28 11:05:48 2012 -0500
+@@ -1360,7 +1360,11 @@
+ }
+ 
+ #ifdef PNG_USER_MEM_SUPPORTED
+-static png_voidp png_IM_malloc(png_structp png_ptr,png_uint_32 size)
++#if PNG_LIBPNG_VER >= 14000
++static png_voidp png_IM_malloc(png_structp png_ptr,png_alloc_size_t size)
++#else
++static png_voidp png_IM_malloc(png_structp png_ptr,png_size_t size)
++#endif
+ {
+   (void) png_ptr;
+   return MagickAllocateMemory(png_voidp,(size_t) size);
+@@ -6169,12 +6173,22 @@
+       (void) printf("writing raw profile: type=%.1024s, length=%lu\n",
+                     profile_type, (unsigned long)length);
+     }
+-  text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text));
++#if PNG_LIBPNG_VER >= 14000
++  text=(png_textp) png_malloc(ping,(png_alloc_size_t) sizeof(png_text));
++#else
++  text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text));
++#endif
+   description_length=strlen((const char *) profile_description);
+   allocated_length=(png_uint_32) (length*2 + (length >> 5) + 20
+                                   + description_length);
+-  text[0].text=(png_charp) png_malloc(ping,allocated_length);
+-  text[0].key=(png_charp) png_malloc(ping, (png_uint_32) 80);
++#if PNG_LIBPNG_VER >= 14000
++   text[0].text=(png_charp) png_malloc(ping,
++      (png_alloc_size_t) allocated_length);
++   text[0].key=(png_charp) png_malloc(ping, (png_alloc_size_t) 80);
++#else
++   text[0].text=(png_charp) png_malloc(ping, (png_size_t) allocated_length);
++   text[0].key=(png_charp) png_malloc(ping, (png_size_t) 80);
++#endif
+   text[0].key[0]='\0';
+   (void) strcat(text[0].key, "Raw profile type ");
+   (void) strncat(text[0].key, (const char *) profile_type, 61);
+@@ -7620,7 +7634,12 @@
+ 
+       if (*attribute->key == '[')
+         continue;
+-      text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text));
++#if PNG_LIBPNG_VER >= 14000
++            text=(png_textp) png_malloc(ping,
++                 (png_alloc_size_t) sizeof(png_text));
++#else
++            text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text));
++#endif
+       text[0].key=attribute->key;
+       text[0].text=attribute->value;
+       text[0].text_length=strlen(attribute->value);
+
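Review bot: The version guard introduced at the `png_IM_malloc` definition and repeated at the three `png_malloc` call sites, `#if PNG_LIBPNG_VER >= 14000`, tests a value no libpng release reaches: png.h encodes 1.4.0 as 10400 (10000*major + 100*minor + release), so every `png_alloc_size_t` branch in this patch is dead and the `png_size_t` fallback is what actually compiles against libpng 1.4, 1.5 and 1.6 as well as 1.2. The intended comparison at all four places is `#if PNG_LIBPNG_VER >= 10400`. The fix likely still has the desired effect on the packaged build, since `png_size_t` and `png_alloc_size_t` are both `size_t` on common libpng ≥ 1.4 configurations, but that is incidental; on a libpng where `png_alloc_size_t` is typedef'd differently the callback prototype would again disagree with what libpng passes, which is the mismatch this CVE is about. As a point of style, the replacement lines in the second and third inner hunks are indented with three and twelve spaces where the surrounding code uses two and six, and the patch file itself opens with an empty line before the `# HG changeset patch` header.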
diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec
index 8261918..c6feb32 100644
--- a/GraphicsMagick.spec
+++ b/GraphicsMagick.spec
@@ -8,7 +8,7 @@
 Summary: An ImageMagick fork, offering faster image generation and better quality
 Name: GraphicsMagick
 Version: 1.3.16
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: MIT
 Group: Applications/Multimedia
 Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz
@@ -21,6 +21,11 @@ Patch1: GraphicsMagick-1.3.16-multilib.patch
 ## upstreamable patches
 Patch50: GraphicsMagick-1.3.14-perl_linkage.patch
 
+## upstream patches
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3438
+# http://graphicsmagick.hg.sourceforge.net/hgweb/graphicsmagick/graphicsmagick/rev/d6e469d02cd2
+Patch100: GraphicsMagick-CVE-2012-3438.patch
+
 BuildRequires: bzip2-devel
 BuildRequires: freetype-devel
 BuildRequires: jasper-devel
@@ -110,6 +115,7 @@ however.
 
 %patch1 -p1 -b .multilib
 %patch50 -p1 -b .perl_linkage
+%patch100 -p1 -b .CVE-2012-3438
 
 iconv -f iso-8859-2 -t utf8 < ChangeLog > ChangeLog.utf8
 mv -f ChangeLog.utf8 ChangeLog
@@ -263,6 +269,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Mon Aug 20 2012 Rex Dieter <rdieter at fedoraproject.org> 1.3.16-5
+- CVE-2012-3438 GraphicsMagick: png_IM_malloc() size argument (#844106, #844107)
+
 * Mon Aug 20 2012 Rex Dieter <rdieter at fedoraproject.org> 1.3.16-4
 - link GraphicsMagick against lcms2 instead of lcms1 (#849778)
 

