[ImageMagick/f16] New patches
Pavel Alexeev
hubbitus at fedoraproject.org
Tue Jun 12 11:19:28 UTC 2012
commit c57fededce54be57e7deb40004fe148ae171576c
Author: Pavel Alexeev (aka Pahan-Hubbitus) <pahan at hubbitus.info>
Date: Tue Jun 12 15:14:23 2012 +0400
New patches
ImageMagick-6.7.0-10-CVE-2012-0259.patch | 47 ++++++++++++++++++++++++++++++
ImageMagick-6.7.0-10-CVE-2012-1610.patch | 26 ++++++++++++++++
sources | 1 -
3 files changed, 73 insertions(+), 1 deletions(-)
---
diff --git a/ImageMagick-6.7.0-10-CVE-2012-0259.patch b/ImageMagick-6.7.0-10-CVE-2012-0259.patch
new file mode 100644
index 0000000..d6657e7
--- /dev/null
+++ b/ImageMagick-6.7.0-10-CVE-2012-0259.patch
@@ -0,0 +1,47 @@
+--- ImageMagick-6.7.5-10/magick/property.c 2012-02-29 20:41:19.000000000 -0500
++++ ImageMagick-6.7.6-3/magick/property.c 2012-03-28 19:00:20.537642844 -0400
+@@ -1309,6 +1309,8 @@
+ buffer[MaxTextExtent],
+ *value;
+
++ value=(char *) NULL;
++ *buffer='\0';
+ switch (format)
+ {
+ case EXIF_FMT_BYTE:
+--- ImageMagick-6.7.5-10/coders/jpeg.c 2012-03-02 12:37:45.000000000 -0500
++++ ImageMagick-6.7.6-3/coders/jpeg.c 2012-03-28 19:00:11.641806710 -0400
+@@ -319,6 +320,8 @@
+
+ static MagickBooleanType JPEGWarningHandler(j_common_ptr jpeg_info,int level)
+ {
++#define JPEGExcessiveWarnings 1000
++
+ char
+ message[JMSG_LENGTH_MAX];
+
+@@ -337,11 +340,12 @@
+ Process warning message.
+ */
+ (jpeg_info->err->format_message)(jpeg_info,message);
++ if (jpeg_info->err->num_warnings++ > JPEGExcessiveWarnings)
++ JPEGErrorHandler(jpeg_info);
+ if ((jpeg_info->err->num_warnings == 0) ||
+ (jpeg_info->err->trace_level >= 3))
+ ThrowBinaryException(CorruptImageWarning,(char *) message,
+ image->filename);
+- jpeg_info->err->num_warnings++;
+ }
+ else
+ if ((image->debug != MagickFalse) &&
+--- ImageMagick-6.7.0-10/coders/tiff.c.orig 2011-06-25 16:26:44.000000000 +0400
+--- ImageMagick-6.7.0-10/coders/tiff.c 2012-06-12 13:39:30.921473863 +0400
+@@ -595,7 +595,7 @@
+ *ascii;
+
+ if (TIFFGetField(tiff,exif_info[i].tag,&ascii) != 0)
+- (void) CopyMagickMemory(value,ascii,MaxTextExtent);
++ (void) CopyMagickString(value,ascii,MaxTextExtent);
+ break;
+ }
+ case TIFF_SHORT:
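Review bot: In the jpeg.c part of this patch the new limit check post-increments `num_warnings`, so the `num_warnings == 0` test on the next line can no longer be true (short of counter wrap-around), and CorruptImageWarning is raised only when `trace_level >= 3`. If the first warning should still be reported, the follow-up test needs to account for the earlier increment, e.g. `if ((jpeg_info->err->num_warnings == 1) ||`. If suppressing it is intended, drop the dead arm and add a comment such as `/* warnings are surfaced only at trace_level >= 3; the count just bounds work on corrupt input */`. Separately, the tiff.c section is headed by two `---` lines and no `+++` line, so it is worth regenerating that header to ensure the patch tool resolves the target file unambiguously. JPEGWarningHandler and the TIFF switch both continue outside the embedded hunks, so how the callers react is not visible here.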
diff --git a/ImageMagick-6.7.0-10-CVE-2012-1610.patch b/ImageMagick-6.7.0-10-CVE-2012-1610.patch
new file mode 100644
index 0000000..4480152
--- /dev/null
+++ b/ImageMagick-6.7.0-10-CVE-2012-1610.patch
@@ -0,0 +1,26 @@
+--- ImageMagick-6.5.4-7/magick/property.c 2012-04-02 13:25:21.000000000 +0200
++++ ImageMagick-6.5.4-7/magick/property.c 2012-04-03 10:39:44.000000000 +0200
+@@ -1269,6 +1269,8 @@
+ break;
+ components=(ssize_t) ((int) ReadPropertyLong(endian,q+4));
+ number_bytes=(size_t) components*tag_bytes[format];
++ if (number_bytes < components)
++ break; /* prevent overflow */
+ if (number_bytes <= 4)
+ p=q+8;
+ else
+
+--- ImageMagick-6.5.4-7/magick/profile.c 2012-04-02 13:25:21.000000000 +0200
++++ ImageMagick-6.5.4-7/magick/profile.c 2012-04-03 10:39:44.000000000 +0200
+@@ -1926,8 +1926,10 @@
+ format=(ssize_t) ReadProfileShort(endian,q+2);
+ if ((format-1) >= EXIF_NUM_FORMATS)
+ break;
+- components=(int) ReadProfileLong(endian,q+4);
++ components=(ssize_t) ((int) ReadProfileLong(endian,q+4));
+ number_bytes=(size_t) components*format_bytes[format];
++ if (number_bytes < components)
++ break; /* prevent overflow */
+ if (number_bytes <= 4)
+ p=q+8;
+ else
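Review bot: The added `if (number_bytes < components)` guard, in both property.c and profile.c, is not a dependable overflow test. It compares a `size_t` with an `ssize_t`, so a negative `components` is converted to a very large unsigned value, and a product that has wrapped can still come out greater than or equal to `components`. Rejecting negatives and bounding the count before the multiplication closes both gaps: `if (components < 0) break;` followed by `if ((tag_bytes[format] != 0) && ((size_t) components > ((size_t) -1)/tag_bytes[format])) break;` (using `format_bytes` in profile.c, and assuming the table holds non-negative element sizes). The surrounding loop and the later offset checks lie outside these hunks, so it cannot be confirmed from here whether an oversized `number_bytes` is caught further down.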
diff --git a/sources b/sources
index 374602d..e277766 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
-0b9908beeeaf4e7990b23c80e6e81d14 ImageMagick-6.4.0-multilib.patch
440500b08d3b861c4206d5fd1e86776d ImageMagick-6.7.0-10.tar.xz