CVS update of imagemagick (coders/xwd.c debian/changelog)
Daniel Kobras
kobras at alioth.debian.org
Sat Apr 28 14:16:13 UTC 2007
Date: Saturday, April 28, 2007 @ 14:16:13
Author: kobras
Path: /cvsroot/pkg-gmagick/imagemagick
Modified: coders/xwd.c debian/changelog
Fix multiple integer overflows in XWD coder:
- missing pieces of fix for CVE-2007-1667 [Larry Doolittle]
- fixes from CVE-2007-1797, lifted from upstream SVN.
------------------+
coders/xwd.c | 25 ++++++++++++++++++-------
debian/changelog | 6 ++++--
2 files changed, 22 insertions(+), 9 deletions(-)
Index: imagemagick/coders/xwd.c
diff -u imagemagick/coders/xwd.c:1.2 imagemagick/coders/xwd.c:1.3
--- imagemagick/coders/xwd.c:1.2 Thu Mar 15 17:26:42 2007
+++ imagemagick/coders/xwd.c Sat Apr 28 14:16:13 2007
@@ -231,7 +231,9 @@
if (header.header_size < sz_XWDheader)
ThrowReaderException(CorruptImageError,"CorruptImage");
length=(size_t) header.header_size-sz_XWDheader;
- comment=(char *) AcquireMagickMemory(length+MaxTextExtent);
+ if (length > ((~0UL)/sizeof(*comment)))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ comment=(char *) AcquireMagickMemory((length+1)*sizeof(*comment));
if (comment == (char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
count=ReadBlob(image,length,(unsigned char *) comment);
@@ -281,8 +283,10 @@
XWDColor
color;
- colors=(XColor *)
- AcquireMagickMemory((size_t) header.ncolors*sizeof(*colors));
+ length=(size_t) header.ncolors;
+ if (length > ((~0UL)/sizeof(*colors)))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ colors=(XColor *) AcquireMagickMemory(length*sizeof(*colors));
if (colors == (XColor *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i < (long) header.ncolors; i++)
@@ -313,10 +317,17 @@
/*
Allocate the pixel buffer.
*/
- if (ximage->format == ZPixmap)
- length=(size_t) ximage->bytes_per_line*ximage->height;
- else
- length=(size_t) ximage->bytes_per_line*ximage->height*ximage->depth;
+#define OVERFLOW(c,a,b) ((b) != 0 && ((c)/(b) != (a)))
+ length=ximage->bytes_per_line*ximage->height;
+ if (OVERFLOW(length,ximage->bytes_per_line,ximage->height))
+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+ if (ximage->format != ZPixmap)
+ {
+ size_t tmp=length;
+ length*=ximage->depth;
+ if (OVERFLOW(length,tmp,ximage->depth))
+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+ }
ximage->data=(char *) AcquireMagickMemory(length);
if (ximage->data == (char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
Index: imagemagick/debian/changelog
diff -u imagemagick/debian/changelog:1.10 imagemagick/debian/changelog:1.11
--- imagemagick/debian/changelog:1.10 Sat Apr 28 13:53:52 2007
+++ imagemagick/debian/changelog Sat Apr 28 14:16:13 2007
@@ -23,9 +23,11 @@
* coders/pnm.c: Fix segfault in PNM coder.
* coders/sgi.c: Fix segfault in SGI coder.
* coders/sun.c: Fix segfault during conversion in SUN coder.
- * coders/xwd.c: Fix segfault during conversion in XWD coder. (CVE-2007-1667)
+ * coders/xwd.c: Fix segfault during conversion in XWD coder.
+ * coders/xwd.c: Fix multiple integer overflows in XWD coder.
+ (CVE-2007-1667, CVE-2007-1797)
- -- Daniel Kobras <kobras at debian.org> Sat, 28 Apr 2007 15:51:48 +0200
+ -- Daniel Kobras <kobras at debian.org> Sat, 28 Apr 2007 16:15:00 +0200
imagemagick (7:6.2.4.5.dfsg1-0.14) unstable; urgency=high
More information about the pkg-gmagick-commit
mailing list