http://www.openwall.com/lists/oss-security/2017/09/01/6
CVE-2017-11403:
http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37
CVE-2017-14103:
http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f
some changes were made to make the patch apply
# HG changeset patch
# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
# Date 1503875721 14400
# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2
# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad
Attempt to fix Issue 440.
diff -ru a/coders/png.c b/coders/png.c
--- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
+++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400
@@ -3106,7 +3106,9 @@
if (length > PNG_MAX_UINT || count == 0)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(CorruptImageError,CorruptImage,image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "chunk length (%lu) > PNG_MAX_UINT",length);
+ return ((Image*)NULL);
}
chunk=(unsigned char *) NULL;
@@ -3117,13 +3119,16 @@
if (chunk == (unsigned char *) NULL)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
- image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Could not allocate chunk memory");
+ return ((Image*)NULL);
}
if (ReadBlob(image,length,chunk) < length)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(CorruptImageError,CorruptImage,image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " chunk reading was incomplete");
+ return ((Image*)NULL);
}
p=chunk;
}
@@ -3198,7 +3203,7 @@
jng_width, jng_height);
MagickFreeMemory(chunk);
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+ return ((Image *)NULL);
}
/* Temporarily set width and height resources to match JHDR */
@@ -3233,8 +3238,9 @@
if (color_image == (Image *) NULL)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
- image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not open color_image blob");
+ return ((Image *)NULL);
}
if (logging)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
@@ -3245,7 +3251,9 @@
if (status == MagickFalse)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not open color_image blob");
+ return ((Image *)NULL);
}
if (!image_info->ping && jng_color_type >= 12)
@@ -3255,17 +3263,18 @@
if (alpha_image_info == (ImageInfo *) NULL)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(ResourceLimitError,
- MemoryAllocationFailed, image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not allocate alpha_image_info",length);
+ return ((Image *)NULL);
}
GetImageInfo(alpha_image_info);
alpha_image=AllocateImage(alpha_image_info);
if (alpha_image == (Image *) NULL)
{
DestroyJNGInfo(color_image_info,alpha_image_info);
- ThrowReaderException(ResourceLimitError,
- MemoryAllocationFailed,
- alpha_image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not allocate alpha_image");
+ return ((Image *)NULL);
}
if (logging)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
@@ -3277,7 +3286,9 @@
{
DestroyJNGInfo(color_image_info,alpha_image_info);
DestroyImage(alpha_image);
- ThrowReaderException(CoderError,UnableToOpenBlob,image);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " could not allocate alpha_image blob");
+ return ((Image *)NULL);
}
if (jng_alpha_compression_method == 0)
{
@@ -3613,6 +3624,8 @@
alpha_image = (Image *)NULL;
DestroyImageInfo(alpha_image_info);
alpha_image_info = (ImageInfo *)NULL;
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Destroy the JNG image");
DestroyImage(jng_image);
jng_image = (Image *)NULL;
}
@@ -5146,8 +5159,8 @@
if (image == (Image *) NULL)
{
- DestroyImageList(previous);
CloseBlob(previous);
+ DestroyImageList(previous);
MngInfoFreeStruct(mng_info,&have_mng_structure);
return((Image *) NULL);
}
