summary refs log tree commit diff
path: root/gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
blob: dbcaea134355207013f0aed7b5871c92ce588ae8 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
http://www.openwall.com/lists/oss-security/2017/09/01/6

CVE-2017-11403:
http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37

CVE-2017-14103:
http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f

some changes were made to make the patch apply

# HG changeset patch
# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
# Date 1503875721 14400
# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2
# Parent  f0f2ea85a2930f3b6dcd72352719adb9660f2aad
Attempt to fix Issue 440.

diff -ru a/coders/png.c b/coders/png.c
--- a/coders/png.c	1969-12-31 19:00:00.000000000 -0500
+++ b/coders/png.c	2017-09-10 11:31:56.543194173 -0400
@@ -3106,7 +3106,9 @@
       if (length > PNG_MAX_UINT || count == 0)
         {
           DestroyJNGInfo(color_image_info,alpha_image_info);
-          ThrowReaderException(CorruptImageError,CorruptImage,image);
+          (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+              "chunk length (%lu) > PNG_MAX_UINT",length);
+          return ((Image*)NULL);
         }

       chunk=(unsigned char *) NULL;
@@ -3117,13 +3119,16 @@
           if (chunk == (unsigned char *) NULL)
             {
               DestroyJNGInfo(color_image_info,alpha_image_info);
-              ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
-                                   image);
+              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                  "    Could not allocate chunk memory");
+              return ((Image*)NULL);
             }
           if (ReadBlob(image,length,chunk) < length)
             {
               DestroyJNGInfo(color_image_info,alpha_image_info);
-              ThrowReaderException(CorruptImageError,CorruptImage,image);
+              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                  "    chunk reading was incomplete");
+              return ((Image*)NULL);
             }
           p=chunk;
         }
@@ -3198,7 +3203,7 @@
                   jng_width, jng_height);
               MagickFreeMemory(chunk);
               DestroyJNGInfo(color_image_info,alpha_image_info);
-              ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+              return ((Image *)NULL);
             }

           /* Temporarily set width and height resources to match JHDR */
@@ -3233,8 +3238,9 @@
           if (color_image == (Image *) NULL)
             {
               DestroyJNGInfo(color_image_info,alpha_image_info);
-              ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
-                                   image);
+              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                  "    could not open color_image blob");
+              return ((Image *)NULL);
             }
           if (logging)
             (void) LogMagickEvent(CoderEvent,GetMagickModule(),
@@ -3245,7 +3251,9 @@
           if (status == MagickFalse)
             {
               DestroyJNGInfo(color_image_info,alpha_image_info);
-              ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
+              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                  "    could not open color_image blob");
+              return ((Image *)NULL);
             }

           if (!image_info->ping && jng_color_type >= 12)
@@ -3255,17 +3263,18 @@
               if (alpha_image_info == (ImageInfo *) NULL)
                 {
                   DestroyJNGInfo(color_image_info,alpha_image_info);
-                  ThrowReaderException(ResourceLimitError,
-                                       MemoryAllocationFailed, image);
+                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                      "    could not allocate alpha_image_info",length);
+                  return ((Image *)NULL);
                 }
               GetImageInfo(alpha_image_info);
               alpha_image=AllocateImage(alpha_image_info);
               if (alpha_image == (Image *) NULL)
                 {
                   DestroyJNGInfo(color_image_info,alpha_image_info);
-                  ThrowReaderException(ResourceLimitError,
-                                       MemoryAllocationFailed,
-                                       alpha_image);
+                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                      "    could not allocate alpha_image");
+                  return ((Image *)NULL);
                 }
               if (logging)
                 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
@@ -3277,7 +3286,9 @@
                 {
                   DestroyJNGInfo(color_image_info,alpha_image_info);
                   DestroyImage(alpha_image);
-                  ThrowReaderException(CoderError,UnableToOpenBlob,image);
+                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                      "    could not allocate alpha_image blob");
+                  return ((Image *)NULL);
                 }
               if (jng_alpha_compression_method == 0)
                 {
@@ -3613,6 +3624,8 @@
               alpha_image = (Image *)NULL;
               DestroyImageInfo(alpha_image_info);
               alpha_image_info = (ImageInfo *)NULL;
+              (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                  " Destroy the JNG image");
               DestroyImage(jng_image);
               jng_image = (Image *)NULL;
             }
@@ -5146,8 +5159,8 @@

       if (image == (Image *) NULL)
         {
-          DestroyImageList(previous);
           CloseBlob(previous);
+          DestroyImageList(previous);
           MngInfoFreeStruct(mng_info,&have_mng_structure);
           return((Image *) NULL);
         }