path: root/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch
http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/493da54370aa
http://openwall.com/lists/oss-security/2017/09/06/4

some changes were made to make the patch apply

# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1503257388 18000
# Node ID 493da54370aa42cb430c52a69eb75db0001a5589
# Parent  f8724674907902b7bc37c04f252fe30fbdd88e6f
SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions.

diff -r f87246749079 -r 493da54370aa coders/sun.c
--- a/coders/sun.c	Sun Aug 20 12:21:03 2017 +0200
+++ b/coders/sun.c	Sun Aug 20 14:29:48 2017 -0500
@@ -498,6 +498,12 @@
     if (sun_info.depth < 8)
       image->depth=sun_info.depth;
 
+    if (image_info->ping)
+      {
+        CloseBlob(image);
+        return(image);
+      }
+
     /*
       Compute bytes per line and bytes per image for an unencoded
       image.
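Review bot: The relocated `if (image_info->ping)` return now sits ahead of the bytes-per-line and bytes-per-image computation, so ping callers get width, height and depth straight from the header without the consistency checks that follow. That may well be intended, since ping does not allocate pixel data, but it should be stated at the return, for example `/* Ping returns header attributes only; the length checks below are not applied */`. The code between this hunk and the next is not visible here, so which checks are skipped is inferred from the second hunk's context lines.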
@@ -522,15 +528,37 @@
       if (bytes_per_image > sun_info.length)
         ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
 
-    if (image_info->ping)
-      {
-        CloseBlob(image);
-        return(image);
-      }
     if (sun_info.type == RT_ENCODED)
       sun_data_length=(size_t) sun_info.length;
     else
       sun_data_length=bytes_per_image;
+
+    /*
+      Verify that data length claimed by header is supported by file size
+    */
+    if (sun_info.type == RT_ENCODED)
+      {
+        if (sun_data_length < bytes_per_image/255U)
+          {
+            ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+          }
+      }
+    if (BlobIsSeekable(image))
+      {
+        const magick_off_t file_size = GetBlobSize(image);
+        const magick_off_t current_offset = TellBlob(image);
+        if ((file_size > 0) &&
+            (current_offset > 0) &&
+            (file_size > current_offset))
+        {
+          const magick_off_t remaining = file_size-current_offset;
+          if (remaining < (magick_off_t) sun_data_length)
+            {
+              ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+            }
+        }
+      }
+
     sun_data=MagickAllocateMemory(unsigned char *,sun_data_length);
     if (sun_data == (unsigned char *) NULL)
       ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
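Review bot: The file-size check is skipped whenever `file_size > current_offset` is false, so a file that ends exactly at the header (or a blob whose offset is at or past its reported size) still reaches `MagickAllocateMemory` with a length taken only from the header. Dropping that clause, `if ((file_size > 0) && (current_offset > 0))`, lets `remaining` become zero or negative and the existing `remaining < (magick_off_t) sun_data_length` comparison then rejects the file. Non-seekable blobs bypass the check entirely, so for RT_ENCODED data on a pipe the allocation is still bounded only by `sun_info.length`; a resource-limit check before the allocation would cover that path. The `255U` divisor in the RT_ENCODED test also needs a one-line comment saying which maximum run-length expansion it assumes. The enclosing function starts and ends outside this hunk.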