Search
j0ke.net Open Build Service
>
Projects
>
graphics
:
ImageMagick:6.7.6.9
>
ImageMagick
> ImageMagick-security-exif.patch
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File ImageMagick-security-exif.patch of Package ImageMagick
http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629 Index: ImageMagick-6.7.2-7/coders/jpeg.c =================================================================== --- ImageMagick-6.7.2-7.orig/coders/jpeg.c +++ ImageMagick-6.7.2-7/coders/jpeg.c @@ -301,6 +301,8 @@ static MagickBooleanType JPEGErrorHandle static MagickBooleanType JPEGWarningHandler(j_common_ptr jpeg_info,int level) { +#define JPEGExcessiveWarnings 1000 + char message[JMSG_LENGTH_MAX]; @@ -319,11 +321,12 @@ static MagickBooleanType JPEGWarningHand Process warning message. */ (jpeg_info->err->format_message)(jpeg_info,message); + if (jpeg_info->err->num_warnings++ > JPEGExcessiveWarnings) + JPEGErrorHandler(jpeg_info); if ((jpeg_info->err->num_warnings == 0) || (jpeg_info->err->trace_level >= 3)) ThrowBinaryException(CorruptImageWarning,(char *) message, image->filename); - jpeg_info->err->num_warnings++; } else if ((image->debug != MagickFalse) && Index: ImageMagick-6.7.2-7/coders/tiff.c =================================================================== --- ImageMagick-6.7.2-7.orig/coders/tiff.c +++ ImageMagick-6.7.2-7/coders/tiff.c @@ -604,7 +604,7 @@ static void TIFFGetEXIFProperties(TIFF * ascii=(char *) NULL; if ((TIFFGetField(tiff,exif_info[i].tag,&ascii,&sans) != 0) && (ascii != (char *) NULL) && (*ascii != '\0')) - (void) CopyMagickMemory(value,ascii,MaxTextExtent); + (void) CopyMagickString(value,ascii,MaxTextExtent); break; } case TIFF_SHORT: Index: ImageMagick-6.7.2-7/magick/property.c =================================================================== --- ImageMagick-6.7.2-7.orig/magick/property.c +++ ImageMagick-6.7.2-7/magick/property.c @@ -1269,6 +1269,8 @@ static MagickBooleanType GetEXIFProperty break; components=(ssize_t) ((int) ReadPropertyLong(endian,q+4)); number_bytes=(size_t) components*tag_bytes[format]; + if (number_bytes < components) + break; /* prevent overflow */ if (number_bytes <= 4) p=q+8; else @@ -1290,6 +1292,8 @@ static MagickBooleanType GetEXIFProperty buffer[MaxTextExtent], *value; + value=(char *) NULL; + *buffer='\0'; switch (format) { case EXIF_FMT_BYTE: Index: ImageMagick-6.7.2-7/magick/profile.c =================================================================== --- ImageMagick-6.7.2-7.orig/magick/profile.c +++ ImageMagick-6.7.2-7/magick/profile.c @@ -1927,8 +1927,10 @@ MagickExport MagickBooleanType SyncImage format=(ssize_t) ReadProfileShort(endian,q+2); if ((format-1) >= EXIF_NUM_FORMATS) break; - components=(int) ReadProfileLong(endian,q+4); + components=(ssize_t) ((int) ReadProfileLong(endian,q+4)); number_bytes=(size_t) components*format_bytes[format]; + if (number_bytes < components) + break; /* prevent overflow */ if (number_bytes <= 4) p=q+8; else