packages/GraphicsMagick
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!6 fix some CVEs

Browse Source 
From: @maminjie
Reviewed-by: @yanzh_h
Signed-off-by: @yanzh_h
This commit is contained in:
openeuler-ci-bot 2020-09-21 09:13:44 +08:00 committed by Gitee
commit 8cf6a37a02
9 changed files with 641 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
CVE-2018-18544.patch Normal file
View File

@ -0,0 +1,26 @@
From 960de60924208e2fceff6d118c0bcec38dae627b Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Sat, 19 Sep 2020 16:00:58 +0800
Subject: [PATCH] ProcessMSLScript(): Release msl_image if OpenBlob fails.
(CVE-2018-18544)
refers to http://hg.code.sf.net/p/graphicsmagick/code/rev/31349424878d
---
coders/msl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/coders/msl.c b/coders/msl.c
index 5add044..9e99629 100644
--- a/coders/msl.c
+++ b/coders/msl.c
@@ -4540,6 +4540,7 @@ ProcessMSLScript(const ImageInfo *image_info,Image **image,
status=OpenBlob(image_info,msl_image,ReadBinaryBlobMode,exception);
if (status == False)
{
+ DestroyImage(msl_image);
ThrowException(exception,FileOpenError,UnableToOpenFile,
msl_image->filename);
return(False);
--
2.23.0

30
CVE-2019-11005.patch Normal file
View File

@ -0,0 +1,30 @@
SVGStartElement(): Fix stack buffer overflow while parsing quoted font family value.
(CVE-2019-11005)
refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/b6fb77d7d54d
diff -r f7610c1281c1 -r b6fb77d7d54d coders/svg.c
--- a/coders/svg.c Fri Apr 05 08:13:14 2019 -0500
+++ b/coders/svg.c Fri Apr 05 08:43:15 2019 -0500
@@ -1745,12 +1745,12 @@
font-family. Maybe we need a generalized solution for
this.
*/
- if ((value[0] == '\'') && (value[strlen(value)-1] == '\''))
+ int value_length;
+ if ((value[0] == '\'') && ((value_length=(int) strlen(value)) > 2)
+ && (value[value_length-1] == '\''))
{
- char nvalue[MaxTextExtent];
- (void) strlcpy(nvalue,value+1,sizeof(nvalue));
- nvalue[strlen(nvalue)-1]='\0';
- MVGPrintf(svg_info->file,"font-family '%s'\n",nvalue);
+ MVGPrintf(svg_info->file,"font-family '%.*s'\n",
+ (int)(value_length-2),value+1);
}
else
{

45
CVE-2019-11006.patch Normal file
View File

@ -0,0 +1,45 @@
From a404f04f6114057b9b64eab8436a0668f6aa16f7 Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Sat, 19 Sep 2020 15:35:05 +0800
Subject: [PATCH] ReadMIFFImage(): Detect end of file while reading RLE
packets. (CVE-2019-11006)
refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/f7610c1281c1
---
coders/miff.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/coders/miff.c b/coders/miff.c
index 307b10e..60ad6f7 100644
--- a/coders/miff.c
+++ b/coders/miff.c
@@ -1706,7 +1706,13 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
p=pixels;
for (length=0; length < image->columns; )
{
- p+=ReadBlob(image,packet_size,p);
+ size_t
+ bytes_read;
+
+ if ((bytes_read=ReadBlob(image,packet_size,p)) != packet_size)
+ ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile,
+ image);
+ p+=bytes_read;
length+=*(p-1)+1;
}
@@ -1731,7 +1737,10 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
if (q == (PixelPacket *) NULL)
break;
pixels_p=pixels;
- (void) ReadBlobZC(image,packet_size*image->columns,&pixels_p);
+ if (ReadBlobZC(image,packet_size*image->columns,&pixels_p)
+ != (size_t) packet_size*image->columns)
+ ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile,
+ image);
(void) ImportImagePixelArea(image,quantum_type,quantum_size,(const unsigned char*) pixels_p,0,0);
if (!SyncImagePixels(image))
break;
--
2.23.0

110
CVE-2019-11010.patch Normal file
View File

@ -0,0 +1,110 @@
From 38b2e7d3f5a027058a92a48c440b1cf47f2d8af5 Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Sat, 19 Sep 2020 17:41:12 +0800
Subject: [PATCH] ReadMPCImage(): Deal with a profile length of zero, or an
irrationally large profile length. (CVE-2019-11010)
refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/a348d9661019
---
coders/miff.c | 36 ++++++++++++++++++++++++++++--------
coders/mpc.c | 37 ++++++++++++++++++++++++++++---------
2 files changed, 56 insertions(+), 17 deletions(-)
diff --git a/coders/miff.c b/coders/miff.c
index 60ad6f7..00813c4 100644
--- a/coders/miff.c
+++ b/coders/miff.c
@@ -1368,14 +1368,34 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
{
for (i=0; i < (long) number_of_profiles; i++)
{
- if (profiles[i].length == 0)
- continue;
- profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length);
- if (profiles[i].info == (unsigned char *) NULL)
- ThrowMIFFReaderException(CorruptImageError,UnableToReadGenericProfile,
- image);
- (void) ReadBlob(image,profiles[i].length,profiles[i].info);
- (void) SetImageProfile(image,profiles[i].name,profiles[i].info,profiles[i].length);
+ if (profiles[i].length > 0)
+ {
+ if ((profiles[i].length - ((magick_off_t) profiles[i].length) == 0) &&
+ ((BlobIsSeekable(image)
+ && (GetBlobSize(image) - TellBlob(image)) >
+ (magick_off_t) profiles[i].length) ||
+ (profiles[i].length < 15*1024*1024)))
+ {
+ profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length);
+ if (profiles[i].info == (unsigned char *) NULL)
+ ThrowMIFFReaderException(CorruptImageError,UnableToReadGenericProfile,
+ image);
+ if (ReadBlob(image,profiles[i].length,profiles[i].info)
+ != profiles[i].length)
+ ThrowMIFFReaderException(CorruptImageError,
+ UnexpectedEndOfFile,
+ image);
+ (void) SetImageProfile(image,profiles[i].name,profiles[i].info,profiles[i].length);
+ }
+ else
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Profile size %" MAGICK_SIZE_T_F "u is excessively large",
+ (MAGICK_SIZE_T ) profiles[i].length);
+ ThrowMIFFReaderException(CorruptImageError,ImproperImageHeader,
+ image);
+ }
+ }
MagickFreeMemory(profiles[i].name);
MagickFreeMemory(profiles[i].info);
}
diff --git a/coders/mpc.c b/coders/mpc.c
index 3459f92..e184fd1 100644
--- a/coders/mpc.c
+++ b/coders/mpc.c
@@ -772,15 +772,34 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
for (i=0; i < (long) number_of_profiles; i++)
{
- if (profiles[i].length == 0)
- continue;
- profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length);
- if (profiles[i].info == (unsigned char *) NULL)
- ThrowMPCReaderException(CorruptImageError,UnableToReadGenericProfile,
- image);
- (void) ReadBlob(image,profiles[i].length,profiles[i].info);
- (void) SetImageProfile(image,profiles[i].name,profiles[i].info,
- profiles[i].length);
+ if (profiles[i].length > 0)
+ {
+ if ((profiles[i].length - ((magick_off_t) profiles[i].length) == 0) &&
+ ((BlobIsSeekable(image)
+ && (GetBlobSize(image) - TellBlob(image)) >
+ (magick_off_t) profiles[i].length) ||
+ (profiles[i].length < 15*1024*1024)))
+ {
+ profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length);
+ if (profiles[i].info == (unsigned char *) NULL)
+ ThrowMPCReaderException(CorruptImageError,UnableToReadGenericProfile,
+ image);
+ if (ReadBlob(image,profiles[i].length,profiles[i].info)
+ != profiles[i].length)
+ ThrowMPCReaderException(CorruptImageError,
+ UnexpectedEndOfFile,
+ image);
+ (void) SetImageProfile(image,profiles[i].name,profiles[i].info,profiles[i].length);
+ }
+ else
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Profile size %" MAGICK_SIZE_T_F "u is excessively large",
+ (MAGICK_SIZE_T ) profiles[i].length);
+ ThrowMPCReaderException(CorruptImageError,ImproperImageHeader,
+ image);
+ }
+ }
MagickFreeMemory(profiles[i].name);
MagickFreeMemory(profiles[i].info);
}
--
2.23.0

39
CVE-2019-12921.patch Normal file
View File

@ -0,0 +1,39 @@
From 1b5507f188dd0cd76099348c5f151a8ba61a812d Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Sat, 19 Sep 2020 16:39:22 +0800
Subject: [PATCH] fix CVE-2019-12921
the text filename component potentially allows to read arbitrary files via TranslateTextEx for SVG
refers to https://build.opensuse.org/request/show/788214
---
magick/render.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/magick/render.c b/magick/render.c
index 3caf603..75bbe2f 100644
--- a/magick/render.c
+++ b/magick/render.c
@@ -2360,11 +2360,16 @@ DrawImage(Image *image,const DrawInfo *draw_info)
if (*draw_info->primitive == '\0')
return(MagickFail);
(void) LogMagickEvent(RenderEvent,GetMagickModule(),"begin draw-image");
- if (*draw_info->primitive != '@')
- primitive=AllocateString(draw_info->primitive);
- else
+ /*
+ Read primitive from file if supplied primitive starts with '@' and
+ we are not already drawing.
+ */
+ if ((*draw_info->primitive == '@') &&
+ (DrawImageGetCurrentRecurseLevel(image) == 1))
primitive=(char *)
FileToBlob(draw_info->primitive+1,&length,&image->exception);
+ else
+ primitive=AllocateString(draw_info->primitive);
if (primitive == (char *) NULL)
return(MagickFail);
primitive_extent=strlen(primitive);
--
2.23.0

34
CVE-2019-7397.patch Normal file
View File

@ -0,0 +1,34 @@
WritePDFImage(): Make sure to free 'xref' before returning. (ImageMagick CVE-2019-7397)
refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/11ad3aeb8ab1
diff -r e29c20957e2d -r 11ad3aeb8ab1 coders/pdf.c
--- a/coders/pdf.c Sun Feb 10 17:07:33 2019 -0600
+++ b/coders/pdf.c Mon Feb 11 20:31:53 2019 -0600
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003-2018 GraphicsMagick Group
+% Copyright (C) 2003-2019 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
% Copyright 1991-1999 E. I. du Pont de Nemours and Company
%
@@ -1375,6 +1375,7 @@
if (!status)
{
CloseBlob(image);
+ MagickFreeMemory(xref);
return(False);
}
break;
@@ -1478,6 +1479,7 @@
if (!status)
{
CloseBlob(image);
+ MagickFreeMemory(xref);
return(False);
}
break;

296
CVE-2020-10938.patch Normal file
View File

@ -0,0 +1,296 @@
HuffmanDecodeImage(): Fix signed overflow on range check which leads to heap overflow in 32-bit applications. Ascii85Tuple(): Fix thread safety issue.
(CVE-2020-10938)
refers to http://hg.code.sf.net/p/graphicsmagick/code/rev/95abc2b694ce
diff -r 751e9e822b09 -r 95abc2b694ce magick/compress.c
--- a/magick/compress.c Sun Nov 10 13:33:34 2019 -0600
+++ b/magick/compress.c Sat Nov 16 10:31:37 2019 -0600
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003 - 2015 GraphicsMagick Group
+% Copyright (C) 2003-2019 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
% Copyright 1991-1999 E. I. du Pont de Nemours and Company
%
@@ -53,21 +53,26 @@
*/
typedef struct HuffmanTable
{
+ unsigned int
+ id;
+
int
- id,
- code,
+ code;
+
+ unsigned int
length,
count;
+
} HuffmanTable;
/*
Huffman coding declarations.
*/
-#define TWId 23
-#define MWId 24
-#define TBId 25
-#define MBId 26
-#define EXId 27
+#define TWId 23U
+#define MWId 24U
+#define TBId 25U
+#define MBId 26U
+#define EXId 27U
static const HuffmanTable
MBTable[]=
@@ -202,37 +207,38 @@
*/
#define MaxLineExtent 36
-static char *Ascii85Tuple(unsigned char *data)
+static char *Ascii85Tuple(char tuple[6], const unsigned char * restrict data)
{
- static char
- tuple[6];
+ magick_uint32_t
+ code;
- register long
- i,
- x;
-
- unsigned long
- code,
- quantum;
-
- code=((((unsigned long) data[0] << 8) | (unsigned long) data[1]) << 16) |
- ((unsigned long) data[2] << 8) | (unsigned long) data[3];
- if (code == 0L)
+ code=((((magick_uint32_t) data[0] << 8) | (magick_uint32_t) data[1]) << 16) |
+ ((magick_uint32_t) data[2] << 8) | (magick_uint32_t) data[3];
+ if (code == 0)
{
tuple[0]='z';
tuple[1]='\0';
- return(tuple);
}
- quantum=85UL*85UL*85UL*85UL;
- for (i=0; i < 4; i++)
- {
- x=(long) (code/quantum);
- code-=quantum*x;
- tuple[i]=(char) (x+(int) '!');
- quantum/=85L;
- }
- tuple[4]=(char) ((code % 85L)+(int) '!');
- tuple[5]='\0';
+ else
+ {
+ register magick_int32_t
+ i,
+ x;
+
+ magick_uint32_t
+ quantum;
+
+ quantum=85U*85U*85U*85U;
+ for (i=0; i < 4; i++)
+ {
+ x=(magick_int32_t) (code/quantum);
+ code-=quantum*x;
+ tuple[i]=(char) (x+(int) '!');
+ quantum/=85;
+ }
+ tuple[4]=(char) ((code % 85)+(int) '!');
+ tuple[5]='\0';
+ }
return(tuple);
}
@@ -255,6 +261,9 @@
MagickExport void Ascii85Flush(Image *image)
{
+ char
+ tuple_buff[6];
+
register char
*tuple;
@@ -266,7 +275,7 @@
image->ascii85->buffer[image->ascii85->offset]=0;
image->ascii85->buffer[image->ascii85->offset+1]=0;
image->ascii85->buffer[image->ascii85->offset+2]=0;
- tuple=Ascii85Tuple(image->ascii85->buffer);
+ tuple=Ascii85Tuple(tuple_buff, image->ascii85->buffer);
(void) WriteBlob(image,image->ascii85->offset+1,
*tuple == 'z' ? "!!!!" : tuple);
}
@@ -286,6 +295,9 @@
register unsigned char
*p;
+ char
+ tuple_buff[6];
+
assert(image != (Image *) NULL);
assert(image->signature == MagickSignature);
assert(image->ascii85 != (Ascii85Info *) NULL);
@@ -296,7 +308,7 @@
p=image->ascii85->buffer;
for (n=image->ascii85->offset; n >= 4; n-=4)
{
- for (q=Ascii85Tuple(p); *q; q++)
+ for (q=Ascii85Tuple(tuple_buff,p); *q; q++)
{
image->ascii85->line_break--;
if ((image->ascii85->line_break < 0) && (*q != '%'))
@@ -355,11 +367,11 @@
%
%
*/
-#define HashSize 1021
-#define MBHashA 293
-#define MBHashB 2695
-#define MWHashA 3510
-#define MWHashB 1178
+#define HashSize 1021U
+#define MBHashA 293U
+#define MBHashB 2695U
+#define MWHashA 3510U
+#define MWHashB 1178U
#define InitializeHashTable(hash,table,a,b) \
{ \
@@ -401,26 +413,30 @@
byte,
code,
color,
- length,
null_lines,
runlength;
unsigned int
bit,
index,
+ length,
mask;
long
- count,
+ count;
+
+ unsigned long
y;
register IndexPacket
*indexes;
- register long
- i,
+ register unsigned long
x;
+ unsigned int
+ i;
+
register PixelPacket
*q;
@@ -481,13 +497,13 @@
image->x_resolution=204.0;
image->y_resolution=196.0;
image->units=PixelsPerInchResolution;
- for (y=0; ((y < (long) image->rows) && (null_lines < 3)); )
+ for (y=0; ((y < image->rows) && (null_lines < 3)); )
{
/*
Initialize scanline to white.
*/
p=scanline;
- for (x=0; x < (long) image->columns; x++)
+ for (x=0; x < image->columns; x++)
*p++=0;
/*
Decode Huffman encoded scanline.
@@ -502,7 +518,7 @@
{
if (byte == EOF)
break;
- if (x >= (long) image->columns)
+ if (x >= image->columns)
{
while (runlength < 11)
InputBit(bit);
@@ -563,7 +579,7 @@
case TBId:
{
count+=entry->count;
- if ((x+count) > (long) image->columns)
+ if ((x+(unsigned long) count) > image->columns)
count=(long) image->columns-x;
if (count > 0)
{
@@ -603,7 +619,7 @@
break;
}
indexes=AccessMutableIndexes(image);
- for (x=0; x < (long) image->columns; x++)
+ for (x=0; x < image->columns; x++)
{
index=(unsigned int) (*p++);
indexes[x]=index;
@@ -695,7 +711,9 @@
runlength;
long
- n,
+ n;
+
+ unsigned long
y;
Image
@@ -704,8 +722,10 @@
register const IndexPacket
*indexes;
- register long
- i,
+ unsigned long
+ i;
+
+ register unsigned long
x;
register const PixelPacket
@@ -772,10 +792,10 @@
polarity=(PixelIntensityToQuantum(&huffman_image->colormap[0]) <
PixelIntensityToQuantum(&huffman_image->colormap[1]) ? 0x00 : 0x01);
q=scanline;
- for (i=(long) width; i > 0; i--)
+ for (i=0; i < width; i++) /* was: for (i=(long) width; i > 0; i--) */
*q++=(unsigned char) polarity;
q=scanline;
- for (y=0; y < (long) huffman_image->rows; y++)
+ for (y=0; y < huffman_image->rows; y++)
{
p=AcquireImagePixels(huffman_image,0,y,huffman_image->columns,1,
&huffman_image->exception);
@@ -785,7 +805,7 @@
break;
}
indexes=AccessImmutableIndexes(huffman_image);
- for (x=0; x < (long) huffman_image->columns; x++)
+ for (x=0; x < huffman_image->columns; x++)
{
*q=(unsigned char) (indexes[x] == polarity ? !polarity : polarity);
q++;

48
CVE-2020-12672.patch Normal file
View File

@ -0,0 +1,48 @@
From a5646313975525c598527269bbfe4524909275f3 Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Sat, 19 Sep 2020 17:59:51 +0800
Subject: [PATCH] MNG: Fix small heap overwrite or assertion if magnifying and
image to be magnified has rows or columns == 1. (CVE-2020-12672)
refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/50395430a371
---
coders/png.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/coders/png.c b/coders/png.c
index ebb0a4a..b8b6c2b 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -5571,7 +5571,28 @@ static Image *ReadMNGImage(const ImageInfo *image_info,
if (logging)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " Processing MNG MAGN chunk");
+ " Processing MNG MAGN chunk: MB=%u, ML=%u,"
+ " MR=%u, MT=%u, MX=%u, MY=%u,"
+ " X_method=%u, Y_method=%u",
+ mng_info->magn_mb,mng_info->magn_ml,
+ mng_info->magn_mr,mng_info->magn_mt,
+ mng_info->magn_mx,mng_info->magn_my,
+ mng_info->magn_methx,
+ mng_info->magn_methy);
+
+ /*
+ If the image width is 1, then X magnification is done
+ by simple pixel replication.
+ */
+ if (image->columns == 1)
+ mng_info->magn_methx = 1;
+
+ /*
+ If the image height is 1, then Y magnification is done
+ by simple pixel replication.
+ */
+ if (image->rows == 1)
+ mng_info->magn_methy = 1;
if (mng_info->magn_methx == 1)
{
--
2.23.0

14
GraphicsMagick.spec
View File

@ -10,7 +10,7 @@
Name: GraphicsMagick
Version: 1.3.30
Release: 6
Release: 7
Summary: Derived from ImageMagick, providing faster image generation speed and better quality
License: MIT
Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz
@ -23,6 +23,14 @@ Patch0003: CVE-2019-11505.patch
Patch0004: CVE-2019-11008.patch
Patch0005: CVE-2019-11506.patch
Patch0006: CVE-2019-11009.patch
Patch0007: CVE-2018-18544.patch
Patch0008: CVE-2019-7397.patch
Patch0009: CVE-2019-11005.patch
Patch0010: CVE-2019-11006.patch
Patch0011: CVE-2019-11010.patch
Patch0012: CVE-2019-12921.patch
Patch0013: CVE-2020-10938.patch
Patch0014: CVE-2020-12672.patch
BuildRequires: bzip2-devel freetype-devel gcc-c++ giflib-devel lcms2-devel libjpeg-devel
BuildRequires: libpng-devel librsvg2-devel libtiff-devel libtool-ltdl-devel libxml2-devel lpr
@ -221,6 +229,10 @@ time %make_build check ||:
%changelog
* Sat Sep 19 2020 maminjie <maminjie1@huawei.com> - 1.3.30-7
- fix some CVEs: CVE-2018-18544 CVE-2019-7397 CVE-2019-11005 CVE-2019-11006
CVE-2019-11010 CVE-2019-12921 CVE-2020-10938 CVE-2020-12672
* Thu Jan 23 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.3.30-6
- Type:bugfix
- Id:NA