packages/GraphicsMagick
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to 1.3.41 for fix CVE-2020-21679

Browse Source
This commit is contained in:
wk333 2023-09-13 10:06:56 +08:00
parent f2316426b1
commit c91f4e7406
22 changed files with 242 additions and 1986 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
CVE-2018-18544.patch
View File

@ -1,26 +0,0 @@
From 960de60924208e2fceff6d118c0bcec38dae627b Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Sat, 19 Sep 2020 16:00:58 +0800
Subject: [PATCH] ProcessMSLScript(): Release msl_image if OpenBlob fails.
(CVE-2018-18544)
refers to http://hg.code.sf.net/p/graphicsmagick/code/rev/31349424878d
---
coders/msl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/coders/msl.c b/coders/msl.c
index 5add044..9e99629 100644
--- a/coders/msl.c
+++ b/coders/msl.c
@@ -4540,6 +4540,7 @@ ProcessMSLScript(const ImageInfo *image_info,Image **image,
status=OpenBlob(image_info,msl_image,ReadBinaryBlobMode,exception);
if (status == False)
{
+ DestroyImage(msl_image);
ThrowException(exception,FileOpenError,UnableToOpenFile,
msl_image->filename);
return(False);
--
2.23.0

30
CVE-2019-11005.patch
View File

@ -1,30 +0,0 @@
SVGStartElement(): Fix stack buffer overflow while parsing quoted font family value.
(CVE-2019-11005)
refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/b6fb77d7d54d
diff -r f7610c1281c1 -r b6fb77d7d54d coders/svg.c
--- a/coders/svg.c Fri Apr 05 08:13:14 2019 -0500
+++ b/coders/svg.c Fri Apr 05 08:43:15 2019 -0500
@@ -1745,12 +1745,12 @@
font-family. Maybe we need a generalized solution for
this.
*/
- if ((value[0] == '\'') && (value[strlen(value)-1] == '\''))
+ int value_length;
+ if ((value[0] == '\'') && ((value_length=(int) strlen(value)) > 2)
+ && (value[value_length-1] == '\''))
{
- char nvalue[MaxTextExtent];
- (void) strlcpy(nvalue,value+1,sizeof(nvalue));
- nvalue[strlen(nvalue)-1]='\0';
- MVGPrintf(svg_info->file,"font-family '%s'\n",nvalue);
+ MVGPrintf(svg_info->file,"font-family '%.*s'\n",
+ (int)(value_length-2),value+1);
}
else
{

45
CVE-2019-11006.patch
View File

@ -1,45 +0,0 @@
From a404f04f6114057b9b64eab8436a0668f6aa16f7 Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Sat, 19 Sep 2020 15:35:05 +0800
Subject: [PATCH] ReadMIFFImage(): Detect end of file while reading RLE
packets. (CVE-2019-11006)
refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/f7610c1281c1
---
coders/miff.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/coders/miff.c b/coders/miff.c
index 307b10e..60ad6f7 100644
--- a/coders/miff.c
+++ b/coders/miff.c
@@ -1706,7 +1706,13 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
p=pixels;
for (length=0; length < image->columns; )
{
- p+=ReadBlob(image,packet_size,p);
+ size_t
+ bytes_read;
+
+ if ((bytes_read=ReadBlob(image,packet_size,p)) != packet_size)
+ ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile,
+ image);
+ p+=bytes_read;
length+=*(p-1)+1;
}
@@ -1731,7 +1737,10 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
if (q == (PixelPacket *) NULL)
break;
pixels_p=pixels;
- (void) ReadBlobZC(image,packet_size*image->columns,&pixels_p);
+ if (ReadBlobZC(image,packet_size*image->columns,&pixels_p)
+ != (size_t) packet_size*image->columns)
+ ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile,
+ image);
(void) ImportImagePixelArea(image,quantum_type,quantum_size,(const unsigned char*) pixels_p,0,0);
if (!SyncImagePixels(image))
break;
--
2.23.0

111
CVE-2019-11007.patch
View File

@ -1,111 +0,0 @@
--- a/magick/colormap.c Tue Apr 02 18:38:00 2019 -0500
+++ b/magick/colormap.c Tue Apr 02 19:44:26 2019 -0500
@@ -35,11 +35,11 @@
% AllocateImageColormap() allocates an image colormap and initializes
% it to a linear gray colorspace with increasing intensity. If the image
% already has a colormap, it is replaced. AllocateImageColormap() returns
-% True if successful, otherwise False if there is not enough memory.
+% MagickPass if successful, otherwise MagickFail if there is not enough memory.
%
% The format of the AllocateImageColormap method is:
%
-% unsigned int AllocateImageColormap(Image *image,
+% MagickPassFail AllocateImageColormap(Image *image,
% const unsigned long colors)
%
% A description of each parameter follows:
@@ -109,7 +109,7 @@
%
% The format of the CycleColormapImage method is:
%
-% CycleColormapImage(Image *image,const int amount)
+% MagickPassFail CycleColormapImage(Image *image,const int amount)
%
% A description of each parameter follows:
%
@@ -250,6 +250,76 @@
% %
% %
% %
++ R e a l l o c a t e I m a g e C o l o r m a p %
+% %
+% %
+% %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% ReallocateImageColormap() reallocates an image colormap (or allocates it
+% if is not already allocated) and clears any added colormap entries
+% while preserving existing entries. ReallocateImageColormap() returns
+% MagickPass if successful, otherwise MagickFail if there is not enough
+% memory or the number of colormap entries is not supported.
+%
+% The image storage class is not modified by this function.
+%
+% The format of the ReallocateImageColormap method is:
+%
+% MagickPassFail ReallocateImageColormap(Image *image,
+% const unsigned int colors)
+%
+% A description of each parameter follows:
+%
+% o image: The image.
+%
+% o colors: The number of colors in the image colormap.
+%
+%
+*/
+MagickExport MagickPassFail ReallocateImageColormap(Image *image,
+ const unsigned int colors)
+{
+ register unsigned int
+ i;
+
+ unsigned int
+ prev_colors;
+
+ size_t
+ length;
+
+ /*
+ Allocate image colormap.
+ */
+ assert(image != (Image *) NULL);
+ assert(image->signature == MagickSignature);
+ if (colors > MaxColormapSize)
+ return (MagickFail);
+ prev_colors=image->colors;
+ length=MagickArraySize((size_t) colors,sizeof(PixelPacket));
+ MagickReallocMemory(PixelPacket *,image->colormap,length);
+ if (image->colormap == (PixelPacket *) NULL)
+ {
+ image->colors=0;
+ return(MagickFail);
+ }
+ image->colors=colors;
+ for (i=prev_colors; i < image->colors; i++)
+ {
+ image->colormap[i].red=0;
+ image->colormap[i].green=0;
+ image->colormap[i].blue=0;
+ image->colormap[i].opacity=OpaqueOpacity;
+ }
+ return(MagickPass);
+}
+
+/*
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% %
+% %
+% %
% R e p l a c e I m a g e C o l o r m a p %
% %
% %
@@ -438,7 +508,7 @@
%
% The format of the SortColormapByIntensity method is:
%
-% unsigned int SortColormapByIntensity(Image *image)
+% MagickPassFail SortColormapByIntensity(Image *image)
%
% A description of each parameter follows:
%

488
CVE-2019-11008.patch
View File

@ -1,488 +0,0 @@
--- a/coders/xwd.c Fri Apr 05 08:43:15 2019 -0500
+++ b/coders/xwd.c Sun Apr 07 15:29:54 2019 -0500
@@ -96,6 +96,102 @@
#if defined(HasX11)
#include "magick/xwindow.h"
+
+static void TraceXWDHeader(const XWDFileHeader *header)
+{
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "XWDFileHeader:\n"
+ " header_size : %u\n"
+ " file_version : %u\n"
+ " pixmap_format : %s\n"
+ " pixmap_depth : %u\n"
+ " pixmap_width : %u\n"
+ " pixmap_height : %u\n"
+ " xoffset : %u\n"
+ " byte_order : %s\n"
+ " bitmap_unit : %u\n"
+ " bitmap_bit_order : %s\n"
+ " bitmap_pad : %u\n"
+ " bits_per_pixel : %u\n"
+ " bytes_per_line : %u\n"
+ " visual_class : %s\n"
+ " red_mask : 0x%06X\n"
+ " green_mask : 0x%06X\n"
+ " blue_mask : 0x%06X\n"
+ " bits_per_rgb : %u\n"
+ " colormap_entries : %u\n"
+ " ncolors : %u\n"
+ " window_width : %u\n"
+ " window_height : %u\n"
+ " window_x : %u\n"
+ " window_y : %u\n"
+ " window_bdrwidth : %u",
+ (unsigned int) header->header_size,
+ (unsigned int) header->file_version,
+ /* (unsigned int) header->pixmap_format, */
+ (header->pixmap_format == XYBitmap ? "XYBitmap" :
+ (header->pixmap_format == XYPixmap ? "XYPixmap" :
+ (header->pixmap_format == ZPixmap ? "ZPixmap" : "?"))),
+ (unsigned int) header->pixmap_depth,
+ (unsigned int) header->pixmap_width,
+ (unsigned int) header->pixmap_height,
+ (unsigned int) header->xoffset,
+ (header->byte_order == MSBFirst? "MSBFirst" :
+ (header->byte_order == LSBFirst ? "LSBFirst" : "?")),
+ (unsigned int) header->bitmap_unit,
+ (header->bitmap_bit_order == MSBFirst? "MSBFirst" :
+ (header->bitmap_bit_order == LSBFirst ? "LSBFirst" :
+ "?")),
+ (unsigned int) header->bitmap_pad,
+ (unsigned int) header->bits_per_pixel,
+ (unsigned int) header->bytes_per_line,
+ (header->visual_class == StaticGray ? "StaticGray" :
+ (header->visual_class == GrayScale ? "GrayScale" :
+ (header->visual_class == StaticColor ? "StaticColor" :
+ (header->visual_class == PseudoColor ? "PseudoColor" :
+ (header->visual_class == TrueColor ? "TrueColor" :
+ (header->visual_class == DirectColor ?
+ "DirectColor" : "?")))))),
+ (unsigned int) header->red_mask,
+ (unsigned int) header->green_mask,
+ (unsigned int) header->blue_mask,
+ (unsigned int) header->bits_per_rgb,
+ (unsigned int) header->colormap_entries,
+ (unsigned int) header->ncolors,
+ (unsigned int) header->window_width,
+ (unsigned int) header->window_height,
+ (unsigned int) header->window_x,
+ (unsigned int) header->window_y,
+ (unsigned int) header->window_bdrwidth
+ );
+}
+
+/*
+ Compute required allocation sizes
+
+ FIXME: This is still a work in progress.
+
+ BitmapUnit (pixmap_depth) is the size of each data unit in each
+ scan line. This value may be 8, 16, or 32.
+
+ BitmapPad (bitmap_pad) is the number of bits of padding added to
+ each scan line. This value may be 8, 16, or 32.
+*/
+static MagickPassFail BytesPerLine(size_t *bytes_per_line,
+ size_t *scanline_bits,
+ const size_t pixmap_width,
+ const size_t pixmap_depth,
+ const size_t bitmap_pad)
+{
+ *bytes_per_line=0;
+ *scanline_bits=MagickArraySize(pixmap_width,pixmap_depth);
+ if ((*scanline_bits > 0) && (((~(size_t)0) - *scanline_bits > (bitmap_pad)-1)))
+ *bytes_per_line=((((*scanline_bits)+((bitmap_pad)-1))/
+ (bitmap_pad))*((bitmap_pad) >> 3));
+
+ return (*bytes_per_line !=0 && *scanline_bits != 0) ? MagickPass : MagickFail;
+}
+
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
@@ -211,71 +307,11 @@
if (*(char *) &lsb_first)
MSBOrderLong((unsigned char *) &header,sz_XWDheader);
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
- "XWDFileHeader:\n"
- " header_size : %u\n"
- " file_version : %u\n"
- " pixmap_format : %s\n"
- " pixmap_depth : %u\n"
- " pixmap_width : %u\n"
- " pixmap_height : %u\n"
- " xoffset : %u\n"
- " byte_order : %s\n"
- " bitmap_unit : %u\n"
- " bitmap_bit_order : %s\n"
- " bitmap_pad : %u\n"
- " bits_per_pixel : %u\n"
- " bytes_per_line : %u\n"
- " visual_class : %s\n"
- " red_mask : 0x%06X\n"
- " green_mask : 0x%06X\n"
- " blue_mask : 0x%06X\n"
- " bits_per_rgb : %u\n"
- " colormap_entries : %u\n"
- " ncolors : %u\n"
- " window_width : %u\n"
- " window_height : %u\n"
- " window_x : %u\n"
- " window_y : %u\n"
- " window_bdrwidth : %u",
- (unsigned int) header.header_size,
- (unsigned int) header.file_version,
- /* (unsigned int) header.pixmap_format, */
- (header.pixmap_format == XYBitmap ? "XYBitmap" :
- (header.pixmap_format == XYPixmap ? "XYPixmap" :
- (header.pixmap_format == ZPixmap ? "ZPixmap" : "?"))),
- (unsigned int) header.pixmap_depth,
- (unsigned int) header.pixmap_width,
- (unsigned int) header.pixmap_height,
- (unsigned int) header.xoffset,
- (header.byte_order == MSBFirst? "MSBFirst" :
- (header.byte_order == LSBFirst ? "LSBFirst" : "?")),
- (unsigned int) header.bitmap_unit,
- (header.bitmap_bit_order == MSBFirst? "MSBFirst" :
- (header.bitmap_bit_order == LSBFirst ? "LSBFirst" :
- "?")),
- (unsigned int) header.bitmap_pad,
- (unsigned int) header.bits_per_pixel,
- (unsigned int) header.bytes_per_line,
- (header.visual_class == StaticGray ? "StaticGray" :
- (header.visual_class == GrayScale ? "GrayScale" :
- (header.visual_class == StaticColor ? "StaticColor" :
- (header.visual_class == PseudoColor ? "PseudoColor" :
- (header.visual_class == TrueColor ? "TrueColor" :
- (header.visual_class == DirectColor ?
- "DirectColor" : "?")))))),
- (unsigned int) header.red_mask,
- (unsigned int) header.green_mask,
- (unsigned int) header.blue_mask,
- (unsigned int) header.bits_per_rgb,
- (unsigned int) header.colormap_entries,
- (unsigned int) header.ncolors,
- (unsigned int) header.window_width,
- (unsigned int) header.window_height,
- (unsigned int) header.window_x,
- (unsigned int) header.window_y,
- (unsigned int) header.window_bdrwidth
- );
+ /*
+ Trace XWD header
+ */
+ if (image->logging)
+ TraceXWDHeader(&header);
/*
Check to see if the dump file is in the proper format.
@@ -283,7 +319,8 @@
if (header.file_version != XWD_FILE_VERSION)
ThrowXWDReaderException(CorruptImageError,InvalidFileFormatVersion,image);
if (header.header_size < sz_XWDheader)
- ThrowXWDReaderException(CorruptImageError,CorruptImage,image);
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+
switch (header.visual_class)
{
case StaticGray:
@@ -295,7 +332,7 @@
break;
default:
{
- ThrowXWDReaderException(CorruptImageError,CorruptImage,image);
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
}
}
switch (header.pixmap_format)
@@ -306,10 +343,36 @@
break;
default:
{
- ThrowXWDReaderException(CorruptImageError,CorruptImage,image);
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
}
}
+ if ((header.bits_per_pixel == 0) || (header.bits_per_pixel > 32))
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+ if ((header.bitmap_pad % 8 != 0) || (header.bitmap_pad > 32))
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+
+ {
+ size_t
+ bytes_per_line=0,
+ scanline_bits;
+
+ if (BytesPerLine(&bytes_per_line,&scanline_bits,
+ header.pixmap_width,header.pixmap_depth,header.bitmap_pad)
+ == MagickFail)
+ ThrowReaderException(CoderError,ArithmeticOverflow,image);
+
+ if (header.bytes_per_line < bytes_per_line)
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Header bytes_per_line = %" MAGICK_SIZE_T_F "u,"
+ " expected %" MAGICK_SIZE_T_F "u",
+ (MAGICK_SIZE_T) header.bytes_per_line,
+ (MAGICK_SIZE_T) bytes_per_line);
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+ }
+ }
+
/*
Retrieve comment (if any)
*/
@@ -366,6 +429,7 @@
/* Guard against buffer overflow in libX11. */
if (ximage->bits_per_pixel > 32 || ximage->bitmap_unit > 32)
ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+
status=XInitImage(ximage);
if (status == False)
ThrowXWDReaderException(CorruptImageError,UnrecognizedXWDHeader,image);
@@ -456,6 +520,22 @@
ThrowXWDReaderException(ResourceLimitError,MemoryAllocationFailed,
image);
}
+ {
+
+ magick_off_t
+ file_size;
+
+ file_size=GetBlobSize(image);
+
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "File size %" MAGICK_OFF_F "d,"
+ "Pixels allocation size %" MAGICK_SIZE_T_F "u",
+ file_size, (MAGICK_SIZE_T) length);
+
+ if ((file_size != 0) && ((size_t) file_size < length))
+ ThrowXWDReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ }
+
ximage->data=MagickAllocateMemory(char *,length);
if (ximage->data == (char *) NULL)
ThrowXWDReaderException(ResourceLimitError,MemoryAllocationFailed,image);
@@ -725,16 +805,16 @@
*/
static unsigned int WriteXWDImage(const ImageInfo *image_info,Image *image)
{
- long
+ unsigned long
y;
register const PixelPacket
*p;
- register long
+ register unsigned long
x;
- register long
+ register unsigned int
i;
register unsigned char
@@ -743,17 +823,22 @@
unsigned char
*pixels;
+ unsigned int
+ bits_per_pixel;
+
size_t
- pixels_size;
+ bytes_per_line=0,
+ scanline_bits,
+ scanline_pad=0;
unsigned int
+ bitmap_pad;
+
+ MagickPassFail
status;
unsigned long
- bits_per_pixel,
- bytes_per_line,
- lsb_first,
- scanline_pad;
+ lsb_first;
XWDFileHeader
xwd_info;
@@ -766,7 +851,7 @@
assert(image != (Image *) NULL);
assert(image->signature == MagickSignature);
status=OpenBlob(image_info,image,WriteBinaryBlobMode,&image->exception);
- if (status == False)
+ if (status == MagickFail)
ThrowWriterException(FileOpenError,UnableToOpenFile,image);
(void) TransformColorspace(image,RGBColorspace);
/*
@@ -774,6 +859,40 @@
*/
if ((image->storage_class == PseudoClass) && (image->colors > 256))
SetImageType(image,TrueColorType);
+
+ /*
+ Compute required allocation sizes
+
+ BitmapUnit is the size of each data unit in each scan line. This
+ value may be 8, 16, or 32.
+
+ BitmapPad is the number of bits of padding added to each scan
+ line. This value may be 8, 16, or 32.
+ */
+ bits_per_pixel=(image->storage_class == DirectClass ? 24 : 8);
+ bitmap_pad=(image->storage_class == DirectClass ? 32 : 8);
+
+ if (BytesPerLine(&bytes_per_line,&scanline_bits,image->columns,
+ bits_per_pixel,bitmap_pad) != MagickFail)
+ scanline_pad=(bytes_per_line-(scanline_bits >> 3));
+
+ if (image->logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " image->columns=%lu,"
+ " bits_per_pixel=%u,"
+ " bytes_per_line=%" MAGICK_SIZE_T_F "u,"
+ " bitmap_pad=%u",
+ image->columns,
+ bits_per_pixel,
+ (MAGICK_SIZE_T) bytes_per_line,
+ bitmap_pad);
+ if ((scanline_bits == 0) || (bytes_per_line < (scanline_bits >> 3)))
+ ThrowWriterException(CoderError,ArithmeticOverflow,image);
+
+ if (((bytes_per_line & 0x7fffffff) != bytes_per_line) ||
+ ((image->rows & 0x7fffffff) != image->rows))
+ ThrowWriterException(CoderError,ImageColumnOrRowSizeIsNotSupported,image);
+
/*
Initialize XWD file header.
*/
@@ -788,19 +907,14 @@
xwd_info.byte_order=(CARD32) MSBFirst;
xwd_info.bitmap_unit=(CARD32) (image->storage_class == DirectClass ? 32 : 8);
xwd_info.bitmap_bit_order=(CARD32) MSBFirst;
- xwd_info.bitmap_pad=(CARD32) (image->storage_class == DirectClass ? 32 : 8);
- bits_per_pixel=(image->storage_class == DirectClass ? 24 : 8);
+ xwd_info.bitmap_pad=(CARD32) bitmap_pad;
xwd_info.bits_per_pixel=(CARD32) bits_per_pixel;
- bytes_per_line=(CARD32) ((((xwd_info.bits_per_pixel*
- xwd_info.pixmap_width)+((xwd_info.bitmap_pad)-1))/
- (xwd_info.bitmap_pad))*((xwd_info.bitmap_pad) >> 3));
xwd_info.bytes_per_line=(CARD32) bytes_per_line;
xwd_info.visual_class=(CARD32)
(image->storage_class == DirectClass ? DirectColor : PseudoColor);
xwd_info.red_mask=(CARD32)
(image->storage_class == DirectClass ? 0xff0000 : 0);
- xwd_info.green_mask=(CARD32)
- (image->storage_class == DirectClass ? 0xff00 : 0);
+ xwd_info.green_mask=(CARD32)(image->storage_class == DirectClass ? 0xff00 : 0);
xwd_info.blue_mask=(CARD32) (image->storage_class == DirectClass ? 0xff : 0);
xwd_info.bits_per_rgb=(CARD32) (image->storage_class == DirectClass ? 24 : 8);
xwd_info.colormap_entries=(CARD32)
@@ -812,6 +926,20 @@
xwd_info.window_x=0;
xwd_info.window_y=0;
xwd_info.window_bdrwidth=(CARD32) 0;
+
+ /*
+ Trace XWD header
+ */
+ if (image->logging)
+ TraceXWDHeader(&xwd_info);
+
+ /*
+ Allocate memory for pixels.
+ */
+ pixels=MagickAllocateMemory(unsigned char *,bytes_per_line);
+ if (pixels == (unsigned char *) NULL)
+ ThrowWriterException(ResourceLimitError,MemoryAllocationFailed,image);
+
/*
Write XWD header.
*/
@@ -835,7 +963,7 @@
colors=MagickAllocateArray(XColor *,image->colors,sizeof(XColor));
if (colors == (XColor *) NULL)
ThrowWriterException(ResourceLimitError,MemoryAllocationFailed,image);
- for (i=0; i < (long) image->colors; i++)
+ for (i=0; i < image->colors; i++)
{
colors[i].pixel=i;
colors[i].red=ScaleQuantumToShort(image->colormap[i].red);
@@ -849,30 +977,22 @@
MSBOrderShort((unsigned char *) &colors[i].red,3*sizeof(short));
}
}
- for (i=0; i < (long) image->colors; i++)
+ for (i=0; i < image->colors; i++)
{
color.pixel=(CARD32) colors[i].pixel;
color.red=colors[i].red;
color.green=colors[i].green;
color.blue=colors[i].blue;
color.flags=colors[i].flags;
- (void) WriteBlob(image,sz_XWDColor,(char *) &color);
+ if (WriteBlob(image,sz_XWDColor,(char *) &color) != sz_XWDColor)
+ break;
}
MagickFreeMemory(colors);
}
/*
- Allocate memory for pixels.
- */
- scanline_pad=(bytes_per_line-((image->columns*bits_per_pixel) >> 3));
- pixels_size=image->columns*(image->storage_class == PseudoClass ? 1 : 3)+scanline_pad;
- pixels=MagickAllocateMemory(unsigned char *,pixels_size);
- if (pixels == (unsigned char *) NULL)
- ThrowWriterException(ResourceLimitError,MemoryAllocationFailed,image);
- (void) memset(pixels,0,pixels_size);
- /*
Convert MIFF to XWD raster pixels.
*/
- for (y=0; y < (long) image->rows; y++)
+ for (y=0; y < image->rows; y++)
{
p=AcquireImagePixels(image,0,y,image->columns,1,&image->exception);
if (p == (const PixelPacket *) NULL)
@@ -885,12 +1005,12 @@
*indexes;
indexes=AccessImmutableIndexes(image);
- for (x=0; x < (long) image->columns; x++)
+ for (x=0; x < image->columns; x++)
*q++=(unsigned char) indexes[x];
}
else
{
- for (x=(long) image->columns; x > 0; x--)
+ for (x=0; x < image->columns; x++)
{
*q++=ScaleQuantumToChar(p->red);
@@ -901,7 +1021,8 @@
}
for (x=(long) scanline_pad; x > 0; x--)
*q++=0;
- (void) WriteBlob(image,(size_t) (q-pixels),(char *) pixels);
+ if (WriteBlob(image,(size_t) (q-pixels),(char *) pixels) != (size_t) (q-pixels))
+ break;
if (image->previous == (Image *) NULL)
if (QuantumTick(y,image->rows))
if (!MagickMonitorFormatted(y,image->rows,&image->exception,
@@ -911,6 +1032,6 @@
}
MagickFreeMemory(pixels);
CloseBlob(image);
- return(True);
+ return (y < image->rows ? MagickFail : MagickPass);
}
#endif

37
CVE-2019-11009.patch
View File

@ -1,37 +0,0 @@
--- a/coders/xwd.c Tue Apr 02 19:44:48 2019 -0500
+++ b/coders/xwd.c Wed Apr 03 19:42:39 2019 -0500
@@ -390,8 +390,8 @@
else
{
image->storage_class=PseudoClass;
+ image->colors=header.ncolors;
}
- image->colors=header.ncolors;
if (!image_info->ping)
{
/*
@@ -507,7 +507,7 @@
/*
Convert X image to DirectClass packets.
*/
- if (image->colors != 0)
+ if (header.ncolors != 0)
{
for (y=0; y < (long) image->rows; y++)
{
@@ -519,12 +519,15 @@
pixel=XGetPixel(ximage,(int) x,(int) y);
index_val=(unsigned short)
((pixel >> red_shift) & red_mask);
+ VerifyColormapIndexWithColors(image,index_val,header.ncolors);
q->red=ScaleShortToQuantum(colors[index_val].red);
index_val=(unsigned short)
((pixel >> green_shift) & green_mask);
+ VerifyColormapIndexWithColors(image,index_val,header.ncolors);
q->green=ScaleShortToQuantum(colors[index_val].green);
index_val=(unsigned short)
((pixel >> blue_shift) & blue_mask);
+ VerifyColormapIndexWithColors(image,index_val,header.ncolors);
q->blue=ScaleShortToQuantum(colors[index_val].blue);
q++;
}

110
CVE-2019-11010.patch
View File

@ -1,110 +0,0 @@
From 38b2e7d3f5a027058a92a48c440b1cf47f2d8af5 Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Sat, 19 Sep 2020 17:41:12 +0800
Subject: [PATCH] ReadMPCImage(): Deal with a profile length of zero, or an
irrationally large profile length. (CVE-2019-11010)
refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/a348d9661019
---
coders/miff.c | 36 ++++++++++++++++++++++++++++--------
coders/mpc.c | 37 ++++++++++++++++++++++++++++---------
2 files changed, 56 insertions(+), 17 deletions(-)
diff --git a/coders/miff.c b/coders/miff.c
index 60ad6f7..00813c4 100644
--- a/coders/miff.c
+++ b/coders/miff.c
@@ -1368,14 +1368,34 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
{
for (i=0; i < (long) number_of_profiles; i++)
{
- if (profiles[i].length == 0)
- continue;
- profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length);
- if (profiles[i].info == (unsigned char *) NULL)
- ThrowMIFFReaderException(CorruptImageError,UnableToReadGenericProfile,
- image);
- (void) ReadBlob(image,profiles[i].length,profiles[i].info);
- (void) SetImageProfile(image,profiles[i].name,profiles[i].info,profiles[i].length);
+ if (profiles[i].length > 0)
+ {
+ if ((profiles[i].length - ((magick_off_t) profiles[i].length) == 0) &&
+ ((BlobIsSeekable(image)
+ && (GetBlobSize(image) - TellBlob(image)) >
+ (magick_off_t) profiles[i].length) ||
+ (profiles[i].length < 15*1024*1024)))
+ {
+ profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length);
+ if (profiles[i].info == (unsigned char *) NULL)
+ ThrowMIFFReaderException(CorruptImageError,UnableToReadGenericProfile,
+ image);
+ if (ReadBlob(image,profiles[i].length,profiles[i].info)
+ != profiles[i].length)
+ ThrowMIFFReaderException(CorruptImageError,
+ UnexpectedEndOfFile,
+ image);
+ (void) SetImageProfile(image,profiles[i].name,profiles[i].info,profiles[i].length);
+ }
+ else
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Profile size %" MAGICK_SIZE_T_F "u is excessively large",
+ (MAGICK_SIZE_T ) profiles[i].length);
+ ThrowMIFFReaderException(CorruptImageError,ImproperImageHeader,
+ image);
+ }
+ }
MagickFreeMemory(profiles[i].name);
MagickFreeMemory(profiles[i].info);
}
diff --git a/coders/mpc.c b/coders/mpc.c
index 3459f92..e184fd1 100644
--- a/coders/mpc.c
+++ b/coders/mpc.c
@@ -772,15 +772,34 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
for (i=0; i < (long) number_of_profiles; i++)
{
- if (profiles[i].length == 0)
- continue;
- profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length);
- if (profiles[i].info == (unsigned char *) NULL)
- ThrowMPCReaderException(CorruptImageError,UnableToReadGenericProfile,
- image);
- (void) ReadBlob(image,profiles[i].length,profiles[i].info);
- (void) SetImageProfile(image,profiles[i].name,profiles[i].info,
- profiles[i].length);
+ if (profiles[i].length > 0)
+ {
+ if ((profiles[i].length - ((magick_off_t) profiles[i].length) == 0) &&
+ ((BlobIsSeekable(image)
+ && (GetBlobSize(image) - TellBlob(image)) >
+ (magick_off_t) profiles[i].length) ||
+ (profiles[i].length < 15*1024*1024)))
+ {
+ profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length);
+ if (profiles[i].info == (unsigned char *) NULL)
+ ThrowMPCReaderException(CorruptImageError,UnableToReadGenericProfile,
+ image);
+ if (ReadBlob(image,profiles[i].length,profiles[i].info)
+ != profiles[i].length)
+ ThrowMPCReaderException(CorruptImageError,
+ UnexpectedEndOfFile,
+ image);
+ (void) SetImageProfile(image,profiles[i].name,profiles[i].info,profiles[i].length);
+ }
+ else
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Profile size %" MAGICK_SIZE_T_F "u is excessively large",
+ (MAGICK_SIZE_T ) profiles[i].length);
+ ThrowMPCReaderException(CorruptImageError,ImproperImageHeader,
+ image);
+ }
+ }
MagickFreeMemory(profiles[i].name);
MagickFreeMemory(profiles[i].info);
}
--
2.23.0

333
CVE-2019-11473-CVE-2019-11474.patch
View File

@ -1,333 +0,0 @@
From 3c23dfbe1c4c3446fc0c6ab5095e6f9c488ec34f Mon Sep 17 00:00:00 2001
From: caodongxia <315816521@qq.com>
Date: Mon, 7 Dec 2020 18:22:24 +0800
Subject: [PATCH] create patch
diff --git a/ChangeLog b/ChangeLog
index 4284834..a89c828 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2019-04-17 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+ * coders/xwd.c (ReadXWDImage): Added even more XWD header
+ validation logic. Addresses problems noted by email from Hongxu
+ Chen to the graphicsmagick-security mail alias on Wed, 17 Apr 2019
+ and entitled "Multiple crashes (FPE and invalid read) when
+ processing XWD files". Also addresses additional issues noted
+ that an attacker could request to allocate an arbitrary amount of
+ memory based on ncolors and the claimed header size.
+
2018-06-23 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* version.sh: Update library versioning for 1.3.30 release.
diff --git a/coders/xwd.c b/coders/xwd.c
index 9f9b850..caff995 100644
--- a/coders/xwd.c
+++ b/coders/xwd.c
@@ -225,7 +225,6 @@ static MagickPassFail BytesPerLine(size_t *bytes_per_line,
*/
#define ThrowXWDReaderException(code_,reason_,image_) \
do { \
- MagickFreeMemory(comment); \
if (ximage) \
MagickFreeMemory(ximage->data); \
MagickFreeMemory(ximage); \
@@ -236,8 +235,7 @@ do { \
static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
char
- *comment = (char *) NULL;
-
+ comment[MaxTextExtent];
Image
*image;
@@ -320,7 +318,7 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
ThrowXWDReaderException(CorruptImageError,InvalidFileFormatVersion,image);
if (header.header_size < sz_XWDheader)
ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
-
+ /* Display classes used in opening the connection */
switch (header.visual_class)
{
case StaticGray:
@@ -335,11 +333,18 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
}
}
+
+ /* XYBitmap, XYPixmap, ZPixmap */
switch (header.pixmap_format)
{
- case XYBitmap:
- case XYPixmap:
- case ZPixmap:
+ case XYBitmap: /* 1 bit bitmap format */
+ if (header.pixmap_depth != 1)
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+ break;
+ case XYPixmap: /* Single plane bitmap. */
+ case ZPixmap: /* Bitmap with 2 or more planes */
+ if ((header.pixmap_depth < 1) || (header.pixmap_depth > 32))
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
break;
default:
{
@@ -347,8 +352,80 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
}
}
- if ((header.bits_per_pixel == 0) || (header.bits_per_pixel > 32))
+ /* Data byte order, LSBFirst, MSBFirst */
+ switch (header.byte_order)
+ {
+ case LSBFirst:
+ case MSBFirst:
+ break;
+ default:
+ {
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+ }
+ }
+ /* Quant. of scanline 8, 16, 32 */
+ switch (header.bitmap_unit)
+ {
+ case 8:
+ case 16:
+ case 32:
+ break;
+ default:
+ {
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+ }
+ }
+ /* LSBFirst, MSBFirst */
+ switch (header.bitmap_bit_order)
+ {
+ case LSBFirst:
+ case MSBFirst:
+ break;
+ default:
+ {
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+ }
+ }
+ /* 8, 16, 32 either XY or ZPixmap */
+ if ((header.pixmap_format == XYPixmap) || (header.pixmap_format == ZPixmap))
+ switch (header.bitmap_pad)
+ {
+ case 8:
+ case 16:
+ case 32:
+ break;
+ default:
+ {
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+ }
+ }
+ /* Bits per pixel (ZPixmap) */
+ switch (header.visual_class)
+ {
+ case StaticGray:
+ case GrayScale:
+ /* Gray-scale image */
+ if (header.bits_per_pixel != 1)
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+ break;
+ case StaticColor:
+ case PseudoColor:
+ /* Color-mapped image */
+ if ((header.bits_per_pixel < 1) || (header.bits_per_pixel > 15) || (header.ncolors == 0))
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+ break;
+ case TrueColor:
+ case DirectColor:
+ /* True-color image */
+ if ((header.bits_per_pixel != 16) && (header.bits_per_pixel != 24) && (header.bits_per_pixel != 32))
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+ break;
+ }
+ /* Place an arbitrary limit on colormap size */
+ if (header.ncolors > 4096)
ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+
+ /* 8, 16, 32 either XY or ZPixmap */
if ((header.bitmap_pad % 8 != 0) || (header.bitmap_pad > 32))
ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
@@ -377,18 +454,14 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
Retrieve comment (if any)
*/
length=header.header_size-sz_XWDheader;
- if (length > ((~0UL)/sizeof(*comment)))
+ if (length >= MaxTextExtent)
ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
- comment=MagickAllocateMemory(char *,length+1);
- if (comment == (char *) NULL)
- ThrowXWDReaderException(ResourceLimitError,MemoryAllocationFailed,image);
count=ReadBlob(image,length,comment);
if (count != length)
ThrowXWDReaderException(CorruptImageError,UnableToReadWindowNameFromDumpFile,
image);
comment[length]='\0';
(void) SetImageAttribute(image,"comment",comment);
- MagickFreeMemory(comment);
/*
Initialize the X image.
@@ -417,6 +490,7 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
*/
if (ximage->width < 0 ||
ximage->height < 0 ||
+ ximage->xoffset < 0 ||
ximage->format < 0 ||
ximage->byte_order < 0 ||
ximage->bitmap_unit < 0 ||
@@ -439,10 +513,14 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
if (CheckImagePixelLimits(image, exception) != MagickPass)
ThrowXWDReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
image->depth=8;
- if ((header.ncolors == 0U) ||
- ((ximage->red_mask != 0) ||
- (ximage->green_mask != 0) ||
- (ximage->blue_mask != 0)))
+ /*
+ FIXME: This block of logic should be re-worked.
+ */
+ if ((header.visual_class != StaticGray) &&
+ ((header.ncolors == 0U) ||
+ ((ximage->red_mask != 0) ||
+ (ximage->green_mask != 0) ||
+ (ximage->blue_mask != 0))))
{
image->storage_class=DirectClass;
if (!image_info->ping)
@@ -454,7 +532,7 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
else
{
image->storage_class=PseudoClass;
- image->colors=header.ncolors;
+ image->colors=header.visual_class == StaticGray ? 2 : header.ncolors; /* FIXME! */
}
if (!image_info->ping)
{
@@ -467,17 +545,13 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
XWDColor
color;
- register long
+ register unsigned int
i;
-
- length=(size_t) header.ncolors;
- if (length > ((~0UL)/sizeof(*colors)))
- ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
- colors=MagickAllocateArray(XColor *,length,sizeof(XColor));
+ colors=MagickAllocateArray(XColor *,header.ncolors,sizeof(XColor));
if (colors == (XColor *) NULL)
ThrowXWDReaderException(ResourceLimitError,MemoryAllocationFailed,
image);
- for (i=0; i < (long) header.ncolors; i++)
+ for (i=0; i < header.ncolors; i++)
{
count=ReadBlob(image,sz_XWDColor,(char *) &color);
if (count != sz_XWDColor)
@@ -494,7 +568,7 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
*/
lsb_first=1;
if (*(char *) &lsb_first)
- for (i=0; i < (long) header.ncolors; i++)
+ for (i=0; i < header.ncolors; i++)
{
MSBOrderLong((unsigned char *) &colors[i].pixel,
sizeof(unsigned long));
@@ -508,15 +582,14 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
/*
Allocate the pixel buffer.
*/
-#define XWD_OVERFLOW(c,a,b) ((b) != 0 && ((c)/((size_t) b) != ((size_t) a)))
+ length=MagickArraySize(ximage->bytes_per_line,ximage->height);
length=ximage->bytes_per_line*ximage->height;
- if (XWD_OVERFLOW(length,ximage->bytes_per_line,ximage->height))
+ if (0 == length)
ThrowXWDReaderException(ResourceLimitError,MemoryAllocationFailed,image);
if (ximage->format != ZPixmap)
{
- size_t tmp=length;
- length*=ximage->depth;
- if (XWD_OVERFLOW(length,tmp,ximage->depth))
+ length=MagickArraySize(length,ximage->depth);
+ if (0 == length)
ThrowXWDReaderException(ResourceLimitError,MemoryAllocationFailed,
image);
}
@@ -658,17 +731,21 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
/*
Convert X image to PseudoClass packets.
*/
- register long
+ register unsigned int
i;
if (!AllocateImageColormap(image,image->colors))
ThrowXWDReaderException(ResourceLimitError,MemoryAllocationFailed,
image);
- for (i=0; i < (long) image->colors; i++)
- {
- image->colormap[i].red=ScaleShortToQuantum(colors[i].red);
- image->colormap[i].green=ScaleShortToQuantum(colors[i].green);
- image->colormap[i].blue=ScaleShortToQuantum(colors[i].blue);
+ if (colors != (XColor *) NULL)
+ {
+ const unsigned int min_colors = Min(image->colors,header.ncolors);
+ for (i=0; i < min_colors; i++)
+ {
+ image->colormap[i].red=ScaleShortToQuantum(colors[i].red);
+ image->colormap[i].green=ScaleShortToQuantum(colors[i].green);
+ image->colormap[i].blue=ScaleShortToQuantum(colors[i].blue);
+ }
}
for (y=0; y < (long) image->rows; y++)
{
diff --git a/magick/version.h b/magick/version.h
index 527a09a..a9e0dca 100644
--- a/magick/version.h
+++ b/magick/version.h
@@ -38,8 +38,8 @@ extern "C" {
#define MagickLibVersion 0x211801
#define MagickLibVersionText "1.3.30"
#define MagickLibVersionNumber 21,18,1
-#define MagickChangeDate "20180623"
-#define MagickReleaseDate "2018-06-23"
+#define MagickChangeDate "20190417"
+#define MagickReleaseDate "snapshot-20190417"
/*
The MagickLibInterfaceNewest and MagickLibInterfaceOldest defines
diff --git a/www/Changelog.html b/www/Changelog.html
index f1ab73c..e5a21da 100644
--- a/www/Changelog.html
+++ b/www/Changelog.html
@@ -34,6 +34,18 @@
</div>
<div class="document">
+<p>2019-04-17 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
+<blockquote>
+<ul class="simple">
+<li>coders/xwd.c (ReadXWDImage): Added even more XWD header
+validation logic. Addresses problems noted by email from Hongxu
+Chen to the graphicsmagick-security mail alias on Wed, 17 Apr 2019
+and entitled &quot;Multiple crashes (FPE and invalid read) when
+processing XWD files&quot;. Also addresses additional issues noted
+that an attacker could request to allocate an arbitrary amount of
+memory based on ncolors and the claimed header size.</li>
+</ul>
+</blockquote>
<p>2018-06-23 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
<blockquote>
--
2.27.0

59
CVE-2019-11505.patch
View File

@ -1,59 +0,0 @@
--- a/coders/pdb.c Wed Apr 10 11:27:35 2019 -0500
+++ b/coders/pdb.c Wed Apr 10 20:48:28 2019 -0500
@@ -30,6 +30,13 @@
%
%
*/
+/*
+ Some information on this format may be found at
+ http://fileformats.archiveteam.org/wiki/Palm_Database_ImageViewer
+
+ Round-trip tests do not pass so this format is not included in the
+ test suite.
+*/
/*
Include declarations.
@@ -733,6 +740,7 @@
entry->magick=(MagickHandler) IsPDB;
entry->description="Palm Database ImageViewer Format";
entry->module="PDB";
+ entry->coder_class=UnstableCoderClass;
(void) RegisterMagickInfo(entry);
}
@@ -842,7 +850,7 @@
status;
size_t
- packets;
+ packets;
unsigned long
literal,
@@ -867,6 +875,7 @@
if (status == False)
ThrowPDBWriterException(FileOpenError,UnableToOpenFile,image);
(void) TransformColorspace(image,RGBColorspace);
+ (void) SetImageType(image,GrayscaleType);
bits_per_pixel=image->depth;
if (GetImageType(image,&image->exception) == BilevelType)
bits_per_pixel=1;
@@ -939,7 +948,7 @@
if (buffer == (unsigned char *) NULL)
ThrowPDBWriterException(ResourceLimitWarning,MemoryAllocationFailed,image);
(void) memset(buffer,0,512);
- packet_size=image->depth > 8 ? 2: 1;
+ packet_size=bits_per_pixel > 8 ? 2: 1;
scanline=MagickAllocateArray(unsigned char *,image->columns,packet_size);
if (scanline == (unsigned char *) NULL)
ThrowPDBWriterException(ResourceLimitWarning,MemoryAllocationFailed,image);
@@ -956,7 +965,7 @@
{
if (!AcquireImagePixels(image,0,y,image->columns,1,&image->exception))
break;
- (void) ExportImagePixelArea(image,GrayQuantum,image->depth,scanline,0,0);
+ (void) ExportImagePixelArea(image,GrayQuantum,bits_per_pixel,scanline,0,0);
for (x=0; x < pdb_image.width; x++)
{
if (x < (long) image->columns)

66
CVE-2019-11506.patch
View File

@ -1,66 +0,0 @@
--- a/coders/mat.c Wed Apr 10 20:48:28 2019 -0500
+++ b/coders/mat.c Thu Apr 11 20:10:35 2019 -0500
@@ -1376,11 +1376,11 @@
% o image: A pointer to an Image structure.
%
*/
-static unsigned int WriteMATLABImage(const ImageInfo *image_info,Image *image)
+static MagickPassFail WriteMATLABImage(const ImageInfo *image_info,Image *image)
{
long y;
unsigned z;
- unsigned int status;
+ MagickPassFail status;
int logging;
unsigned long DataSize;
char padding;
@@ -1403,7 +1403,7 @@
assert(image->signature == MagickSignature);
logging = LogMagickEvent(CoderEvent,GetMagickModule(),"enter MAT");
status=OpenBlob(image_info,image,WriteBinaryBlobMode,&image->exception);
- if (status == False)
+ if (status == MagickFail)
ThrowWriterException(FileOpenError,UnableToOpenFile,image);
/*
@@ -1477,26 +1477,32 @@
for (y=0; y<(long)image->columns; y++)
{
progress_quantum++;
- (void) AcquireImagePixels(image,y,0,1,image->rows,&image->exception);
- (void) ExportImagePixelArea(image,z2qtype[z],8,pixels,0,0);
- (void) WriteBlob(image,image->rows,pixels);
+ if (AcquireImagePixels(image,y,0,1,image->rows,&image->exception) == (PixelPacket *) NULL)
+ break;
+ if (ExportImagePixelArea(image,z2qtype[z],8,pixels,0,0) == MagickFail)
+ break;
+ if (WriteBlob(image,image->rows,pixels) != image->rows)
+ break;
if (QuantumTick(progress_quantum,progress_span))
if (!MagickMonitorFormatted(progress_quantum,progress_span,&image->exception,
SaveImageText,image->filename,
image->columns,image->rows))
- goto BreakAll;
+ break;
}
+ if (y != (long)image->columns)
+ {
+ status=MagickFail;
+ goto BreakAll;
+ }
+
} while(z-- >= 2);
}
BreakAll:
while(padding-->0) (void) WriteBlobByte(image,0);
- status=True;
-
- if(pixels)
- {MagickFreeMemory(pixels);pixels=NULL;}
- if(image->next==NULL) break;
+ MagickFreeMemory(pixels);
+ if(status == MagickFail || image->next==NULL) break;
image=SyncNextImageInList(image);
}

39
CVE-2019-12921.patch
View File

@ -1,39 +0,0 @@
From 1b5507f188dd0cd76099348c5f151a8ba61a812d Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Sat, 19 Sep 2020 16:39:22 +0800
Subject: [PATCH] fix CVE-2019-12921
the text filename component potentially allows to read arbitrary files via TranslateTextEx for SVG
refers to https://build.opensuse.org/request/show/788214
---
magick/render.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/magick/render.c b/magick/render.c
index 3caf603..75bbe2f 100644
--- a/magick/render.c
+++ b/magick/render.c
@@ -2360,11 +2360,16 @@ DrawImage(Image *image,const DrawInfo *draw_info)
if (*draw_info->primitive == '\0')
return(MagickFail);
(void) LogMagickEvent(RenderEvent,GetMagickModule(),"begin draw-image");
- if (*draw_info->primitive != '@')
- primitive=AllocateString(draw_info->primitive);
- else
+ /*
+ Read primitive from file if supplied primitive starts with '@' and
+ we are not already drawing.
+ */
+ if ((*draw_info->primitive == '@') &&
+ (DrawImageGetCurrentRecurseLevel(image) == 1))
primitive=(char *)
FileToBlob(draw_info->primitive+1,&length,&image->exception);
+ else
+ primitive=AllocateString(draw_info->primitive);
if (primitive == (char *) NULL)
return(MagickFail);
primitive_extent=strlen(primitive);
--
2.23.0

34
CVE-2019-7397.patch
View File

@ -1,34 +0,0 @@
WritePDFImage(): Make sure to free 'xref' before returning. (ImageMagick CVE-2019-7397)
refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/11ad3aeb8ab1
diff -r e29c20957e2d -r 11ad3aeb8ab1 coders/pdf.c
--- a/coders/pdf.c Sun Feb 10 17:07:33 2019 -0600
+++ b/coders/pdf.c Mon Feb 11 20:31:53 2019 -0600
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003-2018 GraphicsMagick Group
+% Copyright (C) 2003-2019 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
% Copyright 1991-1999 E. I. du Pont de Nemours and Company
%
@@ -1375,6 +1375,7 @@
if (!status)
{
CloseBlob(image);
+ MagickFreeMemory(xref);
return(False);
}
break;
@@ -1478,6 +1479,7 @@
if (!status)
{
CloseBlob(image);
+ MagickFreeMemory(xref);
return(False);
}
break;

296
CVE-2020-10938.patch
View File

@ -1,296 +0,0 @@
HuffmanDecodeImage(): Fix signed overflow on range check which leads to heap overflow in 32-bit applications. Ascii85Tuple(): Fix thread safety issue.
(CVE-2020-10938)
refers to http://hg.code.sf.net/p/graphicsmagick/code/rev/95abc2b694ce
diff -r 751e9e822b09 -r 95abc2b694ce magick/compress.c
--- a/magick/compress.c Sun Nov 10 13:33:34 2019 -0600
+++ b/magick/compress.c Sat Nov 16 10:31:37 2019 -0600
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003 - 2015 GraphicsMagick Group
+% Copyright (C) 2003-2019 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
% Copyright 1991-1999 E. I. du Pont de Nemours and Company
%
@@ -53,21 +53,26 @@
*/
typedef struct HuffmanTable
{
+ unsigned int
+ id;
+
int
- id,
- code,
+ code;
+
+ unsigned int
length,
count;
+
} HuffmanTable;
/*
Huffman coding declarations.
*/
-#define TWId 23
-#define MWId 24
-#define TBId 25
-#define MBId 26
-#define EXId 27
+#define TWId 23U
+#define MWId 24U
+#define TBId 25U
+#define MBId 26U
+#define EXId 27U
static const HuffmanTable
MBTable[]=
@@ -202,37 +207,38 @@
*/
#define MaxLineExtent 36
-static char *Ascii85Tuple(unsigned char *data)
+static char *Ascii85Tuple(char tuple[6], const unsigned char * restrict data)
{
- static char
- tuple[6];
+ magick_uint32_t
+ code;
- register long
- i,
- x;
-
- unsigned long
- code,
- quantum;
-
- code=((((unsigned long) data[0] << 8) | (unsigned long) data[1]) << 16) |
- ((unsigned long) data[2] << 8) | (unsigned long) data[3];
- if (code == 0L)
+ code=((((magick_uint32_t) data[0] << 8) | (magick_uint32_t) data[1]) << 16) |
+ ((magick_uint32_t) data[2] << 8) | (magick_uint32_t) data[3];
+ if (code == 0)
{
tuple[0]='z';
tuple[1]='\0';
- return(tuple);
}
- quantum=85UL*85UL*85UL*85UL;
- for (i=0; i < 4; i++)
- {
- x=(long) (code/quantum);
- code-=quantum*x;
- tuple[i]=(char) (x+(int) '!');
- quantum/=85L;
- }
- tuple[4]=(char) ((code % 85L)+(int) '!');
- tuple[5]='\0';
+ else
+ {
+ register magick_int32_t
+ i,
+ x;
+
+ magick_uint32_t
+ quantum;
+
+ quantum=85U*85U*85U*85U;
+ for (i=0; i < 4; i++)
+ {
+ x=(magick_int32_t) (code/quantum);
+ code-=quantum*x;
+ tuple[i]=(char) (x+(int) '!');
+ quantum/=85;
+ }
+ tuple[4]=(char) ((code % 85)+(int) '!');
+ tuple[5]='\0';
+ }
return(tuple);
}
@@ -255,6 +261,9 @@
MagickExport void Ascii85Flush(Image *image)
{
+ char
+ tuple_buff[6];
+
register char
*tuple;
@@ -266,7 +275,7 @@
image->ascii85->buffer[image->ascii85->offset]=0;
image->ascii85->buffer[image->ascii85->offset+1]=0;
image->ascii85->buffer[image->ascii85->offset+2]=0;
- tuple=Ascii85Tuple(image->ascii85->buffer);
+ tuple=Ascii85Tuple(tuple_buff, image->ascii85->buffer);
(void) WriteBlob(image,image->ascii85->offset+1,
*tuple == 'z' ? "!!!!" : tuple);
}
@@ -286,6 +295,9 @@
register unsigned char
*p;
+ char
+ tuple_buff[6];
+
assert(image != (Image *) NULL);
assert(image->signature == MagickSignature);
assert(image->ascii85 != (Ascii85Info *) NULL);
@@ -296,7 +308,7 @@
p=image->ascii85->buffer;
for (n=image->ascii85->offset; n >= 4; n-=4)
{
- for (q=Ascii85Tuple(p); *q; q++)
+ for (q=Ascii85Tuple(tuple_buff,p); *q; q++)
{
image->ascii85->line_break--;
if ((image->ascii85->line_break < 0) && (*q != '%'))
@@ -355,11 +367,11 @@
%
%
*/
-#define HashSize 1021
-#define MBHashA 293
-#define MBHashB 2695
-#define MWHashA 3510
-#define MWHashB 1178
+#define HashSize 1021U
+#define MBHashA 293U
+#define MBHashB 2695U
+#define MWHashA 3510U
+#define MWHashB 1178U
#define InitializeHashTable(hash,table,a,b) \
{ \
@@ -401,26 +413,30 @@
byte,
code,
color,
- length,
null_lines,
runlength;
unsigned int
bit,
index,
+ length,
mask;
long
- count,
+ count;
+
+ unsigned long
y;
register IndexPacket
*indexes;
- register long
- i,
+ register unsigned long
x;
+ unsigned int
+ i;
+
register PixelPacket
*q;
@@ -481,13 +497,13 @@
image->x_resolution=204.0;
image->y_resolution=196.0;
image->units=PixelsPerInchResolution;
- for (y=0; ((y < (long) image->rows) && (null_lines < 3)); )
+ for (y=0; ((y < image->rows) && (null_lines < 3)); )
{
/*
Initialize scanline to white.
*/
p=scanline;
- for (x=0; x < (long) image->columns; x++)
+ for (x=0; x < image->columns; x++)
*p++=0;
/*
Decode Huffman encoded scanline.
@@ -502,7 +518,7 @@
{
if (byte == EOF)
break;
- if (x >= (long) image->columns)
+ if (x >= image->columns)
{
while (runlength < 11)
InputBit(bit);
@@ -563,7 +579,7 @@
case TBId:
{
count+=entry->count;
- if ((x+count) > (long) image->columns)
+ if ((x+(unsigned long) count) > image->columns)
count=(long) image->columns-x;
if (count > 0)
{
@@ -603,7 +619,7 @@
break;
}
indexes=AccessMutableIndexes(image);
- for (x=0; x < (long) image->columns; x++)
+ for (x=0; x < image->columns; x++)
{
index=(unsigned int) (*p++);
indexes[x]=index;
@@ -695,7 +711,9 @@
runlength;
long
- n,
+ n;
+
+ unsigned long
y;
Image
@@ -704,8 +722,10 @@
register const IndexPacket
*indexes;
- register long
- i,
+ unsigned long
+ i;
+
+ register unsigned long
x;
register const PixelPacket
@@ -772,10 +792,10 @@
polarity=(PixelIntensityToQuantum(&huffman_image->colormap[0]) <
PixelIntensityToQuantum(&huffman_image->colormap[1]) ? 0x00 : 0x01);
q=scanline;
- for (i=(long) width; i > 0; i--)
+ for (i=0; i < width; i++) /* was: for (i=(long) width; i > 0; i--) */
*q++=(unsigned char) polarity;
q=scanline;
- for (y=0; y < (long) huffman_image->rows; y++)
+ for (y=0; y < huffman_image->rows; y++)
{
p=AcquireImagePixels(huffman_image,0,y,huffman_image->columns,1,
&huffman_image->exception);
@@ -785,7 +805,7 @@
break;
}
indexes=AccessImmutableIndexes(huffman_image);
- for (x=0; x < (long) huffman_image->columns; x++)
+ for (x=0; x < huffman_image->columns; x++)
{
*q=(unsigned char) (indexes[x] == polarity ? !polarity : polarity);
q++;

48
CVE-2020-12672.patch
View File

@ -1,48 +0,0 @@
From a5646313975525c598527269bbfe4524909275f3 Mon Sep 17 00:00:00 2001
From: maminjie <maminjie1@huawei.com>
Date: Sat, 19 Sep 2020 17:59:51 +0800
Subject: [PATCH] MNG: Fix small heap overwrite or assertion if magnifying and
image to be magnified has rows or columns == 1. (CVE-2020-12672)
refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/50395430a371
---
coders/png.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/coders/png.c b/coders/png.c
index ebb0a4a..b8b6c2b 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -5571,7 +5571,28 @@ static Image *ReadMNGImage(const ImageInfo *image_info,
if (logging)
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " Processing MNG MAGN chunk");
+ " Processing MNG MAGN chunk: MB=%u, ML=%u,"
+ " MR=%u, MT=%u, MX=%u, MY=%u,"
+ " X_method=%u, Y_method=%u",
+ mng_info->magn_mb,mng_info->magn_ml,
+ mng_info->magn_mr,mng_info->magn_mt,
+ mng_info->magn_mx,mng_info->magn_my,
+ mng_info->magn_methx,
+ mng_info->magn_methy);
+
+ /*
+ If the image width is 1, then X magnification is done
+ by simple pixel replication.
+ */
+ if (image->columns == 1)
+ mng_info->magn_methx = 1;
+
+ /*
+ If the image height is 1, then Y magnification is done
+ by simple pixel replication.
+ */
+ if (image->rows == 1)
+ mng_info->magn_methy = 1;
if (mng_info->magn_methx == 1)
{
--
2.23.0

89
CVE-2022-1270.patch
View File

@ -1,89 +0,0 @@
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1648301533 18000
# Node ID 94f4bcf448ad29d6d8470e444038402d34fbba12
# Parent 07c1e6eeffb8cb2abb9ede843a45ba7e5435b3b0
ReadMIFFImage(): Validate claimed bzip2-compressed row length prior to reading data into fixed size buffer.
---
ChangeLog | 7 +++++++
coders/miff.c | 11 +++++++++++
magick/version.h | 2 ++
www/Changelog.html | 7 +++++++
4 files changed, 27 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index a89c828..5116ad0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2022-03-26 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+ * coders/miff.c (ReadMIFFImage): Validate claimed bzip2-compressed
+ row length prior to reading data into fixed size buffer.
+ Addresses SourceForge bug #664 "[bug]Heap buffer overflow when
+ parsing MIFF". This severe bug only impacts builds with BZLIB
+ support.
+
2019-04-17 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/xwd.c (ReadXWDImage): Added even more XWD header
validation logic. Addresses problems noted by email from Hongxu
diff --git a/coders/miff.c b/coders/miff.c
index 00813c4..9149a15 100644
--- a/coders/miff.c
+++ b/coders/miff.c
@@ -1674,9 +1674,20 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
else
{
length=ReadBlobMSBLong(image);
+ if (image->logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "length = %"MAGICK_SIZE_T_F"u",
+ (MAGICK_SIZE_T) length);
+ if ((length == 0) || (length > compressed_length))
+ {
+ (void) BZ2_bzDecompressEnd(&bzip_info);
+ ThrowMIFFReaderException(CorruptImageError,UnableToUncompressImage,
+ image);
+ }
bzip_info.avail_in=(unsigned int) ReadBlob(image,length,bzip_info.next_in);
if ((size_t) bzip_info.avail_in != length)
{
+ (void) BZ2_bzDecompressEnd(&bzip_info);
ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile,
image);
}
diff --git a/magick/version.h b/magick/version.h
index a9e0dca..1e17abc 100644
--- a/magick/version.h
+++ b/magick/version.h
@@ -40,6 +40,8 @@ extern "C" {
#define MagickLibVersionNumber 21,18,1
#define MagickChangeDate "20190417"
#define MagickReleaseDate "snapshot-20190417"
+#define MagickChangeDate "20220326"
+#define MagickReleaseDate "snapshot-20220326"
/*
The MagickLibInterfaceNewest and MagickLibInterfaceOldest defines
diff --git a/www/Changelog.html b/www/Changelog.html
index e5a21da..5ec8096 100644
--- a/www/Changelog.html
+++ b/www/Changelog.html
@@ -34,6 +34,13 @@
</div>
<div class="document">
+<p>2022-03-26 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
+<blockquote>
+* coders/miff.c (ReadMIFFImage): Validate claimed bzip2-compressed
+row length prior to reading data into fixed size buffer.
+Addresses SourceForge bug #664 &quot;[bug]Heap buffer overflow when
+parsing MIFF&quot;. This severe bug only impacts builds with BZLIB
+support.</blockquote>
<p>2019-04-17 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
--
2.23.0

12
GraphicsMagick-1.3.14-perl_linkage.patch
View File

@ -1,12 +0,0 @@
diff -up GraphicsMagick-1.3.14/PerlMagick/Makefile.PL.in.perl_linkage GraphicsMagick-1.3.14/PerlMagick/Makefile.PL.in
--- GraphicsMagick-1.3.14/PerlMagick/Makefile.PL.in.perl_linkage 2012-02-25 14:43:38.000000000 -0600
+++ GraphicsMagick-1.3.14/PerlMagick/Makefile.PL.in 2012-02-26 07:35:38.542731280 -0600
@@ -78,7 +78,7 @@ WriteMakefile
'INSTALLBIN' => $magick_BIN_DIR,
# Library specification
- 'LIBS' => ["-L$magick_LIB_DIR -lGraphicsMagick $magick_LDFLAGS $magick_DEP_LIBS"],
+ 'LIBS' => ["-L$magick_LIB_DIR -L../magick/.libs -lGraphicsMagick $magick_LDFLAGS $magick_DEP_LIBS"],
# Perl binary name (if a Perl binary is built)
'MAP_TARGET' => 'PerlMagick',

43
GraphicsMagick-1.3.16-multilib.patch
View File

@ -1,43 +0,0 @@
diff -up GraphicsMagick-1.3.16/Magick++/bin/GraphicsMagick++-config.in.multilib GraphicsMagick-1.3.16/Magick++/bin/GraphicsMagick++-config.in
--- GraphicsMagick-1.3.16/Magick++/bin/GraphicsMagick++-config.in.multilib 2011-11-12 14:39:22.000000000 -0600
+++ GraphicsMagick-1.3.16/Magick++/bin/GraphicsMagick++-config.in 2012-06-24 11:25:12.603862643 -0500
@@ -33,13 +33,13 @@ while test $# -gt 0; do
echo '@MAGICK_API_CPPFLAGS@'
;;
--cxxflags)
- echo '@CXXFLAGS@'
+ echo ''
;;
--ldflags)
- echo '@MAGICK_API_LDFLAGS@'
+ echo ''
;;
--libs)
- echo '-lGraphicsMagick++ @MAGICK_API_LIBS@'
+ echo '-lGraphicsMagick++'
;;
*)
echo "${usage}" 1>&2
diff -up GraphicsMagick-1.3.16/magick/GraphicsMagick-config.in.multilib GraphicsMagick-1.3.16/magick/GraphicsMagick-config.in
--- GraphicsMagick-1.3.16/magick/GraphicsMagick-config.in.multilib 2011-11-12 14:39:26.000000000 -0600
+++ GraphicsMagick-1.3.16/magick/GraphicsMagick-config.in 2012-06-24 11:14:55.947571850 -0500
@@ -30,16 +30,16 @@ while test $# -gt 0; do
echo @PACKAGE_VERSION@
;;
--cflags)
- echo '@CFLAGS@'
+ echo ''
;;
--cppflags)
echo '@MAGICK_API_CPPFLAGS@'
;;
--ldflags)
- echo '@MAGICK_API_LDFLAGS@'
+ echo ''
;;
--libs)
- echo '@MAGICK_API_LIBS@'
+ echo '-lGraphicsMagick'
;;
*)
echo "${usage}" 1>&2

BIN
GraphicsMagick-1.3.30.tar.xz
View File

Binary file not shown.

12
GraphicsMagick-1.3.31-perl_linkage.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up GraphicsMagick-1.3.31/PerlMagick/Makefile.PL.in.perl_linkage GraphicsMagick-1.3.31/PerlMagick/Makefile.PL.in
--- GraphicsMagick-1.3.31/PerlMagick/Makefile.PL.in.perl_linkage 2018-11-20 08:09:30.804633076 -0600
+++ GraphicsMagick-1.3.31/PerlMagick/Makefile.PL.in 2018-11-20 08:10:29.460027024 -0600
@@ -78,7 +78,7 @@ WriteMakefile
'INSTALLBIN' => $magick_BIN_DIR,
# Library specification
- 'LIBS' => ["-L$magick_LIB_DIR $magick_LDFLAGS $magick_API_LIBS"],
+ 'LIBS' => ["-L$magick_LIB_DIR -L../magick/.libs $magick_LDFLAGS $magick_API_LIBS"],
# Perl binary name (if a Perl binary is built)
'MAP_TARGET' => 'PerlMagick',

BIN
GraphicsMagick-1.3.41.tar.xz Normal file
View File

Binary file not shown.

350
GraphicsMagick.spec
View File

@ -1,166 +1,256 @@
%ifarch x86_64 %global _with_quantum_depth --with-quantum-depth=16
%global _enable_quantum_library_names --enable-quantum-library-names
%global libQ -Q16
# Disable automatic .la file removal
%global __brp_remove_la_files %nil
%if ! 0%{?flatpak}
%global perl 1
%endif
%global multilib_archs x86_64 %{ix86} ppc64 ppc64le ppc s390x s390 sparc64 sparcv9
# hack for older platforms/rpm-versions that do not support %%__isa_bits (like el5)
%ifarch %{multilib_archs}
%if ! 0%{?__isa_bits:1} %if ! 0%{?__isa_bits:1}
%ifarch x86_64 %ifarch x86_64 s390x ia64 ppc64 sparc64
%global __isa_bits 64 %global __isa_bits 64
%else
%global __isa_bits 32
%endif %endif
%endif %endif
%endif %endif
%global __provides_exclude_from ^%{_libdir}/GraphicsMagick-%{version}/.*\\.(la|so)$ %global __provides_exclude_from ^%{_libdir}/GraphicsMagick-%{version}/.*\\.(la|so)$
Name: GraphicsMagick Summary: An ImageMagick fork, offering faster image generation and better quality
Version: 1.3.30 Name: GraphicsMagick
Release: 9 Version: 1.3.41
Summary: Derived from ImageMagick, providing faster image generation speed and better quality Release: 1
License: MIT
Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz
Url: http://www.graphicsmagick.org/
Patch0000: GraphicsMagick-1.3.14-perl_linkage.patch License: MIT
Patch0001: GraphicsMagick-1.3.16-multilib.patch Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz
Patch0002: CVE-2019-11007.patch Source1: urw-fonts-1.0.7pre44.tar.bz2
Patch0003: CVE-2019-11505.patch #S1 URL: http://svn.ghostscript.com/ghostscript/tags/urw-fonts-1.0.7pre44/ -- urw-fonts-2.4-16.el7.src.rpm
Patch0004: CVE-2019-11008.patch #S1 https://gitee.com/src-openeuler/urw-base35-fonts.git
Patch0005: CVE-2019-11506.patch Url: http://www.graphicsmagick.org/
Patch0006: CVE-2019-11009.patch
Patch0007: CVE-2018-18544.patch
Patch0008: CVE-2019-7397.patch
Patch0009: CVE-2019-11005.patch
Patch0010: CVE-2019-11006.patch
Patch0011: CVE-2019-11010.patch
Patch0012: CVE-2019-12921.patch
Patch0013: CVE-2020-10938.patch
Patch0014: CVE-2020-12672.patch
Patch0015: CVE-2019-11473-CVE-2019-11474.patch
Patch0016: CVE-2022-1270.patch
BuildRequires: bzip2-devel freetype-devel gcc-c++ giflib-devel lcms2-devel libjpeg-devel Patch002: GraphicsMagick-1.3.31-perl_linkage.patch
BuildRequires: libpng-devel librsvg2-devel libtiff-devel libtool-ltdl-devel libxml2-devel lpr
BuildRequires: libX11-devel libXext-devel libXt-devel perl-devel perl-generators perl(ExtUtils::MakeMaker)
BuildRequires: xdg-utils xz-devel zlib-devel time jbigkit-devel libwebp-devel
Requires: urw-fonts BuildRequires: bzip2-devel
BuildRequires: freetype-devel
BuildRequires: gcc-c++
BuildRequires: giflib-devel
BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
BuildRequires: librsvg2-devel
BuildRequires: libtiff-devel
BuildRequires: libtool-ltdl-devel
BuildRequires: libwmf-devel
BuildRequires: libxml2-devel
BuildRequires: libX11-devel libXext-devel libXt-devel
BuildRequires: lpr
BuildRequires: make
BuildRequires: p7zip
%if 0%{?perl}
BuildRequires: perl-devel
BuildRequires: perl-generators
BuildRequires: perl(ExtUtils::MakeMaker)
%endif
BuildRequires: xdg-utils
BuildRequires: xz-devel
BuildRequires: zlib-devel
## %%check stuff
BuildRequires: time
BuildRequires: libwebp-devel jbigkit-devel
# upgrade path for introduction of -doc subpkg in 1.3.19-4
Obsoletes: GraphicsMagick < 1.3.19-4
%global urw_font_bundle 1
%if 0%{?urw_font_bundle}
%global urw_font_path %{_datadir}/GraphicsMagick-%{version}/urw-fonts
%else
%global urw_font_path %{_datadir}/X11/fonts/urw-fonts
BuildRequires: urw-base35-fonts-legacy
Requires: urw-base35-fonts-legacy
%endif
%description %description
GraphicsMagick is the swiss army knife of image processing. Comprised of 267K physical lines GraphicsMagick is a comprehensive image processing package which is initially
(according to David A. Wheeler's SLOCCount) of source code in the base package based on ImageMagick 5.5.2, but which has undergone significant re-work by
(or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools the GraphicsMagick Group to significantly improve the quality and performance
and libraries which support reading, writing, and manipulating an image in over 89 major formats of the software.
including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, TIFF, and WebP.
%package devel %package devel
Summary: Libraries and header files for GraphicsMagick Summary: Libraries and header files for GraphicsMagick app development
Requires: %{name} = %{version}-%{release} Requires: %{name}%{?_isa} = %{version}-%{release}
%description devel %description devel
GraphicsMagick-devel contains libraries and header files needed to GraphicsMagick-devel contains the Libraries and header files you'll
develop GraphicsMagick applications. This is an image processing program. need to develop GraphicsMagick applications. GraphicsMagick is an image
manipulation program.
If you want to create an application that will use GraphicsMagick code If you want to create applications that will use GraphicsMagick code or
or API, you need to install GraphicsMagick-devel and GraphicsMagick. APIs, you need to install GraphicsMagick-devel as well as GraphicsMagick.
If you just want to use, don't install You do not need to install it if you just want to use GraphicsMagick,
however.
%if 0%{?perl}
%package perl
Summary: GraphicsMagick perl bindings
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
%description perl
Perl bindings to GraphicsMagick.
Install GraphicsMagick-perl if you want to use any perl scripts that use
GraphicsMagick.
%endif
%package c++
Summary: GraphicsMagick Magick++ library (C++ bindings)
Requires: %{name}%{?_isa} = %{version}-%{release}
%description c++
This package contains the GraphicsMagick++ library, a C++ binding to the
GraphicsMagick graphics manipulation library.
Install GraphicsMagick-c++ if you want to use any applications that use
GraphicsMagick++.
%package c++-devel
Summary: C++ bindings for the GraphicsMagick library
Requires: %{name}-c++%{?_isa} = %{version}-%{release}
Requires: %{name}-devel%{?_isa} = %{version}-%{release}
%description c++-devel
GraphicsMagick-devel contains the Libraries and header files you'll
need to develop GraphicsMagick applications using the Magick++ C++ bindings.
GraphicsMagick is an image manipulation program.
If you want to create applications that will use Magick++ code
or APIs, you'll need to install GraphicsMagick-c++-devel, ImageMagick-devel and
GraphicsMagick.
You don't need to install it if you just want to use GraphicsMagick, or if you
want to develop/compile applications using the GraphicsMagick C interface,
however.
%package help %package help
Provides: %{name}-doc = %{version}-%{release} Provides: %{name}-doc = %{version}-%{release}
Obsoletes: %{name}-doc < %{version}-%{release} Obsoletes: %{name}-doc < %{version}-%{release}
Summary: GraphicsMagick documentation and usage introduction Summary: GraphicsMagick documentation and usage introduction
Obsoletes: GraphicsMagick < 1.3.19-4 Obsoletes: GraphicsMagick < 1.3.19-4
BuildArch: noarch BuildArch: noarch
%description help %description help
GraphicsMagick documentation and usage introduction. GraphicsMagick documentation and usage introduction.
%package perl
Summary: GraphicsMagick perl package
Requires: %{name} = %{version}-%{release}
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
%description perl
GraphicsMagick's perl package
Use GraphicsMagick's perl script to install the GraphicsMagick-perl package.
%package c++
Summary: GraphicsMagick c ++ package
Requires: %{name} = %{version}-%{release}
%description c++
This package contains the GraphicsMagick ++ library, which is
a C ++ library for the GraphicsMagick graphics manipulation library.
To use any application that uses GraphicsMagick ++,
install GraphicsMagick-c ++.
%package c++-devel
Summary: GraphicsMagick's C ++ Development Kit
Requires: %{name}-c++ = %{version}-%{release}
Requires: %{name}-devel = %{version}-%{release}
%description c++-devel
GraphicsMagick-devel contains libraries and header files needed to
develop GraphicsMagick applications using Magick ++ C ++ bindings.
If you want to create an application that uses Magick ++ code or API,
you need to install GraphicsMagick-c ++-devel, ImageMagick devel, and GraphicsMagick.
If you are just using GraphicsMagick, or you want to develop / compile
applications using the GraphicsMagick C interface, you do not need to install it.
%prep %prep
%autosetup -p1 %setup -q
%if 0%{?urw_font_bundle}
mkdir -p urw-fonts
tar --directory=urw-fonts/ -xf %{SOURCE1}
rm -f urw-fonts/ChangeLog urw-fonts/README* urw-fonts/fonts*
%endif
%patch002 -p1 -b .perl_linkage
for f in ChangeLog.{2006,2008,2009,2012} NEWS.txt ; do
iconv -f iso-8859-2 -t utf8 < $f > $f.utf8
touch -r $f $f.utf8 ; mv -f $f.utf8 $f
done
# Avoid lib64 rpaths (FIXME: recheck this on newer releases)
%if "%{_libdir}" != "/usr/lib" %if "%{_libdir}" != "/usr/lib"
sed -i -e 's|"/lib /usr/lib|"%{_lib} %{_libdir}|' configure sed -i.rpath -e 's|"/lib /usr/lib|"/%{_lib} %{_libdir}|' configure
%endif %endif
%build %build
%configure --enable-shared --disable-static --docdir=%{_pkgdocdir} --with-lcms2 --with-magick_plus_plus \ %configure \
--with-modules --with-perl --with-perl-options="INSTALLDIRS=vendor %{?perl_prefix}" \ --enable-shared --disable-static \
--with-quantum-depth=16 --enable-quantum-library-names --with-threads --with-wmf --with-x \ --docdir=%{_pkgdocdir} \
--with-xml --without-dps --without-gslib --with-gs-font-dir=%{_datadir}/fonts/default/Type1 --with-lcms2 \
--with-magick_plus_plus \
--with-modules \
%if 0%{?flatpak}
--without-perl \
%else
--with-perl \
--with-perl-options="INSTALLDIRS=vendor %{?perl_prefix}" \
%endif
%{?_with_quantum_depth} \
%{?_enable_quantum_library_names} \
--with-threads \
--with-wmf \
--with-x \
--with-xml \
--without-dps \
--without-gslib \
--with-gs-font-dir=%{urw_font_path}
%make_build %make_build
%if 0%{?perl}
%make_build perl-build %make_build perl-build
%endif
%install %install
%make_install %make_install
%if 0%{?perl}
%make_install -C PerlMagick %make_install -C PerlMagick
# perlmagick: fix perl path of demo files
%{__perl} -MExtUtils::MakeMaker -e 'MY->fixin(@ARGV)' PerlMagick/demo/*.pl %{__perl} -MExtUtils::MakeMaker -e 'MY->fixin(@ARGV)' PerlMagick/demo/*.pl
find %{buildroot} -type f -name "*.bs" -delete find %{buildroot} -name "*.bs" |xargs rm -fv
find %{buildroot} -type f -name ".packlist" -delete find %{buildroot} -name ".packlist" |xargs rm -fv
find %{buildroot} -type f -name "perllocal.pod" -delete find %{buildroot} -name "perllocal.pod" |xargs rm -fv
ls -l %{buildroot}%{perl_vendorarch}/auto/Graphics/Magick/Magick.so
chmod 755 %{buildroot}%{perl_vendorarch}/auto/Graphics/Magick/Magick.so chmod 755 %{buildroot}%{perl_vendorarch}/auto/Graphics/Magick/Magick.so
# perlmagick: build files list
find %{buildroot}/%{_libdir}/perl* -type f -print \ find %{buildroot}/%{_libdir}/perl* -type f -print \
| sed "s@^%{buildroot}@@g" > perl-pkg-files | sed "s@^%{buildroot}@@g" > perl-pkg-files
find %{buildroot}%{perl_vendorarch} -type d -print \ find %{buildroot}%{perl_vendorarch} -type d -print \
| sed "s@^%{buildroot}@%dir @g" \ | sed "s@^%{buildroot}@%dir @g" \
| grep -v '^%dir %{perl_vendorarch}$' \ | grep -v '^%dir %{perl_vendorarch}$' \
| grep -v '/auto$' >> perl-pkg-files | grep -v '/auto$' >> perl-pkg-files
if [ -z perl-pkg-files ] ; then if [ -z perl-pkg-files ] ; then
echo "ERROR: FILE LIST EMPTY" echo "ERROR: EMPTY FILE LIST"
exit -1 exit -1
fi fi
%endif
rm -rf %{buildroot}%{_datadir}/GraphicsMagick rm -rfv %{buildroot}%{_datadir}/GraphicsMagick
rm -rf %{buildroot}%{_datadir}/%{name}-%{version}/[a-b,d-z,A-Z]* # Keep config
find %{buildroot}%{_libdir} -type f -name "lib*.la" -delete rm -rfv %{buildroot}%{_datadir}/%{name}-%{version}/[a-b,d-z,A-Z]*
rm -fv %{buildroot}%{_libdir}/lib*.la
%ifarch x86_64 %if 0%{?urw_font_bundle}
mkdir -p %{buildroot}%{urw_font_path}/
install -p -m644 urw-fonts/* \
%{buildroot}%{urw_font_path}/
%endif
# fix multilib issues
%ifarch %{multilib_archs}
mv %{buildroot}%{_includedir}/GraphicsMagick/magick/magick_types.h \ mv %{buildroot}%{_includedir}/GraphicsMagick/magick/magick_types.h \
%{buildroot}%{_includedir}/GraphicsMagick/magick/magick_types-%{__isa_bits}.h %{buildroot}%{_includedir}/GraphicsMagick/magick/magick_types-%{__isa_bits}.h
cat >%{buildroot}%{_includedir}/GraphicsMagick/magick/magick_types.h <<EOF cat >%{buildroot}%{_includedir}/GraphicsMagick/magick/magick_types.h <<EOF
#ifndef MAGICK_TYPES_MULTILIB #ifndef MAGICK_TYPES_MULTILIB
#define MAGICK_TYPES_MULTILIB #define MAGICK_TYPES_MULTILIB
#include <bits/wordsize.h> #include <bits/wordsize.h>
#if __WORDSIZE == 32 #if __WORDSIZE == 32
# include "magick/magick_types-32.h" # include "magick/magick_types-32.h"
#elif __WORDSIZE == 64 #elif __WORDSIZE == 64
@ -168,14 +258,29 @@ cat >%{buildroot}%{_includedir}/GraphicsMagick/magick/magick_types.h <<EOF
#else #else
# error "unexpected value for __WORDSIZE macro" # error "unexpected value for __WORDSIZE macro"
#endif #endif
#endif #endif
EOF EOF
%endif %endif
%check %check
time %make_build check ||: %if 0%{?perl}
make test -C PerlMagick ||:
%endif
time \
%make_build check ||:
# multilib hack only supports 32/64 bits for now
%ifarch %{multilib_archs}
%if ! (%{__isa_bits} == 32 || %{__isa_bits} == 64)
echo "multilib hack currently only supports 64/32 bits, not %{__isa_bits} (yet)"
exit 1
%endif
%endif
%ldconfig_scriptlets
%post %post
/sbin/ldconfig /sbin/ldconfig
@ -188,8 +293,8 @@ time %make_build check ||:
%files %files
%dir %{_pkgdocdir} %dir %{_pkgdocdir}
%license %{_pkgdocdir}/Copyright.txt %license %{_pkgdocdir}/Copyright.txt
%{_libdir}/libGraphicsMagick-Q16.so.3* %{_libdir}/libGraphicsMagick%{?libQ}.so.3*
%{_libdir}/libGraphicsMagickWand-Q16.so.2* %{_libdir}/libGraphicsMagickWand%{?libQ}.so.2*
%{_bindir}/[a-z]* %{_bindir}/[a-z]*
%{_libdir}/GraphicsMagick-%{version}/ %{_libdir}/GraphicsMagick-%{version}/
%{_datadir}/GraphicsMagick-%{version}/ %{_datadir}/GraphicsMagick-%{version}/
@ -204,6 +309,22 @@ time %make_build check ||:
%dir %{_includedir}/GraphicsMagick/ %dir %{_includedir}/GraphicsMagick/
%{_includedir}/GraphicsMagick/magick/ %{_includedir}/GraphicsMagick/magick/
%{_includedir}/GraphicsMagick/wand/ %{_includedir}/GraphicsMagick/wand/
%ldconfig_scriptlets c++
%files c++
%{_libdir}/libGraphicsMagick++%{?libQ}.so.12*
%files c++-devel
%{_bindir}/GraphicsMagick++-config
%{_includedir}/GraphicsMagick/Magick++/
%{_includedir}/GraphicsMagick/Magick++.h
%{_libdir}/libGraphicsMagick++.so
%{_libdir}/pkgconfig/GraphicsMagick++.pc
%if 0%{?perl}
%files perl -f perl-pkg-files
%doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt
%endif
%files help %files help
%dir %{_pkgdocdir} %dir %{_pkgdocdir}
@ -216,21 +337,10 @@ time %make_build check ||:
%{_mandir}/man1/GraphicsMagick++-config.* %{_mandir}/man1/GraphicsMagick++-config.*
%{_mandir}/man3/* %{_mandir}/man3/*
%files c++
%{_libdir}/libGraphicsMagick++-Q16.so.12*
%files c++-devel
%{_bindir}/GraphicsMagick++-config
%{_includedir}/GraphicsMagick/Magick++/
%{_includedir}/GraphicsMagick/Magick++.h
%{_libdir}/libGraphicsMagick++.so
%{_libdir}/pkgconfig/GraphicsMagick++.pc
%files perl -f perl-pkg-files
%doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt
%changelog %changelog
* Wed Sep 13 2023 wangkai <13474090681@163.com> - 1.3.41-1
- Update to 1.3.41 for fix CVE-2020-21679
* Mon Jul 11 2022 houyingchao <houyingchao@h-partners.com> - 1.3.30-9 * Mon Jul 11 2022 houyingchao <houyingchao@h-partners.com> - 1.3.30-9
- Fix CVE-2022-1270 - Fix CVE-2022-1270

BIN
urw-fonts-1.0.7pre44.tar.bz2 Normal file
View File

Binary file not shown.