packages/GraphicsMagick
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!2 fix CVE-2019-11007 CVE-2019-11505 CVE-2019-11008 CVE-2019-11506 CVE-2019-11009

Browse Source 
Merge pull request !2 from seki099/shijian
This commit is contained in:
openeuler-ci-bot 2019-12-25 09:19:48 +08:00 committed by Gitee
commit dcab1dd57c
6 changed files with 773 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

111
CVE-2019-11007.patch Normal file
View File

@ -0,0 +1,111 @@
--- a/magick/colormap.c Tue Apr 02 18:38:00 2019 -0500
+++ b/magick/colormap.c Tue Apr 02 19:44:26 2019 -0500
@@ -35,11 +35,11 @@
% AllocateImageColormap() allocates an image colormap and initializes
% it to a linear gray colorspace with increasing intensity. If the image
% already has a colormap, it is replaced. AllocateImageColormap() returns
-% True if successful, otherwise False if there is not enough memory.
+% MagickPass if successful, otherwise MagickFail if there is not enough memory.
%
% The format of the AllocateImageColormap method is:
%
-% unsigned int AllocateImageColormap(Image *image,
+% MagickPassFail AllocateImageColormap(Image *image,
% const unsigned long colors)
%
% A description of each parameter follows:
@@ -109,7 +109,7 @@
%
% The format of the CycleColormapImage method is:
%
-% CycleColormapImage(Image *image,const int amount)
+% MagickPassFail CycleColormapImage(Image *image,const int amount)
%
% A description of each parameter follows:
%
@@ -250,6 +250,76 @@
% %
% %
% %
++ R e a l l o c a t e I m a g e C o l o r m a p %
+% %
+% %
+% %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% ReallocateImageColormap() reallocates an image colormap (or allocates it
+% if is not already allocated) and clears any added colormap entries
+% while preserving existing entries. ReallocateImageColormap() returns
+% MagickPass if successful, otherwise MagickFail if there is not enough
+% memory or the number of colormap entries is not supported.
+%
+% The image storage class is not modified by this function.
+%
+% The format of the ReallocateImageColormap method is:
+%
+% MagickPassFail ReallocateImageColormap(Image *image,
+% const unsigned int colors)
+%
+% A description of each parameter follows:
+%
+% o image: The image.
+%
+% o colors: The number of colors in the image colormap.
+%
+%
+*/
+MagickExport MagickPassFail ReallocateImageColormap(Image *image,
+ const unsigned int colors)
+{
+ register unsigned int
+ i;
+
+ unsigned int
+ prev_colors;
+
+ size_t
+ length;
+
+ /*
+ Allocate image colormap.
+ */
+ assert(image != (Image *) NULL);
+ assert(image->signature == MagickSignature);
+ if (colors > MaxColormapSize)
+ return (MagickFail);
+ prev_colors=image->colors;
+ length=MagickArraySize((size_t) colors,sizeof(PixelPacket));
+ MagickReallocMemory(PixelPacket *,image->colormap,length);
+ if (image->colormap == (PixelPacket *) NULL)
+ {
+ image->colors=0;
+ return(MagickFail);
+ }
+ image->colors=colors;
+ for (i=prev_colors; i < image->colors; i++)
+ {
+ image->colormap[i].red=0;
+ image->colormap[i].green=0;
+ image->colormap[i].blue=0;
+ image->colormap[i].opacity=OpaqueOpacity;
+ }
+ return(MagickPass);
+}
+
+/*
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% %
+% %
+% %
% R e p l a c e I m a g e C o l o r m a p %
% %
% %
@@ -438,7 +508,7 @@
%
% The format of the SortColormapByIntensity method is:
%
-% unsigned int SortColormapByIntensity(Image *image)
+% MagickPassFail SortColormapByIntensity(Image *image)
%
% A description of each parameter follows:
%

488
CVE-2019-11008.patch Normal file
View File

@ -0,0 +1,488 @@
--- a/coders/xwd.c Fri Apr 05 08:43:15 2019 -0500
+++ b/coders/xwd.c Sun Apr 07 15:29:54 2019 -0500
@@ -96,6 +96,102 @@
#if defined(HasX11)
#include "magick/xwindow.h"
+
+static void TraceXWDHeader(const XWDFileHeader *header)
+{
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "XWDFileHeader:\n"
+ " header_size : %u\n"
+ " file_version : %u\n"
+ " pixmap_format : %s\n"
+ " pixmap_depth : %u\n"
+ " pixmap_width : %u\n"
+ " pixmap_height : %u\n"
+ " xoffset : %u\n"
+ " byte_order : %s\n"
+ " bitmap_unit : %u\n"
+ " bitmap_bit_order : %s\n"
+ " bitmap_pad : %u\n"
+ " bits_per_pixel : %u\n"
+ " bytes_per_line : %u\n"
+ " visual_class : %s\n"
+ " red_mask : 0x%06X\n"
+ " green_mask : 0x%06X\n"
+ " blue_mask : 0x%06X\n"
+ " bits_per_rgb : %u\n"
+ " colormap_entries : %u\n"
+ " ncolors : %u\n"
+ " window_width : %u\n"
+ " window_height : %u\n"
+ " window_x : %u\n"
+ " window_y : %u\n"
+ " window_bdrwidth : %u",
+ (unsigned int) header->header_size,
+ (unsigned int) header->file_version,
+ /* (unsigned int) header->pixmap_format, */
+ (header->pixmap_format == XYBitmap ? "XYBitmap" :
+ (header->pixmap_format == XYPixmap ? "XYPixmap" :
+ (header->pixmap_format == ZPixmap ? "ZPixmap" : "?"))),
+ (unsigned int) header->pixmap_depth,
+ (unsigned int) header->pixmap_width,
+ (unsigned int) header->pixmap_height,
+ (unsigned int) header->xoffset,
+ (header->byte_order == MSBFirst? "MSBFirst" :
+ (header->byte_order == LSBFirst ? "LSBFirst" : "?")),
+ (unsigned int) header->bitmap_unit,
+ (header->bitmap_bit_order == MSBFirst? "MSBFirst" :
+ (header->bitmap_bit_order == LSBFirst ? "LSBFirst" :
+ "?")),
+ (unsigned int) header->bitmap_pad,
+ (unsigned int) header->bits_per_pixel,
+ (unsigned int) header->bytes_per_line,
+ (header->visual_class == StaticGray ? "StaticGray" :
+ (header->visual_class == GrayScale ? "GrayScale" :
+ (header->visual_class == StaticColor ? "StaticColor" :
+ (header->visual_class == PseudoColor ? "PseudoColor" :
+ (header->visual_class == TrueColor ? "TrueColor" :
+ (header->visual_class == DirectColor ?
+ "DirectColor" : "?")))))),
+ (unsigned int) header->red_mask,
+ (unsigned int) header->green_mask,
+ (unsigned int) header->blue_mask,
+ (unsigned int) header->bits_per_rgb,
+ (unsigned int) header->colormap_entries,
+ (unsigned int) header->ncolors,
+ (unsigned int) header->window_width,
+ (unsigned int) header->window_height,
+ (unsigned int) header->window_x,
+ (unsigned int) header->window_y,
+ (unsigned int) header->window_bdrwidth
+ );
+}
+
+/*
+ Compute required allocation sizes
+
+ FIXME: This is still a work in progress.
+
+ BitmapUnit (pixmap_depth) is the size of each data unit in each
+ scan line. This value may be 8, 16, or 32.
+
+ BitmapPad (bitmap_pad) is the number of bits of padding added to
+ each scan line. This value may be 8, 16, or 32.
+*/
+static MagickPassFail BytesPerLine(size_t *bytes_per_line,
+ size_t *scanline_bits,
+ const size_t pixmap_width,
+ const size_t pixmap_depth,
+ const size_t bitmap_pad)
+{
+ *bytes_per_line=0;
+ *scanline_bits=MagickArraySize(pixmap_width,pixmap_depth);
+ if ((*scanline_bits > 0) && (((~(size_t)0) - *scanline_bits > (bitmap_pad)-1)))
+ *bytes_per_line=((((*scanline_bits)+((bitmap_pad)-1))/
+ (bitmap_pad))*((bitmap_pad) >> 3));
+
+ return (*bytes_per_line !=0 && *scanline_bits != 0) ? MagickPass : MagickFail;
+}
+
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
@@ -211,71 +307,11 @@
if (*(char *) &lsb_first)
MSBOrderLong((unsigned char *) &header,sz_XWDheader);
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
- "XWDFileHeader:\n"
- " header_size : %u\n"
- " file_version : %u\n"
- " pixmap_format : %s\n"
- " pixmap_depth : %u\n"
- " pixmap_width : %u\n"
- " pixmap_height : %u\n"
- " xoffset : %u\n"
- " byte_order : %s\n"
- " bitmap_unit : %u\n"
- " bitmap_bit_order : %s\n"
- " bitmap_pad : %u\n"
- " bits_per_pixel : %u\n"
- " bytes_per_line : %u\n"
- " visual_class : %s\n"
- " red_mask : 0x%06X\n"
- " green_mask : 0x%06X\n"
- " blue_mask : 0x%06X\n"
- " bits_per_rgb : %u\n"
- " colormap_entries : %u\n"
- " ncolors : %u\n"
- " window_width : %u\n"
- " window_height : %u\n"
- " window_x : %u\n"
- " window_y : %u\n"
- " window_bdrwidth : %u",
- (unsigned int) header.header_size,
- (unsigned int) header.file_version,
- /* (unsigned int) header.pixmap_format, */
- (header.pixmap_format == XYBitmap ? "XYBitmap" :
- (header.pixmap_format == XYPixmap ? "XYPixmap" :
- (header.pixmap_format == ZPixmap ? "ZPixmap" : "?"))),
- (unsigned int) header.pixmap_depth,
- (unsigned int) header.pixmap_width,
- (unsigned int) header.pixmap_height,
- (unsigned int) header.xoffset,
- (header.byte_order == MSBFirst? "MSBFirst" :
- (header.byte_order == LSBFirst ? "LSBFirst" : "?")),
- (unsigned int) header.bitmap_unit,
- (header.bitmap_bit_order == MSBFirst? "MSBFirst" :
- (header.bitmap_bit_order == LSBFirst ? "LSBFirst" :
- "?")),
- (unsigned int) header.bitmap_pad,
- (unsigned int) header.bits_per_pixel,
- (unsigned int) header.bytes_per_line,
- (header.visual_class == StaticGray ? "StaticGray" :
- (header.visual_class == GrayScale ? "GrayScale" :
- (header.visual_class == StaticColor ? "StaticColor" :
- (header.visual_class == PseudoColor ? "PseudoColor" :
- (header.visual_class == TrueColor ? "TrueColor" :
- (header.visual_class == DirectColor ?
- "DirectColor" : "?")))))),
- (unsigned int) header.red_mask,
- (unsigned int) header.green_mask,
- (unsigned int) header.blue_mask,
- (unsigned int) header.bits_per_rgb,
- (unsigned int) header.colormap_entries,
- (unsigned int) header.ncolors,
- (unsigned int) header.window_width,
- (unsigned int) header.window_height,
- (unsigned int) header.window_x,
- (unsigned int) header.window_y,
- (unsigned int) header.window_bdrwidth
- );
+ /*
+ Trace XWD header
+ */
+ if (image->logging)
+ TraceXWDHeader(&header);
/*
Check to see if the dump file is in the proper format.
@@ -283,7 +319,8 @@
if (header.file_version != XWD_FILE_VERSION)
ThrowXWDReaderException(CorruptImageError,InvalidFileFormatVersion,image);
if (header.header_size < sz_XWDheader)
- ThrowXWDReaderException(CorruptImageError,CorruptImage,image);
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+
switch (header.visual_class)
{
case StaticGray:
@@ -295,7 +332,7 @@
break;
default:
{
- ThrowXWDReaderException(CorruptImageError,CorruptImage,image);
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
}
}
switch (header.pixmap_format)
@@ -306,10 +343,36 @@
break;
default:
{
- ThrowXWDReaderException(CorruptImageError,CorruptImage,image);
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
}
}
+ if ((header.bits_per_pixel == 0) || (header.bits_per_pixel > 32))
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+ if ((header.bitmap_pad % 8 != 0) || (header.bitmap_pad > 32))
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+
+ {
+ size_t
+ bytes_per_line=0,
+ scanline_bits;
+
+ if (BytesPerLine(&bytes_per_line,&scanline_bits,
+ header.pixmap_width,header.pixmap_depth,header.bitmap_pad)
+ == MagickFail)
+ ThrowReaderException(CoderError,ArithmeticOverflow,image);
+
+ if (header.bytes_per_line < bytes_per_line)
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Header bytes_per_line = %" MAGICK_SIZE_T_F "u,"
+ " expected %" MAGICK_SIZE_T_F "u",
+ (MAGICK_SIZE_T) header.bytes_per_line,
+ (MAGICK_SIZE_T) bytes_per_line);
+ ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+ }
+ }
+
/*
Retrieve comment (if any)
*/
@@ -366,6 +429,7 @@
/* Guard against buffer overflow in libX11. */
if (ximage->bits_per_pixel > 32 || ximage->bitmap_unit > 32)
ThrowXWDReaderException(CorruptImageError,ImproperImageHeader,image);
+
status=XInitImage(ximage);
if (status == False)
ThrowXWDReaderException(CorruptImageError,UnrecognizedXWDHeader,image);
@@ -456,6 +520,22 @@
ThrowXWDReaderException(ResourceLimitError,MemoryAllocationFailed,
image);
}
+ {
+
+ magick_off_t
+ file_size;
+
+ file_size=GetBlobSize(image);
+
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "File size %" MAGICK_OFF_F "d,"
+ "Pixels allocation size %" MAGICK_SIZE_T_F "u",
+ file_size, (MAGICK_SIZE_T) length);
+
+ if ((file_size != 0) && ((size_t) file_size < length))
+ ThrowXWDReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ }
+
ximage->data=MagickAllocateMemory(char *,length);
if (ximage->data == (char *) NULL)
ThrowXWDReaderException(ResourceLimitError,MemoryAllocationFailed,image);
@@ -725,16 +805,16 @@
*/
static unsigned int WriteXWDImage(const ImageInfo *image_info,Image *image)
{
- long
+ unsigned long
y;
register const PixelPacket
*p;
- register long
+ register unsigned long
x;
- register long
+ register unsigned int
i;
register unsigned char
@@ -743,17 +823,22 @@
unsigned char
*pixels;
+ unsigned int
+ bits_per_pixel;
+
size_t
- pixels_size;
+ bytes_per_line=0,
+ scanline_bits,
+ scanline_pad=0;
unsigned int
+ bitmap_pad;
+
+ MagickPassFail
status;
unsigned long
- bits_per_pixel,
- bytes_per_line,
- lsb_first,
- scanline_pad;
+ lsb_first;
XWDFileHeader
xwd_info;
@@ -766,7 +851,7 @@
assert(image != (Image *) NULL);
assert(image->signature == MagickSignature);
status=OpenBlob(image_info,image,WriteBinaryBlobMode,&image->exception);
- if (status == False)
+ if (status == MagickFail)
ThrowWriterException(FileOpenError,UnableToOpenFile,image);
(void) TransformColorspace(image,RGBColorspace);
/*
@@ -774,6 +859,40 @@
*/
if ((image->storage_class == PseudoClass) && (image->colors > 256))
SetImageType(image,TrueColorType);
+
+ /*
+ Compute required allocation sizes
+
+ BitmapUnit is the size of each data unit in each scan line. This
+ value may be 8, 16, or 32.
+
+ BitmapPad is the number of bits of padding added to each scan
+ line. This value may be 8, 16, or 32.
+ */
+ bits_per_pixel=(image->storage_class == DirectClass ? 24 : 8);
+ bitmap_pad=(image->storage_class == DirectClass ? 32 : 8);
+
+ if (BytesPerLine(&bytes_per_line,&scanline_bits,image->columns,
+ bits_per_pixel,bitmap_pad) != MagickFail)
+ scanline_pad=(bytes_per_line-(scanline_bits >> 3));
+
+ if (image->logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " image->columns=%lu,"
+ " bits_per_pixel=%u,"
+ " bytes_per_line=%" MAGICK_SIZE_T_F "u,"
+ " bitmap_pad=%u",
+ image->columns,
+ bits_per_pixel,
+ (MAGICK_SIZE_T) bytes_per_line,
+ bitmap_pad);
+ if ((scanline_bits == 0) || (bytes_per_line < (scanline_bits >> 3)))
+ ThrowWriterException(CoderError,ArithmeticOverflow,image);
+
+ if (((bytes_per_line & 0x7fffffff) != bytes_per_line) ||
+ ((image->rows & 0x7fffffff) != image->rows))
+ ThrowWriterException(CoderError,ImageColumnOrRowSizeIsNotSupported,image);
+
/*
Initialize XWD file header.
*/
@@ -788,19 +907,14 @@
xwd_info.byte_order=(CARD32) MSBFirst;
xwd_info.bitmap_unit=(CARD32) (image->storage_class == DirectClass ? 32 : 8);
xwd_info.bitmap_bit_order=(CARD32) MSBFirst;
- xwd_info.bitmap_pad=(CARD32) (image->storage_class == DirectClass ? 32 : 8);
- bits_per_pixel=(image->storage_class == DirectClass ? 24 : 8);
+ xwd_info.bitmap_pad=(CARD32) bitmap_pad;
xwd_info.bits_per_pixel=(CARD32) bits_per_pixel;
- bytes_per_line=(CARD32) ((((xwd_info.bits_per_pixel*
- xwd_info.pixmap_width)+((xwd_info.bitmap_pad)-1))/
- (xwd_info.bitmap_pad))*((xwd_info.bitmap_pad) >> 3));
xwd_info.bytes_per_line=(CARD32) bytes_per_line;
xwd_info.visual_class=(CARD32)
(image->storage_class == DirectClass ? DirectColor : PseudoColor);
xwd_info.red_mask=(CARD32)
(image->storage_class == DirectClass ? 0xff0000 : 0);
- xwd_info.green_mask=(CARD32)
- (image->storage_class == DirectClass ? 0xff00 : 0);
+ xwd_info.green_mask=(CARD32)(image->storage_class == DirectClass ? 0xff00 : 0);
xwd_info.blue_mask=(CARD32) (image->storage_class == DirectClass ? 0xff : 0);
xwd_info.bits_per_rgb=(CARD32) (image->storage_class == DirectClass ? 24 : 8);
xwd_info.colormap_entries=(CARD32)
@@ -812,6 +926,20 @@
xwd_info.window_x=0;
xwd_info.window_y=0;
xwd_info.window_bdrwidth=(CARD32) 0;
+
+ /*
+ Trace XWD header
+ */
+ if (image->logging)
+ TraceXWDHeader(&xwd_info);
+
+ /*
+ Allocate memory for pixels.
+ */
+ pixels=MagickAllocateMemory(unsigned char *,bytes_per_line);
+ if (pixels == (unsigned char *) NULL)
+ ThrowWriterException(ResourceLimitError,MemoryAllocationFailed,image);
+
/*
Write XWD header.
*/
@@ -835,7 +963,7 @@
colors=MagickAllocateArray(XColor *,image->colors,sizeof(XColor));
if (colors == (XColor *) NULL)
ThrowWriterException(ResourceLimitError,MemoryAllocationFailed,image);
- for (i=0; i < (long) image->colors; i++)
+ for (i=0; i < image->colors; i++)
{
colors[i].pixel=i;
colors[i].red=ScaleQuantumToShort(image->colormap[i].red);
@@ -849,30 +977,22 @@
MSBOrderShort((unsigned char *) &colors[i].red,3*sizeof(short));
}
}
- for (i=0; i < (long) image->colors; i++)
+ for (i=0; i < image->colors; i++)
{
color.pixel=(CARD32) colors[i].pixel;
color.red=colors[i].red;
color.green=colors[i].green;
color.blue=colors[i].blue;
color.flags=colors[i].flags;
- (void) WriteBlob(image,sz_XWDColor,(char *) &color);
+ if (WriteBlob(image,sz_XWDColor,(char *) &color) != sz_XWDColor)
+ break;
}
MagickFreeMemory(colors);
}
/*
- Allocate memory for pixels.
- */
- scanline_pad=(bytes_per_line-((image->columns*bits_per_pixel) >> 3));
- pixels_size=image->columns*(image->storage_class == PseudoClass ? 1 : 3)+scanline_pad;
- pixels=MagickAllocateMemory(unsigned char *,pixels_size);
- if (pixels == (unsigned char *) NULL)
- ThrowWriterException(ResourceLimitError,MemoryAllocationFailed,image);
- (void) memset(pixels,0,pixels_size);
- /*
Convert MIFF to XWD raster pixels.
*/
- for (y=0; y < (long) image->rows; y++)
+ for (y=0; y < image->rows; y++)
{
p=AcquireImagePixels(image,0,y,image->columns,1,&image->exception);
if (p == (const PixelPacket *) NULL)
@@ -885,12 +1005,12 @@
*indexes;
indexes=AccessImmutableIndexes(image);
- for (x=0; x < (long) image->columns; x++)
+ for (x=0; x < image->columns; x++)
*q++=(unsigned char) indexes[x];
}
else
{
- for (x=(long) image->columns; x > 0; x--)
+ for (x=0; x < image->columns; x++)
{
*q++=ScaleQuantumToChar(p->red);
@@ -901,7 +1021,8 @@
}
for (x=(long) scanline_pad; x > 0; x--)
*q++=0;
- (void) WriteBlob(image,(size_t) (q-pixels),(char *) pixels);
+ if (WriteBlob(image,(size_t) (q-pixels),(char *) pixels) != (size_t) (q-pixels))
+ break;
if (image->previous == (Image *) NULL)
if (QuantumTick(y,image->rows))
if (!MagickMonitorFormatted(y,image->rows,&image->exception,
@@ -911,6 +1032,6 @@
}
MagickFreeMemory(pixels);
CloseBlob(image);
- return(True);
+ return (y < image->rows ? MagickFail : MagickPass);
}
#endif

37
CVE-2019-11009.patch Normal file
View File

@ -0,0 +1,37 @@
--- a/coders/xwd.c Tue Apr 02 19:44:48 2019 -0500
+++ b/coders/xwd.c Wed Apr 03 19:42:39 2019 -0500
@@ -390,8 +390,8 @@
else
{
image->storage_class=PseudoClass;
+ image->colors=header.ncolors;
}
- image->colors=header.ncolors;
if (!image_info->ping)
{
/*
@@ -507,7 +507,7 @@
/*
Convert X image to DirectClass packets.
*/
- if (image->colors != 0)
+ if (header.ncolors != 0)
{
for (y=0; y < (long) image->rows; y++)
{
@@ -519,12 +519,15 @@
pixel=XGetPixel(ximage,(int) x,(int) y);
index_val=(unsigned short)
((pixel >> red_shift) & red_mask);
+ VerifyColormapIndexWithColors(image,index_val,header.ncolors);
q->red=ScaleShortToQuantum(colors[index_val].red);
index_val=(unsigned short)
((pixel >> green_shift) & green_mask);
+ VerifyColormapIndexWithColors(image,index_val,header.ncolors);
q->green=ScaleShortToQuantum(colors[index_val].green);
index_val=(unsigned short)
((pixel >> blue_shift) & blue_mask);
+ VerifyColormapIndexWithColors(image,index_val,header.ncolors);
q->blue=ScaleShortToQuantum(colors[index_val].blue);
q++;
}

59
CVE-2019-11505.patch Normal file
View File

@ -0,0 +1,59 @@
--- a/coders/pdb.c Wed Apr 10 11:27:35 2019 -0500
+++ b/coders/pdb.c Wed Apr 10 20:48:28 2019 -0500
@@ -30,6 +30,13 @@
%
%
*/
+/*
+ Some information on this format may be found at
+ http://fileformats.archiveteam.org/wiki/Palm_Database_ImageViewer
+
+ Round-trip tests do not pass so this format is not included in the
+ test suite.
+*/
/*
Include declarations.
@@ -733,6 +740,7 @@
entry->magick=(MagickHandler) IsPDB;
entry->description="Palm Database ImageViewer Format";
entry->module="PDB";
+ entry->coder_class=UnstableCoderClass;
(void) RegisterMagickInfo(entry);
}
@@ -842,7 +850,7 @@
status;
size_t
- packets;
+ packets;
unsigned long
literal,
@@ -867,6 +875,7 @@
if (status == False)
ThrowPDBWriterException(FileOpenError,UnableToOpenFile,image);
(void) TransformColorspace(image,RGBColorspace);
+ (void) SetImageType(image,GrayscaleType);
bits_per_pixel=image->depth;
if (GetImageType(image,&image->exception) == BilevelType)
bits_per_pixel=1;
@@ -939,7 +948,7 @@
if (buffer == (unsigned char *) NULL)
ThrowPDBWriterException(ResourceLimitWarning,MemoryAllocationFailed,image);
(void) memset(buffer,0,512);
- packet_size=image->depth > 8 ? 2: 1;
+ packet_size=bits_per_pixel > 8 ? 2: 1;
scanline=MagickAllocateArray(unsigned char *,image->columns,packet_size);
if (scanline == (unsigned char *) NULL)
ThrowPDBWriterException(ResourceLimitWarning,MemoryAllocationFailed,image);
@@ -956,7 +965,7 @@
{
if (!AcquireImagePixels(image,0,y,image->columns,1,&image->exception))
break;
- (void) ExportImagePixelArea(image,GrayQuantum,image->depth,scanline,0,0);
+ (void) ExportImagePixelArea(image,GrayQuantum,bits_per_pixel,scanline,0,0);
for (x=0; x < pdb_image.width; x++)
{
if (x < (long) image->columns)

66
CVE-2019-11506.patch Normal file
View File

@ -0,0 +1,66 @@
--- a/coders/mat.c Wed Apr 10 20:48:28 2019 -0500
+++ b/coders/mat.c Thu Apr 11 20:10:35 2019 -0500
@@ -1376,11 +1376,11 @@
% o image: A pointer to an Image structure.
%
*/
-static unsigned int WriteMATLABImage(const ImageInfo *image_info,Image *image)
+static MagickPassFail WriteMATLABImage(const ImageInfo *image_info,Image *image)
{
long y;
unsigned z;
- unsigned int status;
+ MagickPassFail status;
int logging;
unsigned long DataSize;
char padding;
@@ -1403,7 +1403,7 @@
assert(image->signature == MagickSignature);
logging = LogMagickEvent(CoderEvent,GetMagickModule(),"enter MAT");
status=OpenBlob(image_info,image,WriteBinaryBlobMode,&image->exception);
- if (status == False)
+ if (status == MagickFail)
ThrowWriterException(FileOpenError,UnableToOpenFile,image);
/*
@@ -1477,26 +1477,32 @@
for (y=0; y<(long)image->columns; y++)
{
progress_quantum++;
- (void) AcquireImagePixels(image,y,0,1,image->rows,&image->exception);
- (void) ExportImagePixelArea(image,z2qtype[z],8,pixels,0,0);
- (void) WriteBlob(image,image->rows,pixels);
+ if (AcquireImagePixels(image,y,0,1,image->rows,&image->exception) == (PixelPacket *) NULL)
+ break;
+ if (ExportImagePixelArea(image,z2qtype[z],8,pixels,0,0) == MagickFail)
+ break;
+ if (WriteBlob(image,image->rows,pixels) != image->rows)
+ break;
if (QuantumTick(progress_quantum,progress_span))
if (!MagickMonitorFormatted(progress_quantum,progress_span,&image->exception,
SaveImageText,image->filename,
image->columns,image->rows))
- goto BreakAll;
+ break;
}
+ if (y != (long)image->columns)
+ {
+ status=MagickFail;
+ goto BreakAll;
+ }
+
} while(z-- >= 2);
}
BreakAll:
while(padding-->0) (void) WriteBlobByte(image,0);
- status=True;
-
- if(pixels)
- {MagickFreeMemory(pixels);pixels=NULL;}
- if(image->next==NULL) break;
+ MagickFreeMemory(pixels);
+ if(status == MagickFail || image->next==NULL) break;
image=SyncNextImageInList(image);
}

14
GraphicsMagick.spec
View File

@ -10,7 +10,7 @@
Name: GraphicsMagick
Version: 1.3.30
Release: 4
Release: 5
Summary: Derived from ImageMagick, providing faster image generation speed and better quality
License: MIT
Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz
@ -18,7 +18,11 @@ Url: http://www.graphicsmagick.org/
Patch0000: GraphicsMagick-1.3.14-perl_linkage.patch
Patch0001: GraphicsMagick-1.3.16-multilib.patch
Patch0002: CVE-2019-11007.patch
Patch0003: CVE-2019-11505.patch
Patch0004: CVE-2019-11008.patch
Patch0005: CVE-2019-11506.patch
Patch0006: CVE-2019-11009.patch
BuildRequires: bzip2-devel freetype-devel gcc-c++ giflib-devel jasper-devel lcms2-devel libjpeg-devel
BuildRequires: libpng-devel librsvg2-devel libtiff-devel libtool-ltdl-devel libxml2-devel lpr
@ -217,5 +221,11 @@ time %make_build check ||:
%changelog
* Tue Dec 24 2019 shijian<shijian16@huawei.com> - 1.3.30-5
- Type:cves
- ID:CVE-2019-11007.patch CVE-2019-11505.patch CVE-2019-11008.patch CVE-2019-11506.patch CVE-2019-11009.patch
- SUG:restart
- DESC: fix CVE-2019-11007.patch CVE-2019-11505.patch CVE-2019-11008.patch CVE-2019-11506.patch CVE-2019-11009.patch
* Fri Dec 13 2019 yangjian<yangjian79@huawei.com> - 1.3.30-4
- Package init