From a5646313975525c598527269bbfe4524909275f3 Mon Sep 17 00:00:00 2001
From: maminjie
Date: Sat, 19 Sep 2020 17:59:51 +0800
Subject: [PATCH] MNG: Fix small heap overwrite or assertion if magnifying and image to be magnified has rows or columns == 1. (CVE-2020-12672) refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/50395430a371
---
 coders/png.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/coders/png.c b/coders/png.c
index ebb0a4a..b8b6c2b 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -5571,7 +5571,28 @@ static Image *ReadMNGImage(const ImageInfo *image_info,
 
 if (logging)
 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " Processing MNG MAGN chunk");
+ " Processing MNG MAGN chunk: MB=%u, ML=%u,"
+ " MR=%u, MT=%u, MX=%u, MY=%u,"
+ " X_method=%u, Y_method=%u",
+ mng_info->magn_mb,mng_info->magn_ml,
+ mng_info->magn_mr,mng_info->magn_mt,
+ mng_info->magn_mx,mng_info->magn_my,
+ mng_info->magn_methx,
+ mng_info->magn_methy);
+
+ /*
+ If the image width is 1, then X magnification is done
+ by simple pixel replication.
+ */
+ if (image->columns == 1)
+ mng_info->magn_methx = 1;
+
+ /*
+ If the image height is 1, then Y magnification is done
+ by simple pixel replication.
+ */
+ if (image->rows == 1)
+ mng_info->magn_methy = 1;
 
 if (mng_info->magn_methx == 1)
 {
-- 
2.23.0
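Review bot: The two new guards write the fallback into `mng_info->magn_methx` and `mng_info->magn_methy` rather than into locals. If `mng_info` keeps the MAGN parameters for later images in the same stream (not visible in this hunk), a single 1-column or 1-row image would silently downgrade every following image to pixel replication. Consider computing a per-image value instead, e.g. `const unsigned int methx = (image->columns == 1) ? 1 : mng_info->magn_methx;`, and using it in the magnification code that follows, which continues outside the hunk. The new log call also runs before the override, so it reports the requested methods, not the ones applied; move it below the guards or log the effective values as well. The added comments would be more useful if they said why the override is needed, presumably that the other methods read a neighbouring pixel that does not exist when the dimension is 1, as in `/* Interpolating methods need at least two columns; fall back to replication (CVE-2020-12672). */`.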