GraphicsMagick/CVE-2022-1270.patch
houyingchao c05343b5b5 fix CVE-2022-1270
(cherry picked from commit 1415a297ec393a54ba6bd173d13940c2be8a9be2)
2022-07-12 09:47:29 +08:00


# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1648301533 18000
# Node ID 94f4bcf448ad29d6d8470e444038402d34fbba12
# Parent 07c1e6eeffb8cb2abb9ede843a45ba7e5435b3b0
ReadMIFFImage(): Validate claimed bzip2-compressed row length prior to reading data into fixed size buffer.
---
ChangeLog | 7 +++++++
coders/miff.c | 11 +++++++++++
magick/version.h | 2 ++
www/Changelog.html | 7 +++++++
4 files changed, 27 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index a89c828..5116ad0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2022-03-26 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+ * coders/miff.c (ReadMIFFImage): Validate claimed bzip2-compressed
+ row length prior to reading data into fixed size buffer.
+ Addresses SourceForge bug #664 "[bug]Heap buffer overflow when
+ parsing MIFF". This severe bug only impacts builds with BZLIB
+ support.
+
2019-04-17 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/xwd.c (ReadXWDImage): Added even more XWD header
validation logic. Addresses problems noted by email from Hongxu
diff --git a/coders/miff.c b/coders/miff.c
index 00813c4..9149a15 100644
--- a/coders/miff.c
+++ b/coders/miff.c
@@ -1674,9 +1674,20 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
else
{
length=ReadBlobMSBLong(image);
+ if (image->logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "length = %"MAGICK_SIZE_T_F"u",
+ (MAGICK_SIZE_T) length);
+ if ((length == 0) || (length > compressed_length))
+ {
+ (void) BZ2_bzDecompressEnd(&bzip_info);
+ ThrowMIFFReaderException(CorruptImageError,UnableToUncompressImage,
+ image);
+ }
bzip_info.avail_in=(unsigned int) ReadBlob(image,length,bzip_info.next_in);
if ((size_t) bzip_info.avail_in != length)
{
+ (void) BZ2_bzDecompressEnd(&bzip_info);
ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile,
image);
}
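Review bot: The new bound `length > compressed_length` only prevents the overflow if `compressed_length` is exactly the allocated size of the buffer that `bzip_info.next_in` points to. Neither that allocation nor the assignment of `next_in` is visible in this hunk, since ReadMIFFImage starts and ends outside it. I would state the invariant next to the check, for example `/* length is taken from the file; it must fit the compressed_length-byte buffer behind bzip_info.next_in */`, so a later change to the buffer sizing cannot silently weaken the check. The preceding `if` branch, also outside the hunk, presumably sets `length` another way and should be confirmed to respect the same bound before the shared `ReadBlob` call. As a style point, the format string reads better with the macro separated: `"length = %" MAGICK_SIZE_T_F "u"`.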
diff --git a/magick/version.h b/magick/version.h
index a9e0dca..1e17abc 100644
--- a/magick/version.h
+++ b/magick/version.h
@@ -40,6 +40,8 @@ extern "C" {
#define MagickLibVersionNumber 21,18,1
#define MagickChangeDate "20190417"
#define MagickReleaseDate "snapshot-20190417"
+#define MagickChangeDate "20220326"
+#define MagickReleaseDate "snapshot-20220326"
/*
The MagickLibInterfaceNewest and MagickLibInterfaceOldest defines
diff --git a/www/Changelog.html b/www/Changelog.html
index e5a21da..5ec8096 100644
--- a/www/Changelog.html
+++ b/www/Changelog.html
@@ -34,6 +34,13 @@
</div>
<div class="document">
+<p>2022-03-26 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
+<blockquote>
+* coders/miff.c (ReadMIFFImage): Validate claimed bzip2-compressed
+row length prior to reading data into fixed size buffer.
+Addresses SourceForge bug #664 &quot;[bug]Heap buffer overflow when
+parsing MIFF&quot;. This severe bug only impacts builds with BZLIB
+support.</blockquote>
<p>2019-04-17 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
--
2.23.0