packages/ImageMagick
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!182 [sync] PR-177: Fix CVE-2023-34151 and CVE-2023-34153

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
This commit is contained in:
openeuler-ci-bot 2023-06-09 01:59:20 +00:00 committed by Gitee
commit 0a45da6b6b
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 425 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

281
CVE-2023-34151.patch Normal file
View File

@ -0,0 +1,281 @@
From 3d6d98d8a2be30d74172ab43b5b8e874d2deb158 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 17 May 2023 21:06:15 -0400
Subject: [PATCH] properly cast double to size_t
(https://github.com/ImageMagick/ImageMagick/issues/6341)
Link: https://github.com/ImageMagick/ImageMagick/commit/3d6d98d8a2be30d74172ab43b5b8e874d2deb158
---
MagickCore/annotate.c | 4 ++--
MagickCore/draw.c | 2 +-
MagickCore/geometry.c | 6 +++---
MagickCore/shear.c | 6 +++---
MagickCore/visual-effects.c | 4 ++--
coders/caption.c | 10 +++++-----
coders/label.c | 10 +++++-----
coders/pcl.c | 4 ++--
coders/pdf.c | 4 ++--
coders/ps.c | 4 ++--
coders/ps2.c | 4 ++--
coders/ps3.c | 4 ++--
coders/svg.c | 4 ++--
13 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/MagickCore/annotate.c b/MagickCore/annotate.c
index bd2da50f36..b635d36bfb 100644
--- a/MagickCore/annotate.c
+++ b/MagickCore/annotate.c
@@ -341,7 +341,7 @@ MagickExport MagickBooleanType AnnotateImage(Image *image,
(void) CloneString(&annotate->text,textlist[i]);
if ((metrics.width == 0) || (annotate->gravity != NorthWestGravity))
(void) GetTypeMetrics(image,annotate,&metrics,exception);
- height=(size_t) floor(metrics.ascent-metrics.descent+0.5);
+ height=CastDoubleToUnsigned(metrics.ascent-metrics.descent+0.5);
if (height == 0)
height=draw_info->pointsize;
height+=(size_t) floor(draw_info->interline_spacing+0.5);
@@ -673,7 +673,7 @@ MagickExport ssize_t FormatMagickCaption(Image *image,DrawInfo *draw_info,
status=GetTypeMetrics(image,draw_info,metrics,exception);
if (status == MagickFalse)
break;
- width=(size_t) floor(metrics->width+draw_info->stroke_width+0.5);
+ width=CastDoubleToUnsigned(metrics->width+draw_info->stroke_width+0.5);
if (width <= image->columns)
continue;
if (s != (char *) NULL)
diff --git a/MagickCore/draw.c b/MagickCore/draw.c
index 3d46ba2cb3..d88729d9da 100644
--- a/MagickCore/draw.c
+++ b/MagickCore/draw.c
@@ -3515,7 +3515,7 @@ static MagickBooleanType RenderMVGContent(Image *image,
(void) GetNextToken(q,&q,extent,token);
if (*token == ',')
(void) GetNextToken(q,&q,extent,token);
- region.height=(size_t) floor(GetDrawValue(token,&next_token)+
+ region.height=CastDoubleToUnsigned(GetDrawValue(token,&next_token)+
0.5);
if (token == next_token)
ThrowPointExpectedException(token,exception);
diff --git a/MagickCore/geometry.c b/MagickCore/geometry.c
index 977183b576..4d201f36d6 100644
--- a/MagickCore/geometry.c
+++ b/MagickCore/geometry.c
@@ -1515,8 +1515,8 @@ MagickExport MagickStatusType ParseMetaGeometry(const char *geometry,ssize_t *x,
scale.y=geometry_info.sigma;
if ((percent_flags & SigmaValue) == 0)
scale.y=scale.x;
- *width=(size_t) floor(scale.x*stasis_width/100.0+0.5);
- *height=(size_t) floor(scale.y*stasis_height/100.0+0.5);
+ *width=CastDoubleToUnsigned(scale.x*stasis_width/100.0+0.5);
+ *height=CastDoubleToUnsigned(scale.y*stasis_height/100.0+0.5);
stasis_width=(*width);
stasis_height=(*height);
}
@@ -1536,7 +1536,7 @@ MagickExport MagickStatusType ParseMetaGeometry(const char *geometry,ssize_t *x,
if (geometry_ratio >= image_ratio)
{
*width=stasis_width;
- *height=(size_t) floor((double) (PerceptibleReciprocal(
+ *height=CastDoubleToUnsigned((double) (PerceptibleReciprocal(
geometry_ratio)*stasis_height*image_ratio)+0.5);
}
else
diff --git a/MagickCore/shear.c b/MagickCore/shear.c
index 5cfa7be965..04e785ea6c 100644
--- a/MagickCore/shear.c
+++ b/MagickCore/shear.c
@@ -1768,9 +1768,9 @@ MagickExport Image *ShearRotateImage(const Image *image,const double degrees,
*/
width=integral_image->columns;
height=integral_image->rows;
- bounds.width=(size_t) floor(fabs((double) height*shear.x)+width+0.5);
- bounds.height=(size_t) floor(fabs((double) bounds.width*shear.y)+height+0.5);
- shear_width=(size_t) floor(fabs((double) bounds.height*shear.x)+
+ bounds.width=CastDoubleToUnsigned(fabs((double) height*shear.x)+width+0.5);
+ bounds.height=CastDoubleToUnsigned(fabs((double) bounds.width*shear.y)+height+0.5);
+ shear_width=CastDoubleToUnsigned(fabs((double) bounds.height*shear.x)+
bounds.width+0.5);
bounds.x=CastDoubleToLong(floor((double) ((shear_width > bounds.width) ?
width : bounds.width-shear_width+2)/2.0+0.5));
diff --git a/MagickCore/visual-effects.c b/MagickCore/visual-effects.c
index 80024212e8..5257865ee3 100644
--- a/MagickCore/visual-effects.c
+++ b/MagickCore/visual-effects.c
@@ -2060,8 +2060,8 @@ MagickExport Image *ShadowImage(const Image *image,const double alpha,
(void) SetImageColorspace(clone_image,sRGBColorspace,exception);
(void) SetImageVirtualPixelMethod(clone_image,EdgeVirtualPixelMethod,
exception);
- border_info.width=(size_t) floor(2.0*sigma+0.5);
- border_info.height=(size_t) floor(2.0*sigma+0.5);
+ border_info.width=CastDoubleToUnsigned(2.0*sigma+0.5);
+ border_info.height=CastDoubleToUnsigned(2.0*sigma+0.5);
border_info.x=0;
border_info.y=0;
(void) QueryColorCompliance("none",AllCompliance,&clone_image->border_color,
diff --git a/coders/caption.c b/coders/caption.c
index 81aeb15830..35f551b31d 100644
--- a/coders/caption.c
+++ b/coders/caption.c
@@ -169,7 +169,7 @@ static Image *ReadCAPTIONImage(const ImageInfo *image_info,
return(DestroyImageList(image));
(void) SetImageProperty(image,"caption",caption,exception);
draw_info=CloneDrawInfo(image_info,(DrawInfo *) NULL);
- width=(size_t) floor(0.5*draw_info->pointsize*strlen(caption)+0.5);
+ width=CastDoubleToUnsigned(0.5*draw_info->pointsize*strlen(caption)+0.5);
if (AcquireMagickResource(WidthResource,width) == MagickFalse)
{
caption=DestroyString(caption);
@@ -277,8 +277,8 @@ static Image *ReadCAPTIONImage(const ImageInfo *image_info,
if (status == MagickFalse)
break;
AdjustTypeMetricBounds(&metrics);
- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
- height=(size_t) floor(metrics.height-metrics.underline_position+
+ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
+ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
draw_info->interline_spacing+draw_info->stroke_width+0.5);
if ((image->columns != 0) && (image->rows != 0))
{
@@ -310,8 +310,8 @@ static Image *ReadCAPTIONImage(const ImageInfo *image_info,
if (status == MagickFalse)
break;
AdjustTypeMetricBounds(&metrics);
- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
- height=(size_t) floor(metrics.height-metrics.underline_position+
+ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
+ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
draw_info->interline_spacing+draw_info->stroke_width+0.5);
if ((image->columns != 0) && (image->rows != 0))
{
diff --git a/coders/label.c b/coders/label.c
index 1ec2508f60..5d08035a25 100644
--- a/coders/label.c
+++ b/coders/label.c
@@ -151,7 +151,7 @@ static Image *ReadLABELImage(const ImageInfo *image_info,
return(DestroyImageList(image));
(void) SetImageProperty(image,"label",label,exception);
draw_info=CloneDrawInfo(image_info,(DrawInfo *) NULL);
- width=(size_t) floor(0.5*draw_info->pointsize*strlen(label)+0.5);
+ width=CastDoubleToUnsigned(0.5*draw_info->pointsize*strlen(label)+0.5);
if (AcquireMagickResource(WidthResource,width) == MagickFalse)
{
label=DestroyString(label);
@@ -214,8 +214,8 @@ static Image *ReadLABELImage(const ImageInfo *image_info,
if (status == MagickFalse)
break;
AdjustTypeMetricBounds(&metrics);
- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
- height=(size_t) floor(metrics.height-metrics.underline_position+
+ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
+ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
draw_info->stroke_width+0.5);
if ((image->columns != 0) && (image->rows != 0))
{
@@ -249,8 +249,8 @@ static Image *ReadLABELImage(const ImageInfo *image_info,
if (status == MagickFalse)
break;
AdjustTypeMetricBounds(&metrics);
- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
- height=(size_t) floor(metrics.height-metrics.underline_position+
+ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
+ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
draw_info->stroke_width+0.5);
if ((image->columns != 0) && (image->rows != 0))
{
diff --git a/coders/pcl.c b/coders/pcl.c
index b5f6818bd3..0dae2772fa 100644
--- a/coders/pcl.c
+++ b/coders/pcl.c
@@ -334,8 +334,8 @@ static Image *ReadPCLImage(const ImageInfo *image_info,ExceptionInfo *exception)
image->resolution.x,image->resolution.y);
if (image_info->ping != MagickFalse)
(void) FormatLocaleString(density,MagickPathExtent,"2.0x2.0");
- page.width=(size_t) floor(page.width*image->resolution.x/delta.x+0.5);
- page.height=(size_t) floor(page.height*image->resolution.y/delta.y+0.5);
+ page.width=CastDoubleToUnsigned(page.width*image->resolution.x/delta.x+0.5);
+ page.height=CastDoubleToUnsigned(page.height*image->resolution.y/delta.y+0.5);
(void) FormatLocaleString(options,MagickPathExtent,"-g%.20gx%.20g ",(double)
page.width,(double) page.height);
image=DestroyImage(image);
diff --git a/coders/pdf.c b/coders/pdf.c
index 2cf36bf1e9..5ba15aee2f 100644
--- a/coders/pdf.c
+++ b/coders/pdf.c
@@ -1867,9 +1867,9 @@ static MagickBooleanType WritePDFImage(const ImageInfo *image_info,Image *image,
(void) ParseMetaGeometry(temp,&geometry.x,&geometry.y,
&geometry.width,&geometry.height);
scale.x=(double) (geometry.width*delta.x)/resolution.x;
- geometry.width=(size_t) floor(scale.x+0.5);
+ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
scale.y=(double) (geometry.height*delta.y)/resolution.y;
- geometry.height=(size_t) floor(scale.y+0.5);
+ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
(void) ParseAbsoluteGeometry(temp,&media_info);
(void) ParseGravityGeometry(image,temp,&page_info,exception);
if (image->gravity != UndefinedGravity)
diff --git a/coders/ps.c b/coders/ps.c
index ce2bb91765..47e48f1f38 100644
--- a/coders/ps.c
+++ b/coders/ps.c
@@ -1527,9 +1527,9 @@ static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image,
(void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
&geometry.width,&geometry.height);
scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
- geometry.width=(size_t) floor(scale.x+0.5);
+ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
- geometry.height=(size_t) floor(scale.y+0.5);
+ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
(void) ParseAbsoluteGeometry(page_geometry,&media_info);
(void) ParseGravityGeometry(image,page_geometry,&page_info,exception);
if (image->gravity != UndefinedGravity)
diff --git a/coders/ps2.c b/coders/ps2.c
index 766874dc02..eb2d7cbda2 100644
--- a/coders/ps2.c
+++ b/coders/ps2.c
@@ -533,9 +533,9 @@ static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image,
(void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
&geometry.width,&geometry.height);
scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
- geometry.width=(size_t) floor(scale.x+0.5);
+ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
- geometry.height=(size_t) floor(scale.y+0.5);
+ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
(void) ParseAbsoluteGeometry(page_geometry,&media_info);
(void) ParseGravityGeometry(image,page_geometry,&page_info,exception);
if (image->gravity != UndefinedGravity)
diff --git a/coders/ps3.c b/coders/ps3.c
index b75787bd02..fd547fff41 100644
--- a/coders/ps3.c
+++ b/coders/ps3.c
@@ -985,9 +985,9 @@ static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image,
(void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
&geometry.width,&geometry.height);
scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
- geometry.width=(size_t) floor(scale.x+0.5);
+ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
- geometry.height=(size_t) floor(scale.y+0.5);
+ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
(void) ParseAbsoluteGeometry(page_geometry,&media_info);
(void) ParseGravityGeometry(image,page_geometry,&page_info,exception);
if (image->gravity != UndefinedGravity)
diff --git a/coders/svg.c b/coders/svg.c
index 5a1e61c76a..1155133390 100644
--- a/coders/svg.c
+++ b/coders/svg.c
@@ -2826,10 +2826,10 @@ static void SVGStartElement(void *context,const xmlChar *name,
svg_info->view_box=svg_info->bounds;
svg_info->width=0;
if (svg_info->bounds.width >= MagickEpsilon)
- svg_info->width=(size_t) floor(svg_info->bounds.width+0.5);
+ svg_info->width=CastDoubleToUnsigned(svg_info->bounds.width+0.5);
svg_info->height=0;
if (svg_info->bounds.height >= MagickEpsilon)
- svg_info->height=(size_t) floor(svg_info->bounds.height+0.5);
+ svg_info->height=CastDoubleToUnsigned(svg_info->bounds.height+0.5);
(void) FormatLocaleFile(svg_info->file,"viewbox 0 0 %.20g %.20g\n",
(double) svg_info->width,(double) svg_info->height);
sx=PerceptibleReciprocal(svg_info->view_box.width)*svg_info->width;

138
CVE-2023-34153.patch Normal file
View File

@ -0,0 +1,138 @@
From d31c80d15a2c82fc1dd8e889e0f97b0219079a57 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Wed, 17 May 2023 23:33:30 +0200
Subject: [PATCH] Make sure options are properly quoted to resolve the issue
reported in #6338.
Link: https://github.com/ImageMagick/ImageMagick/commit/d31c80d15a2c82fc1dd8e889e0f97b0219079a57
---
MagickCore/delegate-private.h | 19 +++++++++++++++++++
coders/pdf.c | 14 +++-----------
coders/video.c | 24 ++++++++----------------
3 files changed, 30 insertions(+), 27 deletions(-)
diff --git a/MagickCore/delegate-private.h b/MagickCore/delegate-private.h
index 2851316dd6..2d9a8d42ac 100644
--- a/MagickCore/delegate-private.h
+++ b/MagickCore/delegate-private.h
@@ -18,6 +18,7 @@
#ifndef MAGICKCORE_DELEGATE_PRIVATE_H
#define MAGICKCORE_DELEGATE_PRIVATE_H
+#include "MagickCore/locale_.h"
#include "MagickCore/string_.h"
#if defined(MAGICKCORE_GS_DELEGATE)
@@ -110,6 +111,24 @@ static inline char *SanitizeDelegateString(const char *source)
return(sanitize_source);
}
+static inline void FormatSanitizedDelegateOption(char *string,
+ const size_t length,const char *windows_format,
+ const char *non_windows_format,const char *option)
+{
+ char
+ *sanitized_option;
+
+ sanitized_option=SanitizeDelegateString(option);
+#if defined(MAGICKCORE_WINDOWS_SUPPORT)
+ magick_unreferenced(non_windows_format);
+ (void) FormatLocaleString(string,length,windows_format,sanitized_option);
+#else
+ magick_unreferenced(windows_format);
+ (void) FormatLocaleString(string,length,non_windows_format,sanitized_option);
+#endif
+ sanitized_option=DestroyString(sanitized_option);
+}
+
extern MagickPrivate MagickBooleanType
DelegateComponentGenesis(void);
diff --git a/coders/pdf.c b/coders/pdf.c
index 926661e023..2cf36bf1e9 100644
--- a/coders/pdf.c
+++ b/coders/pdf.c
@@ -625,18 +625,10 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
if (option != (char *) NULL)
{
char
- passphrase[MagickPathExtent],
- *sanitize_passphrase;
+ passphrase[MagickPathExtent];
- sanitize_passphrase=SanitizeDelegateString(option);
-#if defined(MAGICKCORE_WINDOWS_SUPPORT)
- (void) FormatLocaleString(passphrase,MagickPathExtent,
- "\"-sPDFPassword=%s\" ",sanitize_passphrase);
-#else
- (void) FormatLocaleString(passphrase,MagickPathExtent,
- "-sPDFPassword='%s' ",sanitize_passphrase);
-#endif
- sanitize_passphrase=DestroyString(sanitize_passphrase);
+ FormatSanitizedDelegateOption(passphrase,MagickPathExtent,
+ "\"-sPDFPassword=%s\" ","-sPDFPassword='%s' ",option);
(void) ConcatenateMagickString(options,passphrase,MagickPathExtent);
}
read_info=CloneImageInfo(image_info);
diff --git a/coders/video.c b/coders/video.c
index e7cfcc0d72..ab546448b2 100644
--- a/coders/video.c
+++ b/coders/video.c
@@ -217,8 +217,7 @@ static Image *ReadVIDEOImage(const ImageInfo *image_info,
message[MagickPathExtent];
char
- *options,
- *sanitized_option;
+ *options;
const char
*intermediate_format,
@@ -234,19 +233,15 @@ static Image *ReadVIDEOImage(const ImageInfo *image_info,
option=GetImageOption(image_info,"video:vsync");
if (option != (const char *) NULL)
{
- sanitized_option=SanitizeDelegateString(option);
- (void) FormatLocaleString(command,MagickPathExtent," -vsync %s",
- sanitized_option);
- DestroyString(sanitized_option);
+ FormatSanitizedDelegateOption(command,MagickPathExtent,
+ " -vsync \"%s\""," -vsync '%s'",option);
(void) ConcatenateMagickString(options,command,MagickPathExtent);
}
option=GetImageOption(image_info,"video:pixel-format");
if (option != (const char *) NULL)
{
- sanitized_option=SanitizeDelegateString(option);
- (void) FormatLocaleString(command,MagickPathExtent," -pix_fmt %s",
- sanitized_option);
- DestroyString(sanitized_option);
+ FormatSanitizedDelegateOption(command,MagickPathExtent,
+ " -pix_fmt \"%s\""," -pix_fmt '%s'",option);
(void) ConcatenateMagickString(options,command,MagickPathExtent);
}
else
@@ -685,8 +680,7 @@ static MagickBooleanType WriteVIDEOImage(const ImageInfo *image_info,
message[MagickPathExtent];
char
- *options,
- *sanitized_option;
+ *options;
const char
*option;
@@ -700,10 +694,8 @@ static MagickBooleanType WriteVIDEOImage(const ImageInfo *image_info,
option=GetImageOption(image_info,"video:pixel-format");
if (option != (const char *) NULL)
{
- sanitized_option=SanitizeDelegateString(option);
- (void) FormatLocaleString(command,MagickPathExtent," -pix_fmt %s",
- sanitized_option);
- DestroyString(sanitized_option);
+ FormatSanitizedDelegateOption(command,MagickPathExtent,
+ " -pix_fmt \"%s\""," -pix_fmt '%s'",option);
(void) ConcatenateMagickString(options,command,MagickPathExtent);
}
AcquireUniqueFilename(write_info->unique);

7
ImageMagick.spec
View File

@ -1,11 +1,13 @@
Name: ImageMagick
Epoch: 1
Version: 7.1.1.8
Release: 1
Release: 2
Summary: Create, edit, compose, or convert bitmap images
License: ImageMagick and MIT
Url: http://www.imagemagick.org/
Source0: https://github.com/ImageMagick/ImageMagick/archive/refs/tags/7.1.1-8.tar.gz
Patch0: CVE-2023-34151.patch
Patch1: CVE-2023-34153.patch
BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -160,6 +162,9 @@ rm PerlMagick/demo/Generic.ttf
%{_libdir}/pkgconfig/ImageMagick*
%changelog
* Thu Jun 08 2023 wangkai <13474090681@163.com> - 1:7.1.1.8-2
- Fix CVE-2023-34151 and CVE-2023-34153
* Mon Apr 24 2023 wangkai <13474090681@163.com> - 1:7.1.1.8-1
- Update to 7.1.1.8 for Fix CVE-2023-1289,CVE-2023-1906