fix CVE-2022-1115

(cherry picked from commit cd8946deb6c4fed620add39ebfc350a5535bf92d)
2022-08-19 21:17:38 +08:00 · 2022-08-19 21:17:38 +08:00 · 3a9bf4e0ca
commit 3a9bf4e0ca
parent 9b8893e3ba
2 changed files with 30 additions and 1 deletions
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@ -1,13 +1,14 @@
 Name:           ImageMagick
 Epoch:          1
 Version:        7.1.0.28
-Release:        2
+Release:        3
 Summary:        Create, edit, compose, or convert bitmap images
 License:        ImageMagick and MIT
 Url:            http://www.imagemagick.org/
 Source0:        https://github.com/ImageMagick/ImageMagick/archive/refs/tags/7.1.0-28.tar.gz

 Patch0001: backport-fix-CVE-2022-2719.patch
+Patch0002: backport-fix-CVE-2022-1115.patch

 BuildRequires:  bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires:  libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -162,6 +163,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick*

 %changelog
+* Fri Aug 19 2022 cenhuilin <cenhuilin@kylinos.cn> - 1:7.1.0.28-3
+- fix CVE-2022-1115
+
 * Wed Aug 10 2022 cenhuilin <cenhuilin@kylinos.cn> - 1:7.1.0.28-2
 - fix CVE-2022-2719

--- a/backport-fix-CVE-2022-1115.patch
+++ b/backport-fix-CVE-2022-1115.patch
@ -0,0 +1,25 @@
+From 7c8ab995a65a32b8283297226e108ce828a5679a Mon Sep 17 00:00:00 2001
+From: cenhuilin <cenhuilin@kylinos.cn>
+Date: Fri, 19 Aug 2022 21:02:49 +0800
+Subject: [PATCH] heap-buffer-overflow in magick at quantum-private.h PushShortPixel
+
+---
+ coders/tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 31839f6..32ae00a 100644
+--- a/coders/tiff.c
+++ b/coders/tiff.c
+@@ -1987,7 +1987,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         number_pixels=(MagickSizeType) columns*rows;
+         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+-        extent=MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
+        extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
+ #if defined(TIFF_VERSION_BIG)
+         extent+=image->columns*sizeof(uint64);
+ #else
+-- 
+2.33.0
+