packages/ImageMagick
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-25664 CVE-2020-27754

Browse Source
This commit is contained in:
zhanghua1831 2021-02-10 15:33:27 +08:00
parent 4c0b0abf64
commit 631ff3e8ef
5 changed files with 121 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
CVE-2020-25664.patch Normal file
View File

@ -0,0 +1,27 @@
From 27d3ddedb73f63fa984ff5b4d66e07eef654070f Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Fri, 4 Oct 2019 19:08:29 -0400
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1716
---
coders/png.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/coders/png.c b/coders/png.c
index 410741059..ee6fba297 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -11177,11 +11177,11 @@ static MagickBooleanType WriteOnePNGImage(MngInfo *mng_info,
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
" Allocating %.20g bytes of memory for pixels",(double) rowbytes);
}
- pixel_info=AcquireVirtualMemory(rowbytes,sizeof(*ping_pixels));
+ pixel_info=AcquireVirtualMemory(rowbytes+256,sizeof(*ping_pixels));
if (pixel_info == (MemoryInfo *) NULL)
png_error(ping,"Allocation of memory for pixels failed");
ping_pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
- (void) memset(ping_pixels,0,rowbytes*sizeof(*ping_pixels));
+ (void) memset(ping_pixels,0,(rowbytes+256)*sizeof(*ping_pixels));
/*
Initialize image scanlines.
*/

24
CVE-2020-27754-pre-1.patch Normal file
View File

@ -0,0 +1,24 @@
From 2000dd1a7da8098483b8937b53ff3b6ff3048c97 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sun, 13 Oct 2019 12:16:40 -0400
Subject: [PATCH] ...
---
magick/quantize.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/magick/quantize.c b/magick/quantize.c
index 9c081d3f9..355d69de7 100644
--- a/magick/quantize.c
+++ b/magick/quantize.c
@@ -3218,8 +3218,8 @@ static int IntensityCompare(const void *x,const void *y)
color_1=(PixelPacket *) x;
color_2=(PixelPacket *) y;
- intensity=(ssize_t) (PixelPacketIntensity(color_1)-
- PixelPacketIntensity(color_2));
+ intensity=(ssize_t) PixelPacketIntensity(color_1)-
+ (ssize_t) PixelPacketIntensity(color_2));
return((int) intensity);
}

22
CVE-2020-27754-pre-2.patch Normal file
View File

@ -0,0 +1,22 @@
From 8c5cbc85c397fff55b859b50c4bc2ab7a79571da Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sun, 13 Oct 2019 15:22:43 -0400
Subject: [PATCH] ...
---
magick/quantize.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/magick/quantize.c b/magick/quantize.c
index 355d69de7..37f58914a 100644
--- a/magick/quantize.c
+++ b/magick/quantize.c
@@ -3219,7 +3219,7 @@ static int IntensityCompare(const void *x,const void *y)
color_1=(PixelPacket *) x;
color_2=(PixelPacket *) y;
intensity=(ssize_t) PixelPacketIntensity(color_1)-
- (ssize_t) PixelPacketIntensity(color_2));
+ (ssize_t) PixelPacketIntensity(color_2);
return((int) intensity);
}

40
CVE-2020-27754.patch Normal file
View File

@ -0,0 +1,40 @@
From d5df600d43c8706df513a3273d09aee6f54a9233 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Mon, 14 Oct 2019 19:56:17 -0400
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1754
---
magick/quantize.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/magick/quantize.c b/magick/quantize.c
index 37f58914a..1d8cc61ff 100644
--- a/magick/quantize.c
+++ b/magick/quantize.c
@@ -3207,6 +3207,15 @@ MagickExport MagickBooleanType RemapImages(const QuantizeInfo *quantize_info,
extern "C" {
#endif
+static inline double ConstrainPixelIntensity(double x)
+{
+ if (x < (double) -(SSIZE_MAX-512))
+ return((double) -(SSIZE_MAX-512));
+ if (x > (double) (SSIZE_MAX-512))
+ return((double) (SSIZE_MAX-512));
+ return(x);
+}
+
static int IntensityCompare(const void *x,const void *y)
{
PixelPacket
@@ -3218,8 +3227,8 @@ static int IntensityCompare(const void *x,const void *y)
color_1=(PixelPacket *) x;
color_2=(PixelPacket *) y;
- intensity=(ssize_t) PixelPacketIntensity(color_1)-
- (ssize_t) PixelPacketIntensity(color_2);
+ intensity=(ssize_t) ConstrainPixelIntensity(PixelPacketIntensity(color_1))-
+ (ssize_t) ConstrainPixelIntensity(PixelPacketIntensity(color_2));
return((int) intensity);
}

9
ImageMagick.spec
View File

@ -1,7 +1,7 @@
Name: ImageMagick Name: ImageMagick
Epoch: 1 Epoch: 1
Version: 6.9.10.67 Version: 6.9.10.67
Release: 10 Release: 11
Summary: Create, edit, compose, or convert bitmap images Summary: Create, edit, compose, or convert bitmap images
License: ImageMagick and MIT License: ImageMagick and MIT
Url: http://www.imagemagick.org/ Url: http://www.imagemagick.org/
@ -28,6 +28,10 @@ Patch0018: CVE-2020-29599-7.patch
Patch0019: CVE-2020-29599-8.patch Patch0019: CVE-2020-29599-8.patch
Patch0020: CVE-2020-29599-9.patch Patch0020: CVE-2020-29599-9.patch
Patch0021: CVE-2020-29599-10.patch Patch0021: CVE-2020-29599-10.patch
Patch0022: CVE-2020-27754-pre-1.patch
Patch0023: CVE-2020-27754-pre-2.patch
Patch0024: CVE-2020-27754.patch
Patch0025: CVE-2020-25664.patch
BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -184,6 +188,9 @@ rm PerlMagick/demo/Generic.ttf
%{_libdir}/pkgconfig/ImageMagick++* %{_libdir}/pkgconfig/ImageMagick++*
%changelog %changelog
* Wed Feb 10 2021 zhanghua <zhanghua40@huawei.com> - 6.9.10.67-11
- fix CVE-2020-25664 CVE-2020-27754
* Wed Jan 13 2021 wangxiao <wangxiao65@huawei.com> - 6.9.10.67-10 * Wed Jan 13 2021 wangxiao <wangxiao65@huawei.com> - 6.9.10.67-10
- add MIT license - add MIT license