!26 fix CVE-2020-25664 CVE-2020-27754

From: @zhanghua1831
Reviewed-by: @wang_yue111,@small_leek
Signed-off-by: @small_leek

CVE-2020-25664.patch

@@ -0,0 +1,27 @@
+From 27d3ddedb73f63fa984ff5b4d66e07eef654070f Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 4 Oct 2019 19:08:29 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1716
+
+---
+ coders/png.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/coders/png.c b/coders/png.c
+index 410741059..ee6fba297 100644
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -11177,11 +11177,11 @@ static MagickBooleanType WriteOnePNGImage(MngInfo *mng_info,
+       (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+         "    Allocating %.20g bytes of memory for pixels",(double) rowbytes);
+     }
+-  pixel_info=AcquireVirtualMemory(rowbytes,sizeof(*ping_pixels));
++  pixel_info=AcquireVirtualMemory(rowbytes+256,sizeof(*ping_pixels));
+   if (pixel_info == (MemoryInfo *) NULL)
+     png_error(ping,"Allocation of memory for pixels failed");
+   ping_pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
+-  (void) memset(ping_pixels,0,rowbytes*sizeof(*ping_pixels));
++  (void) memset(ping_pixels,0,(rowbytes+256)*sizeof(*ping_pixels));
+   /*
+     Initialize image scanlines.
+   */

CVE-2020-27754-pre-1.patch

@@ -0,0 +1,24 @@
+From 2000dd1a7da8098483b8937b53ff3b6ff3048c97 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 13 Oct 2019 12:16:40 -0400
+Subject: [PATCH] ...
+
+---
+ magick/quantize.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/magick/quantize.c b/magick/quantize.c
+index 9c081d3f9..355d69de7 100644
+--- a/magick/quantize.c
++++ b/magick/quantize.c
+@@ -3218,8 +3218,8 @@ static int IntensityCompare(const void *x,const void *y)
+ 
+   color_1=(PixelPacket *) x;
+   color_2=(PixelPacket *) y;
+-  intensity=(ssize_t) (PixelPacketIntensity(color_1)-
+-    PixelPacketIntensity(color_2));
++  intensity=(ssize_t) PixelPacketIntensity(color_1)-
++    (ssize_t) PixelPacketIntensity(color_2));
+   return((int) intensity);
+ }
+ 

CVE-2020-27754-pre-2.patch

@@ -0,0 +1,22 @@
+From 8c5cbc85c397fff55b859b50c4bc2ab7a79571da Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 13 Oct 2019 15:22:43 -0400
+Subject: [PATCH] ...
+
+---
+ magick/quantize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/magick/quantize.c b/magick/quantize.c
+index 355d69de7..37f58914a 100644
+--- a/magick/quantize.c
++++ b/magick/quantize.c
+@@ -3219,7 +3219,7 @@ static int IntensityCompare(const void *x,const void *y)
+   color_1=(PixelPacket *) x;
+   color_2=(PixelPacket *) y;
+   intensity=(ssize_t) PixelPacketIntensity(color_1)-
+-    (ssize_t) PixelPacketIntensity(color_2));
++    (ssize_t) PixelPacketIntensity(color_2);
+   return((int) intensity);
+ }
+ 

CVE-2020-27754.patch

@@ -0,0 +1,40 @@
+From d5df600d43c8706df513a3273d09aee6f54a9233 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 14 Oct 2019 19:56:17 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1754
+
+---
+ magick/quantize.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/magick/quantize.c b/magick/quantize.c
+index 37f58914a..1d8cc61ff 100644
+--- a/magick/quantize.c
++++ b/magick/quantize.c
+@@ -3207,6 +3207,15 @@ MagickExport MagickBooleanType RemapImages(const QuantizeInfo *quantize_info,
+ extern "C" {
+ #endif
+ 
++static inline double ConstrainPixelIntensity(double x)
++{
++  if (x < (double) -(SSIZE_MAX-512))
++    return((double) -(SSIZE_MAX-512));
++  if (x > (double) (SSIZE_MAX-512))
++    return((double) (SSIZE_MAX-512));
++  return(x);
++}
++
+ static int IntensityCompare(const void *x,const void *y)
+ {
+   PixelPacket
+@@ -3218,8 +3227,8 @@ static int IntensityCompare(const void *x,const void *y)
+ 
+   color_1=(PixelPacket *) x;
+   color_2=(PixelPacket *) y;
+-  intensity=(ssize_t) PixelPacketIntensity(color_1)-
+-    (ssize_t) PixelPacketIntensity(color_2);
++  intensity=(ssize_t) ConstrainPixelIntensity(PixelPacketIntensity(color_1))-
++    (ssize_t) ConstrainPixelIntensity(PixelPacketIntensity(color_2));
+   return((int) intensity);
+ }
+ 

ImageMagick.spec

@@ -1,7 +1,7 @@
 Name:           ImageMagick
 Epoch:          1
 Version:        6.9.10.67
-Release:        10
+Release:        11
 Summary:        Create, edit, compose, or convert bitmap images
 License:        ImageMagick and MIT
 Url:            http://www.imagemagick.org/
@@ -28,6 +28,10 @@ Patch0018:      CVE-2020-29599-7.patch
 Patch0019:      CVE-2020-29599-8.patch
 Patch0020:      CVE-2020-29599-9.patch
 Patch0021:      CVE-2020-29599-10.patch
+Patch0022:      CVE-2020-27754-pre-1.patch
+Patch0023:      CVE-2020-27754-pre-2.patch
+Patch0024:      CVE-2020-27754.patch
+Patch0025:      CVE-2020-25664.patch
 
 BuildRequires:  bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires:  libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@@ -184,6 +188,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick++*
 
 %changelog
+* Wed Feb 10 2021 zhanghua <zhanghua40@huawei.com> - 6.9.10.67-11
+- fix CVE-2020-25664 CVE-2020-27754
+
 * Wed Jan 13 2021 wangxiao <wangxiao65@huawei.com> - 6.9.10.67-10
 - add MIT license