packages/ImageMagick
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2020-27756 CVE-2020-25667 CVE-2020-27753

Browse Source
This commit is contained in:
wang_yue111 2021-06-03 15:25:26 +08:00
parent fcc1140da8
commit b0945eda09
4 changed files with 244 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
CVE-2020-25667.patch Normal file
View File

@ -0,0 +1,36 @@
From 14ba3e46a66c4799d643c7b959792e185c6599c7 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sun, 13 Oct 2019 11:20:29 -0400
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1748
---
coders/tiff.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index c21f546bce..e7e6b67aa0 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -648,9 +648,20 @@ static void TIFFGetProfiles(TIFF *tiff,Image *image)
if ((TIFFGetField(tiff,TIFFTAG_XMLPACKET,&length,&profile) == 1) &&
(profile != (unsigned char *) NULL))
{
+ StringInfo
+ *dng;
+
(void) ReadProfile(image,"xmp",profile,(ssize_t) length);
- if (strstr((char *) profile,"dc:format=\"image/dng\"") != (char *) NULL)
- (void) CopyMagickString(image->magick,"DNG",MagickPathExtent);
+ dng=BlobToStringInfo(profile,length);
+ if (dng != (StringInfo *) NULL)
+ {
+ const char
+ *target = "dc:format=\"image/dng\"";
+
+ if (strstr((char *) GetStringInfoDatum(dng),target) != (char *) NULL)
+ (void) CopyMagickString(image->magick,"DNG",MagickPathExtent);
+ dng=DestroyStringInfo(dng);
+ }
}
#endif
if ((TIFFGetField(tiff,34118,&length,&profile) == 1) &&

170
CVE-2020-27753.patch Normal file
View File

@ -0,0 +1,170 @@
From 6f5d3d2cd94eb8361e07546c4bf72cb60681b984 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 16 Oct 2019 19:36:11 -0400
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1757
---
coders/miff.c | 40 ++++++++++------------------------------
1 file changed, 10 insertions(+), 30 deletions(-)
diff --git a/coders/miff.c b/coders/miff.c
index d4a9b44bbe..3dfcbb73b2 100644
--- a/coders/miff.c
+++ b/coders/miff.c
@@ -224,6 +224,7 @@ static void PushRunlengthPacket(Image *image,const unsigned char *pixels,
switch (image->depth)
{
case 32:
+ default:
{
*index=ConstrainColormapIndex(image,(ssize_t) (((size_t) *p << 24) |
((size_t) *(p+1) << 16) | ((size_t) *(p+2) << 8) |
@@ -244,9 +245,6 @@ static void PushRunlengthPacket(Image *image,const unsigned char *pixels,
p++;
break;
}
- default:
- (void) ThrowMagickException(&image->exception,GetMagickModule(),
- CorruptImageError,"ImageDepthNotSupported","`%s'",image->filename);
}
*pixel=image->colormap[(ssize_t) *index];
switch (image->depth)
@@ -277,6 +275,7 @@ static void PushRunlengthPacket(Image *image,const unsigned char *pixels,
break;
}
case 32:
+ default:
{
unsigned int
quantum;
@@ -289,9 +288,6 @@ static void PushRunlengthPacket(Image *image,const unsigned char *pixels,
}
break;
}
- default:
- (void) ThrowMagickException(&image->exception,GetMagickModule(),
- CorruptImageError,"ImageDepthNotSupported","`%s'",image->filename);
}
*length=((size_t) *p++)+1;
return;
@@ -359,6 +355,7 @@ static void PushRunlengthPacket(Image *image,const unsigned char *pixels,
break;
}
case 32:
+ default:
{
unsigned int
quantum;
@@ -390,9 +387,6 @@ static void PushRunlengthPacket(Image *image,const unsigned char *pixels,
}
break;
}
- default:
- (void) ThrowMagickException(&image->exception,GetMagickModule(),
- CorruptImageError,"ImageDepthNotSupported","`%s'",image->filename);
}
*length=(size_t) (*p++)+1;
}
@@ -1120,7 +1114,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
(image->compression == UndefinedCompression) ||
(image->colorspace == UndefinedColorspace) ||
(image->columns == 0) || (image->rows == 0) ||
- (image->depth == 0) || (image->depth > 64))
+ (image->depth == 0) || (image->depth > 32))
{
if (profiles != (LinkedListInfo *) NULL)
profiles=DestroyLinkedList(profiles,RelinquishMagickMemory);
@@ -1239,9 +1233,6 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
p=colormap;
switch (image->depth)
{
- default:
- colormap=(unsigned char *) RelinquishMagickMemory(colormap);
- ThrowMIFFException(CorruptImageError,"ImageDepthNotSupported");
case 8:
{
unsigned char
@@ -1275,6 +1266,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
break;
}
case 32:
+ default:
{
unsigned int
pixel;
@@ -1855,6 +1847,7 @@ static unsigned char *PopRunlengthPacket(Image *image,unsigned char *pixels,
switch (image->depth)
{
case 32:
+ default:
{
*pixels++=(unsigned char) (value >> 24);
*pixels++=(unsigned char) (value >> 16);
@@ -1866,13 +1859,11 @@ static unsigned char *PopRunlengthPacket(Image *image,unsigned char *pixels,
*pixels++=(unsigned char) value;
break;
}
- default:
- (void) ThrowMagickException(&image->exception,GetMagickModule(),
- CorruptImageError,"ImageDepthNotSupported","`%s'",image->filename);
}
switch (image->depth)
{
case 32:
+ default:
{
unsigned int
value;
@@ -1908,9 +1899,6 @@ static unsigned char *PopRunlengthPacket(Image *image,unsigned char *pixels,
}
break;
}
- default:
- (void) ThrowMagickException(&image->exception,GetMagickModule(),
- CorruptImageError,"ImageDepthNotSupported","`%s'",image->filename);
}
*pixels++=(unsigned char) length;
return(pixels);
@@ -1918,6 +1906,7 @@ static unsigned char *PopRunlengthPacket(Image *image,unsigned char *pixels,
switch (image->depth)
{
case 32:
+ default:
{
unsigned int
value;
@@ -1995,9 +1984,6 @@ static unsigned char *PopRunlengthPacket(Image *image,unsigned char *pixels,
}
break;
}
- default:
- (void) ThrowMagickException(&image->exception,GetMagickModule(),
- CorruptImageError,"ImageDepthNotSupported","`%s'",image->filename);
}
*pixels++=(unsigned char) length;
return(pixels);
@@ -2091,8 +2077,7 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info,
if ((image->storage_class == PseudoClass) &&
(image->colors > (size_t) (GetQuantumRange(image->depth)+1)))
(void) SetImageStorageClass(image,DirectClass);
- image->depth=image->depth <= 8 ? 8UL : image->depth <= 16 ? 16UL :
- image->depth <= 32 ? 32UL : 64UL;
+ image->depth=image->depth <= 8 ? 8UL : image->depth <= 16 ? 16UL : 32UL;
quantum_info=AcquireQuantumInfo(image_info,image);
if (quantum_info == (QuantumInfo *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
@@ -2449,13 +2434,8 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info,
{
switch (quantum_info->depth)
{
- default:
- {
- colormap=(unsigned char *) RelinquishMagickMemory(colormap);
- ThrowWriterException(CorruptImageError,"ImageDepthNotSupported");
- break;
- }
case 32:
+ default:
{
register unsigned int
pixel;

31
CVE-2020-27756.patch Normal file
View File

@ -0,0 +1,31 @@
From d3d96f05950275b916207bf9df03640ef3e9fd6e Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sun, 6 Oct 2019 09:31:02 -0400
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1725
---
magick/geometry.c | 8 ++++----
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/magick/geometry.c b/magick/geometry.c
index 27f99f8438..101810ca5e 100644
--- a/magick/geometry.c
+++ b/magick/geometry.c
@@ -1423,13 +1423,13 @@ MagickExport MagickStatusType ParseMetaGeometry(const char *geometry,ssize_t *x,
if (geometry_ratio >= image_ratio)
{
*width=former_width;
- *height=(size_t) floor((double) (former_height*image_ratio/
- geometry_ratio)+0.5);
+ *height=(size_t) floor((double) (PerceptibleReciprocal(
+ geometry_ratio)*former_height*image_ratio)+0.5);
}
else
{
- *width=(size_t) floor((double) (former_width*geometry_ratio/
- image_ratio)+0.5);
+ *width=(size_t) floor((double) (PerceptibleReciprocal(
+ image_ratio)*former_width*geometry_ratio)+0.5);
*height=former_height;
}
former_width=(*width);

8
ImageMagick.spec
View File

@ -1,7 +1,7 @@
Name: ImageMagick
Epoch: 1
Version: 6.9.10.67
Release: 24
Release: 25
Summary: Create, edit, compose, or convert bitmap images
License: ImageMagick and MIT
Url: http://www.imagemagick.org/
@ -58,6 +58,9 @@ Patch0048: CVE-2020-27752.patch
Patch0049: CVE-2021-20309.patch
Patch0050: CVE-2021-20311-20312-20313.patch
Patch0051: CVE-2020-27769.patch
Patch0052: CVE-2020-27756.patch
Patch0053: CVE-2020-25667.patch
Patch0054: CVE-2020-27753.patch
BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -214,6 +217,9 @@ rm PerlMagick/demo/Generic.ttf
%{_libdir}/pkgconfig/ImageMagick++*
%changelog
* Thu Jun 03 2021 wangyue <wangyue92@huawei.com> - 6.9.10.67-25
- Fix CVE-2020-27756 CVE-2020-25667 CVE-2020-27753
* Tue May 25 2021 wangyue <wangyue92@huawei.com> - 6.9.10.67-24
- Fix CVE-2020-27769