fix CVE-2022-2719

(cherry picked from commit c82779ef8c5dbaba80a4aeae64e10fa438e4b7bc)
2022-08-11 02:57:02 +00:00 · 2022-08-11 02:57:02 +00:00 · c916cb20c0
commit c916cb20c0
parent 684a7a9505
2 changed files with 133 additions and 1 deletions
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@ -1,12 +1,14 @@
 Name:           ImageMagick
 Epoch:          1
 Version:        7.1.0.28
-Release:        1
+Release:        2
 Summary:        Create, edit, compose, or convert bitmap images
 License:        ImageMagick and MIT
 Url:            http://www.imagemagick.org/
 Source0:        https://github.com/ImageMagick/ImageMagick/archive/refs/tags/7.1.0-28.tar.gz

+Patch0001: backport-fix-CVE-2022-2719.patch
+
 BuildRequires:  bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires:  libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
 BuildRequires:  libgs-devel ghostscript-x11 libwmf-devel 
@ -160,6 +162,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick*

 %changelog
+* Wed Aug 10 2022 cenhuilin <cenhuilin@kylinos.cn> - 1:7.1.0.28-2
+- fix CVE-2022-2719
+
 * Fri May 13 2022 houyingchao <houyingchao@h-partners.com> - 7.1.0.28-1
 - Upgrade to 7.1.0.28 for fix CVE-2022-1114

--- a/backport-fix-CVE-2022-2719.patch
+++ b/backport-fix-CVE-2022-2719.patch
@ -0,0 +1,127 @@
+From 7a358f02b613cdb22ca2461ad50275b9e77cb9bd Mon Sep 17 00:00:00 2001
+From: cenhuilin <cenhuilin@kylinos.cn>
+Date: Wed, 10 Aug 2022 03:55:57 +0000
+Subject: [PATCH] do not attempt to write a null image list
+
+---
+ MagickWand/operation.c |  3 ++-
+ coders/tim2.c          | 22 ++++++++++------------
+ 2 files changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/MagickWand/operation.c b/MagickWand/operation.c
+index 383dc7c..9559603 100644
+--- a/MagickWand/operation.c
+++ b/MagickWand/operation.c
+@@ -4923,7 +4923,8 @@ WandPrivate void CLINoImageOperator(MagickCLI *cli_wand,
+       (void) DeleteImageRegistry(key);
+       write_images=CloneImageList(_images,_exception);
+       write_info=CloneImageInfo(_image_info);
+-      (void) WriteImages(write_info,write_images,arg1,_exception);
+      if (write_images != (Image *) NULL)
+        (void) WriteImages(write_info,write_images,arg1,_exception);
+       write_info=DestroyImageInfo(write_info);
+       write_images=DestroyImageList(write_images);
+       break;
+diff --git a/coders/tim2.c b/coders/tim2.c
+index e55170d..c333b86 100644
+--- a/coders/tim2.c
+++ b/coders/tim2.c
+@@ -61,7 +61,6 @@
+ #include "MagickCore/string_.h"
+ #include "MagickCore/module.h"
+ 
+-
+ /*
+  Typedef declarations
+ */
+@@ -124,7 +123,6 @@ typedef enum
+   RGBA16=2,
+ } TIM2ColorEncoding;
+ 
+-
+ /*
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ %                                                                             %
+@@ -142,7 +140,8 @@ typedef enum
+ %
+ %  The format of the ReadTIM2Image method is:
+ %
+-%      Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception)
+%      Image *ReadTIM2Image(const ImageInfo *image_info,
+%        ExceptionInfo *exception)
+ %
+ %  A description of each parameter follows:
+ %
+@@ -600,13 +599,13 @@ static MagickBooleanType ReadTIM2ImageData(const ImageInfo *image_info,
+           image_info->filename);
+         break;
+     }
+-    if (csm==CSM1)
+    if (csm == CSM1)
+       {
+         PixelInfo
+           *oldColormap;
+ 
+-        oldColormap=(PixelInfo *) AcquireQuantumMemory((size_t)(image->colors)+1,
+-          sizeof(*image->colormap));
+        oldColormap=(PixelInfo *) AcquireQuantumMemory((size_t)(image->colors)+
+          1,sizeof(*image->colormap));
+         if (oldColormap == (PixelInfo *) NULL)
+           ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
+             image_info->filename);
+@@ -617,7 +616,8 @@ static MagickBooleanType ReadTIM2ImageData(const ImageInfo *image_info,
+   return(status);
+ }
+ 
+-static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception)
+static Image *ReadTIM2Image(const ImageInfo *image_info,
+  ExceptionInfo *exception)
+ {
+   Image
+     *image;
+@@ -626,6 +626,7 @@ static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception
+     status;
+ 
+   ssize_t
+    i,
+     str_read;
+ 
+   TIM2FileHeader
+@@ -685,7 +686,7 @@ static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception
+    */
+   if (file_header.image_count != 1)
+     ThrowReaderException(CoderError,"NumberOfImagesIsNotSupported");
+-  for (int i=0; i < file_header.image_count; ++i)
+  for (i=0; i < (ssize_t) file_header.image_count; i++)
+   {
+     char
+       clut_depth,
+@@ -780,8 +781,7 @@ static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception
+         break;
+       }
+     image=SyncNextImageInList(image);
+-    status=SetImageProgress(image,LoadImagesTag,image->scene-1,
+-      image->scene);
+    status=SetImageProgress(image,LoadImagesTag,image->scene-1,image->scene);
+     if (status == MagickFalse)
+       break;
+   }
+@@ -791,7 +791,6 @@ static Image *ReadTIM2Image(const ImageInfo *image_info,ExceptionInfo *exception
+   return(GetFirstImageInList(image));
+ }
+ 
+-
+ /*
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ %                                                                             %
+@@ -826,7 +825,6 @@ ModuleExport size_t RegisterTIM2Image(void)
+   return(MagickImageCoderSignature);
+ }
+ 
+-
+ /*
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ %                                                                             %
+-- 
+2.33.0
+