!48 fix CVE-2020-27768

From: @wang_yue111 Reviewed-by: @wangxiao65,@small_leek Signed-off-by: @small_leek
2021-03-03 15:44:28 +08:00 · 2021-03-03 15:44:28 +08:00 · cc2def3fce
commit cc2def3fce
parent b399c305e1 53bf9fbc8f
4 changed files with 219 additions and 1 deletions
--- a/CVE-2020-27768-pre1.patch
+++ b/CVE-2020-27768-pre1.patch
@ -0,0 +1,25 @@
 From 3123c4298aab5ae2c0d5016d2b92bbb7896b3a29 Mon Sep 17 00:00:00 2001
 From: wang_yue111 <648774160@qq.com>
 Date: Wed, 3 Mar 2021 10:31:02 +0800
 Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1712
 ---
 magick/quantum-private.h | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/magick/quantum-private.h b/magick/quantum-private.h
 index 6ce4038..6654c1d 100644
 --- a/magick/quantum-private.h
 +++ b/magick/quantum-private.h
@@ -324,6 +324,8 @@ static inline Quantum ScaleAnyToQuantum(const QuantumAny quantum,
 static inline QuantumAny ScaleQuantumToAny(const Quantum quantum,
   const QuantumAny range)
 {
 +  if (quantum < 0)
 +    return((QuantumAny) 0);
   return((QuantumAny) (((MagickRealType) range*quantum)/QuantumRange+0.5));
 }
 -- 
 2.23.0
--- a/CVE-2020-27768-pre2.patch
+++ b/CVE-2020-27768-pre2.patch
@ -0,0 +1,49 @@
 From 89cd11f012ee5322746e307efd3089dcfc9fa129 Mon Sep 17 00:00:00 2001
 From: wang_yue111 <648774160@qq.com>
 Date: Wed, 3 Mar 2021 10:38:53 +0800
 Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1727
 ---
 magick/quantum-private.h | 12 +++++++++---
 magick/quantum.c         |  2 +-
 2 files changed, 10 insertions(+), 4 deletions(-)
 diff --git a/magick/quantum-private.h b/magick/quantum-private.h
 index 6654c1d..7d51397 100644
 --- a/magick/quantum-private.h
 +++ b/magick/quantum-private.h
@@ -324,9 +324,15 @@ static inline Quantum ScaleAnyToQuantum(const QuantumAny quantum,
 static inline QuantumAny ScaleQuantumToAny(const Quantum quantum,
   const QuantumAny range)
 {
 -  if (quantum < 0)
 -    return((QuantumAny) 0);
 -  return((QuantumAny) (((MagickRealType) range*quantum)/QuantumRange+0.5));
 +#if !defined(MAGICKCORE_HDRI_SUPPORT)
 +  return((QuantumAny) ((MagickRealType) range*quantum/QuantumRange));
 +#else
 +  if (quantum <= 0.0)
 +    return((QuantumAny) 0UL);
 +  if (((MagickRealType) range*quantum/QuantumRange) >= 18446744073709551615.0)
 +    return((QuantumAny) MagickULLConstant(18446744073709551615));
 +  return((QuantumAny) ((MagickRealType) range*quantum/QuantumRange+0.5));
 +#endif
 }
 #if (MAGICKCORE_QUANTUM_DEPTH == 8)
 diff --git a/magick/quantum.c b/magick/quantum.c
 index 8edd7e3..37ae6db 100644
 --- a/magick/quantum.c
 +++ b/magick/quantum.c
@@ -674,7 +674,7 @@ MagickExport MagickBooleanType SetQuantumDepth(const Image *image,
     (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);
   assert(quantum_info != (QuantumInfo *) NULL);
   assert(quantum_info->signature == MagickCoreSignature);
 -  quantum_info->depth=depth;
 +  quantum_info->depth=MagickMin(depth,64);
   if (quantum_info->format == FloatingPointQuantumFormat)
     {
       if (quantum_info->depth > 32)
 -- 
 2.23.0
--- a/CVE-2020-27768.patch
+++ b/CVE-2020-27768.patch
@ -0,0 +1,138 @@
 From 6f4e6ab0e4dd78460e04aca3c8f38bbf8de837b5 Mon Sep 17 00:00:00 2001
 From: wang_yue111 <648774160@qq.com>
 Date: Wed, 3 Mar 2021 11:01:31 +0800
 Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1751
 ---
 magick/quantum-private.h | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)
 diff --git a/magick/quantum-private.h b/magick/quantum-private.h
 index 7d51397..d4b0143 100644
 --- a/magick/quantum-private.h
 +++ b/magick/quantum-private.h
@@ -327,7 +327,7 @@ static inline QuantumAny ScaleQuantumToAny(const Quantum quantum,
 #if !defined(MAGICKCORE_HDRI_SUPPORT)
   return((QuantumAny) ((MagickRealType) range*quantum/QuantumRange));
 #else
 -  if (quantum <= 0.0)
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
     return((QuantumAny) 0UL);
   if (((MagickRealType) range*quantum/QuantumRange) >= 18446744073709551615.0)
     return((QuantumAny) MagickULLConstant(18446744073709551615));
@@ -368,8 +368,8 @@ static inline unsigned int ScaleQuantumToLong(const Quantum quantum)
 #if !defined(MAGICKCORE_HDRI_SUPPORT)
   return((unsigned int) (16843009UL*quantum));
 #else
 -  if (quantum <= 0.0)
 -    return(0UL);
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
 +    return(0U);
   if ((16843009.0*quantum) >= 4294967295.0)
     return(4294967295UL);
   return((unsigned int) (16843009.0*quantum+0.5));
@@ -383,8 +383,8 @@ static inline unsigned int ScaleQuantumToMap(const Quantum quantum)
 #if !defined(MAGICKCORE_HDRI_SUPPORT)
   return((unsigned int) quantum);
 #else
 -  if (quantum < 0.0)
 -    return(0UL);
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
 +    return(0U);
   return((unsigned int) (quantum+0.5));
 #endif
 }
@@ -394,7 +394,7 @@ static inline unsigned short ScaleQuantumToShort(const Quantum quantum)
 #if !defined(MAGICKCORE_HDRI_SUPPORT)
   return((unsigned short) (257UL*quantum));
 #else
 -  if (quantum <= 0.0)
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
     return(0);
   if ((257.0*quantum) >= 65535.0)
     return(65535);
@@ -447,8 +447,8 @@ static inline unsigned int ScaleQuantumToLong(const Quantum quantum)
 #if !defined(MAGICKCORE_HDRI_SUPPORT)
   return((unsigned int) (65537UL*quantum));
 #else
 -  if (quantum <= 0.0)
 -    return(0UL);
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
 +    return(0U);
   if ((65537.0*quantum) >= 4294967295.0)
     return(4294967295U);
   return((unsigned int) (65537.0*quantum+0.5));
@@ -462,8 +462,8 @@ static inline unsigned int ScaleQuantumToMap(const Quantum quantum)
 #if !defined(MAGICKCORE_HDRI_SUPPORT)
   return((unsigned int) quantum);
 #else
 -  if (quantum < 0.0)
 -    return(0UL);
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
 +    return(0U);
   return((unsigned int) (quantum+0.5));
 #endif
 }
@@ -473,7 +473,7 @@ static inline unsigned short ScaleQuantumToShort(const Quantum quantum)
 #if !defined(MAGICKCORE_HDRI_SUPPORT)
   return((unsigned short) quantum);
 #else
 -  if (quantum <= 0.0)
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
     return(0);
   if (quantum >= 65535.0)
     return(65535);
@@ -518,8 +518,8 @@ static inline unsigned int ScaleQuantumToLong(const Quantum quantum)
 #if !defined(MAGICKCORE_HDRI_SUPPORT)
   return((unsigned int) quantum);
 #else
 -  if (quantum <= 0.0)
 -    return(0);
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
 +    return(0U);
   if ((quantum) >= 4294967295.0)
     return(4294967295);
   return((unsigned int) (quantum+0.5));
@@ -528,8 +528,8 @@ static inline unsigned int ScaleQuantumToLong(const Quantum quantum)
 static inline unsigned int ScaleQuantumToMap(const Quantum quantum)
 {
 -  if (quantum < 0.0)
 -    return(0UL);
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
 +    return(0U);
   if ((quantum/65537) >= (Quantum) MaxMap)
     return((unsigned int) MaxMap);
 #if !defined(MAGICKCORE_HDRI_SUPPORT)
@@ -546,7 +546,7 @@ static inline unsigned short ScaleQuantumToShort(const Quantum quantum)
   return((unsigned short) ((quantum+MagickULLConstant(32768))/
     MagickULLConstant(65537)));
 #else
 -  if (quantum <= 0.0)
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
     return(0);
   if ((quantum/65537.0) >= 65535.0)
     return(65535);
@@ -589,8 +589,8 @@ static inline unsigned int ScaleQuantumToLong(const Quantum quantum)
 static inline unsigned int ScaleQuantumToMap(const Quantum quantum)
 {
 -  if (quantum <= 0.0)
 -    return(0UL);
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
 +    return(0U);
   if ((quantum/281479271743489.0) >= MaxMap)
     return((unsigned int) MaxMap);
   return((unsigned int) (quantum/281479271743489.0+0.5));
@@ -598,7 +598,7 @@ static inline unsigned int ScaleQuantumToMap(const Quantum quantum)
 static inline unsigned short ScaleQuantumToShort(const Quantum quantum)
 {
 -  if (quantum <= 0.0)
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
     return(0);
   if ((quantum/281479271743489.0) >= 65535.0)
     return(65535);
 -- 
 2.23.0
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@ -1,7 +1,7 @@
 Name:           ImageMagick
 Epoch:          1
 Version:        6.9.10.67
-Release:        13
+Release:        14
 Summary:        Create, edit, compose, or convert bitmap images
 License:        ImageMagick and MIT
 Url:            http://www.imagemagick.org/
@ -35,6 +35,9 @@ Patch0025:      CVE-2020-25664.patch
 Patch0026:      CVE-2021-20176.patch
 Patch0027:      CVE-2020-27763.patch
 Patch0028:      CVE-2020-27773.patch
 Patch0029:      CVE-2020-27768-pre1.patch
 Patch0030:      CVE-2020-27768-pre2.patch
 Patch0031:      CVE-2020-27768.patch
 BuildRequires:  bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires:  libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -191,6 +194,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick++*
 %changelog
 * Wed Mar 03 2021 wangyue <wangyue92@huawei.com> - 6.9.10.67-14
 - Fix CVE-2020-27768
 * Mon Mar 01 2021 wangyue <wangyue92@huawei.com> - 6.9.10.67-13
 - Fix CVE-2020-27773 CVE-2020-27763