!88 Fix CVE-2020-25666 CVE-2020-25675

From: @wangxiao65
Reviewed-by: @small_leek
Signed-off-by: @small_leek

CVE-2020-25666-1.patch

@@ -0,0 +1,30 @@
+From 91ae12c57f3b9b23f2072462c27a8378b59f395e Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 13 Oct 2019 11:56:58 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1750
+
+---
+ magick/histogram.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/magick/histogram.c b/magick/histogram.c
+index 36b803a77..68e25fc83 100644
+--- a/magick/histogram.c
++++ b/magick/histogram.c
+@@ -1157,12 +1157,12 @@ static int HistogramCompare(const void *x,const void *y)
+   color_1=(const ColorPacket *) x;
+   color_2=(const ColorPacket *) y;
+   if (color_2->pixel.red != color_1->pixel.red)
+-    return((int) color_1->pixel.red-(int) color_2->pixel.red);
++    return((int) ((ssize_t) color_1->red-(ssize_t) color_2->red));
+   if (color_2->pixel.green != color_1->pixel.green)
+-    return((int) color_1->pixel.green-(int) color_2->pixel.green);
++    return((int) ((ssize_t) color_1->green-(ssize_t) color_2->green));
+   if (color_2->pixel.blue != color_1->pixel.blue)
+-    return((int) color_1->pixel.blue-(int) color_2->pixel.blue);
+-  return((int) color_2->count-(int) color_1->count);
++    return((int) ((ssize_t) color_1->blue-(ssize_t) color_2->blue));
++  return((int) ((ssize_t) color_2->count-(ssize_t) color_1->count));
+ }
+ 
+ #if defined(__cplusplus) || defined(c_plusplus)

CVE-2020-25666-2.patch

@@ -0,0 +1,28 @@
+From 245d884e1868ff9b932adad5fcacf9e3e1eb4c7f Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 13 Oct 2019 14:44:54 -0400
+Subject: [PATCH] ...
+
+---
+ magick/histogram.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/magick/histogram.c b/magick/histogram.c
+index 68e25fc83..ca210f71c 100644
+--- a/magick/histogram.c
++++ b/magick/histogram.c
+@@ -1157,11 +1157,11 @@ static int HistogramCompare(const void *x,const void *y)
+   color_1=(const ColorPacket *) x;
+   color_2=(const ColorPacket *) y;
+   if (color_2->pixel.red != color_1->pixel.red)
+-    return((int) ((ssize_t) color_1->red-(ssize_t) color_2->red));
++    return((int) ((ssize_t) color_1->pixel.red-(ssize_t) color_2->pixel.red));
+   if (color_2->pixel.green != color_1->pixel.green)
+-    return((int) ((ssize_t) color_1->green-(ssize_t) color_2->green));
++    return((int) ((ssize_t) color_1->pixel.green-(ssize_t) color_2->pixel.green));
+   if (color_2->pixel.blue != color_1->pixel.blue)
+-    return((int) ((ssize_t) color_1->blue-(ssize_t) color_2->blue));
++    return((int) ((ssize_t) color_1->pixel.blue-(ssize_t) color_2->pixel.blue));
+   return((int) ((ssize_t) color_2->count-(ssize_t) color_1->count));
+ }
+ 

CVE-2020-25675.patch

@@ -0,0 +1,86 @@
+From 6b169173585127299f4724f7880b575879c7f033 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Tue, 8 Oct 2019 19:06:11 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1731
+
+---
+ magick/transform.c | 31 ++++++++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+diff --git a/magick/transform.c b/magick/transform.c
+index 9edac6210..bbf351aa8 100644
+--- a/magick/transform.c
++++ b/magick/transform.c
+@@ -829,14 +829,23 @@ MagickExport Image *CropImage(const Image *image,const RectangleInfo *geometry,
+ %
+ */
+ 
+-static inline double MagickRound(double x)
++static inline double ConstrainPixelOffset(double x)
++{
++  if (x < (double) -(SSIZE_MAX-512))
++    return((double) -(SSIZE_MAX-512));
++  if (x > (double) (SSIZE_MAX-512))
++    return((double) (SSIZE_MAX-512));
++  return(x);
++}
++
++static inline ssize_t PixelRoundOffset(double x)
+ {
+   /*
+     Round the fraction to nearest integer.
+   */
+   if ((x-floor(x)) < (ceil(x)-x))
+-    return(floor(x));
+-  return(ceil(x));
++    return((ssize_t) floor(ConstrainPixelOffset(x)));
++  return((ssize_t) ceil(ConstrainPixelOffset(x)));
+ }
+ 
+ MagickExport Image *CropImageToTiles(const Image *image,
+@@ -901,18 +910,18 @@ MagickExport Image *CropImageToTiles(const Image *image,
+       {
+         if ((flags & AspectValue) == 0)
+           {
+-            crop.y=(ssize_t) MagickRound((MagickRealType) (offset.y-
++            crop.y=PixelRoundOffset((MagickRealType) (offset.y-
+               (geometry.y > 0 ? 0 : geometry.y)));
+             offset.y+=delta.y;   /* increment now to find width */
+-            crop.height=(size_t) MagickRound((MagickRealType) (offset.y+
++            crop.height=(size_t) PixelRoundOffset((MagickRealType) (offset.y+
+               (geometry.y < 0 ? 0 : geometry.y)));
+           }
+         else
+           {
+-            crop.y=(ssize_t) MagickRound((MagickRealType) (offset.y-
++            crop.y=PixelRoundOffset((MagickRealType) (offset.y-
+               (geometry.y > 0 ? geometry.y : 0)));
+             offset.y+=delta.y;  /* increment now to find width */
+-            crop.height=(size_t) MagickRound((MagickRealType) (offset.y+
++            crop.height=(size_t) PixelRoundOffset((MagickRealType) (offset.y+
+               (geometry.y < 0 ? geometry.y : 0)));
+           }
+         crop.height-=crop.y;
+@@ -921,18 +930,18 @@ MagickExport Image *CropImageToTiles(const Image *image,
+         {
+           if ((flags & AspectValue) == 0)
+             {
+-              crop.x=(ssize_t) MagickRound((MagickRealType) (offset.x-
++              crop.x=PixelRoundOffset((MagickRealType) (offset.x-
+                 (geometry.x > 0 ? 0 : geometry.x)));
+               offset.x+=delta.x;  /* increment now to find height */
+-              crop.width=(size_t) MagickRound((MagickRealType) (offset.x+
++              crop.width=(size_t) PixelRoundOffset((MagickRealType) (offset.x+
+                 (geometry.x < 0 ? 0 : geometry.x)));
+             }
+           else
+             {
+-              crop.x=(ssize_t) MagickRound((MagickRealType) (offset.x-
++              crop.x=PixelRoundOffset((MagickRealType) (offset.x-
+                 (geometry.x > 0 ? geometry.x : 0)));
+               offset.x+=delta.x;  /* increment now to find height */
+-              crop.width=(size_t) MagickRound((MagickRealType) (offset.x+
++              crop.width=(size_t) PixelRoundOffset((MagickRealType) (offset.x+
+                 (geometry.x < 0 ? geometry.x : 0)));
+             }
+           crop.width-=crop.x;

ImageMagick.spec

@@ -1,7 +1,7 @@
 Name:           ImageMagick
 Epoch:          1
 Version:        6.9.10.67
-Release:        19
+Release:        20
 Summary:        Create, edit, compose, or convert bitmap images
 License:        ImageMagick and MIT
 Url:            http://www.imagemagick.org/
@@ -49,6 +49,9 @@ Patch0039:      CVE-2020-27758.patch
 Patch0040:      CVE-2020-27771.patch
 Patch0041:      CVE-2020-27772.patch
 Patch0042:      CVE-2020-27775.patch
+Patch0043:      CVE-2020-25666-1.patch
+Patch0044:      CVE-2020-25666-2.patch
+Patch0045:      CVE-2020-25675.patch
 
 BuildRequires:  bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires:  libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@@ -205,6 +208,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick++*
 
 %changelog
+* Tue Apr 6 2021 wangxiao <wangxiao65@huawei.com> - 6.9.10.67-20
+- Fix CVE-2020-25666 CVE-2020-25675
+
 * Wed Mar 31 2021 wangxiao <wangxiao65@huawei.com> - 6.9.10.67-19
 - Fix CVE-2020-25676 CVE-2020-27757 CVE-2020-27758 CVE-2020-27771
   CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2020-27751