!61 fix CVE-2021-20241 CVE-2021-20243

From: @wangxiao65
Reviewed-by: @zhanghua1831,@small_leek
Signed-off-by: @small_leek

CVE-2021-20241-CVE-2021-20243.patch

@@ -0,0 +1,64 @@
+From 53cb91b3e7bf95d0e372cbc745e0055ac6054745 Mon Sep 17 00:00:00 2001
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Wed, 3 Feb 2021 15:30:39 -0500
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/pull/3177
+
+---
+ coders/dcm.c            | 12 ++++++------
+ coders/jp2.c            |  6 ++++--
+ magick/resize.c         |  2 +-
+ 3 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/coders/dcm.c b/coders/dcm.c
+index d274ad54c..29eed9618 100644
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -2982,12 +2982,12 @@ static MagickBooleanType ReadDCMPixels(Image *image,DCMInfo *info,
+         }
+       else
+         {
+-          SetPixelRed(q,(((size_t) pixel.red) |
+-            (((size_t) GetPixelRed(q)) << 8)));
+-          SetPixelGreen(q,(((size_t) pixel.green) |
+-            (((size_t) GetPixelGreen(q)) << 8)));
+-          SetPixelBlue(q,(((size_t) pixel.blue) |
+-            (((size_t) GetPixelBlue(q)) << 8)));
++          SetPixelRed(q,(Quantum) (((ssize_t) pixel.red) |
++            (((ssize_t) GetPixelRed(q)) << 8)));
++          SetPixelGreen(q,(Quantum) (((ssize_t) pixel.green) |
++            (((ssize_t) GetPixelGreen(q)) << 8)));
++          SetPixelBlue(q,(Quantum) (((ssize_t) pixel.blue) |
++            (((ssize_t) GetPixelBlue(q)) << 8)));
+         }
+       q++;
+     }
+diff --git a/coders/jp2.c b/coders/jp2.c
+index 0354f8298..7dd0f1332 100644
+--- a/coders/jp2.c
++++ b/coders/jp2.c
+@@ -1047,8 +1047,10 @@ static MagickBooleanType WriteJP2Image(const ImageInfo *image_info,Image *image)
+ 
+         scale=(double) (((size_t) 1UL << jp2_image->comps[i].prec)-1)/
+           QuantumRange;
+-        q=jp2_image->comps[i].data+(y/jp2_image->comps[i].dy*
+-          image->columns/jp2_image->comps[i].dx+x/jp2_image->comps[i].dx);
++        q=jp2_image->comps[i].data+(ssize_t) (y*PerceptibleReciprocal(
++          jp2_image->comps[i].dy)*image->columns*PerceptibleReciprocal(
++          jp2_image->comps[i].dx)+x*PerceptibleReciprocal(
++          jp2_image->comps[i].dx));
+         switch (i)
+         {
+           case 0:
+diff --git a/magick/resize.c b/magick/resize.c
+index fe662c144..1f3e16928 100644
+--- a/magick/resize.c
++++ b/magick/resize.c
+@@ -1612,7 +1612,7 @@ MagickExport MagickRealType GetResizeFilterWeight(
+   */
+   assert(resize_filter != (ResizeFilter *) NULL);
+   assert(resize_filter->signature == MagickCoreSignature);
+-  x_blur=fabs((double) x)/resize_filter->blur;  /* X offset with blur scaling */
++  x_blur=fabs((double) x)*PerceptibleReciprocal(resize_filter->blur);  /* X offset with blur scaling */
+   if ((resize_filter->window_support < MagickEpsilon) ||
+       (resize_filter->window == Box))
+     scale=1.0;  /* Point or Box Filter -- avoid division by zero */

ImageMagick.spec

@@ -1,7 +1,7 @@
 Name:           ImageMagick
 Epoch:          1
 Version:        6.9.10.67
-Release:        15
+Release:        16
 Summary:        Create, edit, compose, or convert bitmap images
 License:        ImageMagick and MIT
 Url:            http://www.imagemagick.org/
@@ -41,6 +41,7 @@ Patch0031:      CVE-2020-27768.patch
 Patch0032:      CVE-2020-27750.patch
 Patch0033:      CVE-2020-25665.patch
 Patch0034:      CVE-2020-25674.patch
+Patch0035:      CVE-2021-20241-CVE-2021-20243.patch
 
 BuildRequires:  bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires:  libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@@ -197,6 +198,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick++*
 
 %changelog
+* Tue Mar 16 2021 wangxiao <wangxiao65@huawei.com> - 6.9.10.67-16
+- Fix CVE-2021-20241 CVE-2021-20243
+
 * Mon Mar 8 2021 zhanghua <zhanghua40@huawei.com> - 6.9.10.67-15
 - Fix CVE-2020-27750 CVE-2020-25665 CVE-2020-25674