!81 Fix CVE-2020-25676 CVE-2020-27757 CVE-2020-27758 CVE-2020-27771 CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2020-27751

From: @wangxiao65 Reviewed-by: @wang_yue111,@wang_yue111,@small_leek Signed-off-by: @small_leek
2021-03-31 14:07:16 +08:00 · 2021-03-31 14:07:16 +08:00 · e2a6883a37
commit e2a6883a37
parent 1313f1aff0 127811142a
9 changed files with 254 additions and 4 deletions
--- a/CVE-2020-25676.patch
+++ b/CVE-2020-25676.patch
@ -0,0 +1,51 @@
+From 94aeb3c40d25aee1051ba8eb3a31601558ef2506 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Tue, 8 Oct 2019 18:35:50 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1732
+
+---
+ magick/pixel.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/magick/pixel.c b/magick/pixel.c
+index 96eaf95db..1450a93e2 100644
+--- a/magick/pixel.c
+++ b/magick/pixel.c
+@@ -4418,6 +4418,15 @@ static inline void CatromWeights(const MagickRealType x,
+   (*weights)[2]=x-(*weights)[3]-gamma;
+ }
+ 
+static inline double ConstrainPixelOffset(double x)
+{
+  if (x < (double) -(SSIZE_MAX-512))
+    return((double) -(SSIZE_MAX-512));
+  if (x > (double) (SSIZE_MAX-512))
+    return((double) (SSIZE_MAX-512));
+  return(x);
+}
+
+ static inline void SplineWeights(const MagickRealType x,
+   MagickRealType (*weights)[4])
+ {
+@@ -4483,8 +4492,8 @@ MagickExport MagickBooleanType InterpolateMagickPixelPacket(
+   assert(image->signature == MagickCoreSignature);
+   assert(image_view != (CacheView *) NULL);
+   status=MagickTrue;
+-  x_offset=(ssize_t) floor(x);
+-  y_offset=(ssize_t) floor(y);
+  x_offset=(ssize_t) floor(ConstrainPixelOffset(x));
+  y_offset=(ssize_t) floor(ConstrainPixelOffset(y));
+   interpolate = method;
+   if (interpolate == UndefinedInterpolatePixel)
+     interpolate=image->interpolate;
+@@ -4502,8 +4511,8 @@ MagickExport MagickBooleanType InterpolateMagickPixelPacket(
+       if (interpolate == Average9InterpolatePixel)
+         {
+           count=3;
+-          x_offset=(ssize_t) (floor(x+0.5)-1);
+-          y_offset=(ssize_t) (floor(y+0.5)-1);
+          x_offset=(ssize_t) (floor(ConstrainPixelOffset(x)+0.5)-1);
+          y_offset=(ssize_t) (floor(ConstrainPixelOffset(y)+0.5)-1);
+         }
+       else
+         if (interpolate == Average16InterpolatePixel)
--- a/CVE-2020-27768-pre2.patch
+++ b/CVE-2020-27768-pre2.patch
--- a/CVE-2020-27768-pre1.patch
+++ b/CVE-2020-27768-pre1.patch
--- a/CVE-2020-27758.patch
+++ b/CVE-2020-27758.patch
@ -0,0 +1,40 @@
+From e5e15b4456c825f78554e2ef1cc6344fa1218448 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 5 Oct 2019 09:44:24 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1719
+
+---
+ coders/txt.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/coders/txt.c b/coders/txt.c
+index 3a57bcece..9f0354ffb 100644
+--- a/coders/txt.c
+++ b/coders/txt.c
+@@ -572,16 +572,16 @@ static Image *ReadTXTImage(const ImageInfo *image_info,ExceptionInfo *exception)
+             green+=(range+1)/2.0;
+             blue+=(range+1)/2.0;
+           }
+-        pixel.red=(MagickRealType) ScaleAnyToQuantum((QuantumAny) (red+0.5),
+-          range);
+-        pixel.green=(MagickRealType) ScaleAnyToQuantum((QuantumAny) (green+0.5),
+-          range);
+-        pixel.blue=(MagickRealType) ScaleAnyToQuantum((QuantumAny) (blue+0.5),
+-          range);
+-        pixel.index=(MagickRealType) ScaleAnyToQuantum((QuantumAny) (index+0.5),
+-          range);
+-        pixel.opacity=(MagickRealType) ScaleAnyToQuantum((QuantumAny) (opacity+
+-          0.5),range);
+        pixel.red=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
+          MagickMax(red+0.5,0.0),range);
+        pixel.green=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
+          MagickMax(green+0.5,0.0),range);
+        pixel.blue=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
+          MagickMax(blue+0.5,0.0),range);
+        pixel.index=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
+          MagickMax(index+0.5,0.0),range);
+        pixel.opacity=(MagickRealType) ScaleAnyToQuantum((QuantumAny)
+          MagickMax(opacity+0.5,0.0),range);
+         q=GetAuthenticPixels(image,(ssize_t) x_offset,(ssize_t) y_offset,1,1,
+           exception);
+         if (q == (PixelPacket *) NULL)
--- a/CVE-2020-27766-CVE-2020-27774.patch
+++ b/CVE-2020-27766-CVE-2020-27774.patch
--- a/CVE-2020-27771.patch
+++ b/CVE-2020-27771.patch
@ -0,0 +1,50 @@
+From a07ecde4c1c3a3efaa628434adc903295f6bb2b3 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 14 Oct 2019 19:41:20 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1753
+
+---
+ coders/pdf.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 4da13db33..dd1a504e5 100644
+--- a/coders/pdf.c
+++ b/coders/pdf.c
+@@ -1991,7 +1991,7 @@ RestoreMSCWarning
+                   break;
+                 indexes=GetVirtualIndexQueue(image);
+                 for (x=0; x < (ssize_t) image->columns; x++)
+-                  *q++=(unsigned char) GetPixelIndex(indexes+x);
+                  *q++=(unsigned char) ((ssize_t) GetPixelIndex(indexes+x));
+                 if (image->previous == (Image *) NULL)
+                   {
+                     status=SetImageProgress(image,SaveImageTag,
+@@ -2033,7 +2033,7 @@ RestoreMSCWarning
+                 indexes=GetVirtualIndexQueue(image);
+                 for (x=0; x < (ssize_t) image->columns; x++)
+                   Ascii85Encode(image,(unsigned char)
+-                    GetPixelIndex(indexes+x));
+                    ((ssize_t) GetPixelIndex(indexes+x)));
+                 if (image->previous == (Image *) NULL)
+                   {
+                     status=SetImageProgress(image,SaveImageTag,
+@@ -2491,7 +2491,7 @@ RestoreMSCWarning
+                   break;
+                 indexes=GetVirtualIndexQueue(tile_image);
+                 for (x=0; x < (ssize_t) tile_image->columns; x++)
+-                  *q++=(unsigned char) GetPixelIndex(indexes+x);
+                  *q++=(unsigned char) ((ssize_t) GetPixelIndex(indexes+x));
+               }
+ #if defined(MAGICKCORE_ZLIB_DELEGATE)
+               if (compression == ZipCompression)
+@@ -2525,7 +2525,8 @@ RestoreMSCWarning
+                   break;
+                 indexes=GetVirtualIndexQueue(tile_image);
+                 for (x=0; x < (ssize_t) tile_image->columns; x++)
+-                  Ascii85Encode(image,(unsigned char) GetPixelIndex(indexes+x));
+                  Ascii85Encode(image,(unsigned char)
+                    ((ssize_t) GetPixelIndex(indexes+x)));
+               }
+               Ascii85Flush(image);
+               break;
--- a/CVE-2020-27772.patch
+++ b/CVE-2020-27772.patch
@ -0,0 +1,72 @@
+From 7f819ef8855608d9cb1ded5e4f30cdfff1da7c11 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 13 Oct 2019 11:50:29 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1749
+
+---
+ PerlMagick/t/write.t |  2 +-
+ coders/bmp.c         | 24 ++++++++++++------------
+ 2 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/PerlMagick/t/write.t b/PerlMagick/t/write.t
+index 3c530f154..d410fa48e 100644
+--- a/PerlMagick/t/write.t
+++ b/PerlMagick/t/write.t
+@@ -107,7 +107,7 @@ print("Portable bitmap format (black and white), binary format ...\n");
+ testReadWrite( 'PBM:input_p4.pbm',
+   'PBM:output_p4.pbm',
+   q//,
+-  '83175f7bcc43fb71212dee254c85e355c18bcd25f35d3b9caba66fff7341fa64');
+  '217921c0cce7fff17eea865d2ee2075afbc054ce7f4209b3cfeb22f58d8b3e3e');
+ 
+ print("ZSoft IBM PC Paintbrush file ...\n");
+ ++$test;
+diff --git a/coders/bmp.c b/coders/bmp.c
+index 13ccefcfc..f7104a212 100644
+--- a/coders/bmp.c
+++ b/coders/bmp.c
+@@ -2311,32 +2311,32 @@ static MagickBooleanType WriteBMPImage(const ImageInfo *image_info,Image *image)
+           (void) WriteBlobLSBLong(image,0x73524742U);  /* sRGB */
+         }
+         (void) WriteBlobLSBLong(image,(unsigned int)
+-          (image->chromaticity.red_primary.x*0x40000000));
+          ((ssize_t) image->chromaticity.red_primary.x*0x40000000));
+         (void) WriteBlobLSBLong(image,(unsigned int)
+-          (image->chromaticity.red_primary.y*0x40000000));
+          ((ssize_t) image->chromaticity.red_primary.y*0x40000000));
+         (void) WriteBlobLSBLong(image,(unsigned int)
+-          ((1.000f-(image->chromaticity.red_primary.x+
+          ((ssize_t) (1.000f-(image->chromaticity.red_primary.x+
+           image->chromaticity.red_primary.y))*0x40000000));
+         (void) WriteBlobLSBLong(image,(unsigned int)
+-          (image->chromaticity.green_primary.x*0x40000000));
+          ((ssize_t) image->chromaticity.green_primary.x*0x40000000));
+         (void) WriteBlobLSBLong(image,(unsigned int)
+-          (image->chromaticity.green_primary.y*0x40000000));
+          ((ssize_t) image->chromaticity.green_primary.y*0x40000000));
+         (void) WriteBlobLSBLong(image,(unsigned int)
+-          ((1.000f-(image->chromaticity.green_primary.x+
+          ((ssize_t) (1.000f-(image->chromaticity.green_primary.x+
+           image->chromaticity.green_primary.y))*0x40000000));
+         (void) WriteBlobLSBLong(image,(unsigned int)
+-          (image->chromaticity.blue_primary.x*0x40000000));
+          ((ssize_t) image->chromaticity.blue_primary.x*0x40000000));
+         (void) WriteBlobLSBLong(image,(unsigned int)
+-          (image->chromaticity.blue_primary.y*0x40000000));
+          ((ssize_t) image->chromaticity.blue_primary.y*0x40000000));
+         (void) WriteBlobLSBLong(image,(unsigned int)
+-          ((1.000f-(image->chromaticity.blue_primary.x+
+          ((ssize_t) (1.000f-(image->chromaticity.blue_primary.x+
+           image->chromaticity.blue_primary.y))*0x40000000));
+         (void) WriteBlobLSBLong(image,(unsigned int)
+-          (bmp_info.gamma_scale.x*0x10000));
+          ((ssize_t) bmp_info.gamma_scale.x*0x10000));
+         (void) WriteBlobLSBLong(image,(unsigned int)
+-          (bmp_info.gamma_scale.y*0x10000));
+          ((ssize_t) bmp_info.gamma_scale.y*0x10000));
+         (void) WriteBlobLSBLong(image,(unsigned int)
+-          (bmp_info.gamma_scale.z*0x10000));
+          ((ssize_t) bmp_info.gamma_scale.z*0x10000));
+         if ((image->rendering_intent != UndefinedIntent) ||
+             (profile != (StringInfo *) NULL))
+           {
--- a/CVE-2020-27775.patch
+++ b/CVE-2020-27775.patch
@ -0,0 +1,28 @@
+From 78d9987ae80a95865c9f139afde0dcf3fd832ddc Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Wed, 9 Oct 2019 19:34:55 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1737
+
+---
+ magick/statistic.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/magick/statistic.c b/magick/statistic.c
+index 87a9a42f4..2db7c858f 100644
+--- a/magick/statistic.c
+++ b/magick/statistic.c
+@@ -353,8 +353,12 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
+     }
+     case PowEvaluateOperator:
+     {
+-      result=(MagickRealType) (QuantumRange*pow((double) (QuantumScale*pixel),
+-        (double) value));
+      if (pixel < 0)
+        result=(MagickRealType) -(QuantumRange*pow((double) -(QuantumScale*
+          pixel),(double) value));
+      else
+        result=(MagickRealType) (QuantumRange*pow((double) (QuantumScale*pixel),
+          (double) value));
+       break;
+     }
+     case RightShiftEvaluateOperator:
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@ -1,7 +1,7 @@
 Name:           ImageMagick
 Epoch:          1
 Version:        6.9.10.67
-Release:        18
+Release:        19
 Summary:        Create, edit, compose, or convert bitmap images
 License:        ImageMagick and MIT
 Url:            http://www.imagemagick.org/
@ -15,7 +15,7 @@ Patch0005:      CVE-2020-27761.patch
 Patch0006:      CVE-2020-27762.patch
 Patch0007:      CVE-2020-27764.patch
 Patch0008:      CVE-2020-27765.patch
-Patch0009:      CVE-2020-27766.patch
+Patch0009:      CVE-2020-27766-CVE-2020-27774.patch
 Patch0010:      CVE-2020-27767.patch
 Patch0011:      CVE-2020-27770.patch
 Patch0012:      CVE-2020-29599-1.patch
@ -35,8 +35,8 @@ Patch0025:      CVE-2020-25664.patch
 Patch0026:      CVE-2021-20176.patch
 Patch0027:      CVE-2020-27763.patch
 Patch0028:      CVE-2020-27773.patch
-Patch0029:      CVE-2020-27768-pre1.patch
-Patch0030:      CVE-2020-27768-pre2.patch
+Patch0029:      CVE-2020-27757.patch
+Patch0030:      CVE-2020-27751.patch
 Patch0031:      CVE-2020-27768.patch
 Patch0032:      CVE-2020-27750.patch
 Patch0033:      CVE-2020-25665.patch
@ -44,6 +44,11 @@ Patch0034:      CVE-2020-25674.patch
 Patch0035:      CVE-2021-20241-CVE-2021-20243.patch
 Patch0036:      CVE-2021-20244.patch
 Patch0037:      CVE-2021-20246.patch
+Patch0038:      CVE-2020-25676.patch
+Patch0039:      CVE-2020-27758.patch
+Patch0040:      CVE-2020-27771.patch
+Patch0041:      CVE-2020-27772.patch
+Patch0042:      CVE-2020-27775.patch

 BuildRequires:  bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires:  libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -200,6 +205,10 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick++*

 %changelog
+* Wed Mar 31 2021 wangxiao <wangxiao65@huawei.com> - 6.9.10.67-19
+- Fix CVE-2020-25676 CVE-2020-27757 CVE-2020-27758 CVE-2020-27771
+  CVE-2020-27772 CVE-2020-27774 CVE-2020-27775 CVE-2020-27751
+
 * Tue Mar 23 2021 zhanghua <zhanghua40@huawei.com> - 6.9.10.67-18
 - Fix CVE-2021-20246