!12 fix CVE-2020-27759 CVE-2020-27760 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764 CVE-2020-27765 CVE-2020-27765 CVE-2020-27766 CVE-2020-27767 CVE-2020-27770

From: @wangxiao65 Reviewed-by: @zhanghua1831,@small_leek Signed-off-by: @small_leek
2021-01-04 16:32:37 +08:00 · 2021-01-04 16:32:37 +08:00 · e42c93a607
commit e42c93a607
parent 3cf7c3da47 3d33b8bf2b
10 changed files with 418 additions and 1 deletions
--- a/CVE-2020-27759.patch
+++ b/CVE-2020-27759.patch
@ -0,0 +1,35 @@
 From 460dea07066e2001bc4671fcd8d53233f0fc29b3 Mon Sep 17 00:00:00 2001
 From: Cristy <urban-warrior@imagemagick.org>
 Date: Sat, 5 Oct 2019 09:53:19 -0400
 Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1720
 ---
 magick/quantize.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
 diff --git a/magick/quantize.c b/magick/quantize.c
 index d4c841b68..fb0646661 100644
 --- a/magick/quantize.c
 +++ b/magick/quantize.c
@@ -3212,16 +3212,17 @@ extern "C" {
 static int IntensityCompare(const void *x,const void *y)
 {
 -  double
 -    intensity;
 -
   PixelPacket
     *color_1,
     *color_2;
 +  ssize_t
 +    intensity;
 +
   color_1=(PixelPacket *) x;
   color_2=(PixelPacket *) y;
 -  intensity=PixelPacketIntensity(color_1)-PixelPacketIntensity(color_2);
 +  intensity=(ssize_t) (PixelPacketIntensity(color_1)-
 +    PixelPacketIntensity(color_2));
   return((int) intensity);
 }
--- a/CVE-2020-27760.patch
+++ b/CVE-2020-27760.patch
@ -0,0 +1,86 @@
 From 83cd04f580ccf4cc194813777c1fcfba78e602aa Mon Sep 17 00:00:00 2001
 From: Cristy <urban-warrior@imagemagick.org>
 Date: Fri, 4 Oct 2019 18:04:09 -0400
 Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1717
 ---
 magick/enhance.c | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)
 diff --git a/magick/enhance.c b/magick/enhance.c
 index a100cf8b7..614269e3a 100644
 --- a/magick/enhance.c
 +++ b/magick/enhance.c
@@ -2207,7 +2207,8 @@ MagickExport MagickBooleanType GammaImageChannel(Image *image,
   if (gamma != 0.0)
     for (i=0; i <= (ssize_t) MaxMap; i++)
       gamma_map[i]=ClampToQuantum((MagickRealType) ScaleMapToQuantum((
 -        MagickRealType) (MaxMap*pow((double) i/MaxMap,1.0/gamma))));
 +        MagickRealType) (MaxMap*pow((double) i/MaxMap,
 +        PerceptibleReciprocal(gamma)))));
   if (image->storage_class == PseudoClass)
     {
       /*
@@ -2238,18 +2239,18 @@ MagickExport MagickBooleanType GammaImageChannel(Image *image,
 #else
         if ((channel & RedChannel) != 0)
           image->colormap[i].red=QuantumRange*gamma_pow(QuantumScale*
 -            image->colormap[i].red,1.0/gamma);
 +            image->colormap[i].red,PerceptibleReciprocal(gamma));
         if ((channel & GreenChannel) != 0)
           image->colormap[i].green=QuantumRange*gamma_pow(QuantumScale*
 -            image->colormap[i].green,1.0/gamma);
 +            image->colormap[i].green,PerceptibleReciprocal(gamma));
         if ((channel & BlueChannel) != 0)
           image->colormap[i].blue=QuantumRange*gamma_pow(QuantumScale*
 -            image->colormap[i].blue,1.0/gamma);
 +            image->colormap[i].blue,PerceptibleReciprocal(gamma));
         if ((channel & OpacityChannel) != 0)
           {
             if (image->matte == MagickFalse)
               image->colormap[i].opacity=QuantumRange*gamma_pow(QuantumScale*
 -                image->colormap[i].opacity,1.0/gamma);
 +                image->colormap[i].opacity,PerceptibleReciprocal(gamma));
             else
               image->colormap[i].opacity=QuantumRange-QuantumRange*gamma_pow(
                 QuantumScale*(QuantumRange-image->colormap[i].opacity),1.0/
@@ -2319,31 +2320,31 @@ MagickExport MagickBooleanType GammaImageChannel(Image *image,
       if ((channel & SyncChannels) != 0)
         {
           SetPixelRed(q,QuantumRange*gamma_pow(QuantumScale*GetPixelRed(q),
 -            1.0/gamma));
 +            PerceptibleReciprocal(gamma)));
           SetPixelGreen(q,QuantumRange*gamma_pow(QuantumScale*GetPixelGreen(q),
 -            1.0/gamma));
 +            PerceptibleReciprocal(gamma)));
           SetPixelBlue(q,QuantumRange*gamma_pow(QuantumScale*GetPixelBlue(q),
 -            1.0/gamma));
 +            PerceptibleReciprocal(gamma)));
         }
       else
         {
           if ((channel & RedChannel) != 0)
             SetPixelRed(q,QuantumRange*gamma_pow(QuantumScale*GetPixelRed(q),
 -            1.0/gamma));
 +            PerceptibleReciprocal(gamma)));
           if ((channel & GreenChannel) != 0)
             SetPixelGreen(q,QuantumRange*gamma_pow(QuantumScale*
 -              GetPixelGreen(q),1.0/gamma));
 +              GetPixelGreen(q),PerceptibleReciprocal(gamma)));
           if ((channel & BlueChannel) != 0)
             SetPixelBlue(q,QuantumRange*gamma_pow(QuantumScale*GetPixelBlue(q),
 -              1.0/gamma));
 +              PerceptibleReciprocal(gamma)));
           if ((channel & OpacityChannel) != 0)
             {
               if (image->matte == MagickFalse)
                 SetPixelOpacity(q,QuantumRange*gamma_pow(QuantumScale*
 -                  GetPixelOpacity(q),1.0/gamma));
 +                  GetPixelOpacity(q),PerceptibleReciprocal(gamma)));
               else
                 SetPixelAlpha(q,QuantumRange*gamma_pow(QuantumScale*
 -                  GetPixelAlpha(q),1.0/gamma));
 +                  GetPixelAlpha(q),PerceptibleReciprocal(gamma)));
             }
         }
 #endif
--- a/CVE-2020-27761.patch
+++ b/CVE-2020-27761.patch
@ -0,0 +1,28 @@
 From 14c90fb315eb3666a4cf6d784cbde74c69c934ec Mon Sep 17 00:00:00 2001
 From: Cristy <urban-warrior@imagemagick.org>
 Date: Mon, 7 Oct 2019 18:13:37 -0400
 Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1726
 ---
 coders/palm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 diff --git a/coders/palm.c b/coders/palm.c
 index 4cd5522a4..a3eae1d82 100644
 --- a/coders/palm.c
 +++ b/coders/palm.c
@@ -908,10 +908,10 @@ static MagickBooleanType WritePALMImage(const ImageInfo *image_info,
         {
           for (x=0; x < (ssize_t) image->columns; x++)
           {
 -            color16=(unsigned short) ((((31*(size_t) GetPixelRed(p))/
 -              (size_t) QuantumRange) << 11) |
 -              (((63*(size_t) GetPixelGreen(p))/(size_t) QuantumRange) << 5) |
 -              ((31*(size_t) GetPixelBlue(p))/(size_t) QuantumRange));
 +            color16=(unsigned short) ((((31*(ssize_t) GetPixelRed(p))/
 +              (ssize_t) QuantumRange) << 11) |
 +              (((63*(ssize_t) GetPixelGreen(p))/(ssize_t) QuantumRange) << 5) |
 +              ((31*(ssize_t) GetPixelBlue(p))/(ssize_t) QuantumRange));
             if (GetPixelOpacity(p) == (Quantum) TransparentOpacity)
               {
                 transpix.red=GetPixelRed(p);
--- a/CVE-2020-27762.patch
+++ b/CVE-2020-27762.patch
@ -0,0 +1,29 @@
 From 3e10f7c3c9f0394dfd6ebd372bc34a172dabc8ff Mon Sep 17 00:00:00 2001
 From: Cristy <urban-warrior@imagemagick.org>
 Date: Thu, 3 Oct 2019 18:24:44 -0400
 Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1713
 ---
 coders/hdr.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
 diff --git a/coders/hdr.c b/coders/hdr.c
 index ab02f8e52..77e3c6336 100644
 --- a/coders/hdr.c
 +++ b/coders/hdr.c
@@ -786,9 +786,12 @@ static MagickBooleanType WriteHDRImage(const ImageInfo *image_info,Image *image)
             exponent;
           gamma=frexp(gamma,&exponent)*256.0/gamma;
 -          pixel[0]=(unsigned char) (gamma*QuantumScale*GetPixelRed(p));
 -          pixel[1]=(unsigned char) (gamma*QuantumScale*GetPixelGreen(p));
 -          pixel[2]=(unsigned char) (gamma*QuantumScale*GetPixelBlue(p));
 +          if (GetPixelRed(p) > 0)
 +            pixel[0]=(unsigned char) (gamma*QuantumScale*GetPixelRed(p));
 +          if (GetPixelGreen(p) > 0)
 +            pixel[1]=(unsigned char) (gamma*QuantumScale*GetPixelGreen(p));
 +          if (GetPixelBlue(p) > 0)
 +            pixel[2]=(unsigned char) (gamma*QuantumScale*GetPixelBlue(p));
           pixel[3]=(unsigned char) (exponent+128);
         }
       if ((image->columns >= 8) && (image->columns <= 0x7ffff))
--- a/CVE-2020-27764.patch
+++ b/CVE-2020-27764.patch
@ -0,0 +1,58 @@
 From 3e21bc8a58b4ae38d24c7e283837cc279f35b6a5 Mon Sep 17 00:00:00 2001
 From: Cristy <urban-warrior@imagemagick.org>
 Date: Wed, 9 Oct 2019 18:44:16 -0400
 Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1735
 ---
 magick/statistic.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 diff --git a/magick/statistic.c b/magick/statistic.c
 index 7bc816360..87a9a42f4 100644
 --- a/magick/statistic.c
 +++ b/magick/statistic.c
@@ -259,7 +259,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
     }
     case AndEvaluateOperator:
     {
 -      result=(MagickRealType) ((size_t) pixel & (size_t) (value+0.5));
 +      result=(MagickRealType) ((ssize_t) pixel & (ssize_t) (value+0.5));
       break;
     }
     case CosineEvaluateOperator:
@@ -299,7 +299,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
     }
     case LeftShiftEvaluateOperator:
     {
 -      result=(MagickRealType) ((size_t) pixel << (size_t) (value+0.5));
 +      result=(MagickRealType) ((ssize_t) pixel << (ssize_t) (value+0.5));
       break;
     }
     case LogEvaluateOperator:
@@ -342,7 +342,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
     }
     case OrEvaluateOperator:
     {
 -      result=(MagickRealType) ((size_t) pixel | (size_t) (value+0.5));
 +      result=(MagickRealType) ((ssize_t) pixel | (ssize_t) (value+0.5));
       break;
     }
     case PoissonNoiseEvaluateOperator:
@@ -359,7 +359,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
     }
     case RightShiftEvaluateOperator:
     {
 -      result=(MagickRealType) ((size_t) pixel >> (size_t) (value+0.5));
 +      result=(MagickRealType) ((ssize_t) pixel >> (ssize_t) (value+0.5));
       break;
     }
     case RootMeanSquareEvaluateOperator:
@@ -413,7 +413,7 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
     }
     case XorEvaluateOperator:
     {
 -      result=(MagickRealType) ((size_t) pixel ^ (size_t) (value+0.5));
 +      result=(MagickRealType) ((ssize_t) pixel ^ (ssize_t) (value+0.5));
       break;
     }
   }
--- a/CVE-2020-27765.patch
+++ b/CVE-2020-27765.patch
@ -0,0 +1,22 @@
 From 4321934be544bc2888c6799fd6b50d8188a3d832 Mon Sep 17 00:00:00 2001
 From: Cristy <urban-warrior@imagemagick.org>
 Date: Tue, 8 Oct 2019 17:27:35 -0400
 Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1730
 ---
 magick/segment.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/magick/segment.c b/magick/segment.c
 index 8f03c22ef..46fae277f 100644
 --- a/magick/segment.c
 +++ b/magick/segment.c
@@ -1696,7 +1696,7 @@ static MagickRealType OptimalTau(const ssize_t *histogram,const double max_tau,
   average_tau=0.0;
   for (i=0; i < number_nodes; i++)
     average_tau+=list[i]->tau;
 -  average_tau/=(MagickRealType) number_nodes;
 +  average_tau*=PerceptibleReciprocal((MagickRealType) number_nodes);
   /*
     Relinquish resources.
   */
--- a/CVE-2020-27766.patch
+++ b/CVE-2020-27766.patch
@ -0,0 +1,45 @@
 From 052175e4b190598141fbcc64641cd5ee4db3602d Mon Sep 17 00:00:00 2001
 From: Cristy <urban-warrior@imagemagick.org>
 Date: Thu, 10 Oct 2019 20:40:18 -0400
 Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1743
 ---
 magick/statistic.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
 diff --git a/magick/statistic.c b/magick/statistic.c
 index 2db7c858f..827d87fa6 100644
 --- a/magick/statistic.c
 +++ b/magick/statistic.c
@@ -230,6 +230,9 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
   MagickRealType
     result;
 +  register ssize_t
 +    i;
 +
   result=0.0;
   switch (op)
   {
@@ -299,7 +302,9 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
     }
     case LeftShiftEvaluateOperator:
     {
 -      result=(MagickRealType) ((ssize_t) pixel << (ssize_t) (value+0.5));
 +      result=(double) pixel;
 +      for (i=0; i < (ssize_t) value; i++)
 +        result*=2.0;
       break;
     }
     case LogEvaluateOperator:
@@ -359,7 +364,9 @@ static MagickRealType ApplyEvaluateOperator(RandomInfo *random_info,
     }
     case RightShiftEvaluateOperator:
     {
 -      result=(MagickRealType) ((ssize_t) pixel >> (ssize_t) (value+0.5));
 +      result=(MagickRealType) pixel;
 +      for (i=0; i < (ssize_t) value; i++)
 +        result/=2.0;
       break;
     }
     case RootMeanSquareEvaluateOperator:
--- a/CVE-2020-27767.patch
+++ b/CVE-2020-27767.patch
@ -0,0 +1,68 @@
 From c2f66e7fc9189a652f77a021bd047c4146d634d1 Mon Sep 17 00:00:00 2001
 From: Cristy <urban-warrior@imagemagick.org>
 Date: Thu, 10 Oct 2019 21:03:00 -0400
 Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1741
 ---
 magick/quantum.h | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
 diff --git a/magick/quantum.h b/magick/quantum.h
 index 821680de0..6c05c212a 100644
 --- a/magick/quantum.h
 +++ b/magick/quantum.h
@@ -18,6 +18,7 @@
 #ifndef MAGICKCORE_QUANTUM_H
 #define MAGICKCORE_QUANTUM_H
 +#include <float.h>
 #include "magick/image.h"
 #include "magick/semaphore.h"
@@ -87,6 +88,10 @@ typedef struct _QuantumInfo
 static inline Quantum ClampToQuantum(const MagickRealType value)
 {
 #if defined(MAGICKCORE_HDRI_SUPPORT)
 +  if (value < FLT_MIN)
 +    return((Quantum) FLT_MIN);
 +  if (value > FLT_MAX)
 +    return((Quantum) FLT_MAX);
   return((Quantum) value);
 #else
   if (value <= 0.0f)
@@ -103,7 +108,7 @@ static inline unsigned char ScaleQuantumToChar(const Quantum quantum)
 #if !defined(MAGICKCORE_HDRI_SUPPORT)
   return((unsigned char) quantum);
 #else
 -  if (quantum <= 0.0)
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
     return(0);
   if (quantum >= 255.0)
     return(255);
@@ -116,7 +121,7 @@ static inline unsigned char ScaleQuantumToChar(const Quantum quantum)
 #if !defined(MAGICKCORE_HDRI_SUPPORT)
   return((unsigned char) (((quantum+128UL)-((quantum+128UL) >> 8)) >> 8));
 #else
 -  if (quantum <= 0.0)
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
     return(0);
   if ((quantum/257.0) >= 255.0)
     return(255);
@@ -130,7 +135,7 @@ static inline unsigned char ScaleQuantumToChar(const Quantum quantum)
   return((unsigned char) ((quantum+MagickULLConstant(8421504))/
     MagickULLConstant(16843009)));
 #else
 -  if (quantum <= 0.0)
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
     return(0);
   if ((quantum/16843009.0) >= 255.0)
     return(255);
@@ -143,7 +148,7 @@ static inline unsigned char ScaleQuantumToChar(const Quantum quantum)
 #if !defined(MAGICKCORE_HDRI_SUPPORT)
   return((unsigned char) (quantum/72340172838076673.0+0.5));
 #else
 -  if (quantum <= 0.0)
 +  if ((IsNaN(quantum) != MagickFalse) || (quantum <= 0.0))
     return(0);
   if ((quantum/72340172838076673.0) >= 255.0)
     return(255);
--- a/CVE-2020-27770.patch
+++ b/CVE-2020-27770.patch
@ -0,0 +1,33 @@
 From c01495f91ac71c5205f52713430b68e80d851149 Mon Sep 17 00:00:00 2001
 From: Cristy <urban-warrior@imagemagick.org>
 Date: Sat, 5 Oct 2019 08:56:29 -0400
 Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1721
 ---
 magick/string.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/magick/string.c b/magick/string.c
 index f6f7b9318..1b47f562e 100644
 --- a/magick/string.c
 +++ b/magick/string.c
@@ -2534,7 +2534,7 @@ MagickExport MagickBooleanType SubstituteString(char **string,
   {
     if (search_extent == 0)
       search_extent=strlen(search);
 -    if (strncmp(p,search,search_extent) != 0)
 +    if ((*p == *search) && (strncmp(p,search,search_extent) != 0))
       continue;
     /*
       We found a match.
@@ -2562,7 +2562,9 @@ MagickExport MagickBooleanType SubstituteString(char **string,
       (void) memmove(p+replace_extent,p+search_extent,
         strlen(p+search_extent)+1);
     (void) memcpy(p,replace,replace_extent);
 -    p+=replace_extent-1;
 +    p+=replace_extent;
 +    if (replace_extent != 0)
 +      p--;
   }
   return(status);
 }
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@ -1,7 +1,7 @@
 Name:           ImageMagick
 Epoch:          1
 Version:        6.9.10.67
-Release:        7
+Release:        8
 Summary:        Create, edit, compose, or convert bitmap images
 License:        ImageMagick
 Url:            http://www.imagemagick.org/
@ -9,6 +9,15 @@ Source0:        https://mirrors.sohu.com/gentoo/distfiles/db/ImageMagick-6.9.10-
 Patch0001:      CVE-2019-7397.patch
 Patch0002:      CVE-2018-16329.patch
 Patch0003:      CVE-2020-27759.patch
 Patch0004:      CVE-2020-27760.patch
 Patch0005:      CVE-2020-27761.patch
 Patch0006:      CVE-2020-27762.patch
 Patch0007:      CVE-2020-27764.patch
 Patch0008:      CVE-2020-27765.patch
 Patch0009:      CVE-2020-27766.patch
 Patch0010:      CVE-2020-27767.patch
 Patch0011:      CVE-2020-27770.patch
 BuildRequires:  bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires:  libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -165,6 +174,10 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick++*
 %changelog
 * Mon Jan 04 2021 wangxiao <wangxiao65@huawei.com> - 6.9.10.67-8
 - fix CVE-2020-27759 CVE-2020-27760 CVE-2020-27761 CVE-2020-27762 CVE-2020-27764
  CVE-2020-27765 CVE-2020-27765 CVE-2020-27766 CVE-2020-27767 CVE-2020-27770
 * Sun Apr 26 2020 openEuler Buildteam <buildteam@openeuler.org> - 6.9.10.67-7
 - Type:cves
 - ID:CVE-2018-16329