!106 Fix CVE-2021-20309 CVE-2021-20311 CVE-2021-20312 CVE-2021-20313

From: @wang_yue111 Reviewed-by: @small_leek Signed-off-by: @small_leek
2021-05-20 09:52:56 +08:00 · 2021-05-20 09:52:56 +08:00 · ed4584b893
commit ed4584b893
parent 7b70776d51 250dbd05fd
3 changed files with 214 additions and 1 deletions
--- a/CVE-2021-20309.patch
+++ b/CVE-2021-20309.patch
@ -0,0 +1,25 @@
+From 946d0afdcc34f461c68396b4b377832bcdccf095 Mon Sep 17 00:00:00 2001
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Thu, 25 Feb 2021 19:34:36 -0500
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/3296
+
+---
+ magick/fx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/magick/fx.c b/magick/fx.c
+index 5041de6..6fedf83 100644
+--- a/magick/fx.c
+++ b/magick/fx.c
+@@ -5702,7 +5702,7 @@ MagickExport Image *WaveImage(const Image *image,const double amplitude,
+     }
+   for (i=0; i < (ssize_t) wave_image->columns; i++)
+     sine_map[i]=(float) fabs(amplitude)+amplitude*sin((double)
+-      ((2.0*MagickPI*i)/wave_length));
+      ((2.0*MagickPI*i)*PerceptibleReciprocal(wave_length)));
+   /*
+     Wave image.
+   */
+-- 
+2.23.0
+
--- a/CVE-2021-20311-20312-20313.patch
+++ b/CVE-2021-20311-20312-20313.patch
@ -0,0 +1,183 @@
+From 1e48a746b0b1c34b2bdc2ae8cfa094d69ce50aa3 Mon Sep 17 00:00:00 2001
+From: Cristy <mikayla-grace@urban-warrior.org>
+Date: Thu, 25 Feb 2021 17:03:18 -0500
+Subject: [PATCH] possible divide by zero + clear buffers
+
+---
+ coders/thumbnail.c  |  3 ++-
+ configure           |  2 +-
+ magick/cipher.c     | 12 ++++++------
+ magick/colorspace.c | 16 ++++++++--------
+ magick/memory.c     | 21 ++++++++++++++++-----
+ magick/signature.c  |  2 +-
+ 6 files changed, 34 insertions(+), 22 deletions(-)
+
+diff --git a/coders/thumbnail.c b/coders/thumbnail.c
+index 21895a9..73917fc 100644
+--- a/coders/thumbnail.c
+++ b/coders/thumbnail.c
+@@ -198,7 +198,8 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info,
+       break;
+     q++;
+   }
+-  if ((q+length) > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)))
+  if ((q > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) ||
+      (length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
+     ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
+   thumbnail_image=BlobToImage(image_info,q,length,&image->exception);
+   if (thumbnail_image == (Image *) NULL)
+diff --git a/configure b/configure
+index 6f61a2f..65efc18 100755
+--- a/configure
+++ b/configure
+@@ -4573,7 +4573,7 @@ MAGICK_PATCHLEVEL_VERSION=67
+ 
+ MAGICK_VERSION=6.9.10-67
+ 
+-MAGICK_GIT_REVISION=14843:618d759:20190929
+MAGICK_GIT_REVISION=16484:c5e7a8bbe:20210225
+ 
+ 
+ # Substitute library versioning
+diff --git a/magick/cipher.c b/magick/cipher.c
+index da97378..6c74c51 100644
+--- a/magick/cipher.c
+++ b/magick/cipher.c
+@@ -483,8 +483,8 @@ static void EncipherAESBlock(AESInfo *aes_info,const unsigned char *plaintext,
+     Reset registers.
+   */
+   alpha=0;
+-  (void) memset(key,0,sizeof(key));
+-  (void) memset(text,0,sizeof(text));
+  (void) ResetMagickMemory(key,0,sizeof(key));
+  (void) ResetMagickMemory(text,0,sizeof(text));
+ }
+ 
+ /*
+@@ -706,8 +706,8 @@ MagickExport MagickBooleanType PasskeyDecipherImage(Image *image,
+   */
+   quantum_info=DestroyQuantumInfo(quantum_info);
+   aes_info=DestroyAESInfo(aes_info);
+-  (void) memset(input_block,0,sizeof(input_block));
+-  (void) memset(output_block,0,sizeof(output_block));
+  (void) ResetMagickMemory(input_block,0,sizeof(input_block));
+  (void) ResetMagickMemory(output_block,0,sizeof(output_block));
+   return(y == (ssize_t) image->rows ? MagickTrue : MagickFalse);
+ }
+ 
+@@ -923,8 +923,8 @@ MagickExport MagickBooleanType PasskeyEncipherImage(Image *image,
+   */
+   quantum_info=DestroyQuantumInfo(quantum_info);
+   aes_info=DestroyAESInfo(aes_info);
+-  (void) memset(input_block,0,sizeof(input_block));
+-  (void) memset(output_block,0,sizeof(output_block));
+  (void) ResetMagickMemory(input_block,0,sizeof(input_block));
+  (void) ResetMagickMemory(output_block,0,sizeof(output_block));
+   return(y == (ssize_t) image->rows ? MagickTrue : MagickFalse);
+ }
+ 
+diff --git a/magick/colorspace.c b/magick/colorspace.c
+index 4e68c21..0a3e368 100644
+--- a/magick/colorspace.c
+++ b/magick/colorspace.c
+@@ -737,15 +737,15 @@ MagickExport MagickBooleanType RGBTransformImage(Image *image,
+       if (logmap == (Quantum *) NULL)
+         ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
+           image->filename);
+-      black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002/
+-        film_gamma);
+      black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002*
+        PerceptibleReciprocal(film_gamma));
+ #if defined(MAGICKCORE_OPENMP_SUPPORT)
+       #pragma omp parallel for schedule(static)
+ #endif
+       for (i=0; i <= (ssize_t) MaxMap; i++)
+         logmap[i]=ScaleMapToQuantum((MagickRealType) (MaxMap*(reference_white+
+-          log10(black+(1.0*i/MaxMap)*(1.0-black))/((gamma/density)*0.002/
+-          film_gamma))/1024.0));
+          log10(black+(1.0*i/MaxMap)*(1.0-black))/((gamma/density)*0.002*
+          PerceptibleReciprocal(film_gamma)))/1024.0));
+       image_view=AcquireAuthenticCacheView(image,exception);
+ #if defined(MAGICKCORE_OPENMP_SUPPORT)
+       #pragma omp parallel for schedule(static) shared(status) \
+@@ -2396,14 +2396,14 @@ MagickExport MagickBooleanType TransformRGBImage(Image *image,
+       if (logmap == (Quantum *) NULL)
+         ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
+           image->filename);
+-      black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002/
+-        film_gamma);
+      black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002*
+        PerceptibleReciprocal(film_gamma));
+       for (i=0; i <= (ssize_t) (reference_black*MaxMap/1024.0); i++)
+         logmap[i]=(Quantum) 0;
+       for ( ; i < (ssize_t) (reference_white*MaxMap/1024.0); i++)
+         logmap[i]=ClampToQuantum((MagickRealType) QuantumRange/(1.0-black)*
+-          (pow(10.0,(1024.0*i/MaxMap-reference_white)*(gamma/density)*0.002/
+-          film_gamma)-black));
+          (pow(10.0,(1024.0*i/MaxMap-reference_white)*(gamma/density)*0.002*
+          PerceptibleReciprocal(film_gamma))-black));
+       for ( ; i <= (ssize_t) MaxMap; i++)
+         logmap[i]=QuantumRange;
+       if (image->storage_class == PseudoClass)
+diff --git a/magick/memory.c b/magick/memory.c
+index 487eaa7..791c1a4 100644
+--- a/magick/memory.c
+++ b/magick/memory.c
+@@ -1190,25 +1190,36 @@ MagickExport MemoryInfo *RelinquishVirtualMemory(MemoryInfo *memory_info)
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ %
+ %  ResetMagickMemory() fills the first size bytes of the memory area pointed to
+-%  by memory with the constant byte c.
+%  by memory with the constant byte c.  We use a volatile pointer when
+%  updating the byte string.  Most compilers will avoid optimizing away access
+%  to a volatile pointer, even if the pointer appears to be unused after the
+%  call.
+ %
+ %  The format of the ResetMagickMemory method is:
+ %
+-%      void *ResetMagickMemory(void *memory,int byte,const size_t size)
+%      void *ResetMagickMemory(void *memory,int c,const size_t size)
+ %
+ %  A description of each parameter follows:
+ %
+ %    o memory: a pointer to a memory allocation.
+ %
+-%    o byte: set the memory to this value.
+%    o c: set the memory to this value.
+ %
+ %    o size: size of the memory to reset.
+ %
+ */
+-MagickExport void *ResetMagickMemory(void *memory,int byte,const size_t size)
+MagickExport void *ResetMagickMemory(void *memory,int c,const size_t size)
+ {
+  volatile unsigned char
+    *p = memory;
+
+  size_t
+    n = size;
+
+   assert(memory != (void *) NULL);
+-  return(memset(memory,byte,size));
+  while (n-- != 0)
+    *p++=(unsigned char) c;
+  return(memory);
+ }
+ 
+ /*
+diff --git a/magick/signature.c b/magick/signature.c
+index d8b100b..7edc295 100644
+--- a/magick/signature.c
+++ b/magick/signature.c
+@@ -720,7 +720,7 @@ RestoreMSCWarning
+   T=0;
+   T1=0;
+   T2=0;
+-  (void) memset(W,0,sizeof(W));
+  (void) ResetMagickMemory(W,0,sizeof(W));
+ }
+ 
+ /*
+-- 
+2.23.0
+
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@ -1,7 +1,7 @@
 Name:           ImageMagick
 Epoch:          1
 Version:        6.9.10.67
-Release:        22
+Release:        23
 Summary:        Create, edit, compose, or convert bitmap images
 License:        ImageMagick and MIT
 Url:            http://www.imagemagick.org/
@ -55,6 +55,8 @@ Patch0045:      CVE-2020-25675.patch
 Patch0046:      CVE-2020-27755.patch
 Patch0047:      CVE-2019-18853.patch
 Patch0048:      CVE-2020-27752.patch
+Patch0049:      CVE-2021-20309.patch
+Patch0050:      CVE-2021-20311-20312-20313.patch

 BuildRequires:  bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires:  libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -211,6 +213,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick++*

 %changelog
+* Thu May 20 2021 wangyue <wangyue92@huawei.com> - 6.9.10.67-23
+- Fix CVE-2021-20309 CVE-2021-20311 CVE-2021-20312 CVE-2021-20313
+
 * Thu Apr 29 2021 wangyue <wangyue92@huawei.com> - 6.9.10.67-22
 - Fix CVE-2020-27752