Fix CVE-2020-27750 CVE-2020-25665 CVE-2020-25674

zhanghua1831 2021-03-08 14:42:25 +08:00
parent cc2def3fce
commit fab4e5d592
4 changed files with 95 additions and 1 deletions

40
CVE-2020-25665.patch Normal file

@ -0,0 +1,40 @@
From ca80e93cc887fb8971ceba2eead2c74e2b927df4 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Fri, 4 Oct 2019 18:19:20 -0400
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1714
---
coders/palm.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/coders/palm.c b/coders/palm.c
index 125bab8ff..4cd5522a4 100644
--- a/coders/palm.c
+++ b/coders/palm.c
@@ -779,7 +779,7 @@ static MagickBooleanType WritePALMImage(const ImageInfo *image_info,
{
(void) TransformImageColorspace(image,sRGBColorspace);
count=GetNumberColors(image,NULL,exception);
- for (bits_per_pixel=1; (one << bits_per_pixel) < count; bits_per_pixel*=2) ;
+ for (bits_per_pixel=1; (one << bits_per_pixel) < count; bits_per_pixel*=2) ;
if (bits_per_pixel > 16)
bits_per_pixel=16;
else
@@ -879,7 +879,7 @@ static MagickBooleanType WritePALMImage(const ImageInfo *image_info,
last_row=(unsigned char *) NULL;
if (image_info->compression == FaxCompression)
{
- last_row=(unsigned char *) AcquireQuantumMemory(bytes_per_row,
+ last_row=(unsigned char *) AcquireQuantumMemory(bytes_per_row+256,
sizeof(*last_row));
if (last_row == (unsigned char *) NULL)
{
@@ -887,7 +887,7 @@ static MagickBooleanType WritePALMImage(const ImageInfo *image_info,
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
}
}
- one_row=(unsigned char *) AcquireQuantumMemory(bytes_per_row,
+ one_row=(unsigned char *) AcquireQuantumMemory(bytes_per_row+256,
sizeof(*one_row));
if (one_row == (unsigned char *) NULL)
{
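Review bot: The `+256` added to both `AcquireQuantumMemory` calls in the second and third hunks is an unexplained constant, and nothing visible here initialises the extra bytes. As I understand the CVE, the problem is an out-of-bounds read later in `WritePALMImage`, outside these hunks. The padding therefore only helps if that code never runs more than 256 bytes past `bytes_per_row`, and anything it reads from the slack is indeterminate heap content unless the buffer is cleared. I would add a comment such as `/* 256 bytes of slack: code below can index past bytes_per_row (upstream issue 1714) */` and zero each buffer after its NULL check, e.g. `(void) memset(one_row,0,(bytes_per_row+256)*sizeof(*one_row));`. The first hunk's removed and added `for` lines read identically on this page, so it appears to be a whitespace-only change.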

22
CVE-2020-25674.patch Normal file

@ -0,0 +1,22 @@
From 2fdff8e040cd4401498d89f3c3d1f89cffd118b0 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Fri, 4 Oct 2019 19:00:10 -0400
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1715
---
coders/png.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/coders/png.c b/coders/png.c
index af50b863d..410741059 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -8790,7 +8790,7 @@ static MagickBooleanType WriteOnePNGImage(MngInfo *mng_info,
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
" i (red,green,blue,opacity)");
- for (i=0; i < 256; i++)
+ for (i=0; i < MagickMin(image->colors,256); i++)
{
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
" %d (%d,%d,%d,%d)",
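Review bot: The new loop bound `MagickMin(image->colors,256)` compares `i` against an unsigned colour count and re-evaluates the macro on every pass. The `%d` in the log format suggests `i` is a signed int, though its declaration is outside the hunk. ImageMagick's usual form is an explicit cast, `for (i=0; i < (ssize_t) MagickMin(image->colors,256); i++)`. This loop only feeds `LogMagickEvent` and presumably indexes the colormap, so check whether other loops in `WriteOnePNGImage` with a fixed 256 bound need the same clamp; none are visible here. A short comment, `/* the colormap may hold fewer than 256 entries */`, would record why the bound changed.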

26
CVE-2020-27750.patch Normal file

@ -0,0 +1,26 @@
From c7038e710ad0204d6cb37a0229fc55f6f8a8662f Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Thu, 3 Oct 2019 17:39:55 -0400
Subject: [PATCH] ://github.com/ImageMagick/ImageMagick/issues/1711
---
magick/colorspace-private.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/magick/colorspace-private.h b/magick/colorspace-private.h
index 652e44547..090723756 100644
--- a/magick/colorspace-private.h
+++ b/magick/colorspace-private.h
@@ -75,9 +75,9 @@ static inline void ConvertRGBToCMYK(MagickPixelPacket *pixel)
black=magenta;
if (yellow < black)
black=yellow;
- cyan=(MagickRealType) ((cyan-black)/(1.0-black));
- magenta=(MagickRealType) ((magenta-black)/(1.0-black));
- yellow=(MagickRealType) ((yellow-black)/(1.0-black));
+ cyan=(MagickRealType) (PerceptibleReciprocal(1.0-black)*(cyan-black));
+ magenta=(MagickRealType) (PerceptibleReciprocal(1.0-black)*(magenta-black));
+ yellow=(MagickRealType) (PerceptibleReciprocal(1.0-black)*(yellow-black));
pixel->colorspace=CMYKColorspace;
pixel->red=QuantumRange*cyan;
pixel->green=QuantumRange*magenta;
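Review bot: The three replaced lines each call `PerceptibleReciprocal(1.0-black)`, and the hunk does not show where that helper is declared for `magick/colorspace-private.h`. For a backport onto 6.9.10.67, confirm that the header defining it is already included by this file, since otherwise the patch can apply cleanly and still fail to build. The value could be computed once, e.g. `scale=PerceptibleReciprocal(1.0-black);` followed by `cyan=(MagickRealType) (scale*(cyan-black));`, with `scale` declared alongside the other locals, which sit above the hunk. A comment such as `/* black == 1.0 would divide by zero; use the guarded reciprocal */` would explain why the division was replaced.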


@ -1,7 +1,7 @@
Name: ImageMagick Name: ImageMagick
Epoch: 1 Epoch: 1
Version: 6.9.10.67 Version: 6.9.10.67
Release: 14 Release: 15
Summary: Create, edit, compose, or convert bitmap images Summary: Create, edit, compose, or convert bitmap images
License: ImageMagick and MIT License: ImageMagick and MIT
Url: http://www.imagemagick.org/ Url: http://www.imagemagick.org/
@ -38,6 +38,9 @@ Patch0028: CVE-2020-27773.patch
Patch0029: CVE-2020-27768-pre1.patch Patch0029: CVE-2020-27768-pre1.patch
Patch0030: CVE-2020-27768-pre2.patch Patch0030: CVE-2020-27768-pre2.patch
Patch0031: CVE-2020-27768.patch Patch0031: CVE-2020-27768.patch
Patch0032: CVE-2020-27750.patch
Patch0033: CVE-2020-25665.patch
Patch0034: CVE-2020-25674.patch
BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -194,6 +197,9 @@ rm PerlMagick/demo/Generic.ttf
%{_libdir}/pkgconfig/ImageMagick++* %{_libdir}/pkgconfig/ImageMagick++*
%changelog %changelog
* Mon Mar 8 2021 zhanghua <zhanghua40@huawei.com> - 6.9.10.67-15
- Fix CVE-2020-27750 CVE-2020-25665 CVE-2020-25674
* Wed Mar 03 2021 wangyue <wangyue92@huawei.com> - 6.9.10.67-14 * Wed Mar 03 2021 wangyue <wangyue92@huawei.com> - 6.9.10.67-14
- Fix CVE-2020-27768 - Fix CVE-2020-27768