ImageMagick/CVE-2021-20311-20312-20313.patch


From 1e48a746b0b1c34b2bdc2ae8cfa094d69ce50aa3 Mon Sep 17 00:00:00 2001
From: Cristy <mikayla-grace@urban-warrior.org>
Date: Thu, 25 Feb 2021 17:03:18 -0500
Subject: [PATCH] possible divide by zero + clear buffers
---
coders/thumbnail.c | 3 ++-
configure | 2 +-
magick/cipher.c | 12 ++++++------
magick/colorspace.c | 16 ++++++++--------
magick/memory.c | 21 ++++++++++++++++-----
magick/signature.c | 2 +-
6 files changed, 34 insertions(+), 22 deletions(-)
diff --git a/coders/thumbnail.c b/coders/thumbnail.c
index 21895a9..73917fc 100644
--- a/coders/thumbnail.c
+++ b/coders/thumbnail.c
@@ -198,7 +198,8 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info,
break;
q++;
}
- if ((q+length) > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)))
+ if ((q > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) ||
+ (length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
thumbnail_image=BlobToImage(image_info,q,length,&image->exception);
if (thumbnail_image == (Image *) NULL)
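Review bot: The rewritten bounds test in WriteTHUMBNAILImage has no comment explaining why the subtraction form replaced `q+length`, and it evaluates `GetStringInfoDatum(profile)+GetStringInfoLength(profile)` twice. A short comment above the `if` would keep a later cleanup from folding it back into the pointer addition, e.g. `/* Compare length with the bytes left after q; q+length can wrap past the end of the profile. */`. It is also worth noting there that the `q > end` clause is what keeps `end-q` non-negative before it is compared with `length`. Hoisting the end pointer into a local would make both clauses easier to read, but the declarations of this function are outside the hunk.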
diff --git a/configure b/configure
index 6f61a2f..65efc18 100755
--- a/configure
+++ b/configure
@@ -4573,7 +4573,7 @@ MAGICK_PATCHLEVEL_VERSION=67
MAGICK_VERSION=6.9.10-67
-MAGICK_GIT_REVISION=14843:618d759:20190929
+MAGICK_GIT_REVISION=16484:c5e7a8bbe:20210225
# Substitute library versioning
diff --git a/magick/cipher.c b/magick/cipher.c
index da97378..6c74c51 100644
--- a/magick/cipher.c
+++ b/magick/cipher.c
@@ -483,8 +483,8 @@ static void EncipherAESBlock(AESInfo *aes_info,const unsigned char *plaintext,
Reset registers.
*/
alpha=0;
- (void) memset(key,0,sizeof(key));
- (void) memset(text,0,sizeof(text));
+ (void) ResetMagickMemory(key,0,sizeof(key));
+ (void) ResetMagickMemory(text,0,sizeof(text));
}
/*
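Review bot: In EncipherAESBlock, `alpha=0;` is still a plain store made just before the function returns, so the compiler may drop it as a dead store even though `key` and `text` are now wiped through ResetMagickMemory(). The same holds for `T=0; T1=0; T2=0;` ahead of the `W` wipe in the magick/signature.c hunk. If these scalars hold key- or message-derived state that should not linger, clear them the same way, e.g. `(void) ResetMagickMemory(&alpha,0,sizeof(alpha));`. Their declarations are outside both hunks, so confirm that they are automatic variables before changing them.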
@@ -706,8 +706,8 @@ MagickExport MagickBooleanType PasskeyDecipherImage(Image *image,
*/
quantum_info=DestroyQuantumInfo(quantum_info);
aes_info=DestroyAESInfo(aes_info);
- (void) memset(input_block,0,sizeof(input_block));
- (void) memset(output_block,0,sizeof(output_block));
+ (void) ResetMagickMemory(input_block,0,sizeof(input_block));
+ (void) ResetMagickMemory(output_block,0,sizeof(output_block));
return(y == (ssize_t) image->rows ? MagickTrue : MagickFalse);
}
@@ -923,8 +923,8 @@ MagickExport MagickBooleanType PasskeyEncipherImage(Image *image,
*/
quantum_info=DestroyQuantumInfo(quantum_info);
aes_info=DestroyAESInfo(aes_info);
- (void) memset(input_block,0,sizeof(input_block));
- (void) memset(output_block,0,sizeof(output_block));
+ (void) ResetMagickMemory(input_block,0,sizeof(input_block));
+ (void) ResetMagickMemory(output_block,0,sizeof(output_block));
return(y == (ssize_t) image->rows ? MagickTrue : MagickFalse);
}
diff --git a/magick/colorspace.c b/magick/colorspace.c
index 4e68c21..0a3e368 100644
--- a/magick/colorspace.c
+++ b/magick/colorspace.c
@@ -737,15 +737,15 @@ MagickExport MagickBooleanType RGBTransformImage(Image *image,
if (logmap == (Quantum *) NULL)
ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
image->filename);
- black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002/
- film_gamma);
+ black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002*
+ PerceptibleReciprocal(film_gamma));
#if defined(MAGICKCORE_OPENMP_SUPPORT)
#pragma omp parallel for schedule(static)
#endif
for (i=0; i <= (ssize_t) MaxMap; i++)
logmap[i]=ScaleMapToQuantum((MagickRealType) (MaxMap*(reference_white+
- log10(black+(1.0*i/MaxMap)*(1.0-black))/((gamma/density)*0.002/
- film_gamma))/1024.0));
+ log10(black+(1.0*i/MaxMap)*(1.0-black))/((gamma/density)*0.002*
+ PerceptibleReciprocal(film_gamma)))/1024.0));
image_view=AcquireAuthenticCacheView(image,exception);
#if defined(MAGICKCORE_OPENMP_SUPPORT)
#pragma omp parallel for schedule(static) shared(status) \
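Review bot: Only `film_gamma` is guarded in RGBTransformImage, so the `log10(...)` term in the `logmap[i]` loop is still divided by `((gamma/density)*0.002*PerceptibleReciprocal(film_gamma))`, which is zero whenever `gamma` is zero, and `gamma/density` itself is unguarded. The TransformRGBImage hunk has the same kind of leftover in `QuantumRange/(1.0-black)`, where `black` evaluates to 1.0 if the exponent is zero. Where these values come from is outside the hunks, so this matters only if they can be influenced by image properties. If they can, the remaining divisors could take the same treatment, e.g. `log10(...)*PerceptibleReciprocal((gamma/density)*0.002*PerceptibleReciprocal(film_gamma))` and `QuantumRange*PerceptibleReciprocal(1.0-black)`. A one-line comment at each site saying the reciprocal helper is there to avoid a divide by zero would also help later readers.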
@@ -2396,14 +2396,14 @@ MagickExport MagickBooleanType TransformRGBImage(Image *image,
if (logmap == (Quantum *) NULL)
ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
image->filename);
- black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002/
- film_gamma);
+ black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002*
+ PerceptibleReciprocal(film_gamma));
for (i=0; i <= (ssize_t) (reference_black*MaxMap/1024.0); i++)
logmap[i]=(Quantum) 0;
for ( ; i < (ssize_t) (reference_white*MaxMap/1024.0); i++)
logmap[i]=ClampToQuantum((MagickRealType) QuantumRange/(1.0-black)*
- (pow(10.0,(1024.0*i/MaxMap-reference_white)*(gamma/density)*0.002/
- film_gamma)-black));
+ (pow(10.0,(1024.0*i/MaxMap-reference_white)*(gamma/density)*0.002*
+ PerceptibleReciprocal(film_gamma))-black));
for ( ; i <= (ssize_t) MaxMap; i++)
logmap[i]=QuantumRange;
if (image->storage_class == PseudoClass)
diff --git a/magick/memory.c b/magick/memory.c
index 487eaa7..791c1a4 100644
--- a/magick/memory.c
+++ b/magick/memory.c
@@ -1190,25 +1190,36 @@ MagickExport MemoryInfo *RelinquishVirtualMemory(MemoryInfo *memory_info)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
% ResetMagickMemory() fills the first size bytes of the memory area pointed to
-% by memory with the constant byte c.
+% by memory with the constant byte c. We use a volatile pointer when
+% updating the byte string. Most compilers will avoid optimizing away access
+% to a volatile pointer, even if the pointer appears to be unused after the
+% call.
%
% The format of the ResetMagickMemory method is:
%
-% void *ResetMagickMemory(void *memory,int byte,const size_t size)
+% void *ResetMagickMemory(void *memory,int c,const size_t size)
%
% A description of each parameter follows:
%
% o memory: a pointer to a memory allocation.
%
-% o byte: set the memory to this value.
+% o c: set the memory to this value.
%
% o size: size of the memory to reset.
%
*/
-MagickExport void *ResetMagickMemory(void *memory,int byte,const size_t size)
+MagickExport void *ResetMagickMemory(void *memory,int c,const size_t size)
{
+ volatile unsigned char
+ *p = memory;
+
+ size_t
+ n = size;
+
assert(memory != (void *) NULL);
- return(memset(memory,byte,size));
+ while (n-- != 0)
+ *p++=(unsigned char) c;
+ return(memory);
}
/*
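Review bot: ResetMagickMemory() now writes one byte per iteration through a volatile pointer for every caller, which trades the speed of `memset` for a wipe that, as the new header comment says, only "most compilers" will preserve. If the function is also used for bulk clearing of large buffers, which is not visible from this hunk, the cost will show there. Consider using a platform secure-zero primitive where the build detects one (`explicit_bzero`, `memset_s`, `SecureZeroMemory`) and keeping the volatile loop as the fallback. Also note that `assert(memory != (void *) NULL)` disappears under NDEBUG, so a NULL `memory` with non-zero `size` is then dereferenced in the loop. The header comment could state that callers must pass a valid pointer.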
diff --git a/magick/signature.c b/magick/signature.c
index d8b100b..7edc295 100644
--- a/magick/signature.c
+++ b/magick/signature.c
@@ -720,7 +720,7 @@ RestoreMSCWarning
T=0;
T1=0;
T2=0;
- (void) memset(W,0,sizeof(W));
+ (void) ResetMagickMemory(W,0,sizeof(W));
}
/*
--
2.23.0