Hello community, here is the log from the commit of package GraphicsMagick checked in at Thu Apr 19 21:38:26 CEST 2007.
--------
--- GraphicsMagick/GraphicsMagick.changes 2007-02-27 22:49:49.000000000 +0100
+++ /mounts/work_src_done/STABLE/GraphicsMagick/GraphicsMagick.changes 2007-04-19 14:16:51.000000000 +0200
@@ -1,0 +2,7 @@
+Thu Apr 19 14:15:49 CEST 2007 - nadvornik@suse.cz
+
+- fixed various crashes on malformed input, including
+ CVE-2007-1797 and CVE-2007-1667 [#258253]
+- adjusted BuildRequires for libjasper-devel
+
+-------------------------------------------------------------------
New:
----
GraphicsMagick-1.1.7-bug258253.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ GraphicsMagick.spec ++++++
--- /var/tmp/diff_new_pack.X15735/_old 2007-04-19 21:30:31.000000000 +0200
+++ /var/tmp/diff_new_pack.X15735/_new 2007-04-19 21:30:31.000000000 +0200
@@ -10,13 +10,18 @@
 Name: GraphicsMagick
-BuildRequires: cups-client dcraw freetype2-devel gcc-c++ ghostscript-fonts-other ghostscript-fonts-std ghostscript-library glib libjasper liblcms-devel libtiff-devel libwmf-devel libxml2-devel pkgconfig
+BuildRequires: cups-client dcraw freetype2-devel gcc-c++ ghostscript-fonts-other ghostscript-fonts-std ghostscript-library glib liblcms-devel libtiff-devel libwmf-devel libxml2-devel pkgconfig
+%if %suse_version > 1020
+BuildRequires: libjasper-devel
+%else
+BuildRequires: libjasper
+%endif
 # Define Quantum depth
 %define quant 8
 %define base_version 1.1.7
 Summary: Viewer and Converter for Images
 Version: 1.1.7
-Release: 40
+Release: 46
 License: X11/MIT
 Group: Productivity/Graphics/Convertors
 Source: ftp://ftp.GraphicsMagick.org/pub/%{name}/%{name}-%{version}.tar.bz2
@@ -24,6 +29,7 @@ Patch2: %{name}-%{version}-debian-fixed.patch Patch3: %{name}-%{version}-array.patch Patch4: %{name}-%{version}-perl.patch +Patch5: %{name}-%{version}-bug258253.patch URL: http://www.GraphicsMagick.org/ Autoreqprov: on BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -161,6 +167,7 @@ %patch2 -p1 %patch3 %patch4 +%patch5 %build # do not run autoreconf @@ -247,8 +254,8 @@ %{_includedir}/%{name}/wand/* %dir %{_includedir}/%{name}/magick %{_includedir}/%{name}/magick/* -%{_libdir}/lib%{name}Wand.*a -%{_libdir}/lib%{name}.*a +%{_libdir}/lib%{name}Wand.la +%{_libdir}/lib%{name}.la %{_libdir}/lib%{name}.so %dir %{_libdir}/%{name}-%{base_version}/modules-Q%{quant} %{_libdir}/pkgconfig/%{name}.pc @@ -277,13 +284,17 @@ %dir %{_includedir}/%{name}/Magick++ %{_includedir}/%{name}/Magick++.h %{_includedir}/%{name}/Magick++/* -%{_libdir}/lib%{name}++.*a +%{_libdir}/lib%{name}++.la %{_libdir}/lib%{name}++.so %{_libdir}/pkgconfig/%{name}++.pc %attr(755, root, root) %{_bindir}/%{name}++-config %doc %{_mandir}/man1/%{name}++-config.1.gz %changelog +* Thu Apr 19 2007 - nadvornik@suse.cz +- fixed various crashes on malformed input, including + CVE-2007-1797 and CVE-2007-1667 [#258253] +- adjusted BuildRequires for libjasper-devel * Tue Feb 27 2007 - dmueller@suse.de - reduce buildrequires * Thu Feb 22 2007 - nadvornik@suse.cz ++++++ GraphicsMagick-1.1.7-bug258253.patch ++++++ --- coders/bmp.c +++ coders/bmp.c @@ -841,7 +841,8 @@ packet_size=3; else packet_size=4; - (void) SeekBlob(image,start_position+14+bmp_info.size,SEEK_SET); + if (SeekBlob(image,start_position+14+bmp_info.size,SEEK_SET) == -1) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image) (void) ReadBlob(image,packet_size*image->colors,(char *) bmp_colormap); p=bmp_colormap; for (i=0; i < (long) image->colors; i++) 
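Review bot: Narrowing `%{_libdir}/lib%{name}Wand.*a` and `%{_libdir}/lib%{name}.*a` to `.la` in the -247 hunk stops the file list from matching the static `.a` archives; if the build still produces them, rpmbuild will stop on unpackaged files unless configure is run with `--disable-static` (not visible here), and if they are meant to be dropped from the package the changelog entry does not say so. The -277 hunk makes the same change for `lib%{name}++`.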
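Review bot: The new SeekBlob check only catches a seek the blob layer refuses; if SeekBlob behaves like fseek on file-backed blobs, a seek past the end succeeds, and the colormap read on the next line, still `(void) ReadBlob(image,packet_size*image->colors,(char *) bmp_colormap)`, can return short and leave the tail of `bmp_colormap` uninitialized for the loop that follows. Compare the returned count with `packet_size*image->colors` and throw `CorruptImageError,ImproperImageHeader` on a mismatch, the way the pcx.c hunks already use `count=ReadBlob(...)`. The same seek-only guard is added in bmp.c at -860 and -1262, cineon.c -216, icon.c -196 and pcx.c -277/-594; wherever a fixed-size read follows, the read count is what actually bounds the data. ReadBMPImage starts before this hunk, so the allocation size of `bmp_colormap` is not visible here.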
@@ -860,7 +861,8 @@ /* Read image data. */ - (void) SeekBlob(image,start_position+bmp_info.offset_bits,SEEK_SET); + if (SeekBlob(image,start_position+bmp_info.offset_bits,SEEK_SET) == -1) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image) if (bmp_info.compression == BI_RLE4) bmp_info.bits_per_pixel<<=1; bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32); @@ -1262,7 +1264,8 @@ break; *magick='\0'; if (bmp_info.ba_offset != 0) - (void) SeekBlob(image,bmp_info.ba_offset,SEEK_SET); + if (SeekBlob(image,bmp_info.ba_offset,SEEK_SET) == -1) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image) (void) ReadBlob(image,2,(char *) magick); if (IsBMP(magick,2)) { --- coders/cineon.c +++ coders/cineon.c @@ -216,7 +216,8 @@ (void) ReadBlobByte(image); image->columns= ReadBlobMSBLong(image); image->rows= ReadBlobMSBLong(image); - (void) SeekBlob(image,headersize,SEEK_SET); + if (SeekBlob(image,headersize,SEEK_SET) == -1) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); if (image_info->ping) { CloseBlob(image); --- coders/dcm.c +++ coders/dcm.c @@ -2890,6 +2890,9 @@ else if ((quantum != 0) && (length != 0)) { + /* new check for CVE-2007-1797 */ + if (length > ((~0UL)/quantum)) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); data=MagickAllocateMemory(unsigned char *,quantum*(length+1)); if (data == (unsigned char *) NULL) ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); --- coders/icon.c +++ coders/icon.c 
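Review bot: `bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32)` right after the new seek check multiplies two header-controlled values with no wrap or range test in the hunk, and the preceding `bmp_info.bits_per_pixel<<=1` for BI_RLE4 doubles one of them; unless ReadBMPImage validates them earlier (the function starts above the hunk), bound bits_per_pixel to the values the decoder handles and test `image->columns > (~0UL-31)/bmp_info.bits_per_pixel` before this line, in the spirit of the division guards this patch adds in dcm.c and xwd.c. The seek check itself has the caveat noted at the -841 hunk: a seek past the end is not rejected, only the count of the subsequent read shows whether pixel data is actually present.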
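Review bot: Replacing the single seek statement under `if (bmp_info.ba_offset != 0)` with a nested `if` in the -1262 hunk leaves two unbraced conditionals in a row before `(void) ReadBlob(image,2,(char *) magick)`; wrap the outer body in braces so a later `else` or an added statement cannot bind to the wrong `if`. The same unbraced nesting is introduced in pcx.c at -277 (`if (page_table != ...) if (SeekBlob(...)`). This file's three hunks also write `ThrowReaderException(...)` without a trailing `;` while cineon.c, icon.c and pcx.c add one; both compile because the macro expands to a block, but one form should be used throughout the patch.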
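Review bot: In the dcm.c hunk the bound is off by one for the allocation it protects: the next line multiplies `quantum*(length+1)`, and with `length == (~0UL)/quantum` the check passes while the product wraps (quantum = 2 yields a 0-byte allocation). Use `if (length >= ((~0UL)/quantum))`, which is exactly the condition `length+1 > ~0UL/quantum`. The types of `length` and `quantum` are declared outside the hunk; the expression assumes both are unsigned or non-negative.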
@@ -196,12 +196,15 @@ /* Verify Icon identifier. */ - (void) SeekBlob(image,icon_file.directory[i].offset,SEEK_SET); + if (SeekBlob(image,icon_file.directory[i].offset,SEEK_SET) == -1) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); icon_info.size=ReadBlobLSBLong(image); icon_info.width=ReadBlobLSBLong(image); icon_info.height=ReadBlobLSBLong(image); icon_info.planes=ReadBlobLSBShort(image); icon_info.bits_per_pixel=ReadBlobLSBShort(image); + if (icon_info.bits_per_pixel > 32) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); icon_info.compression=ReadBlobLSBLong(image); icon_info.image_size=ReadBlobLSBLong(image); icon_info.x_pixels=ReadBlobLSBLong(image); @@ -212,7 +215,7 @@ image->columns=icon_info.width; image->rows=icon_info.height; image->depth=8; - if ((icon_info.number_colors != 0) || (icon_info.bits_per_pixel < 16)) + if ((icon_info.number_colors != 0) || (icon_info.bits_per_pixel <= 16)) { image->storage_class=PseudoClass; image->colors=icon_info.number_colors; --- coders/pcx.c +++ coders/pcx.c @@ -277,7 +277,9 @@ } } if (page_table != (ExtendedSignedIntegralType *) NULL) - (void) SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET); + if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET) + == -1) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); count=ReadBlob(image,1,(char *) &pcx_info.identifier); for (id=1; id < 1024; id++) { 
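Review bot: The added range check rejects `icon_info.bits_per_pixel > 32` but accepts 0, and the -212 hunk then routes a zero value into the PseudoClass branch; unless a later switch rejects it (ReadIconImage continues outside the hunk), use `if (icon_info.bits_per_pixel == 0 || icon_info.bits_per_pixel > 32)`. `icon_info.width` and `icon_info.height` from ReadBlobLSBLong are assigned to `image->columns`/`image->rows` in the next hunk with no bound either, so zero or huge dimensions are also left to later code. The seek check at the top of the hunk shares the caveat noted at the bmp.c -841 hunk.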
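Review bot: Widening the PseudoClass condition from `< 16` to `<= 16` in the -212 hunk changes how 16-bpp icons are decoded, and neither the hunk nor the changelog says why; a comment on the line, e.g. `/* 16-bpp icons are decoded through the colormap path as well */`, keeps the next reader from reverting it. The branch assigns `image->colors=icon_info.number_colors`, so for a 16-bpp icon with number_colors == 0 the colormap size is decided by code outside the hunk, which is worth checking for that newly reachable case.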
@@ -314,7 +316,11 @@ if ((pcx_info.bits_per_pixel != 8) || (pcx_info.planes == 1)) if ((pcx_info.version == 3) || (pcx_info.version == 5) || ((pcx_info.bits_per_pixel*pcx_info.planes) == 1)) - image->colors=1 << (pcx_info.bits_per_pixel*pcx_info.planes); + { + image->colors=1 << (pcx_info.bits_per_pixel*pcx_info.planes); + if (image->colors > 256) + image->colors = 256; + } if (!AllocateImageColormap(image,image->colors)) ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); if ((pcx_info.bits_per_pixel >= 8) && (pcx_info.planes != 1)) @@ -339,7 +345,7 @@ pcx_packets=(unsigned long) image->rows*pcx_info.bytes_per_line*pcx_info.planes; pcx_pixels=MagickAllocateMemory(unsigned char *,pcx_packets); scanline=MagickAllocateMemory(unsigned char *,Max(image->columns, - (unsigned long) pcx_info.bytes_per_line)*pcx_info.planes); + (unsigned long) pcx_info.bytes_per_line)*Max(pcx_info.planes,8)); if ((pcx_pixels == (unsigned char *) NULL) || (scanline == (unsigned char *) NULL)) ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); @@ -594,7 +600,9 @@ break; if (page_table[id] == 0) break; - (void) SeekBlob(image,(ExtendedSignedIntegralType) page_table[id],SEEK_SET); + if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[id],SEEK_SET) + == -1) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); count=ReadBlob(image,1,(char *) &pcx_info.identifier); if ((count != 0) && (pcx_info.identifier == 0x0a)) { --- coders/pict.c +++ coders/pict.c @@ -65,6 +65,10 @@ pixmap.plane_bytes=ReadBlobMSBLong(image); \ pixmap.table=ReadBlobMSBLong(image); \ pixmap.reserved=ReadBlobMSBLong(image); \ + if (pixmap.bits_per_pixel <= 0 || pixmap.bits_per_pixel > 32 || \ + pixmap.component_count <= 0 || pixmap.component_count > 4 || \ + pixmap.component_size <= 0) \ + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); \ } #define ReadRectangle(rectangle) \ 
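Review bot: The clamp to 256 comes after `1 << (pcx_info.bits_per_pixel*pcx_info.planes)` has already been evaluated, and with header bytes such as bits_per_pixel 16 and planes 2 the shift count is 32 or more, which is undefined behaviour on an `int` before the clamp can act. Test the shift count instead of the result: `if ((pcx_info.bits_per_pixel*pcx_info.planes) > 8) image->colors=256; else image->colors=1 << (pcx_info.bits_per_pixel*pcx_info.planes);`. The types of the two fields are declared outside the hunk; if they are bytes the product stays well within `int`, so only the shift needs guarding.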
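Review bot: `Max(pcx_info.planes,8)` in the -339 hunk is a bare constant whose reason is not stated; if the scanline buffer must hold eight expanded pixels per packed byte for the 1-bpp path, say so on the line, e.g. `/* 1-bpp scanlines expand to 8 pixels per byte */`, so the floor is not removed later. The sizes on these lines are products of header fields, `image->rows*pcx_info.bytes_per_line*pcx_info.planes` and `Max(...)*Max(pcx_info.planes,8)`, with no wrap check, unlike the division guards this patch adds in dcm.c and xwd.c; a `image->rows > ~0UL/(pcx_info.bytes_per_line*pcx_info.planes)` test before the allocation would close that gap. ReadPCXImage continues outside the hunk, so later per-row bounds may exist.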
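Review bot: ReadPixmap in the pict.c -65 hunk now ends in ThrowReaderException, so every call site returns from the enclosing reader when a field is out of range, and anything the caller allocated before the call is not released; neither the macro nor its uses (outside the hunk) say so. Add a comment above the macro, `/* On an invalid pixmap header this returns from the calling reader via ThrowReaderException. */`, and the same above ReadRectangle in the -73 hunk, which gets the same behaviour. The new checks bound `bits_per_pixel` and `component_count` but leave `component_size` with only a `<= 0` test; if later code uses it as a shift count or multiplier, an upper bound belongs here too.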
@@ -73,6 +77,9 @@ rectangle.left=ReadBlobMSBShort(image); \ rectangle.bottom=ReadBlobMSBShort(image); \ rectangle.right=ReadBlobMSBShort(image); \ + if (rectangle.top > rectangle.bottom || \ + rectangle.left > rectangle.right) \ + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); \ } typedef struct _PICTCode --- coders/png.c +++ coders/png.c @@ -4622,6 +4622,8 @@ continue; } #ifdef MNG_INSERT_LAYERS + if (length < 8) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); image_width=mng_get_long(p); image_height=mng_get_long(&p[4]); #endif --- coders/pnm.c +++ coders/pnm.c @@ -204,6 +204,20 @@ return(value); } +#define ValidateScalingIndex(image, index, max) \ + do { \ + if (index < 0 || index > max) \ + ThrowReaderException(CorruptImageError,CorruptImage, \ + image); \ + } while (0) + +#define ValidateScalingPixel(image, pixel, max) \ + do { \ + ValidateScalingIndex(image, pixel.red, max); \ + ValidateScalingIndex(image, pixel.green, max); \ + ValidateScalingIndex(image, pixel.blue, max); \ + } while (0) + static Image *ReadPNMImage(const ImageInfo *image_info,ExceptionInfo *exception) { char @@ -387,6 +401,7 @@ for (x=0; x < (long) image->columns; x++) { intensity=PNMInteger(image,10); + ValidateScalingIndex(image, intensity, max_value); if (scale != (unsigned long *) NULL) intensity=scale[intensity]; index=intensity; @@ -418,6 +433,7 @@ pixel.red=PNMInteger(image,10); pixel.green=PNMInteger(image,10); pixel.blue=PNMInteger(image,10); + ValidateScalingPixel(image, pixel, max_value); if (scale != (unsigned long *) NULL) { pixel.red=scale[pixel.red]; @@ -562,6 +578,7 @@ pixel.red=(*p++); pixel.green=(*p++); pixel.blue=(*p++); + ValidateScalingPixel(image, pixel, max_value); if (scale != (unsigned long *) NULL) { pixel.red=scale[pixel.red]; 
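Review bot: The new `length < 8` guard in the png.c hunk throws from inside the chunk loop while `p` still points at data the loop obtained for this chunk (ReadMNGImage and its per-chunk allocation start outside the hunk), so unless the function's other error paths throw without cleanup too, this path leaks the chunk buffer. Mirror the surrounding error handling before the throw, or validate the length where the chunk is read so nothing is allocated yet. The check sits inside `#ifdef MNG_INSERT_LAYERS`, which is right as long as `p[4]` is only dereferenced under that define.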
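Review bot: ValidateScalingIndex in the pnm.c -204 hunk uses its `index` and `max` arguments bare in `index < 0 || index > max`, so an argument containing an operator would change the comparison; parenthesize them, `if ((index) < 0 || (index) > (max))`. If PNMInteger returns an unsigned type (its body ends just above the hunk but its signature is not visible), `index < 0` is always false at the -387 call site and compilers warn on it; the `> max` half is the one that protects the `scale[...]` lookups in the -387, -418, -562 and -582 hunks. Both macros end in ThrowReaderException, i.e. they return from the calling reader, which deserves a line above them such as `/* Returns from the enclosing reader via ThrowReaderException on an out-of-range sample. */`.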
@@ -582,6 +599,7 @@ p+=2; pixel.blue=(*p << 8) | *(p+1); p+=2; + ValidateScalingPixel(image, pixel, max_value); if (scale != (unsigned long *) NULL) { pixel.red=scale[pixel.red]; --- coders/sun.c +++ coders/sun.c @@ -290,6 +290,8 @@ sun_info.maplength=ReadBlobMSBLong(image); image->columns= sun_info.width; image->rows= sun_info.height; + if (sun_info.depth == 0 || sun_info.depth > 32) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); image->depth=sun_info.depth <= 8 ? 8 : QuantumDepth; if (sun_info.depth < 24) { 
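Review bot: `sun_info.depth == 0 || sun_info.depth > 32` in the sun.c -290 hunk admits depths such as 2, 4 or 16 that the pixel loops in the -427 hunk do not appear to handle (they consume one byte per index or 3/4 bytes per pixel); if the decoder only supports 1, 8, 24 and 32, make the check a whitelist of those values so a malformed depth fails here with ImproperImageHeader instead of relying on the later length checks. The type of `sun_info.depth` is declared outside the hunk; the `== 0` half is sufficient only if it is unsigned, otherwise add `< 0`.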
@@ -427,62 +429,75 @@ } else if (image->storage_class == PseudoClass) - for (y=0; y < (long) image->rows; y++) { - q=SetImagePixels(image,0,y,image->columns,1); - if (q == (PixelPacket *) NULL) - break; - indexes=GetIndexes(image); - for (x=0; x < (long) image->columns; x++) - indexes[x]=(*p++); - if ((image->columns % 2) != 0) - p++; - if (!SyncImagePixels(image)) - break; - if (image->previous == (Image *) NULL) - if (QuantumTick(y,image->rows)) - if (!MagickMonitor(LoadImageText,y,image->rows,exception)) - break; - } + unsigned long n = image->rows*(image->columns+image->columns%2); + if ((sun_info.type == RT_ENCODED && n > bytes_per_line*image->rows) || + (sun_info.type != RT_ENCODED && n > sun_info.length)) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); + for (y=0; y < (long) image->rows; y++) + { + q=SetImagePixels(image,0,y,image->columns,1); + if (q == (PixelPacket *) NULL) + break; + indexes=GetIndexes(image); + for (x=0; x < (long) image->columns; x++) + indexes[x]=(*p++); + if ((image->columns % 2) != 0) + p++; + if (!SyncImagePixels(image)) + break; + if (image->previous == (Image *) NULL) + if (QuantumTick(y,image->rows)) + if (!MagickMonitor(LoadImageText,y,image->rows,exception)) + break; + } + } else - for (y=0; y < (long) image->rows; y++) { - q=SetImagePixels(image,0,y,image->columns,1); - if (q == (PixelPacket *) NULL) - break; - for (x=0; x < (long) image->columns; x++) + unsigned long n = image->columns*((image->matte) ? 
4 : 3); + n = image->rows*(n+image->columns%2); + if ((sun_info.type == RT_ENCODED && n > bytes_per_line*image->rows) || + (sun_info.type != RT_ENCODED && n > sun_info.length)) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); + for (y=0; y < (long) image->rows; y++) { - if (image->matte) - q->opacity=(Quantum) (MaxRGB-ScaleCharToQuantum(*p++)); - if (sun_info.type == RT_STANDARD) - { - q->blue=ScaleCharToQuantum(*p++); - q->green=ScaleCharToQuantum(*p++); - q->red=ScaleCharToQuantum(*p++); - } - else - { - q->red=ScaleCharToQuantum(*p++); - q->green=ScaleCharToQuantum(*p++); - q->blue=ScaleCharToQuantum(*p++); - } - if (image->colors != 0) - { - q->red=image->colormap[q->red].red; - q->green=image->colormap[q->green].green; - q->blue=image->colormap[q->blue].blue; - } - q++; + q=SetImagePixels(image,0,y,image->columns,1); + if (q == (PixelPacket *) NULL) + break; + for (x=0; x < (long) image->columns; x++) + { + if (image->matte) + q->opacity=(Quantum) (MaxRGB-ScaleCharToQuantum(*p++)); + if (sun_info.type == RT_STANDARD) + { + q->blue=ScaleCharToQuantum(*p++); + q->green=ScaleCharToQuantum(*p++); + q->red=ScaleCharToQuantum(*p++); + } + else + { + q->red=ScaleCharToQuantum(*p++); + q->green=ScaleCharToQuantum(*p++); + q->blue=ScaleCharToQuantum(*p++); + } + if (image->colors != 0) + { + q->red=image->colormap[q->red].red; + q->green=image->colormap[q->green].green; + q->blue=image->colormap[q->blue].blue; + } + q++; + } + if (((image->columns % 2) != 0) && (image->matte == False)) + p++; + if (!SyncImagePixels(image)) + break; + if (image->previous == (Image *) NULL) + if (QuantumTick(y,image->rows)) + if (!MagickMonitor(LoadImageText,y,image->rows,exception)) + break; } - if (((image->columns % 2) != 0) && (image->matte == False)) - p++; - if (!SyncImagePixels(image)) - break; - if (image->previous == (Image *) NULL) - if (QuantumTick(y,image->rows)) - if (!MagickMonitor(LoadImageText,y,image->rows,exception)) - break; - } + } if 
(image->storage_class == PseudoClass) SyncImage(image); MagickFreeMemory(sun_pixels); --- coders/xwd.c +++ coders/xwd.c @@ -208,6 +208,10 @@ if (header.header_size < sz_XWDheader) ThrowReaderException(CorruptImageError,CorruptImage,image); length=header.header_size-sz_XWDheader; + /* new check for CVE-2007-1797 */ + if (length > ((~0UL)/sizeof(*comment))) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); + comment=MagickAllocateMemory(char *,length+1); if (comment == (char *) NULL) ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); @@ -239,6 +243,13 @@ ximage->red_mask=header.red_mask; ximage->green_mask=header.green_mask; ximage->blue_mask=header.blue_mask; + /* Why those are signed ints is beyond me. */ + if (ximage->depth < 0 || ximage->width < 0 || ximage->height < 0 || + ximage->bitmap_pad < 0 || ximage->bytes_per_line < 0) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); + /* Guard against buffer overflow in libX11. */ + if (ximage->bits_per_pixel > 32 || ximage->bitmap_unit > 32) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); status=XInitImage(ximage); if (status == False) ThrowReaderException(CorruptImageError,UnrecognizedXWDHeader,image); @@ -251,6 +262,10 @@ XWDColor color; + /* new check for CVE-2007-1797 */ + if (length > ((~0UL)/sizeof(*colors))) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); + colors=MagickAllocateMemory(XColor *,header.ncolors*sizeof(XColor)); if (colors == (XColor *) NULL) ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); 
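Review bot: The DirectClass bound adds `image->columns%2` to every row regardless of `image->matte`, but the loop below only skips the pad byte when `image->matte == False`, so an odd-width 32-bit image whose `sun_info.length` is exactly `rows*columns*4` is now rejected as ImproperImageHeader. Both new ThrowReaderException calls also return before the `MagickFreeMemory(sun_pixels)` at the end of the hunk, leaking the pixel buffer (ThrowReaderException destroys the image list, not locals; the buffer's allocation is outside the hunk). The products `image->rows*(...)` and `bytes_per_line*image->rows` can wrap on 32-bit builds for header-sized dimensions, which this patch guards by division in dcm.c and xwd.c but not here. The first branch of this if/else chain starts above the hunk and needs the same bound if it also walks `p`.
```c
      else
        {
          unsigned long n = image->columns*((image->matte) ? 4 : 3);
          /* The loop below skips one pad byte per row only when matte == False. */
          n = image->rows*(n+((image->matte) ? 0 : image->columns%2));
          if ((sun_info.type == RT_ENCODED && n > bytes_per_line*image->rows) ||
              (sun_info.type != RT_ENCODED && n > sun_info.length))
            {
              MagickFreeMemory(sun_pixels);  /* the cleanup at the end is not reached */
              ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
            }
          /* ... unchanged: per-row DirectClass pixel loop ... */
```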
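Review bot: In the xwd.c -208 hunk `comment` is a `char *` (see `MagickAllocateMemory(char *,length+1)` and `(char *) NULL`), so `sizeof(*comment)` is 1 and `length > (~0UL)/1` can never be true; the guard is dead code. What the allocation actually needs is that `length+1` does not wrap, which a 32-bit `header.header_size` already rules out on common targets (the header type is outside the hunk); if a guard is wanted, make it one that can fire, such as a reasonableness cap on the comment length before the read that follows, otherwise drop it so `/* new check for CVE-2007-1797 */` does not advertise a protection that is not there.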
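Review bot: The guard in the xwd.c -251 hunk tests `length`, but the allocation on the next line is sized by `header.ncolors*sizeof(XColor)`; unless `length` is assigned `header.ncolors` in the lines between this hunk and -239 (not visible), the check guards the wrong quantity and the product can still wrap. Test the value that is actually multiplied: `if (header.ncolors > ((~0UL)/sizeof(*colors)))`.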
@@ -281,11 +296,23 @@ /* Allocate the pixel buffer. */ - if (ximage->format == ZPixmap) - length=ximage->bytes_per_line*ximage->height; - else - length=ximage->bytes_per_line*ximage->height*ximage->depth; - ximage->data=MagickAllocateMemory(char *,length); + { +#define OVERFLOW(c,a,b) ((b) != 0 && ((c)/(b) != (a))) + int overflow=0; + length=ximage->bytes_per_line*ximage->height; + if (OVERFLOW(length, ximage->bytes_per_line, ximage->height)) overflow=1; + if (ximage->format != ZPixmap) { + size_t l1=length*ximage->depth; + if (OVERFLOW(l1, length, ximage->depth)) overflow=1; + length=l1; + } + if (overflow) { + ximage->data = (char *) NULL; + } else { + ximage->data=MagickAllocateMemory(char *,length); + } +#undef OVERFLOW + } if (ximage->data == (char *) NULL) ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); count=ReadBlob(image,length,ximage->data); --- magick/blob.c +++ magick/blob.c @@ -267,6 +267,11 @@ size_t available; + if (image->blob->offset >= image->blob->length) + { + image->blob->eof=MagickTrue; + return 0; + } *data=(void *)(image->blob->data+image->blob->offset); available=Min(length,image->blob->length-image->blob->offset); image->blob->offset+=available; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
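Review bot: `length=ximage->bytes_per_line*ximage->height` multiplies two `int` fields (the -239 hunk's own comment notes they are signed), so the overflow the new OVERFLOW macro tries to detect has already happened in signed `int` arithmetic, which is undefined and which the compiler may assume away before the division check runs. Widen before multiplying, `length=(size_t) ximage->bytes_per_line*ximage->height;`, and the check then tests a well-defined unsigned wrap; `l1=length*ximage->depth` is fine once `length` is `size_t` (its declaration is outside the hunk). Reporting an overflow by nulling `ximage->data` and falling into ResourceLimitError/MemoryAllocationFailed also misdescribes a corrupt header; throwing `CorruptImageError,ImproperImageHeader` directly in the `overflow` branch is more accurate.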
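Review bot: The new early return in the blob.c hunk leaves `*data` untouched, so a caller that checks only the returned count but did not initialize its pointer reads a stale value; either set `*data=(void *) NULL;` before `return 0;` or state the contract in the function comment (the function's header is outside the hunk), e.g. `/* Returns 0, sets eof and leaves *data unchanged when offset is at or past length. */`. If `blob->offset` is a signed offset type and `blob->length` is `size_t`, the `>=` comparison promotes a negative offset to a large unsigned value and treats it as EOF, which is the safe direction but worth a comment on the line.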