!157 [sync] PR-156: Fix CVE-2022-3213

From: @openeuler-sync-bot Reviewed-by: @gitee-cmd Signed-off-by: @gitee-cmd
2022-10-14 01:20:00 +00:00 · 2022-10-14 01:20:00 +00:00 · d06dabbe10
commit d06dabbe10
parent 802008c097 acf82c594c
4 changed files with 137 additions and 1 deletions
--- a/CVE-2022-3213-pre1.patch
+++ b/CVE-2022-3213-pre1.patch
@ -0,0 +1,53 @@
 From 4393e83230128de1cb798b67e798101d683380b1 Mon Sep 17 00:00:00 2001
 From: Cristy <urban-warrior@imagemagick.org>
 Date: Tue, 21 Jun 2022 15:06:40 -0400
 Subject: [PATCH] prevent possible buffer overrun
 ---
 coders/tiff.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
 diff --git a/coders/tiff.c b/coders/tiff.c
 index e278ca7c0a..d5e30293db 100644
 --- a/coders/tiff.c
 +++ b/coders/tiff.c
@@ -1796,9 +1796,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
         */
         extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
 #if defined(TIFF_VERSION_BIG)
 -        extent+=image->columns*sizeof(uint64);
 +        extent+=samples_per_pixel*sizeof(uint64);
 #else
 -        extent+=image->columns*sizeof(uint32);
 +        extent+=samples_per_pixel*sizeof(uint32);
 #endif
         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
           sizeof(*strip_pixels));
@@ -1894,11 +1894,12 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
         number_pixels=(MagickSizeType) columns*rows;
         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
 -        extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
 +        extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
 +          TIFFTileSize(tiff));
 #if defined(TIFF_VERSION_BIG)
 -        extent+=image->columns*sizeof(uint64);
 +        extent+=samples_per_pixel*sizeof(uint64);
 #else
 -        extent+=image->columns*sizeof(uint32);
 +        extent+=samples_per_pixel*sizeof(uint32);
 #endif
         tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
           sizeof(*tile_pixels));
@@ -1996,9 +1997,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
         number_pixels=(MagickSizeType) image->columns*image->rows;
 #if defined(TIFF_VERSION_BIG)
 -        number_pixels+=image->columns*sizeof(uint64);
 +        number_pixels+=samples_per_pixel*sizeof(uint64);
 #else
 -        number_pixels+=image->columns*sizeof(uint32);
 +        number_pixels+=samples_per_pixel*sizeof(uint32);
 #endif
         generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels));
         if (generic_info == (MemoryInfo *) NULL)
--- a/CVE-2022-3213-pre2.patch
+++ b/CVE-2022-3213-pre2.patch
@ -0,0 +1,54 @@
 From 2b4eabb9d09b278f16727c635e928bd951c58773 Mon Sep 17 00:00:00 2001
 From: Cristy <urban-warrior@imagemagick.org>
 Date: Wed, 29 Jun 2022 19:41:14 -0400
 Subject: [PATCH] eliminate possible buffer overflow
 ---
 coders/tiff.c | 19 ++-----------------
 1 file changed, 2 insertions(+), 17 deletions(-)
 diff --git a/coders/tiff.c b/coders/tiff.c
 index d5e30293db..d88711f941 100644
 --- a/coders/tiff.c
 +++ b/coders/tiff.c
@@ -1794,12 +1794,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
         /*
           Convert stripped TIFF image.
         */
 -        extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
 -#if defined(TIFF_VERSION_BIG)
 -        extent+=samples_per_pixel*sizeof(uint64);
 -#else
 -        extent+=samples_per_pixel*sizeof(uint32);
 -#endif
 +        extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff);
         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
           sizeof(*strip_pixels));
         if (strip_pixels == (unsigned char *) NULL)
@@ -1894,13 +1889,8 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
         number_pixels=(MagickSizeType) columns*rows;
         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
 -        extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
 +        extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
           TIFFTileSize(tiff));
 -#if defined(TIFF_VERSION_BIG)
 -        extent+=samples_per_pixel*sizeof(uint64);
 -#else
 -        extent+=samples_per_pixel*sizeof(uint32);
 -#endif
         tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
           sizeof(*tile_pixels));
         if (tile_pixels == (unsigned char *) NULL)
@@ -1996,11 +1986,6 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
         if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse)
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
         number_pixels=(MagickSizeType) image->columns*image->rows;
 -#if defined(TIFF_VERSION_BIG)
 -        number_pixels+=samples_per_pixel*sizeof(uint64);
 -#else
 -        number_pixels+=samples_per_pixel*sizeof(uint32);
 -#endif
         generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels));
         if (generic_info == (MemoryInfo *) NULL)
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
--- a/CVE-2022-3213.patch
+++ b/CVE-2022-3213.patch
@ -0,0 +1,22 @@
 From 1aea203eb36409ce6903b9e41fe7cb70030e8750 Mon Sep 17 00:00:00 2001
 From: Cristy <urban-warrior@imagemagick.org>
 Date: Sat, 27 Aug 2022 08:38:18 -0400
 Subject: [PATCH] squash heap-buffer-overflow, PoC TIFF from Hardik
 ---
 coders/tiff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/coders/tiff.c b/coders/tiff.c
 index 3165ab925..05549f9e5 100644
 --- a/coders/tiff.c
 +++ b/coders/tiff.c
@@ -1798,7 +1798,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
         /*
           Convert stripped TIFF image.
         */
 -        extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff);
 +        extent=4*((image->depth+7)/8)*(samples_per_pixel+1)*TIFFStripSize(tiff);
         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
           sizeof(*strip_pixels));
         if (strip_pixels == (unsigned char *) NULL)
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@ -1,13 +1,17 @@
 Name:           ImageMagick
 Epoch:          1
 Version:        6.9.12.43
-Release:        2
+Release:        3
 Summary:        Create, edit, compose, or convert bitmap images
 License:        ImageMagick and MIT
 Url:            http://www.imagemagick.org/
 Source0:        https://www.imagemagick.org/download/ImageMagick-6.9.12-43.tar.xz
 Patch0001: backport-fix-CVE-2022-1115.patch
 Patch0002: CVE-2022-3213-pre1.patch
 Patch0003: CVE-2022-3213-pre2.patch
 Patch0004: CVE-2022-3213.patch
 BuildRequires:  bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires:  libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -165,6 +169,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick++*
 %changelog
 * Thu Oct 13 2022 chenwenjie <chenwenjie@ncti-gba.cn> - 1:6.9.12.43-3
 - fix CVE-2022-3213
 * Mon Sep 5 2022 cenhuilin <cenhuilin@kylinos.cn> - 1:6.9.12.43-2
 - fix CVE-2022-1115