packages/ImageMagick
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:4e184b8aa52e5aff3c87ba70c43e5e4d4bd18e67
Branches Tags
packages:main
...
compare: packages:e248a16fe570961823d34d9c773f555a024a2004
Branches Tags
packages:main

10 Commits
4e184b8aa5 ... e248a16fe5

Author SHA1 Message Date
openeuler-ci-bot
e248a16fe5
!199 [sync] PR-198: Fix CVE-2023-5341 
From: @openeuler-sync-bot 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
 2023-10-07 08:01:32 +00:00
liningjie
64afdf3b42 Fix CVE-2023-5341 
(cherry picked from commit d747ae558752842905189b21b2f0fab825cadd76)
 2023-10-07 14:11:57 +08:00
openeuler-ci-bot
8da97a2f31
!195 [sync] PR-194: Fix CVE-2023-39978 
From: @openeuler-sync-bot 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
 2023-08-14 09:00:45 +00:00
wk333
0e5c72cc6a Fix CVE-2023-39978 
(cherry picked from commit e74b4252910eabdf237b9c5465bc8ec4eb4633a3)
 2023-08-14 14:06:08 +08:00
openeuler-ci-bot
82ecaf8780
!190 [sync] PR-188: Fix CVE-2023-3428 
From: @openeuler-sync-bot 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
 2023-07-25 00:57:40 +00:00
wk333
6df0c43b52 Fix CVE-2023-3428 
(cherry picked from commit 67954f75f88ee3ff9894a01371edfa92a7c23000)
 2023-07-24 15:00:30 +08:00
openeuler-ci-bot
64461435bc
!179 [sync] PR-178: Fix CVE-2023-34151 
From: @openeuler-sync-bot 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
 2023-06-09 01:58:17 +00:00
wk333
034aff714e Fix CVE-2023-34151 
(cherry picked from commit 68993275fcdfac9b9d3c3da23cbb64410ba0ea59)
 2023-06-08 16:16:26 +08:00
openeuler-ci-bot
3aa35e2e94
!174 [sync] PR-170: Update to 6.9.12.86 for Fix CVE-2023-1289,CVE-2023-1906 
From: @openeuler-sync-bot 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
 2023-04-25 02:38:27 +00:00
wk333
0d171f0093 Update to 6.9.12.86 for Fix CVE-2023-1289,CVE-2023-1906 
(cherry picked from commit 334839d62096bca5b6feed4929464239d4296d32)
 2023-04-25 09:23:07 +08:00
12 changed files with 407 additions and 226 deletions
Show Stats Expand all files Collapse all files

53
CVE-2022-3213-pre1.patch
View File

@ -1,53 +0,0 @@
From 4393e83230128de1cb798b67e798101d683380b1 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Tue, 21 Jun 2022 15:06:40 -0400
Subject: [PATCH] prevent possible buffer overrun
---
coders/tiff.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index e278ca7c0a..d5e30293db 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1796,9 +1796,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
*/
extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
#if defined(TIFF_VERSION_BIG)
- extent+=image->columns*sizeof(uint64);
+ extent+=samples_per_pixel*sizeof(uint64);
#else
- extent+=image->columns*sizeof(uint32);
+ extent+=samples_per_pixel*sizeof(uint32);
#endif
strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*strip_pixels));
@@ -1894,11 +1894,12 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
number_pixels=(MagickSizeType) columns*rows;
if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
- extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
+ extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
+ TIFFTileSize(tiff));
#if defined(TIFF_VERSION_BIG)
- extent+=image->columns*sizeof(uint64);
+ extent+=samples_per_pixel*sizeof(uint64);
#else
- extent+=image->columns*sizeof(uint32);
+ extent+=samples_per_pixel*sizeof(uint32);
#endif
tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*tile_pixels));
@@ -1996,9 +1997,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
number_pixels=(MagickSizeType) image->columns*image->rows;
#if defined(TIFF_VERSION_BIG)
- number_pixels+=image->columns*sizeof(uint64);
+ number_pixels+=samples_per_pixel*sizeof(uint64);
#else
- number_pixels+=image->columns*sizeof(uint32);
+ number_pixels+=samples_per_pixel*sizeof(uint32);
#endif
generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels));
if (generic_info == (MemoryInfo *) NULL)

54
CVE-2022-3213-pre2.patch
View File

@ -1,54 +0,0 @@
From 2b4eabb9d09b278f16727c635e928bd951c58773 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 29 Jun 2022 19:41:14 -0400
Subject: [PATCH] eliminate possible buffer overflow
---
coders/tiff.c | 19 ++-----------------
1 file changed, 2 insertions(+), 17 deletions(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index d5e30293db..d88711f941 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1794,12 +1794,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
/*
Convert stripped TIFF image.
*/
- extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
-#if defined(TIFF_VERSION_BIG)
- extent+=samples_per_pixel*sizeof(uint64);
-#else
- extent+=samples_per_pixel*sizeof(uint32);
-#endif
+ extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff);
strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*strip_pixels));
if (strip_pixels == (unsigned char *) NULL)
@@ -1894,13 +1889,8 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
number_pixels=(MagickSizeType) columns*rows;
if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
- extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
+ extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
TIFFTileSize(tiff));
-#if defined(TIFF_VERSION_BIG)
- extent+=samples_per_pixel*sizeof(uint64);
-#else
- extent+=samples_per_pixel*sizeof(uint32);
-#endif
tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*tile_pixels));
if (tile_pixels == (unsigned char *) NULL)
@@ -1996,11 +1986,6 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
number_pixels=(MagickSizeType) image->columns*image->rows;
-#if defined(TIFF_VERSION_BIG)
- number_pixels+=samples_per_pixel*sizeof(uint64);
-#else
- number_pixels+=samples_per_pixel*sizeof(uint32);
-#endif
generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels));
if (generic_info == (MemoryInfo *) NULL)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");

22
CVE-2022-3213.patch
View File

@ -1,22 +0,0 @@
From 1aea203eb36409ce6903b9e41fe7cb70030e8750 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 27 Aug 2022 08:38:18 -0400
Subject: [PATCH] squash heap-buffer-overflow, PoC TIFF from Hardik
---
coders/tiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index 3165ab925..05549f9e5 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1798,7 +1798,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
/*
Convert stripped TIFF image.
*/
- extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff);
+ extent=4*((image->depth+7)/8)*(samples_per_pixel+1)*TIFFStripSize(tiff);
strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*strip_pixels));
if (strip_pixels == (unsigned char *) NULL)

30
CVE-2022-32547.patch
View File

@ -1,30 +0,0 @@
From dc070da861a015d3c97488fdcca6063b44d47a7b Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 9 Apr 2022 08:40:54 -0400
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/pull/5034
---
magick/property.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/magick/property.c b/magick/property.c
index 2d80493dd2..bfc689466d 100644
--- a/magick/property.c
+++ b/magick/property.c
@@ -1526,12 +1526,14 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
}
case EXIF_FMT_SINGLE:
{
- EXIFMultipleValues(4,"%f",(double) *(float *) p1);
+ EXIFMultipleValues(4,"%.20g",(double)
+ ReadPropertySignedLong(endian,p1));
break;
}
case EXIF_FMT_DOUBLE:
{
- EXIFMultipleValues(8,"%f",*(double *) p1);
+ EXIFMultipleValues(8,"%.20g",(double)
+ ReadPropertySignedLong(endian,p1));
break;
}
case EXIF_FMT_STRING:

30
CVE-2022-44267_CVE-2022-44268.patch
View File

@ -1,30 +0,0 @@
From 3c5188b41902a909e163492fb0c19e49efefcefe Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 22 Oct 2022 13:28:51 -0400
Subject: [PATCH] possible DoS @ stdin (OCE-2022-70); possible arbitrary file
leak (OCE-2022-72)
---
coders/png.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/coders/png.c b/coders/png.c
index dae894d9c..887827636 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -3793,13 +3793,14 @@ static Image *ReadOnePNGImage(MngInfo *mng_info,
*/
if (!png_get_valid(ping,ping_info,PNG_INFO_pHYs) ||
(LocaleCompare(text[i].key,"density") != 0 &&
- LocaleCompare(text[i].key,"units") != 0))
+ LocaleCompare(text[i].key,"units") != 0))
{
char
key[MaxTextExtent];
(void) FormatLocaleString(key,MaxTextExtent,"%s",text[i].key);
if ((LocaleCompare(key,"version") == 0) ||
+ (LocaleCompare(key,"profile") == 0) ||
(LocaleCompare(key,"width") == 0))
(void) FormatLocaleString(key,MagickPathExtent,"png:%s",
text[i].key);

309
CVE-2023-34151.patch Normal file
View File

@ -0,0 +1,309 @@
From 133089f716f23ce0b80d89ccc1fd680960235512 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 17 May 2023 21:06:18 -0400
Subject: [PATCH] properly cast double to size_t
(https://github.com/ImageMagick/ImageMagick/issues/6341)
Link: https://github.com/ImageMagick/ImageMagick6/commit/133089f716f23ce0b80d89ccc1fd680960235512
---
coders/caption.c | 10 +++++-----
coders/label.c | 10 +++++-----
coders/pcl.c | 4 ++--
coders/pdf.c | 4 ++--
coders/ps.c | 4 ++--
coders/ps2.c | 4 ++--
coders/ps3.c | 4 ++--
coders/svg.c | 4 ++--
magick/annotate.c | 4 ++--
magick/draw.c | 8 ++++----
magick/geometry.c | 4 ++--
magick/shear.c | 10 +++++-----
magick/visual-effects.c | 4 ++--
13 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/coders/caption.c b/coders/caption.c
index b6219617e..23cf4eacf 100644
--- a/coders/caption.c
+++ b/coders/caption.c
@@ -168,7 +168,7 @@ static Image *ReadCAPTIONImage(const ImageInfo *image_info,
return(DestroyImageList(image));
(void) SetImageProperty(image,"caption",caption);
draw_info=CloneDrawInfo(image_info,(DrawInfo *) NULL);
- width=(size_t) floor(draw_info->pointsize*strlen(caption)+0.5);
+ width=CastDoubleToUnsigned(draw_info->pointsize*strlen(caption)+0.5);
if (AcquireMagickResource(WidthResource,width) == MagickFalse)
{
caption=DestroyString(caption);
@@ -259,8 +259,8 @@ static Image *ReadCAPTIONImage(const ImageInfo *image_info,
AdjustTypeMetricBounds(&metrics);
if (status == MagickFalse)
break;
- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
- height=(size_t) floor(metrics.height-metrics.underline_position+
+ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
+ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
draw_info->interline_spacing+draw_info->stroke_width+0.5);
if ((image->columns != 0) && (image->rows != 0))
{
@@ -289,8 +289,8 @@ static Image *ReadCAPTIONImage(const ImageInfo *image_info,
AdjustTypeMetricBounds(&metrics);
if (status == MagickFalse)
break;
- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
- height=(size_t) floor(metrics.height-metrics.underline_position+
+ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
+ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
draw_info->interline_spacing+draw_info->stroke_width+0.5);
if ((image->columns != 0) && (image->rows != 0))
{
diff --git a/coders/label.c b/coders/label.c
index cc6af9472..389ae8d14 100644
--- a/coders/label.c
+++ b/coders/label.c
@@ -149,7 +149,7 @@ static Image *ReadLABELImage(const ImageInfo *image_info,
return(DestroyImageList(image));
(void) SetImageProperty(image,"label",label);
draw_info=CloneDrawInfo(image_info,(DrawInfo *) NULL);
- width=(size_t) floor(0.5*draw_info->pointsize*strlen(label)+0.5);
+ width=CastDoubleToUnsigned(0.5*draw_info->pointsize*strlen(label)+0.5);
if (AcquireMagickResource(WidthResource,width) == MagickFalse)
{
label=DestroyString(label);
@@ -190,8 +190,8 @@ static Image *ReadLABELImage(const ImageInfo *image_info,
AdjustTypeMetricBounds(&metrics);
if (status == MagickFalse)
break;
- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
- height=(size_t) floor(metrics.height-metrics.underline_position+
+ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
+ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
draw_info->stroke_width+0.5);
if ((image->columns != 0) && (image->rows != 0))
{
@@ -222,8 +222,8 @@ static Image *ReadLABELImage(const ImageInfo *image_info,
AdjustTypeMetricBounds(&metrics);
if (status == MagickFalse)
break;
- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
- height=(size_t) floor(metrics.height-metrics.underline_position+
+ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
+ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
draw_info->stroke_width+0.5);
if ((image->columns != 0) && (image->rows != 0))
{
diff --git a/coders/pcl.c b/coders/pcl.c
index 0606df854..17a020d3c 100644
--- a/coders/pcl.c
+++ b/coders/pcl.c
@@ -334,9 +334,9 @@ static Image *ReadPCLImage(const ImageInfo *image_info,ExceptionInfo *exception)
image->x_resolution,image->y_resolution);
if (image_info->ping != MagickFalse)
(void) FormatLocaleString(density,MagickPathExtent,"2.0x2.0");
- page.width=(size_t) floor((double) page.width*image->x_resolution/delta.x+
+ page.width=CastDoubleToUnsigned((double) page.width*image->x_resolution/delta.x+
0.5);
- page.height=(size_t) floor((double) page.height*image->y_resolution/delta.y+
+ page.height=CastDoubleToUnsigned((double) page.height*image->y_resolution/delta.y+
0.5);
(void) FormatLocaleString(options,MaxTextExtent,"-g%.20gx%.20g ",(double)
page.width,(double) page.height);
diff --git a/coders/pdf.c b/coders/pdf.c
index 35d9e8f9b..7097586e9 100644
--- a/coders/pdf.c
+++ b/coders/pdf.c
@@ -1674,9 +1674,9 @@ static MagickBooleanType WritePDFImage(const ImageInfo *image_info,Image *image)
(void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
&geometry.width,&geometry.height);
scale.x=(double) (geometry.width*delta.x)/resolution.x;
- geometry.width=(size_t) floor(scale.x+0.5);
+ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
scale.y=(double) (geometry.height*delta.y)/resolution.y;
- geometry.height=(size_t) floor(scale.y+0.5);
+ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
(void) ParseAbsoluteGeometry(page_geometry,&media_info);
(void) ParseGravityGeometry(image,page_geometry,&page_info,
&image->exception);
diff --git a/coders/ps.c b/coders/ps.c
index 942c7f793..b359de50d 100644
--- a/coders/ps.c
+++ b/coders/ps.c
@@ -1552,9 +1552,9 @@ static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image)
(void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
&geometry.width,&geometry.height);
scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
- geometry.width=(size_t) floor(scale.x+0.5);
+ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
- geometry.height=(size_t) floor(scale.y+0.5);
+ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
(void) ParseAbsoluteGeometry(page_geometry,&media_info);
(void) ParseGravityGeometry(image,page_geometry,&page_info,
&image->exception);
diff --git a/coders/ps2.c b/coders/ps2.c
index 1a704e570..e81a6e200 100644
--- a/coders/ps2.c
+++ b/coders/ps2.c
@@ -531,9 +531,9 @@ static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image)
(void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
&geometry.width,&geometry.height);
scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
- geometry.width=(size_t) floor(scale.x+0.5);
+ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
- geometry.height=(size_t) floor(scale.y+0.5);
+ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
(void) ParseAbsoluteGeometry(page_geometry,&media_info);
(void) ParseGravityGeometry(image,page_geometry,&page_info,
&image->exception);
diff --git a/coders/ps3.c b/coders/ps3.c
index d3c49d624..945aca73c 100644
--- a/coders/ps3.c
+++ b/coders/ps3.c
@@ -980,9 +980,9 @@ static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image)
(void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
&geometry.width,&geometry.height);
scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
- geometry.width=(size_t) floor(scale.x+0.5);
+ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
- geometry.height=(size_t) floor(scale.y+0.5);
+ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
(void) ParseAbsoluteGeometry(page_geometry,&media_info);
(void) ParseGravityGeometry(image,page_geometry,&page_info,
&image->exception);
diff --git a/coders/svg.c b/coders/svg.c
index 6d6e38798..309a72683 100644
--- a/coders/svg.c
+++ b/coders/svg.c
@@ -2830,10 +2830,10 @@ static void SVGStartElement(void *context,const xmlChar *name,
svg_info->view_box=svg_info->bounds;
svg_info->width=0;
if (svg_info->bounds.width >= MagickEpsilon)
- svg_info->width=(size_t) floor(svg_info->bounds.width+0.5);
+ svg_info->width=CastDoubleToUnsigned(svg_info->bounds.width+0.5);
svg_info->height=0;
if (svg_info->bounds.height >= MagickEpsilon)
- svg_info->height=(size_t) floor(svg_info->bounds.height+0.5);
+ svg_info->height=CastDoubleToUnsigned(svg_info->bounds.height+0.5);
(void) FormatLocaleFile(svg_info->file,"viewbox 0 0 %.20g %.20g\n",
(double) svg_info->width,(double) svg_info->height);
sx=PerceptibleReciprocal(svg_info->view_box.width)*svg_info->width;
diff --git a/magick/annotate.c b/magick/annotate.c
index 3068f61d5..29ab333cb 100644
--- a/magick/annotate.c
+++ b/magick/annotate.c
@@ -326,7 +326,7 @@ MagickExport MagickBooleanType AnnotateImage(Image *image,
(void) CloneString(&annotate->text,textlist[i]);
if ((metrics.width == 0) || (annotate->gravity != NorthWestGravity))
(void) GetTypeMetrics(image,annotate,&metrics);
- height=(size_t) floor(metrics.ascent-metrics.descent+0.5);
+ height=CastDoubleToUnsigned(metrics.ascent-metrics.descent+0.5);
if (height == 0)
height=draw_info->pointsize;
height+=(size_t) floor(draw_info->interline_spacing+0.5);
@@ -654,7 +654,7 @@ MagickExport ssize_t FormatMagickCaption(Image *image,DrawInfo *draw_info,
status=GetTypeMetrics(image,draw_info,metrics);
if (status == MagickFalse)
break;
- width=(size_t) floor(metrics->width+draw_info->stroke_width+0.5);
+ width=CastDoubleToUnsigned(metrics->width+draw_info->stroke_width+0.5);
if (width <= image->columns)
continue;
if (s != (char *) NULL)
diff --git a/magick/draw.c b/magick/draw.c
index 867b58ab2..40b6f4be6 100644
--- a/magick/draw.c
+++ b/magick/draw.c
@@ -3486,14 +3486,14 @@ static MagickBooleanType RenderMVGContent(Image *image,
(void) GetNextToken(q,&q,extent,token);
if (*token == ',')
(void) GetNextToken(q,&q,extent,token);
- bounds.width=(size_t) floor(GetDrawValue(token,&next_token)+
+ bounds.width=CastDoubleToUnsigned(GetDrawValue(token,&next_token)+
0.5);
if (token == next_token)
ThrowPointExpectedException(image,token);
(void) GetNextToken(q,&q,extent,token);
if (*token == ',')
(void) GetNextToken(q,&q,extent,token);
- bounds.height=(size_t) floor(GetDrawValue(token,&next_token)+
+ bounds.height=CastDoubleToUnsigned(GetDrawValue(token,&next_token)+
0.5);
if (token == next_token)
ThrowPointExpectedException(image,token);
@@ -3909,14 +3909,14 @@ static MagickBooleanType RenderMVGContent(Image *image,
(void) GetNextToken(q,&q,extent,token);
if (*token == ',')
(void) GetNextToken(q,&q,extent,token);
- graphic_context[n]->viewbox.width=(size_t) floor(GetDrawValue(
+ graphic_context[n]->viewbox.width=CastDoubleToUnsigned(GetDrawValue(
token,&next_token)+0.5);
if (token == next_token)
ThrowPointExpectedException(image,token);
(void) GetNextToken(q,&q,extent,token);
if (*token == ',')
(void) GetNextToken(q,&q,extent,token);
- graphic_context[n]->viewbox.height=(size_t) floor(GetDrawValue(
+ graphic_context[n]->viewbox.height=CastDoubleToUnsigned(GetDrawValue(
token,&next_token)+0.5);
if (token == next_token)
ThrowPointExpectedException(image,token);
diff --git a/magick/geometry.c b/magick/geometry.c
index 0aa7f74d0..470adc2d2 100644
--- a/magick/geometry.c
+++ b/magick/geometry.c
@@ -1475,8 +1475,8 @@ MagickExport MagickStatusType ParseMetaGeometry(const char *geometry,ssize_t *x,
scale.y=geometry_info.sigma;
if ((flags & SigmaValue) == 0)
scale.y=scale.x;
- *width=(size_t) floor(scale.x*former_width/100.0+0.5);
- *height=(size_t) floor(scale.y*former_height/100.0+0.5);
+ *width=CastDoubleToUnsigned(scale.x*former_width/100.0+0.5);
+ *height=CastDoubleToUnsigned(scale.y*former_height/100.0+0.5);
former_width=(*width);
former_height=(*height);
}
diff --git a/magick/shear.c b/magick/shear.c
index e66ceac9a..ec7a7568e 100644
--- a/magick/shear.c
+++ b/magick/shear.c
@@ -166,8 +166,8 @@ static MagickBooleanType CropToFitImage(Image **image,
}
geometry.x=CastDoubleToLong(ceil(min.x-0.5));
geometry.y=CastDoubleToLong(ceil(min.y-0.5));
- geometry.width=(size_t) floor(max.x-min.x+0.5);
- geometry.height=(size_t) floor(max.y-min.y+0.5);
+ geometry.width=CastDoubleToUnsigned(max.x-min.x+0.5);
+ geometry.height=CastDoubleToUnsigned(max.y-min.y+0.5);
page=(*image)->page;
(void) ParseAbsoluteGeometry("0x0+0+0",&(*image)->page);
crop_image=CropImage(*image,&geometry,exception);
@@ -1787,9 +1787,9 @@ MagickExport Image *ShearRotateImage(const Image *image,const double degrees,
*/
width=integral_image->columns;
height=integral_image->rows;
- bounds.width=(size_t) floor(fabs((double) height*shear.x)+width+0.5);
- bounds.height=(size_t) floor(fabs((double) bounds.width*shear.y)+height+0.5);
- shear_width=(size_t) floor(fabs((double) bounds.height*shear.x)+
+ bounds.width=CastDoubleToUnsigned(fabs((double) height*shear.x)+width+0.5);
+ bounds.height=CastDoubleToUnsigned(fabs((double) bounds.width*shear.y)+height+0.5);
+ shear_width=CastDoubleToUnsigned(fabs((double) bounds.height*shear.x)+
bounds.width+0.5);
bounds.x=CastDoubleToLong(floor((double) ((shear_width > bounds.width) ?
width : bounds.width-shear_width+2)/2.0+0.5));
diff --git a/magick/visual-effects.c b/magick/visual-effects.c
index dc039727a..1ec419e61 100644
--- a/magick/visual-effects.c
+++ b/magick/visual-effects.c
@@ -2052,8 +2052,8 @@ MagickExport Image *ShadowImage(const Image *image,const double opacity,
(void) SetImageColorspace(clone_image,sRGBColorspace);
(void) SetImageVirtualPixelMethod(clone_image,EdgeVirtualPixelMethod);
clone_image->compose=OverCompositeOp;
- border_info.width=(size_t) floor(2.0*sigma+0.5);
- border_info.height=(size_t) floor(2.0*sigma+0.5);
+ border_info.width=CastDoubleToUnsigned(2.0*sigma+0.5);
+ border_info.height=CastDoubleToUnsigned(2.0*sigma+0.5);
border_info.x=0;
border_info.y=0;
(void) QueryColorDatabase("none",&clone_image->border_color,exception);

25
CVE-2023-3428.patch Normal file
View File

@ -0,0 +1,25 @@
From 0d00400727170b0540a355a1bc52787bc7bcdea5 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Mon, 26 Jun 2023 19:39:43 -0400
Subject: [PATCH] heap-buffer-overflow in ImageMagick <= 7.1.1-12, contributed
by Hardik shah of Vehere (Dawn Treaders team)
Origin: https://github.com/ImageMagick/ImageMagick6/commit/0d00400727170b0540a355a1bc52787bc7bcdea5
---
coders/tiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index d6a818644..9b0d16d59 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1917,7 +1917,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
number_pixels=(MagickSizeType) columns*rows;
if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
- extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
+ extent=4*(samples_per_pixel+1)*MagickMax((rows+1)*TIFFTileRowSize(tiff),
TIFFTileSize(tiff));
tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
sizeof(*tile_pixels));

23
CVE-2023-39978.patch Normal file
View File

@ -0,0 +1,23 @@
From c90e79b3b22fec309cab55af2ee606f71b027b12 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Sun, 16 Jul 2023 06:45:32 +0200
Subject: [PATCH] Fixed memory leak.
Origin: https://github.com/ImageMagick/ImageMagick6/commit/c90e79b3b22fec309cab55af2ee606f71b027b12
---
magick/draw.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/magick/draw.c b/magick/draw.c
index 40b6f4be6..7bc5f603d 100644
--- a/magick/draw.c
+++ b/magick/draw.c
@@ -383,7 +383,6 @@ MagickExport DrawInfo *CloneDrawInfo(const ImageInfo *image_info,
clone_info->composite_mask=CloneImage(draw_info->composite_mask,0,0,
MagickTrue,&draw_info->composite_mask->exception);
clone_info->render=draw_info->render;
- clone_info->image_info=CloneImageInfo(draw_info->image_info);
clone_info->debug=draw_info->debug;
return(clone_info);
}

27
CVE-2023-5341.patch Normal file
View File

@ -0,0 +1,27 @@
From 27411f1d1d3a0b328cede4a808525ee237cb415b Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 7 Oct 2023 10:48:39 +0800
Subject: [PATCH] check for BMP file size, poc provided by Hardik Shah of
Vehere (Dawn Treaders team)
---
coders/bmp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/coders/bmp.c b/coders/bmp.c
index 6f9b57b..5e6dac3 100644
--- a/coders/bmp.c
+++ b/coders/bmp.c
@@ -635,6 +635,9 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
" BMP header size: %u",bmp_info.size);
if (bmp_info.size > 124)
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if ((bmp_info.file_size != 0) &&
+ ((MagickSizeType) bmp_info.file_size > GetBlobSize(image)))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if (bmp_info.offset_bits < bmp_info.size)
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
profile_data=0;
--
2.27.0

BIN
ImageMagick-6.9.12-43.tar.xz → ImageMagick-6.9.12-86.tar.xz
View File

Binary file not shown.

35
ImageMagick.spec
View File

@ -1,19 +1,15 @@
Name: ImageMagick
Epoch: 1
Version: 6.9.12.43
Version: 6.9.12.86
Release: 5
Summary: Create, edit, compose, or convert bitmap images
License: ImageMagick and MIT
Url: http://www.imagemagick.org/
Source0: https://www.imagemagick.org/download/ImageMagick-6.9.12-43.tar.xz
Patch0001: backport-fix-CVE-2022-1115.patch
Patch0002: CVE-2022-3213-pre1.patch
Patch0003: CVE-2022-3213-pre2.patch
Patch0004: CVE-2022-3213.patch
Patch0005: CVE-2022-32547.patch
Patch0006: CVE-2022-44267_CVE-2022-44268.patch
Source0: https://www.imagemagick.org/download/ImageMagick-6.9.12-86.tar.xz
Patch0: CVE-2023-34151.patch
Patch1: CVE-2023-3428.patch
Patch2: CVE-2023-39978.patch
Patch3: CVE-2023-5341.patch
BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@ -79,7 +75,7 @@ Requires: ImageMagick-devel = %{epoch}:%{version}-%{release}
Development files for ImageMagick-c++.
%prep
%autosetup -n ImageMagick-6.9.12-43 -p1
%autosetup -n ImageMagick-6.9.12-86 -p1
install -d Magick++/examples
cp -p Magick++/demo/*.cpp Magick++/demo/*.miff Magick++/examples
@ -147,7 +143,7 @@ rm PerlMagick/demo/Generic.ttf
%{_includedir}/%{name}-6/wand
%files help
%doc README.txt NEWS.txt ChangeLog.md QuickStart.txt
%doc README.txt NEWS.txt QuickStart.txt
%doc %{_datadir}/doc/ImageMagick-6
%doc %{_datadir}/doc/ImageMagick-6.9.12
%{_mandir}/man[145]/[a-z]*
@ -171,6 +167,21 @@ rm PerlMagick/demo/Generic.ttf
%{_libdir}/pkgconfig/ImageMagick++*
%changelog
* Sat Oct 7 2023 liningjie <liningjie@xfusion.com> - 1:6.9.12.86-5
- Fix CVE-2023-5341
* Mon Aug 14 2023 wangkai <13474090681@163.com> - 1:6.9.12.86-4
- Fix CVE-2023-39978
* Mon Jul 24 2023 wangkai <13474090681@163.com> - 1:6.9.12.86-3
- Fix CVE-2023-3428
* Thu Jun 08 2023 wangkai <13474090681@163.com> - 1:6.9.12.86-2
- Fix CVE-2023-34151
* Mon Apr 24 2023 wangkai <13474090681@163.com> - 1:6.9.12.86-1
- Update to 6.9.12.86 for Fix CVE-2023-1289,CVE-2023-1906
* Thu Feb 09 2023 yaoxin <yaoxin30@h-partners.com> - 1:6.9.12.43-5
- Fix CVE-2022-44267 and CVE-2022-44268

25
backport-fix-CVE-2022-1115.patch
View File

@ -1,25 +0,0 @@
From e88576bc495951a1c08a6e9cdbc2121b4c9d8ac8 Mon Sep 17 00:00:00 2001
From: cenhuilin <cenhuilin@kylinos.cn>
Date: Mon, 5 Sep 2022 06:39:50 +0000
Subject: [PATCH] heap-buffer-overflow in magick at quantum-private.h PushShortPixel
---
coders/tiff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/coders/tiff.c b/coders/tiff.c
index 8fd1451..b4c94bb 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1894,7 +1894,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
number_pixels=(MagickSizeType) columns*rows;
if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
- extent=MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
+ extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
#if defined(TIFF_VERSION_BIG)
extent+=image->columns*sizeof(uint64);
#else
--
2.33.0