diff -Nru imagemagick-6.7.7.10/debian/changelog imagemagick-6.7.7.10/debian/changelog
--- imagemagick-6.7.7.10/debian/changelog 2017-07-31 11:24:18.000000000 +0000
+++ imagemagick-6.7.7.10/debian/changelog 2018-06-11 13:26:35.000000000 +0000
@@ -1,3 +1,33 @@ +imagemagick (8:6.7.7.10-6ubuntu3.11) trusty-security; urgency=medium + + * SECURITY UPDATE: Multiple security issues + - debian/patches/*: synchronize security fixes with Debian's + 8:6.7.7.10-5+deb7u22 release. Thanks to Markus Koschany, + Chris Lamb, and Roberto C. Sánchez for the excellent work this + update is based on! + - debian/patches/CVE-201[78]*.patch: backport large number of upstream + security patches. + - CVE-2017-10995, CVE-2017-11533, CVE-2017-11535, CVE-2017-11537, + CVE-2017-11639, CVE-2017-11640, CVE-2017-12140, CVE-2017-12429, + CVE-2017-12430, CVE-2017-12431, CVE-2017-12432, CVE-2017-12435, + CVE-2017-12563, CVE-2017-12587, CVE-2017-12640, CVE-2017-12643, + CVE-2017-12670, CVE-2017-12674, CVE-2017-12691, CVE-2017-12692, + CVE-2017-12693, CVE-2017-12875, CVE-2017-12877, CVE-2017-12983, + CVE-2017-13134, CVE-2017-13139, CVE-2017-13142, CVE-2017-13143, + CVE-2017-13144, CVE-2017-13758, CVE-2017-13768, CVE-2017-13769, + CVE-2017-14060, CVE-2017-14172, CVE-2017-14173, CVE-2017-14174, + CVE-2017-14175, CVE-2017-14224, CVE-2017-14249, CVE-2017-14325, + CVE-2017-14341, CVE-2017-14342, CVE-2017-14343, CVE-2017-14400, + CVE-2017-14505, CVE-2017-14531, CVE-2017-14607, CVE-2017-14682, + CVE-2017-14739, CVE-2017-14741, CVE-2017-14989, CVE-2017-15016, + CVE-2017-15017, CVE-2017-15277, CVE-2017-15281, CVE-2017-16546, + CVE-2017-17504, CVE-2017-17682, CVE-2017-17879, CVE-2017-17914, + CVE-2017-18252, CVE-2017-18271, CVE-2017-18273, CVE-2017-1000445, + CVE-2017-1000476, CVE-2018-7443, CVE-2018-8804, CVE-2018-8960, + CVE-2018-10177, CVE-2018-11251 + + -- Marc Deslauriers Fri, 08 Jun 2018 12:00:47 -0400 + imagemagick (8:6.7.7.10-6ubuntu3.9) trusty-security; urgency=medium * SECURITY REGRESSION: image composite function regression (LP: #1707015) diff -Nru imagemagick-6.7.7.10/debian/patches/0244-CVE-2017-10995-Fix-denial-of-service-in-mng_get_long.patch 
imagemagick-6.7.7.10/debian/patches/0244-CVE-2017-10995-Fix-denial-of-service-in-mng_get_long.patch --- imagemagick-6.7.7.10/debian/patches/0244-CVE-2017-10995-Fix-denial-of-service-in-mng_get_long.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0244-CVE-2017-10995-Fix-denial-of-service-in-mng_get_long.patch 2018-06-08 15:10:52.000000000 +0000 
@@ -0,0 +1,396 @@ +From 24430226caf7eb468b4180f2883b2563e8cc1b23 Mon Sep 17 00:00:00 2001 +From: glennrp +Date: Sat, 24 Jan 2015 00:54:14 +0000 +Subject: [PATCH] Check lengths of certain MNG chunks before reading them. + +bug-debian: https://bugs.debian.org/867748 +bug: https://github.com/ImageMagick/ImageMagick/issues/538 +origin: https://github.com/ImageMagick/ImageMagick/commit/24430226caf7eb468b4180f2883b2563e8cc1b23 +[rcs: Backported to wheezy] + +Updated: 2018-06-08 to include: +https://github.com/ImageMagick/ImageMagick/commit/1fdc09dc8f9522f07f5f501fe8453765ad82556c + +--- + ChangeLog | 3 + + coders/png.c | 242 ++++++++++++++++++++++++++++++++--------------------------- + 2 files changed, 136 insertions(+), 109 deletions(-) + +Index: imagemagick-6.7.7.10/coders/png.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/png.c 2018-06-08 11:10:11.115544009 -0400 ++++ imagemagick-6.7.7.10/coders/png.c 2018-06-08 11:10:27.279588587 -0400 +@@ -4937,7 +4937,7 @@ static Image *ReadOneMNGImage(MngInfo* m + if (length) + repeat=p[0]; + +- if (repeat == 3) ++ if (repeat == 3 && length > 8) + { + final_delay=(png_uint_32) mng_get_long(&p[2]); + mng_iterations=(png_uint_32) mng_get_long(&p[6]); +@@ -4971,69 +4971,79 @@ static Image *ReadOneMNGImage(MngInfo* m + CoderError,"DEFI chunk found in MNG-VLC datastream","`%s'", + image->filename); + +- object_id=(p[0] << 8) | p[1]; +- +- if (mng_type == 2 && object_id != 0) +- (void) ThrowMagickException(&image->exception,GetMagickModule(), +- CoderError,"Nonzero object_id in MNG-LC datastream","`%s'", +- image->filename); +- +- if (object_id > MNG_MAX_OBJECTS) ++ if (length > 1) + { +- /* +- Instead of using a warning we should allocate a larger +- MngInfo structure and continue. 
+- */ +- (void) ThrowMagickException(&image->exception,GetMagickModule(), +- CoderError,"object id too large","`%s'",image->filename); +- object_id=MNG_MAX_OBJECTS; +- } ++ object_id=(p[0] << 8) | p[1]; + +- if (mng_info->exists[object_id]) +- if (mng_info->frozen[object_id]) +- { +- chunk=(unsigned char *) RelinquishMagickMemory(chunk); ++ if (mng_type == 2 && object_id != 0) + (void) ThrowMagickException(&image->exception, +- GetMagickModule(),CoderError, +- "DEFI cannot redefine a frozen MNG object","`%s'", +- image->filename); +- continue; +- } ++ GetMagickModule(), ++ CoderError,"Nonzero object_id in MNG-LC datastream", ++ "`%s'", image->filename); + +- mng_info->exists[object_id]=MagickTrue; ++ if (object_id > MNG_MAX_OBJECTS) ++ { ++ /* ++ Instead of using a warning we should allocate a larger ++ MngInfo structure and continue. ++ */ ++ (void) ThrowMagickException(&image->exception, ++ GetMagickModule(), CoderError, ++ "object id too large","`%s'",image->filename); ++ object_id=MNG_MAX_OBJECTS; ++ } + +- if (length > 2) +- mng_info->invisible[object_id]=p[2]; ++ if (mng_info->exists[object_id]) ++ if (mng_info->frozen[object_id]) ++ { ++ chunk=(unsigned char *) RelinquishMagickMemory(chunk); ++ (void) ThrowMagickException(&image->exception, ++ GetMagickModule(),CoderError, ++ "DEFI cannot redefine a frozen MNG object","`%s'", ++ image->filename); ++ continue; ++ } + +- /* +- Extract object offset info. +- */ +- if (length > 11) +- { +- mng_info->x_off[object_id]=(ssize_t) ((p[4] << 24) | +- (p[5] << 16) | (p[6] << 8) | p[7]); ++ mng_info->exists[object_id]=MagickTrue; + +- mng_info->y_off[object_id]=(ssize_t) ((p[8] << 24) | +- (p[9] << 16) | (p[10] << 8) | p[11]); ++ if (length > 2) ++ mng_info->invisible[object_id]=p[2]; + +- if (logging != MagickFalse) ++ /* ++ Extract object offset info. 
++ */ ++ if (length > 11) + { +- (void) LogMagickEvent(CoderEvent,GetMagickModule(), +- " x_off[%d]: %.20g",object_id,(double) +- mng_info->x_off[object_id]); +- +- (void) LogMagickEvent(CoderEvent,GetMagickModule(), +- " y_off[%d]: %.20g",object_id,(double) +- mng_info->y_off[object_id]); ++ mng_info->x_off[object_id]=(ssize_t) ((p[4] << 24) | ++ (p[5] << 16) | (p[6] << 8) | p[7]); ++ ++ mng_info->y_off[object_id]=(ssize_t) ((p[8] << 24) | ++ (p[9] << 16) | (p[10] << 8) | p[11]); ++ ++ if (logging != MagickFalse) ++ { ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " x_off[%d]: %.20g, y_off[%d]: %.20g", ++ object_id,(double) mng_info->x_off[object_id], ++ object_id,(double) mng_info->y_off[object_id]); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " x_off[%d]: %.20g",object_id,(double) ++ mng_info->x_off[object_id]); ++ ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " y_off[%d]: %.20g",object_id,(double) ++ mng_info->y_off[object_id]); ++ } + } +- } + +- /* +- Extract object clipping info. +- */ +- if (length > 27) +- mng_info->object_clip[object_id]=mng_read_box(mng_info->frame,0, +- &p[12]); ++ /* ++ Extract object clipping info. 
++ */ ++ ++ if (length > 27) ++ mng_info->object_clip[object_id]= ++ mng_read_box(mng_info->frame,0, &p[12]); ++ } + + chunk=(unsigned char *) RelinquishMagickMemory(chunk); + continue; +@@ -5236,7 +5246,7 @@ static Image *ReadOneMNGImage(MngInfo* m + frame_timeout=default_frame_timeout; + fb=default_fb; + +- if (length) ++ if (length > 0) + if (p[0]) + mng_info->framing_mode=p[0]; + +@@ -5267,10 +5277,10 @@ static Image *ReadOneMNGImage(MngInfo* m + change_clipping=(*p++); + p++; /* change_sync */ + +- if (change_delay) ++ if (change_delay && (p-chunk) < (ssize_t) (length-4)) + { +- frame_delay=1UL*image->ticks_per_second* +- mng_get_long(p); ++ frame_delay=1UL*image->ticks_per_second* ++ mng_get_long(p); + + if (mng_info->ticks_per_second != 0) + frame_delay/=mng_info->ticks_per_second; +@@ -5288,7 +5298,7 @@ static Image *ReadOneMNGImage(MngInfo* m + " Framing_delay=%.20g",(double) frame_delay); + } + +- if (change_timeout) ++ if (change_timeout && (p-chunk) < (ssize_t) (length-4)) + { + frame_timeout=1UL*image->ticks_per_second* + mng_get_long(p); +@@ -5309,7 +5319,7 @@ static Image *ReadOneMNGImage(MngInfo* m + " Framing_timeout=%.20g",(double) frame_timeout); + } + +- if (change_clipping) ++ if (change_clipping && (p-chunk) < (ssize_t) (length-16)) + { + fb=mng_read_box(previous_fb,(char) p[0],&p[1]); + p+=17; +@@ -5402,24 +5412,30 @@ static Image *ReadOneMNGImage(MngInfo* m + /* + Read CLIP. 
+ */ +- first_object=(p[0] << 8) | p[1]; +- last_object=(p[2] << 8) | p[3]; ++ if (length > 3) ++ { ++ first_object=(p[0] << 8) | p[1]; ++ last_object=(p[2] << 8) | p[3]; ++ p+=4; + +- for (i=(int) first_object; i <= (int) last_object; i++) +- { +- if (mng_info->exists[i] && !mng_info->frozen[i]) ++ for (i=(int) first_object; i <= (int) last_object; i++) + { +- MngBox +- box; +- +- box=mng_info->object_clip[i]; +- mng_info->object_clip[i]=mng_read_box(box,(char) p[4],&p[5]); ++ if (mng_info->exists[i] && !mng_info->frozen[i]) ++ { ++ MngBox ++ box; ++ ++ box=mng_info->object_clip[i]; ++ if ((p-chunk) < (ssize_t) (length-17)) ++ mng_info->object_clip[i]= ++ mng_read_box(box,(char) p[0],&p[1]); ++ } + } +- } + + chunk=(unsigned char *) RelinquishMagickMemory(chunk); + continue; + } ++ } + if (memcmp(type,mng_SAVE,4) == 0) + { + for (i=1; i < MNG_MAX_OBJECTS; i++) +@@ -5474,24 +5490,30 @@ static Image *ReadOneMNGImage(MngInfo* m + + /* read MOVE */ + +- first_object=(p[0] << 8) | p[1]; +- last_object=(p[2] << 8) | p[3]; +- for (i=(ssize_t) first_object; i <= (ssize_t) last_object; i++) ++ if (length > 3) + { +- if (mng_info->exists[i] && !mng_info->frozen[i]) +- { +- MngPair +- new_pair; ++ first_object=(p[0] << 8) | p[1]; ++ last_object=(p[2] << 8) | p[3]; ++ p+=4; + +- MngPair +- old_pair; ++ for (i=(ssize_t) first_object; i <= (ssize_t) last_object; i++) ++ { ++ if (mng_info->exists[i] && !mng_info->frozen[i] && ++ (p-chunk) < (ssize_t) (length-8)) ++ { ++ MngPair ++ new_pair; + +- old_pair.a=mng_info->x_off[i]; +- old_pair.b=mng_info->y_off[i]; +- new_pair=mng_read_pair(old_pair,(int) p[4],&p[5]); +- mng_info->x_off[i]=new_pair.a; +- mng_info->y_off[i]=new_pair.b; +- } ++ MngPair ++ old_pair; ++ ++ old_pair.a=mng_info->x_off[i]; ++ old_pair.b=mng_info->y_off[i]; ++ new_pair=mng_read_pair(old_pair,(int) p[0],&p[1]); ++ mng_info->x_off[i]=new_pair.a; ++ mng_info->y_off[i]=new_pair.b; ++ } ++ } + } + + chunk=(unsigned char *) RelinquishMagickMemory(chunk); +@@ 
-5501,27 +5523,30 @@ static Image *ReadOneMNGImage(MngInfo* m + if (memcmp(type,mng_LOOP,4) == 0) + { + ssize_t loop_iters=1; +- loop_level=chunk[0]; +- mng_info->loop_active[loop_level]=1; /* mark loop active */ ++ if (length > 0) /* To do: check spec, if empty LOOP is allowed */ ++ { ++ loop_level=chunk[0]; ++ mng_info->loop_active[loop_level]=1; /* mark loop active */ + +- /* Record starting point. */ +- loop_iters=mng_get_long(&chunk[1]); ++ /* Record starting point. */ ++ loop_iters=mng_get_long(&chunk[1]); + +- if (logging != MagickFalse) +- (void) LogMagickEvent(CoderEvent,GetMagickModule(), +- " LOOP level %.20g has %.20g iterations ",(double) loop_level, +- (double) loop_iters); ++ if (logging != MagickFalse) ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ " LOOP level %.20g has %.20g iterations ", ++ (double) loop_level, (double) loop_iters); + +- if (loop_iters == 0) +- skipping_loop=loop_level; ++ if (loop_iters == 0) ++ skipping_loop=loop_level; + +- else +- { +- mng_info->loop_jump[loop_level]=TellBlob(image); +- mng_info->loop_count[loop_level]=loop_iters; +- } ++ else ++ { ++ mng_info->loop_jump[loop_level]=TellBlob(image); ++ mng_info->loop_count[loop_level]=loop_iters; ++ } + +- mng_info->loop_iteration[loop_level]=0; ++ mng_info->loop_iteration[loop_level]=0; ++ } + chunk=(unsigned char *) RelinquishMagickMemory(chunk); + continue; + } +@@ -5801,33 +5826,36 @@ static Image *ReadOneMNGImage(MngInfo* m + + mng_info->basi_warning++; + #ifdef MNG_BASI_SUPPORTED +- basi_width=(size_t) ((p[0] << 24) | (p[1] << 16) | +- (p[2] << 8) | p[3]); +- basi_height=(size_t) ((p[4] << 24) | (p[5] << 16) | +- (p[6] << 8) | p[7]); +- basi_color_type=p[8]; +- basi_compression_method=p[9]; +- basi_filter_type=p[10]; +- basi_interlace_method=p[11]; + if (length > 11) ++ { ++ basi_width=(size_t) ((p[0] << 24) | (p[1] << 16) | ++ (p[2] << 8) | p[3]); ++ basi_height=(size_t) ((p[4] << 24) | (p[5] << 16) | ++ (p[6] << 8) | p[7]); ++ basi_color_type=p[8]; ++ 
basi_compression_method=p[9]; ++ basi_filter_type=p[10]; ++ basi_interlace_method=p[11]; ++ } ++ if (length > 13) + basi_red=(p[12] << 8) & p[13]; + + else + basi_red=0; + +- if (length > 13) ++ if (length > 15) + basi_green=(p[14] << 8) & p[15]; + + else + basi_green=0; + +- if (length > 15) ++ if (length > 17) + basi_blue=(p[16] << 8) & p[17]; + + else + basi_blue=0; + +- if (length > 17) ++ if (length > 19) + basi_alpha=(p[18] << 8) & p[19]; + + else +@@ -5838,7 +5866,7 @@ static Image *ReadOneMNGImage(MngInfo* m + basi_alpha=255; + } + +- if (length > 19) ++ if (length > 20) + basi_viewable=p[20]; + + else diff -Nru imagemagick-6.7.7.10/debian/patches/0249-CVE-2017-11533-Fix-buffer-over-read-in-convert-WriteUILImage.patch imagemagick-6.7.7.10/debian/patches/0249-CVE-2017-11533-Fix-buffer-over-read-in-convert-WriteUILImage.patch --- imagemagick-6.7.7.10/debian/patches/0249-CVE-2017-11533-Fix-buffer-over-read-in-convert-WriteUILImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0249-CVE-2017-11533-Fix-buffer-over-read-in-convert-WriteUILImage.patch 2018-06-08 15:11:33.000000000 +0000 
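Review bot: Two of the new length guards in the coders/png.c patch look too loose for the reads they protect. In the first inner hunk, `repeat == 3 && length > 8` still allows `mng_get_long(&p[6])`, which touches `p[9]` if mng_get_long reads four bytes (its definition is outside the hunk), so the test should be `length > 9`; likewise in the LOOP hunk `if (length > 0)` guards `mng_get_long(&chunk[1])`, which needs `length > 4`. Separately, the CLIP and MOVE loops still index `mng_info->exists[i]` and `frozen[i]` with `first_object`/`last_object` values taken straight from the chunk, without the `MNG_MAX_OBJECTS` clamp that the DEFI branch applies to `object_id`; the array sizes are not visible here, so confirm them and add a matching bound such as `if (i > MNG_MAX_OBJECTS) break;`. The re-indented DEFI logging block also now logs x_off/y_off twice, once in the new combined call and again in the two original calls.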
@@ -0,0 +1,28 @@ +From ed1fd69231ab21dc540167c63bc3b0fa3282ec59 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 16 Jul 2017 11:00:52 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/562 + +bug: https://github.com/ImageMagick/ImageMagick/issues/562 +bug-debian: https://bugs.debian.org/869834 +origin: https://github.com/ImageMagick/ImageMagick/commit/ed1fd69231ab21dc540167c63bc3b0fa3282ec59 + +(cherry picked from commit ed1fd69231ab21dc540167c63bc3b0fa3282ec59) +[rcs: Backported to wheezy] +--- + coders/uil.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/coders/uil.c b/coders/uil.c +index f509b7121a..25ecacf900 100644 +--- a/coders/uil.c ++++ b/coders/uil.c +@@ -259,6 +259,8 @@ static MagickBooleanType WriteUILImage(const ImageInfo *image_info,Image *image) + } + } + } ++ if (i != 0) ++ i--; + (void) SetImageType(image,PaletteType); + colors=image->colors; + if (transparent != MagickFalse) diff -Nru imagemagick-6.7.7.10/debian/patches/0251-CVE-2017-11535-Fix-buffer-over-read-in-convert-WritePSImage.patch imagemagick-6.7.7.10/debian/patches/0251-CVE-2017-11535-Fix-buffer-over-read-in-convert-WritePSImage.patch --- imagemagick-6.7.7.10/debian/patches/0251-CVE-2017-11535-Fix-buffer-over-read-in-convert-WritePSImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0251-CVE-2017-11535-Fix-buffer-over-read-in-convert-WritePSImage.patch 2018-06-08 15:11:48.000000000 +0000 
@@ -0,0 +1,26 @@ +From bba95cfcc19fa8a261e12692f31279148ad42441 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 16 Jul 2017 11:19:30 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/561 + +bug: https://github.com/ImageMagick/ImageMagick/issues/561 +bug-debian: https://bugs.debian.org/869827 +origin: https://github.com/ImageMagick/ImageMagick/commit/bba95cfcc19fa8a261e12692f31279148ad42441 + +(cherry picked from commit bba95cfcc19fa8a261e12692f31279148ad42441) +[rcs: Backported to wheezy] +--- + coders/ps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- imagemagick.git.orig/coders/ps.c ++++ imagemagick.git/coders/ps.c +@@ -1054,7 +1054,7 @@ + { + #define WriteRunlengthPacket(image,pixel,length,p) \ + { \ +- if ((image->matte != MagickFalse) && \ ++ if ((image->matte != MagickFalse) && (length != 0) &&\ + (GetPixelOpacity(p) == (Quantum) TransparentOpacity)) \ + { \ + q=PopHexPixel(hex_digits,0xff,q); \ diff -Nru imagemagick-6.7.7.10/debian/patches/0252-CVE-2017-11537-Fix-floating-point-exception-in-convert-WritePALImage.patch imagemagick-6.7.7.10/debian/patches/0252-CVE-2017-11537-Fix-floating-point-exception-in-convert-WritePALImage.patch --- imagemagick-6.7.7.10/debian/patches/0252-CVE-2017-11537-Fix-floating-point-exception-in-convert-WritePALImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0252-CVE-2017-11537-Fix-floating-point-exception-in-convert-WritePALImage.patch 2018-06-08 15:12:02.000000000 +0000 
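Review bot: The added `(length != 0)` test in `WriteRunlengthPacket` uses the macro parameter unparenthesized, so an argument such as `n & mask` would expand to `n & (mask != 0)` and change the guard's meaning. Writing it as `((length) != 0)` keeps the zero-length check correct for any argument expression. The macro body continues outside the hunk, so the remaining uses of `length` and `p` cannot be checked from here.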
@@ -0,0 +1,33 @@ +From bac384563f557d1ac7413d2eaec00dd59c3cc29b Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 16 Jul 2017 11:36:54 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/560 + +bug: https://github.com/ImageMagick/ImageMagick/issues/560 +bug-debian: https://bugs.debian.org/869712 +origin: https://github.com/ImageMagick/ImageMagick/commit/bac384563f557d1ac7413d2eaec00dd59c3cc29b + +(cherry picked from commit bac384563f557d1ac7413d2eaec00dd59c3cc29b) +[rcs: Backported to wheezy] +--- + coders/palm.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- imagemagick.git.orig/coders/palm.c ++++ imagemagick.git/coders/palm.c +@@ -758,10 +758,11 @@ + (void) TransformImageColorspace(image,sRGBColorspace); + count=GetNumberColors(image,NULL,&exception); + for (bits_per_pixel=1; (one << bits_per_pixel) < count; bits_per_pixel*=2) ; +- if (image_info->depth > 100) +- bits_per_pixel=image_info->depth-100; +- if (bits_per_pixel < 16) +- (void) TransformImageColorspace(image,image->colorspace); ++ if (bits_per_pixel > 16) ++ bits_per_pixel=16; ++ else ++ if (bits_per_pixel < 16) ++ (void) TransformImageColorspace(image,image->colorspace); + if (bits_per_pixel < 8) + { + (void) TransformImageColorspace(image,GRAYColorspace); diff -Nru imagemagick-6.7.7.10/debian/patches/0254-CVE-2017-11639-Fix-buffer-over-read-in-convert-WriteCIPImage.patch imagemagick-6.7.7.10/debian/patches/0254-CVE-2017-11639-Fix-buffer-over-read-in-convert-WriteCIPImage.patch --- imagemagick-6.7.7.10/debian/patches/0254-CVE-2017-11639-Fix-buffer-over-read-in-convert-WriteCIPImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0254-CVE-2017-11639-Fix-buffer-over-read-in-convert-WriteCIPImage.patch 2018-06-08 15:12:16.000000000 +0000 
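Review bot: The new clamp `if (bits_per_pixel > 16) bits_per_pixel=16;` runs only after the sizing loop, so the loop itself can still evaluate `one << bits_per_pixel` with a shift count of 32 or more once `count` exceeds 65536. If `one` is a 32-bit type on some target (its declaration is outside the hunk), that shift is undefined behaviour. Bounding the loop instead, `for (bits_per_pixel=1; (bits_per_pixel < 16) && ((one << bits_per_pixel) < count); bits_per_pixel*=2) ;`, removes the oversized shift and makes the later clamp unnecessary. The hunk also drops the `image_info->depth > 100` override without a comment saying whether that option is intentionally retired.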
@@ -0,0 +1,62 @@ +From 8ec8ca4c61b1199b727cf52e440f3db79a5b0d0a Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Wed, 26 Jul 2017 06:44:35 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/588 + +bug: https://github.com/ImageMagick/ImageMagick/issues/588 +bug-debian: https://bugs.debian.org/870065 +origin: https://github.com/ImageMagick/ImageMagick/commit/8ec8ca4c61b1199b727cf52e440f3db79a5b0d0a + +(cherry picked from commit 8ec8ca4c61b1199b727cf52e440f3db79a5b0d0a) +[rcs: Backported to wheezy] +--- + coders/cip.c | 40 +++++++++++++++++++++++++++++++++------- + 1 file changed, 33 insertions(+), 7 deletions(-) + +--- imagemagick.git.orig/coders/cip.c ++++ imagemagick.git/coders/cip.c +@@ -248,12 +248,38 @@ + } + if ((image->columns % 4) != 0) + { +- i=(ssize_t) image->columns % 4; +- byte=(unsigned char) +- ((((size_t) (4*PixelIntensityToQuantum(image,p+MagickMin(i,3))/QuantumRange) & 0x03) << 6) | +- (((size_t) (4*PixelIntensityToQuantum(image,p+MagickMin(i,2))/QuantumRange) & 0x03) << 4) | +- (((size_t) (4*PixelIntensityToQuantum(image,p+MagickMin(i,1))/QuantumRange) & 0x03) << 2) | +- (((size_t) (4*PixelIntensityToQuantum(image,p+MagickMin(i,0))/QuantumRange) & 0x03) << 0)); ++ byte=0; ++ for ( ; x < (ssize_t) image->columns; x++) ++ { ++ i=x % 4; ++ switch (i) ++ { ++ case 0: ++ { ++ byte|=(unsigned char) (((size_t) (4*PixelIntensityToQuantum( ++ image,p+MagickMin(i,3))/QuantumRange) & 0x03) << 6); ++ break; ++ } ++ case 1: ++ { ++ byte|=(unsigned char) (((size_t) (4*PixelIntensityToQuantum( ++ image,p+MagickMin(i,2))/QuantumRange) & 0x03) << 4); ++ break; ++ } ++ case 2: ++ { ++ byte|=(unsigned char) (((size_t) (4*PixelIntensityToQuantum( ++ image,p+MagickMin(i,1))/QuantumRange) & 0x03) << 2); ++ break; ++ } ++ case 3: ++ { ++ byte|=(unsigned char) (((size_t) (4*PixelIntensityToQuantum( ++ image,p+MagickMin(i,0))/QuantumRange) & 0x03) << 0); ++ break; ++ } ++ } ++ } + (void) FormatLocaleString(buffer,MaxTextExtent,"%02x",~byte); + (void) 
WriteBlobString(image,buffer); + } diff -Nru imagemagick-6.7.7.10/debian/patches/0255-CVE-2017-11640-Fix-address-access-exception-in-convert-WritePTIFImage-1-2.patch imagemagick-6.7.7.10/debian/patches/0255-CVE-2017-11640-Fix-address-access-exception-in-convert-WritePTIFImage-1-2.patch --- imagemagick-6.7.7.10/debian/patches/0255-CVE-2017-11640-Fix-address-access-exception-in-convert-WritePTIFImage-1-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0255-CVE-2017-11640-Fix-address-access-exception-in-convert-WritePTIFImage-1-2.patch 2018-06-08 15:14:50.000000000 +0000 
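Review bot: The replacement loop for the trailing `columns % 4` pixels keeps the old `MagickMin(i,k)` offsets, so the pixel that is read does not track `i`: case 1 reads `p+1`, case 2 reads `p+MagickMin(2,1)`, which is `p+1` again, and case 3 would read `p+0`. Unless `p` is advanced somewhere outside the hunk, the third leftover pixel is a duplicate of the second rather than its own sample. If the intent is one 2-bit field per remaining pixel, indexing with `p+i` (or advancing `p` each iteration) states that directly and stays within the remaining columns of the row. The loop also relies on `x` holding the first unprocessed column on entry, which is established outside the visible lines.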
@@ -0,0 +1,51 @@ +From 46fe9920da054714d1d9c2c02a595f1fe733373d Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Tue, 18 Jul 2017 12:52:44 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/584 + +bug: https://github.com/ImageMagick/ImageMagick/issues/584 +bug-debian: https://bugs.debian.org/870067 +origin: https://github.com/ImageMagick/ImageMagick/commit/46fe9920da054714d1d9c2c02a595f1fe733373d + +(cherry picked from commit 46fe9920da054714d1d9c2c02a595f1fe733373d) +[rcs: Backported to wheezy] + +Updated: 2018-06-08 to add: +https://github.com/ImageMagick/ImageMagick/commit/1fcd0feb93b51b9363176097ee5f360c62687d86 + +--- + coders/tiff.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +Index: imagemagick-6.7.7.10/coders/tiff.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/tiff.c 2018-06-08 11:14:06.476188533 -0400 ++++ imagemagick-6.7.7.10/coders/tiff.c 2018-06-08 11:14:26.092241871 -0400 +@@ -2214,14 +2214,19 @@ static MagickBooleanType WritePTIFImage( + AppendImageToList(&images,pyramid_image); + } + } +- /* +- Write pyramid-encoded TIFF image. +- */ +- write_info=CloneImageInfo(image_info); +- write_info->adjoin=MagickTrue; +- status=WriteTIFFImage(write_info,GetFirstImageInList(images)); +- images=DestroyImageList(images); +- write_info=DestroyImageInfo(write_info); ++ status=MagickFalse; ++ if (images != (Image *) NULL) ++ { ++ /* ++ Write pyramid-encoded TIFF image. 
++ */ ++ images=GetFirstImageInList(images); ++ write_info=CloneImageInfo(image_info); ++ write_info->adjoin=MagickTrue; ++ status=WriteTIFFImage(write_info,images); ++ images=DestroyImageList(images); ++ write_info=DestroyImageInfo(write_info); ++ } + return(status); + } + #endif diff -Nru imagemagick-6.7.7.10/debian/patches/0261-CVE-2017-12140-Fix-excessive-memory-consumption-in-ReadDCMImage-via-crafted-file.patch imagemagick-6.7.7.10/debian/patches/0261-CVE-2017-12140-Fix-excessive-memory-consumption-in-ReadDCMImage-via-crafted-file.patch --- imagemagick-6.7.7.10/debian/patches/0261-CVE-2017-12140-Fix-excessive-memory-consumption-in-ReadDCMImage-via-crafted-file.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0261-CVE-2017-12140-Fix-excessive-memory-consumption-in-ReadDCMImage-via-crafted-file.patch 2018-06-08 15:15:11.000000000 +0000 
@@ -0,0 +1,25 @@ +From 6bf56fbe1fc551f198c3491ed58d56bb5efea23c Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 29 Jun 2017 11:38:44 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/533 + +bug: https://github.com/ImageMagick/ImageMagick/issues/533 +origin: https://github.com/ImageMagick/ImageMagick/commit/6bf56fbe1fc551f198c3491ed58d56bb5efea23c + +(cherry picked from commit 21d19d0c64ff070dbf37279432837bf425c0d5ddw6bf56fbe1fc551f198c3491ed58d56bb5efea23c) +[rcs: Backported to wheezy] +--- + coders/dcm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- imagemagick.git.orig/coders/dcm.c ++++ imagemagick.git/coders/dcm.c +@@ -3063,6 +3063,8 @@ + else + if ((quantum != 0) && (length != 0)) + { ++ if (length > GetBlobSize(image)) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + data=(unsigned char *) NULL; + if (~length >= 1) + data=(unsigned char *) AcquireQuantumMemory(length+1,quantum* diff -Nru imagemagick-6.7.7.10/debian/patches/0265-CVE-2017-12429-Fix-memory-exhaustion-in-ReadMIFFImage.patch imagemagick-6.7.7.10/debian/patches/0265-CVE-2017-12429-Fix-memory-exhaustion-in-ReadMIFFImage.patch --- imagemagick-6.7.7.10/debian/patches/0265-CVE-2017-12429-Fix-memory-exhaustion-in-ReadMIFFImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0265-CVE-2017-12429-Fix-memory-exhaustion-in-ReadMIFFImage.patch 2018-06-08 15:15:36.000000000 +0000 
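Review bot: The new `length > GetBlobSize(image)` guard trusts the reported blob size, which may not be meaningful when the input is a pipe or other non-seekable stream; the SUN patch later in this diff pairs the same kind of check with `entry->seekable_stream=MagickTrue`, and no equivalent registration change is visible for DCM. It is also worth confirming that `ThrowReaderException` at this point releases whatever `ReadDCMImage` allocated earlier, since the function body lies outside the hunk. The `(cherry picked from commit ...)` line in the patch header contains two hashes fused together and should name only the origin commit.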
@@ -0,0 +1,27 @@ +From 3ac6c73d39d59a7b0285b3756810272121759a31 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 6 Jul 2017 06:17:21 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/545 + +bug: https://github.com/ImageMagick/ImageMagick/issues/545 +origin: https://github.com/ImageMagick/ImageMagick/commit/3ac6c73d39d59a7b0285b3756810272121759a31 + +(cherry picked from commit 3ac6c73d39d59a7b0285b3756810272121759a31) +[rcs: Backported to wheezy] +--- + coders/miff.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: imagemagick-6.7.7.10/coders/miff.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/miff.c 2018-06-08 11:15:34.784428283 -0400 ++++ imagemagick-6.7.7.10/coders/miff.c 2018-06-08 11:15:34.784428283 -0400 +@@ -1151,6 +1151,8 @@ static Image *ReadMIFFImage(const ImageI + /* + Create image colormap. + */ ++ if ((colors*image->depth/8) > GetBlobSize(image)) ++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); + status=AcquireImageColormap(image,colors != 0 ? colors : 256); + if (status == MagickFalse) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); diff -Nru imagemagick-6.7.7.10/debian/patches/0266-CVE-2017-12430-Fix-memory-exhaustion-in-ReadMPCImage.patch imagemagick-6.7.7.10/debian/patches/0266-CVE-2017-12430-Fix-memory-exhaustion-in-ReadMPCImage.patch --- imagemagick-6.7.7.10/debian/patches/0266-CVE-2017-12430-Fix-memory-exhaustion-in-ReadMPCImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0266-CVE-2017-12430-Fix-memory-exhaustion-in-ReadMPCImage.patch 2018-06-08 15:15:49.000000000 +0000 
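Review bot: The added check computes `colors*image->depth/8` before comparing it with the blob size, so a very large `colors` value taken from the header can wrap the multiplication and slip under the limit. Dividing instead of multiplying, for example `if (colors > GetBlobSize(image)/MagickMax(image->depth/8,1))`, avoids the wrap; the declarations of `colors` and `depth` are outside the hunk, so confirm their widths. Patch 0266 in this same diff rewrites this line, so the two should be reviewed together.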
@@ -0,0 +1,55 @@ +From 8d537f6d778675e08ef9d238606d05101bf471b9 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 6 Jul 2017 06:24:15 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/546 + +bug: https://github.com/ImageMagick/ImageMagick/issues/546 +bug-debian: https://bugs.debian.org/869727 +origin: https://github.com/ImageMagick/ImageMagick/commit/8d537f6d778675e08ef9d238606d05101bf471b9 + +(cherry picked from commit 8d537f6d778675e08ef9d238606d05101bf471b9) +[rcs: Backported to wheezy] +--- + coders/miff.c | 16 ++++++++-------- + coders/mpc.c | 16 +++++++++------- + 2 files changed, 17 insertions(+), 15 deletions(-) + +Index: imagemagick-6.7.7.10/coders/miff.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/miff.c 2018-06-08 11:15:47.692463252 -0400 ++++ imagemagick-6.7.7.10/coders/miff.c 2018-06-08 11:15:47.688463241 -0400 +@@ -1148,26 +1148,26 @@ static Image *ReadMIFFImage(const ImageI + image->depth=GetImageQuantumDepth(image,MagickFalse); + if (image->storage_class == PseudoClass) + { ++ size_t ++ packet_size; ++ ++ unsigned char ++ *colormap; ++ + /* + Create image colormap. + */ +- if ((colors*image->depth/8) > GetBlobSize(image)) ++ packet_size=(size_t) (3UL*image->depth/8UL); ++ if ((packet_size*image->colors) > GetBlobSize(image)) + ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); + status=AcquireImageColormap(image,colors != 0 ? colors : 256); + if (status == MagickFalse) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + if (colors != 0) + { +- size_t +- packet_size; +- +- unsigned char +- *colormap; +- + /* + Read image colormap from file. 
+ */ +- packet_size=(size_t) (3UL*image->depth/8UL); + colormap=(unsigned char *) AcquireQuantumMemory(image->colors, + packet_size*sizeof(*colormap)); + if (colormap == (unsigned char *) NULL) diff -Nru imagemagick-6.7.7.10/debian/patches/0267-CVE-2017-12431-Fix-use-after-free-in-ReadWMFImage.patch imagemagick-6.7.7.10/debian/patches/0267-CVE-2017-12431-Fix-use-after-free-in-ReadWMFImage.patch --- imagemagick-6.7.7.10/debian/patches/0267-CVE-2017-12431-Fix-use-after-free-in-ReadWMFImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0267-CVE-2017-12431-Fix-use-after-free-in-ReadWMFImage.patch 2018-06-08 15:18:01.000000000 +0000 
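Review bot: The rewritten guard multiplies `packet_size` by `image->colors`, but it runs before `AcquireImageColormap(image,colors != 0 ? colors : 256)`, which is the call that consumes the header-supplied local `colors`. If `image->colors` has not been populated yet at that point (not visible in the hunk), the product is zero and the check never fires. Using the local, `if ((packet_size*colors) > GetBlobSize(image))`, would test the value that is about to drive the allocation. Also, the diffstat in this patch lists `coders/mpc.c`, yet the patch body contains only the `coders/miff.c` hunk, so the ReadMPCImage change named in the patch title appears to be missing from this backport.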
@@ -0,0 +1,90 @@ +From 5660836f9197107e9c38f14f27a45c2d9f26afe2 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 9 Jul 2017 08:47:59 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/555 + +bug: https://github.com/ImageMagick/ImageMagick/issues/555 +bug-debian: https://bugs.debian.org/869715 +origin: https://github.com/ImageMagick/ImageMagick/commit/5660836f9197107e9c38f14f27a45c2d9f26afe2 + +(cherry picked from commit 5660836f9197107e9c38f14f27a45c2d9f26afe2) +[rcs: Backported to wheezy] +--- + coders/wmf.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +Index: imagemagick-6.7.7.10/coders/wmf.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/wmf.c 2018-06-08 11:16:08.920520721 -0400 ++++ imagemagick-6.7.7.10/coders/wmf.c 2018-06-08 11:17:15.420700461 -0400 +@@ -2625,8 +2625,6 @@ static Image *ReadWMFImage(const ImageIn + wmf_error = wmf_api_create(&API, wmf_options_flags, &wmf_api_options); + if (wmf_error != wmf_E_None) + { +- if (API) +- wmf_api_destroy(API); + if (image->debug != MagickFalse) + { + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +@@ -2634,6 +2632,8 @@ static Image *ReadWMFImage(const ImageIn + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + "leave ReadWMFImage()"); + } ++ if (API) ++ wmf_api_destroy(API); + ThrowReaderException(DelegateError,"UnableToInitializeWMFLibrary"); + } + +@@ -2664,7 +2664,6 @@ static Image *ReadWMFImage(const ImageIn + ipa_blob_tell,(void*)image); + if (wmf_error != wmf_E_None) + { +- wmf_api_destroy(API); + if (image->debug != MagickFalse) + { + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +@@ -2672,6 +2671,7 @@ static Image *ReadWMFImage(const ImageIn + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + "leave ReadWMFImage()"); + } ++ wmf_api_destroy(API); + ThrowFileException(exception,FileOpenError,"UnableToOpenFile", + image->filename); + image=DestroyImageList(image); +@@ -2726,7 
+2726,11 @@ static Image *ReadWMFImage(const ImageIn + wmf_error=wmf_size(API,&wmf_width,&wmf_height); + if (wmf_error != wmf_E_None) + { +- wmf_api_destroy(API); ++ if (ddata->draw_info != (DrawInfo *) NULL) ++ { ++ DestroyDrawInfo(ddata->draw_info); ++ ddata->draw_info=(DrawInfo *)NULL; ++ } + if (image->debug != MagickFalse) + { + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +@@ -2734,6 +2738,7 @@ static Image *ReadWMFImage(const ImageIn + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + "leave ReadWMFImage()"); + } ++ wmf_api_destroy(API); + ThrowReaderException(DelegateError,"FailedToComputeOutputSize"); + } + +@@ -2900,7 +2905,6 @@ static Image *ReadWMFImage(const ImageIn + wmf_error = wmf_play(API, 0, &bbox); + if (wmf_error != wmf_E_None) + { +- wmf_api_destroy(API); + if (image->debug != MagickFalse) + { + (void) LogMagickEvent(CoderEvent,GetMagickModule(), +@@ -2908,6 +2912,7 @@ static Image *ReadWMFImage(const ImageIn + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + "leave ReadWMFImage()"); + } ++ wmf_api_destroy(API); + ThrowReaderException(DelegateError,"FailedToRenderFile"); + } + diff -Nru imagemagick-6.7.7.10/debian/patches/0268-CVE-2017-12432-Fix-memory-exhaustion-in-ReadPCXImage.patch imagemagick-6.7.7.10/debian/patches/0268-CVE-2017-12432-Fix-memory-exhaustion-in-ReadPCXImage.patch --- imagemagick-6.7.7.10/debian/patches/0268-CVE-2017-12432-Fix-memory-exhaustion-in-ReadPCXImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0268-CVE-2017-12432-Fix-memory-exhaustion-in-ReadPCXImage.patch 2018-06-08 15:19:23.000000000 +0000 
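Review bot: Only the `wmf_size` failure path gains the `ddata->draw_info` cleanup; the `wmf_play` failure path in the last inner hunk still calls `wmf_api_destroy(API)` and throws without it. If `draw_info` is still live at that point (its lifetime is managed outside the visible lines), that path leaks it, and the two error paths should match. The usual form is also `ddata->draw_info=DestroyDrawInfo(ddata->draw_info);`, which clears the pointer in the same statement. A short comment on why `wmf_api_destroy` now has to follow the logging calls would keep a later cleanup from moving it back.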
@@ -0,0 +1,29 @@ +From 3ded916c5da6febe9660c3cfa44c3114567adf74 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Tue, 4 Jul 2017 13:58:20 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/536 + +bug: https://github.com/ImageMagick/ImageMagick/issues/536 +bug-debian: https://bugs.debian.org/870491 +origin: https://github.com/ImageMagick/ImageMagick/commit/3ded916c5da6febe9660c3cfa44c3114567adf74 + +(cherry picked from commit 3ded916c5da6febe9660c3cfa44c3114567adf74) +[rcs: Backported to wheezy] +--- + coders/pcx.c | 2 ++ + magick/memory.c | 4 +++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +Index: imagemagick-6.7.7.10/coders/pcx.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/pcx.c 2018-06-08 11:18:39.184926300 -0400 ++++ imagemagick-6.7.7.10/coders/pcx.c 2018-06-08 11:19:12.193015140 -0400 +@@ -371,6 +371,8 @@ static Image *ReadPCXImage(const ImageIn + ThrowPCXException(CorruptImageError,"ImproperImageHeader"); + pcx_info.reserved=(unsigned char) ReadBlobByte(image); + pcx_info.planes=(unsigned char) ReadBlobByte(image); ++ if (pcx_info.planes > 6) ++ ThrowPCXException(CorruptImageError,"ImproperImageHeader"); + if ((pcx_info.bits_per_pixel*pcx_info.planes) >= 64) + ThrowPCXException(CorruptImageError,"ImproperImageHeader"); + if (pcx_info.planes == 0) diff -Nru imagemagick-6.7.7.10/debian/patches/0270-CVE-2017-12435-Fix-memory-exhaustion-in-ReadSUNImage.patch imagemagick-6.7.7.10/debian/patches/0270-CVE-2017-12435-Fix-memory-exhaustion-in-ReadSUNImage.patch --- imagemagick-6.7.7.10/debian/patches/0270-CVE-2017-12435-Fix-memory-exhaustion-in-ReadSUNImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0270-CVE-2017-12435-Fix-memory-exhaustion-in-ReadSUNImage.patch 2018-06-08 15:19:48.000000000 +0000 
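Review bot: The header of the ReadPCXImage patch lists `magick/memory.c | 4 +++-` and "2 files changed", but the body carries only the coders/pcx.c hunk. If the memory.c part was left out on purpose during the backport, a line next to `[rcs: Backported to wheezy]` such as `[rcs: magick/memory.c hunk of the upstream commit not applied]` would let an auditor match this file against the upstream commit. In the code, the limit in `if (pcx_info.planes > 6)` is a bare literal; a short comment stating where the bound of 6 comes from would help the next reader. ReadPCXImage continues outside the hunk.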
@@ -0,0 +1,43 @@ +From 44cb8dfd4cbe6fc475c863a5946cff64e34c2088 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Wed, 5 Jul 2017 16:41:58 -0400 +Subject: [PATCH] .https://github.com/ImageMagick/ImageMagick/issues/543 + +bug: https://github.com/ImageMagick/ImageMagick/issues/543 +bug-debian: https://bugs.debian.org/870504 +origin: https://github.com/ImageMagick/ImageMagick/commit/44cb8dfd4cbe6fc475c863a5946cff64e34c2088 + +(cherry picked from commit 44cb8dfd4cbe6fc475c863a5946cff64e34c2088) +[rcs: Backported to wheezy] +--- + coders/sun.c | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: imagemagick-6.7.7.10/coders/sun.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/sun.c 2018-06-08 11:19:46.937108568 -0400 ++++ imagemagick-6.7.7.10/coders/sun.c 2018-06-08 11:19:46.937108568 -0400 +@@ -332,6 +332,8 @@ static Image *ReadSUNImage(const ImageIn + size_t + one; + ++ if (sun_info.maplength > GetBlobSize(image)) ++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); + image->colors=sun_info.maplength; + one=1; + if (sun_info.maptype == RMT_NONE) +@@ -648,12 +650,14 @@ ModuleExport size_t RegisterSUNImage(voi + entry->encoder=(EncodeImageHandler *) WriteSUNImage; + entry->magick=(IsImageFormatHandler *) IsSUN; + entry->description=ConstantString("SUN Rasterfile"); ++ entry->seekable_stream=MagickTrue; + entry->module=ConstantString("SUN"); + (void) RegisterMagickInfo(entry); + entry=SetMagickInfo("SUN"); + entry->decoder=(DecodeImageHandler *) ReadSUNImage; + entry->encoder=(EncodeImageHandler *) WriteSUNImage; + entry->description=ConstantString("SUN Rasterfile"); ++ entry->seekable_stream=MagickTrue; + entry->module=ConstantString("SUN"); + (void) RegisterMagickInfo(entry); + return(MagickImageCoderSignature); diff -Nru imagemagick-6.7.7.10/debian/patches/0271-CVE-2017-12563-Fix-memory-exhaustion-in-ReadPSDImage.patch 
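Review bot: The new `sun_info.maplength > GetBlobSize(image)` test in ReadSUNImage depends on GetBlobSize() reporting the real input size, and the two `entry->seekable_stream=MagickTrue;` lines added in RegisterSUNImage look like what guarantees that, but nothing in the code ties them together. A comment above the check would keep the two halves from being separated later, for example `/* maplength comes from the file header; it cannot exceed the blob size (relies on seekable_stream) */`. Both functions extend beyond the hunks shown.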
imagemagick-6.7.7.10/debian/patches/0271-CVE-2017-12563-Fix-memory-exhaustion-in-ReadPSDImage.patch --- imagemagick-6.7.7.10/debian/patches/0271-CVE-2017-12563-Fix-memory-exhaustion-in-ReadPSDImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0271-CVE-2017-12563-Fix-memory-exhaustion-in-ReadPSDImage.patch 2018-06-08 15:20:00.000000000 +0000 
@@ -0,0 +1,28 @@ +From 7d3af83d8b946f952bfd028451e6dfb1f7ace07a Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 23 Jul 2017 10:45:14 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/599 + +bug: https://github.com/ImageMagick/ImageMagick/issues/599 +bug-debian: https://bugs.debian.org/870530 +origin: https://github.com/ImageMagick/ImageMagick/commit/7d3af83d8b946f952bfd028451e6dfb1f7ace07a + +(cherry picked from commit 7d3af83d8b946f952bfd028451e6dfb1f7ace07a) +[rcs: Backported to wheezy] +--- + coders/psd.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: imagemagick-6.7.7.10/coders/psd.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/psd.c 2018-06-08 11:19:58.349139237 -0400 ++++ imagemagick-6.7.7.10/coders/psd.c 2018-06-08 11:19:58.345139226 -0400 +@@ -949,6 +949,8 @@ static Image *ReadPSDImage(const ImageIn + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " reading image resource blocks - %.20g bytes",(double) + ((MagickOffsetType) length)); ++ if (length > GetBlobSize(image)) ++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); + blocks=(unsigned char *) AcquireQuantumMemory((size_t) length, + sizeof(*blocks)); + if (blocks == (unsigned char *) NULL) diff -Nru imagemagick-6.7.7.10/debian/patches/0276-CVE-2017-12587-Fix-large-loop-vulnerability-in-ReadPWPImage.patch imagemagick-6.7.7.10/debian/patches/0276-CVE-2017-12587-Fix-large-loop-vulnerability-in-ReadPWPImage.patch --- imagemagick-6.7.7.10/debian/patches/0276-CVE-2017-12587-Fix-large-loop-vulnerability-in-ReadPWPImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0276-CVE-2017-12587-Fix-large-loop-vulnerability-in-ReadPWPImage.patch 2018-06-08 15:20:09.000000000 +0000 
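Review bot: The ReadPSDImage check `if (length > GetBlobSize(image))` is added without the `entry->seekable_stream=MagickTrue;` registration change that the SUN and SFW patches in this series carry alongside the same kind of test. If the PSD registration does not already set it (RegisterPSDImage is not part of this patch), GetBlobSize() may not reflect the real input length for piped input, and valid files could then be rejected as "InsufficientImageDataInFile". Confirm the registration, or add the line there as the sibling patches do. ReadPSDImage continues outside the hunk, so any cleanup needed before the throw cannot be judged from here.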
@@ -0,0 +1,26 @@ +From d4192df5eb03892089806d52a317cc3101856726 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Tue, 4 Jul 2017 10:09:53 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/535 + +bug: https://github.com/ImageMagick/ImageMagick/issues/535 +bug-debian: https://bugs.debian.org/870526 +origin: https://github.com/ImageMagick/ImageMagick/commit/d4192df5eb03892089806d52a317cc3101856726 + +(cherry picked from commit d4192df5eb03892089806d52a317cc3101856726) +[rcs: Backported to wheezy] +--- + coders/pwp.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- imagemagick.git.orig/coders/pwp.c ++++ imagemagick.git/coders/pwp.c +@@ -215,6 +215,8 @@ + for (i=0; i < (ssize_t) filesize; i++) + { + c=ReadBlobByte(pwp_image); ++ if (c == EOF) ++ break; + (void) fputc(c,file); + } + (void) fclose(file); diff -Nru imagemagick-6.7.7.10/debian/patches/0277-CVE-2017-12640-Fix-out-of-bounds-read-vulnerability-in-ReadOneMNGImage.patch imagemagick-6.7.7.10/debian/patches/0277-CVE-2017-12640-Fix-out-of-bounds-read-vulnerability-in-ReadOneMNGImage.patch --- imagemagick-6.7.7.10/debian/patches/0277-CVE-2017-12640-Fix-out-of-bounds-read-vulnerability-in-ReadOneMNGImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0277-CVE-2017-12640-Fix-out-of-bounds-read-vulnerability-in-ReadOneMNGImage.patch 2018-06-08 15:20:24.000000000 +0000 
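Review bot: Breaking out of the copy loop on EOF in coders/pwp.c bounds the loop, but the truncation is then silent: the next visible statement closes the temporary file and, as far as the hunk shows, the reader carries on as if all `filesize` bytes had been copied. A test of `i < (ssize_t) filesize` after `(void) fclose(file);` that reports CorruptImageError would make the short input visible to callers. The cleanup such an error path needs lies outside the hunk, so it is described rather than spelled out here.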
@@ -0,0 +1,28 @@ +From 78d4c5db50fbab0b4beb69c46c6167f2c6513dec Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 6 Jul 2017 19:20:38 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/542 + +bug: https://github.com/ImageMagick/ImageMagick/issues/542 +bug-debian: https://bugs.debian.org/870106 +origin: https://github.com/ImageMagick/ImageMagick/commit/78d4c5db50fbab0b4beb69c46c6167f2c6513dec + +(cherry picked from commit 78d4c5db50fbab0b4beb69c46c6167f2c6513dec) +[rcs: Backported to wheezy] +--- + coders/png.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: imagemagick-6.7.7.10/coders/png.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/png.c 2018-06-08 11:20:22.145203161 -0400 ++++ imagemagick-6.7.7.10/coders/png.c 2018-06-08 11:20:22.145203161 -0400 +@@ -5498,6 +5498,8 @@ static Image *ReadOneMNGImage(MngInfo* m + + for (i=(ssize_t) first_object; i <= (ssize_t) last_object; i++) + { ++ if ((i < 0) || (i >= MNG_MAX_OBJECTS)) ++ continue; + if (mng_info->exists[i] && !mng_info->frozen[i] && + (p-chunk) < (ssize_t) (length-8)) + { diff -Nru imagemagick-6.7.7.10/debian/patches/0280-CVE-2017-12643-Fix-memory-exhaustion-vulnerability-in-ReadOneJNGImage.patch imagemagick-6.7.7.10/debian/patches/0280-CVE-2017-12643-Fix-memory-exhaustion-vulnerability-in-ReadOneJNGImage.patch --- imagemagick-6.7.7.10/debian/patches/0280-CVE-2017-12643-Fix-memory-exhaustion-vulnerability-in-ReadOneJNGImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0280-CVE-2017-12643-Fix-memory-exhaustion-vulnerability-in-ReadOneJNGImage.patch 2018-06-08 15:20:37.000000000 +0000 
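Review bot: The per-iteration guard `if ((i < 0) || (i >= MNG_MAX_OBJECTS)) continue;` keeps the loop walking the whole `first_object`..`last_object` range even after `i` has passed the upper bound, when no later iteration can do any work. `if (i >= MNG_MAX_OBJECTS) break;` for the upper bound, or clamping the range before the loop, states the intent more directly. The CLIP-chunk patch further down (0293) adds the identical guard to a second loop in ReadOneMNGImage, and the same applies there. A one-line comment such as `/* exists[] and frozen[] are indexed by object id */` would explain the guard, presuming those arrays hold MNG_MAX_OBJECTS entries; their declarations are outside the hunk.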
@@ -0,0 +1,38 @@ +From 9eedb5660f1704cde8e8cd784c5c2a09dd2fd60f Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sat, 8 Jul 2017 08:17:29 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/549 + +bug: https://github.com/ImageMagick/ImageMagick/issues/549 +bug-debian: https://bugs.debian.org/870107 +origin: https://github.com/ImageMagick/ImageMagick/commit/9eedb5660f1704cde8e8cd784c5c2a09dd2fd60f + +(cherry picked from commit 9eedb5660f1704cde8e8cd784c5c2a09dd2fd60f) +[rcs: Backported to wheezy] +--- + coders/png.c | 5 +++++ + 1 file changed, 5 insertions(+) + +Index: imagemagick-6.7.7.10/coders/png.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/png.c 2018-06-08 11:20:35.621239345 -0400 ++++ imagemagick-6.7.7.10/coders/png.c 2018-06-08 11:20:35.621239345 -0400 +@@ -3917,6 +3917,8 @@ static Image *ReadOneJNGImage(MngInfo *m + + if (length) + { ++ if (length > GetBlobSize(image)) ++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); + chunk=(unsigned char *) AcquireQuantumMemory(length,sizeof(*chunk)); + + if (chunk == (unsigned char *) NULL) +@@ -4786,6 +4788,9 @@ static Image *ReadOneMNGImage(MngInfo* m + + if (length) + { ++ if (length > GetBlobSize(image)) ++ ThrowReaderException(CorruptImageError, ++ "InsufficientImageDataInFile"); + chunk=(unsigned char *) AcquireQuantumMemory(length,sizeof(*chunk)); + + if (chunk == (unsigned char *) NULL) diff -Nru imagemagick-6.7.7.10/debian/patches/0284-CVE-2017-12670-Fix-missing-validation-in-ReadMATImage-1-2.patch imagemagick-6.7.7.10/debian/patches/0284-CVE-2017-12670-Fix-missing-validation-in-ReadMATImage-1-2.patch --- imagemagick-6.7.7.10/debian/patches/0284-CVE-2017-12670-Fix-missing-validation-in-ReadMATImage-1-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0284-CVE-2017-12670-Fix-missing-validation-in-ReadMATImage-1-2.patch 2018-06-08 15:21:26.000000000 +0000 
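Review bot: Both new checks in ReadOneJNGImage and ReadOneMNGImage compare the chunk `length` with the size of the whole blob, not with the bytes left after the current read position, so a length smaller than the file but larger than what remains still reaches AcquireQuantumMemory(). That does bound the allocation by the file size, but the limit is looser than it needs to be. Comparing against `GetBlobSize(image)-TellBlob(image)` (with casts that match the two return types) would tighten it; failing that, a comment `/* coarse bound: a chunk cannot be longer than the file */` would record that the looseness is intended. Both functions extend beyond the hunks, so cleanup before the throw cannot be assessed here.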
@@ -0,0 +1,29 @@ +From ab440f9ea11e0dbefb7a808cbb9441198758b0cb Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 24 Jul 2017 08:42:22 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/610 + +bug: https://github.com/ImageMagick/ImageMagick/issues/610 +bug-debian: https://bugs.debian.org/870020 +origin: https://github.com/ImageMagick/ImageMagick/commit/ab440f9ea11e0dbefb7a808cbb9441198758b0cb + +(cherry picked from commit ab440f9ea11e0dbefb7a808cbb9441198758b0cb) +[rcs: Backported to wheezy] +--- + coders/mat.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +Index: imagemagick-6.7.7.10/coders/mat.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/mat.c 2018-06-08 11:20:55.073291557 -0400 ++++ imagemagick-6.7.7.10/coders/mat.c 2018-06-08 11:21:19.733357716 -0400 +@@ -1104,6 +1104,9 @@ done_reading: + if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),"return"); + if(image==NULL) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ else ++ if ((image != image2) && (image2 != (Image *) NULL)) ++ image2=DestroyImage(image2); + return (image); + } + diff -Nru imagemagick-6.7.7.10/debian/patches/0285-CVE-2017-12670-Fix-missing-validation-in-ReadMATImage-2-2.patch imagemagick-6.7.7.10/debian/patches/0285-CVE-2017-12670-Fix-missing-validation-in-ReadMATImage-2-2.patch --- imagemagick-6.7.7.10/debian/patches/0285-CVE-2017-12670-Fix-missing-validation-in-ReadMATImage-2-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0285-CVE-2017-12670-Fix-missing-validation-in-ReadMATImage-2-2.patch 2018-06-08 15:21:36.000000000 +0000 
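Review bot: The `else` added after `ThrowReaderException(CorruptImageError,"ImproperImageHeader");` in coders/mat.c only parses if that macro is a single statement; if it expands to a braced block, the trailing `;` orphans the `else`, and patch 0285 then "fixes" it by deleting the semicolon. Since the macro presumably returns from the function, the `else` is unnecessary and both patches could be replaced by leaving the throw line unchanged and adding `if ((image != image2) && (image2 != (Image *) NULL))` / `image2=DestroyImage(image2);` as a separate statement. That keeps each patch in the series buildable on its own and avoids a macro call without a terminating semicolon. The function begins outside the hunk.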
@@ -0,0 +1,30 @@ +From 75db34b6a4d642cb6f88c792942de27490c900e0 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 24 Jul 2017 09:23:29 -0400 +Subject: [PATCH] ... + +bug: https://github.com/ImageMagick/ImageMagick/issues/610 +bug-debian: https://bugs.debian.org/870020 +origin: https://github.com/ImageMagick/ImageMagick/commit/ab440f9ea11e0dbefb7a808cbb9441198758b0cb + +(cherry picked from commit ab440f9ea11e0dbefb7a808cbb9441198758b0cb) +[rcs: Backported to wheezy] +--- + coders/mat.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: imagemagick-6.7.7.10/coders/mat.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/mat.c 2018-06-08 11:21:34.393397030 -0400 ++++ imagemagick-6.7.7.10/coders/mat.c 2018-06-08 11:21:34.389397020 -0400 +@@ -1102,8 +1102,8 @@ done_reading: + clone_info = NULL; + } + if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),"return"); +- if(image==NULL) +- ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ if (image==NULL) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader") + else + if ((image != image2) && (image2 != (Image *) NULL)) + image2=DestroyImage(image2); diff -Nru imagemagick-6.7.7.10/debian/patches/0286-CVE-2017-12674-Fix-CPU-exhaustion-in-ReadPDBImage.patch imagemagick-6.7.7.10/debian/patches/0286-CVE-2017-12674-Fix-CPU-exhaustion-in-ReadPDBImage.patch --- imagemagick-6.7.7.10/debian/patches/0286-CVE-2017-12674-Fix-CPU-exhaustion-in-ReadPDBImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0286-CVE-2017-12674-Fix-CPU-exhaustion-in-ReadPDBImage.patch 2018-06-08 15:21:45.000000000 +0000 
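Review bot: The patch header names two different commits: the `From` line is 75db34b6a4d642cb6f88c792942de27490c900e0, while both `origin:` and `(cherry picked from commit …)` point at ab440f9ea11e0dbefb7a808cbb9441198758b0cb, the commit already used for patch 1/2. For a security backport the provenance lines should identify the commit actually applied, i.e. `origin: https://github.com/ImageMagick/ImageMagick/commit/75db34b6a4d642cb6f88c792942de27490c900e0` if the From line is the correct one. The first short-file-check patch (0294) shows the same mismatch, with From 46e3aabb… against origin aa84944b….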
@@ -0,0 +1,34 @@ +From 5a91708c6b70bd4e3d2b931465307e0aeababb3c Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 23 Jul 2017 11:48:08 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/604 + +bug: https://github.com/ImageMagick/ImageMagick/issues/604 +bug-debian: https://bugs.debian.org/872609 +origin: https://github.com/ImageMagick/ImageMagick/commit/5a91708c6b70bd4e3d2b931465307e0aeababb3c + +(cherry picked from commit 5a91708c6b70bd4e3d2b931465307e0aeababb3c) +[rcs: Backported to wheezy] +--- + coders/pdb.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- imagemagick.git.orig/coders/pdb.c ++++ imagemagick.git/coders/pdb.c +@@ -564,7 +564,15 @@ + length; + + num_pad_bytes = (size_t) (comment_offset - TellBlob( image )); +- while (num_pad_bytes--) ReadBlobByte( image ); ++ while (num_pad_bytes-- != 0) ++ { ++ int ++ c; ++ ++ c=ReadBlobByte(image); ++ if (c == EOF) ++ break; ++ } + + /* + Read comment. diff -Nru imagemagick-6.7.7.10/debian/patches/0289-CVE-2017-12877-Fix-use-after-free-in-ReadMATImage.patch imagemagick-6.7.7.10/debian/patches/0289-CVE-2017-12877-Fix-use-after-free-in-ReadMATImage.patch --- imagemagick-6.7.7.10/debian/patches/0289-CVE-2017-12877-Fix-use-after-free-in-ReadMATImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0289-CVE-2017-12877-Fix-use-after-free-in-ReadMATImage.patch 2018-06-08 15:24:08.000000000 +0000 
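Review bot: `num_pad_bytes` is still computed as `(size_t) (comment_offset - TellBlob( image ))` with no check that comment_offset lies at or beyond the current position; if it is smaller, the difference wraps to a very large count and the loop now ends only when the blob runs out. The EOF break bounds the work, but the reader then falls through to "Read comment" at end of file. A guard before the loop, for example `if (comment_offset < TellBlob(image)) ThrowReaderException(CorruptImageError,"ImproperImageHeader");`, would reject the header instead. The type of comment_offset and any cleanup needed before the throw are outside the hunk and should be confirmed.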
@@ -0,0 +1,28 @@ +From 98dda239ec398dd56453460849b4c9057fc424e5 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Wed, 9 Aug 2017 08:06:56 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/662 + +bug: https://github.com/ImageMagick/ImageMagick/issues/662 +bug-debian: https://bugs.debian.org/872373 +origin: https://github.com/ImageMagick/ImageMagick/commit/98dda239ec398dd56453460849b4c9057fc424e5 + +(cherry picked from commit 98dda239ec398dd56453460849b4c9057fc424e5) +[rcs: Backported to wheezy] +--- + coders/mat.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: imagemagick-6.7.7.10/coders/mat.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/mat.c 2018-06-08 11:22:49.781338767 -0400 ++++ imagemagick-6.7.7.10/coders/mat.c 2018-06-08 11:22:49.781338767 -0400 +@@ -1076,6 +1076,8 @@ done_reading: + Image *tmp=p; + if ((p->rows == 0) || (p->columns == 0)) { + p=p->previous; ++ if (tmp == image2) ++ image2=(Image *) NULL; + DeleteImageFromList(&tmp); + } else { + image=p; diff -Nru imagemagick-6.7.7.10/debian/patches/0290-CVE-2017-12983-Fix-heap-based-buffer-overflow-in-ReadSFWImage.patch imagemagick-6.7.7.10/debian/patches/0290-CVE-2017-12983-Fix-heap-based-buffer-overflow-in-ReadSFWImage.patch --- imagemagick-6.7.7.10/debian/patches/0290-CVE-2017-12983-Fix-heap-based-buffer-overflow-in-ReadSFWImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0290-CVE-2017-12983-Fix-heap-based-buffer-overflow-in-ReadSFWImage.patch 2018-06-08 15:24:27.000000000 +0000 
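Review bot: The two added lines in coders/mat.c are only understandable next to patch 0284, which destroys `image2` later under done_reading; without a comment a future cleanup could drop them and reintroduce the double release. Suggest adding `/* image2 may be the frame deleted below; clear it so it is not destroyed a second time */` above the `if (tmp == image2)` test. The header diffstat also says "2 insertions(+), 2 deletions(-)" while the hunk only adds two lines, which makes the backport harder to compare with the upstream commit.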
@@ -0,0 +1,36 @@ +From 26078285f49c361ad8ddc8e14bd1d4aab7ed5682 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Fri, 18 Aug 2017 07:51:20 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/682 + +bug: https://github.com/ImageMagick/ImageMagick/issues/682 +bug-debian: https://bugs.debian.org/873134 +origin: https://github.com/ImageMagick/ImageMagick/commit/26078285f49c361ad8ddc8e14bd1d4aab7ed5682 + +(cherry picked from commit 26078285f49c361ad8ddc8e14bd1d4aab7ed5682) +[rcs: Backported to wheezy] +--- + coders/sfw.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- imagemagick.git.orig/coders/sfw.c ++++ imagemagick.git/coders/sfw.c +@@ -253,8 +253,8 @@ + */ + if (GetBlobSize(image) != (size_t) GetBlobSize(image)) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); +- buffer=(unsigned char *) AcquireQuantumMemory((size_t) GetBlobSize(image), +- sizeof(*buffer)); ++ buffer=(unsigned char *) AcquireQuantumMemory((size_t) GetBlobSize(image)+ ++ MaxTextExtent,sizeof(*buffer)); + if (buffer == (unsigned char *) NULL) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + count=ReadBlob(image,(size_t) GetBlobSize(image),buffer); +@@ -403,6 +403,7 @@ + entry=SetMagickInfo("SFW"); + entry->decoder=(DecodeImageHandler *) ReadSFWImage; + entry->magick=(IsImageFormatHandler *) IsSFW; ++ entry->seekable_stream=MagickTrue; + entry->adjoin=MagickFalse; + entry->description=ConstantString("Seattle Film Works"); + entry->module=ConstantString("SFW"); diff -Nru imagemagick-6.7.7.10/debian/patches/0292-CVE-2017-13134-Fix-heap-based-buffer-overflow-in-SFWScan.patch imagemagick-6.7.7.10/debian/patches/0292-CVE-2017-13134-Fix-heap-based-buffer-overflow-in-SFWScan.patch --- imagemagick-6.7.7.10/debian/patches/0292-CVE-2017-13134-Fix-heap-based-buffer-overflow-in-SFWScan.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0292-CVE-2017-13134-Fix-heap-based-buffer-overflow-in-SFWScan.patch 
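Review bot: The MaxTextExtent bytes of slack added to the ReadSFWImage buffer are never written: ReadBlob() fills at most `GetBlobSize(image)` bytes, so a scan that runs past the data now reads uninitialised heap rather than faulting. Zeroing the tail once `count` is known to be non-negative, e.g. `(void) ResetMagickMemory(buffer+count,0,MaxTextExtent);`, keeps that slack deterministic. The sum `(size_t) GetBlobSize(image)+MaxTextExtent` is also not checked for wrap-around; the test just above it only establishes that the blob size fits in a size_t. The function begins and ends outside the hunk.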
2018-06-08 15:25:02.000000000 +0000 @@ -0,0 +1,43 @@ +From 1b234b4fe2ec864b2d5af898a31c06c9736da904 Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra +Date: Sat, 12 Aug 2017 10:44:51 +0200 +Subject: [PATCH] Fixed buffer overflow reported in #670 + +bug: https://github.com/ImageMagick/ImageMagick/issues/670 +bug-debian: https://bugs.debian.org/873099 +origin: https://github.com/ImageMagick/ImageMagick/commit/1b234b4fe2ec864b2d5af898a31c06c9736da904 + +(cherry picked from commit 1b234b4fe2ec864b2d5af898a31c06c9736da904) +[rcs: Backported to wheezy] +--- + coders/sfw.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +--- imagemagick.git.orig/coders/sfw.c ++++ imagemagick.git/coders/sfw.c +@@ -126,16 +126,15 @@ + register ssize_t + i; + +- if ((p+length) < q) +- while (p < q) +- { +- for (i=0; i < (ssize_t) length; i++) +- if (p[i] != target[i]) +- break; +- if (i == (ssize_t) length) +- return((unsigned char *) p); +- p++; +- } ++ while ((p+length) < q) ++ { ++ for (i=0; i < (ssize_t) length; i++) ++ if (p[i] != target[i]) ++ break; ++ if (i == (ssize_t) length) ++ return((unsigned char *) p); ++ p++; ++ } + return((unsigned char *) NULL); + } + diff -Nru imagemagick-6.7.7.10/debian/patches/0293-CVE-2017-13139-Fix-out-of-bounds-read-with-MNG-CLIP-chunk-in-ReadOneMNGImage.patch imagemagick-6.7.7.10/debian/patches/0293-CVE-2017-13139-Fix-out-of-bounds-read-with-MNG-CLIP-chunk-in-ReadOneMNGImage.patch --- imagemagick-6.7.7.10/debian/patches/0293-CVE-2017-13139-Fix-out-of-bounds-read-with-MNG-CLIP-chunk-in-ReadOneMNGImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0293-CVE-2017-13139-Fix-out-of-bounds-read-with-MNG-CLIP-chunk-in-ReadOneMNGImage.patch 2018-06-08 15:25:19.000000000 +0000 
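Review bot: The new loop condition `while ((p+length) < q)` in coders/sfw.c still forms `p+length` before knowing that it lies inside the buffer; when fewer than `length` bytes remain, that pointer is past one-past-the-end, which C leaves undefined. Comparing distances gives the same result without the out-of-range pointer: `while ((p < q) && ((size_t) (q-p) > length))`. The function's signature and the declarations of p, q and length are outside the hunk, so the cast should be checked against their actual types.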
@@ -0,0 +1,27 @@ +From 22e0310345499ffe906c604428f2a3a668942b05 Mon Sep 17 00:00:00 2001 +From: Glenn Randers-Pehrson +Date: Mon, 10 Jul 2017 08:23:01 -0400 +Subject: [PATCH] Fix potential out-of-bounds read with the MNG CLIP chunk. + +bug-debian: https://bugs.debian.org/870109 +origin: https://github.com/ImageMagick/ImageMagick/commit/22e0310345499ffe906c604428f2a3a668942b05 + +(cherry picked from commit 22e0310345499ffe906c604428f2a3a668942b05) +[rcs: Backported to wheezy] +--- + coders/png.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: imagemagick-6.7.7.10/coders/png.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/png.c 2018-06-08 11:25:17.733079752 -0400 ++++ imagemagick-6.7.7.10/coders/png.c 2018-06-08 11:25:17.729079757 -0400 +@@ -5425,6 +5425,8 @@ static Image *ReadOneMNGImage(MngInfo* m + + for (i=(int) first_object; i <= (int) last_object; i++) + { ++ if ((i < 0) || (i >= MNG_MAX_OBJECTS)) ++ continue; + if (mng_info->exists[i] && !mng_info->frozen[i]) + { + MngBox diff -Nru imagemagick-6.7.7.10/debian/patches/0294-CVE-2017-13142-Fix-short-file-check-in-png.c-1-2.patch imagemagick-6.7.7.10/debian/patches/0294-CVE-2017-13142-Fix-short-file-check-in-png.c-1-2.patch --- imagemagick-6.7.7.10/debian/patches/0294-CVE-2017-13142-Fix-short-file-check-in-png.c-1-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0294-CVE-2017-13142-Fix-short-file-check-in-png.c-1-2.patch 2018-06-08 15:25:37.000000000 +0000 
@@ -0,0 +1,36 @@ +From 46e3aabbf8d59a1bdebdbb65acb9b9e0484577d3 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 25 Jun 2017 09:23:22 -0400 +Subject: [PATCH] ... + +bug-debian: https://bugs.debian.org/870105 +origin: https://github.com/ImageMagick/ImageMagick/commit/aa84944b405acebbeefe871d0f64969b9e9f31ac + +(cherry picked from commit aa84944b405acebbeefe871d0f64969b9e9f31ac) +[rcs: Backported to wheezy] +--- + coders/png.c | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: imagemagick-6.7.7.10/coders/png.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/png.c 2018-06-08 11:25:33.917060719 -0400 ++++ imagemagick-6.7.7.10/coders/png.c 2018-06-08 11:25:33.917060719 -0400 +@@ -3930,6 +3930,8 @@ static Image *ReadOneJNGImage(MngInfo *m + c; + + c=ReadBlobByte(image); ++ if (c == EOF) ++ break; + chunk[i]=(unsigned char) c; + } + +@@ -4802,6 +4804,8 @@ static Image *ReadOneMNGImage(MngInfo* m + c; + + c=ReadBlobByte(image); ++ if (c == EOF) ++ break; + chunk[i]=(unsigned char) c; + } + diff -Nru imagemagick-6.7.7.10/debian/patches/0295-CVE-2017-13142-Fix-short-file-check-in-png.c-2-2.patch imagemagick-6.7.7.10/debian/patches/0295-CVE-2017-13142-Fix-short-file-check-in-png.c-2-2.patch --- imagemagick-6.7.7.10/debian/patches/0295-CVE-2017-13142-Fix-short-file-check-in-png.c-2-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0295-CVE-2017-13142-Fix-short-file-check-in-png.c-2-2.patch 2018-06-08 15:25:48.000000000 +0000 
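Review bot: After the new `if (c == EOF) break;` in the chunk-read loops of ReadOneJNGImage and ReadOneMNGImage, the bytes from `chunk[i]` up to the chunk length are left uninitialised while `length` itself is unchanged. Unless code after the loop (outside the hunks) compares `i` with `length`, later chunk parsing will read that stale heap content as if it were file data. Filling the remainder right after the loop, `for ( ; i < (ssize_t) length; i++)` / `chunk[i]='\0';`, or rejecting the short chunk, closes that gap; this assumes the loop bound is `length`, as the allocation in patch 0280 suggests.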
@@ -0,0 +1,93 @@ +From aa84944b405acebbeefe871d0f64969b9e9f31ac Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 2 Jul 2017 20:43:26 -0400 +Subject: [PATCH] ... + +bug-debian: https://bugs.debian.org/870105 +origin: https://github.com/ImageMagick/ImageMagick/commit/aa84944b405acebbeefe871d0f64969b9e9f31ac + +(cherry picked from commit aa84944b405acebbeefe871d0f64969b9e9f31ac) +[rcs: Backported to wheezy] +--- + coders/png.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +Index: imagemagick-6.7.7.10/coders/png.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/png.c 2018-06-08 11:25:43.425050300 -0400 ++++ imagemagick-6.7.7.10/coders/png.c 2018-06-08 11:25:43.425050300 -0400 +@@ -3677,6 +3677,12 @@ static Image *ReadPNGImage(const ImageIn + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + + /* ++ Verify that file size large enough to contain a PNG datastream. ++ */ ++ if (GetBlobSize(image) < 61) ++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); ++ ++ /* + Allocate a MngInfo structure. + */ + mng_info=(MngInfo *) AcquireMagickMemory(sizeof(MngInfo)); +@@ -4571,6 +4577,12 @@ static Image *ReadJNGImage(const ImageIn + if (count < 8 || memcmp(magic_number,"\213JNG\r\n\032\n",8) != 0) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + ++ /* ++ Verify that file size large enough to contain a JNG datastream. ++ */ ++ if (GetBlobSize(image) < 147) ++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); ++ + /* Allocate a MngInfo structure. */ + + mng_info=(MngInfo *) AcquireMagickMemory(sizeof(*mng_info)); +@@ -7150,7 +7162,7 @@ ModuleExport size_t RegisterPNGImage(voi + #endif + + entry=SetMagickInfo("MNG"); +- entry->seekable_stream=MagickTrue; /* To do: eliminate this. 
*/ ++ entry->seekable_stream=MagickTrue; + + #if defined(MAGICKCORE_PNG_DELEGATE) + entry->decoder=(DecodeImageHandler *) ReadMNGImage; +@@ -7175,6 +7187,7 @@ ModuleExport size_t RegisterPNGImage(voi + #endif + + entry->magick=(IsImageFormatHandler *) IsPNG; ++ entry->seekable_stream=MagickTrue; + entry->adjoin=MagickFalse; + entry->description=ConstantString("Portable Network Graphics"); + entry->module=ConstantString("PNG"); +@@ -7193,6 +7206,7 @@ ModuleExport size_t RegisterPNGImage(voi + #endif + + entry->magick=(IsImageFormatHandler *) IsPNG; ++ entry->seekable_stream=MagickTrue; + entry->adjoin=MagickFalse; + entry->description=ConstantString( + "8-bit indexed with optional binary transparency"); +@@ -7222,6 +7236,7 @@ ModuleExport size_t RegisterPNGImage(voi + #endif + + entry->magick=(IsImageFormatHandler *) IsPNG; ++ entry->seekable_stream=MagickTrue; + entry->adjoin=MagickFalse; + entry->description=ConstantString("opaque 24-bit RGB"); + entry->module=ConstantString("PNG"); +@@ -7235,6 +7250,7 @@ ModuleExport size_t RegisterPNGImage(voi + #endif + + entry->magick=(IsImageFormatHandler *) IsPNG; ++ entry->seekable_stream=MagickTrue; + entry->adjoin=MagickFalse; + entry->description=ConstantString("opaque or transparent 32-bit RGBA"); + entry->module=ConstantString("PNG"); +@@ -7250,6 +7266,7 @@ ModuleExport size_t RegisterPNGImage(voi + #endif + + entry->magick=(IsImageFormatHandler *) IsJNG; ++ entry->seekable_stream=MagickTrue; + entry->adjoin=MagickFalse; + entry->description=ConstantString("JPEG Network Graphics"); + entry->module=ConstantString("PNG"); diff -Nru imagemagick-6.7.7.10/debian/patches/0296-CVE-2017-13143-Fix-use-of-uninitialized-data-in-ReadMATImage.patch imagemagick-6.7.7.10/debian/patches/0296-CVE-2017-13143-Fix-use-of-uninitialized-data-in-ReadMATImage.patch --- imagemagick-6.7.7.10/debian/patches/0296-CVE-2017-13143-Fix-use-of-uninitialized-data-in-ReadMATImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
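Review bot: The minimum sizes `61` and `147` in ReadPNGImage and ReadJNGImage are bare literals, and the comments above them do not say how they were derived. A named constant, or a comment listing the chunks counted towards each figure, would let a reviewer verify the bounds; the comment text itself reads better as `Verify that the file is large enough to contain a PNG datastream.` (and likewise for JNG). The checks rely on GetBlobSize(), which fits with the `entry->seekable_stream=MagickTrue;` lines added to each registration in the same patch, so a remark to that effect on one of them would be a useful replacement for the removed "To do: eliminate this." comment.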
imagemagick-6.7.7.10/debian/patches/0296-CVE-2017-13143-Fix-use-of-uninitialized-data-in-ReadMATImage.patch 2018-06-08 15:26:05.000000000 +0000 @@ -0,0 +1,27 @@ +From f86268752ffc70e40b6e1afdebfc96dcc29452db Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 26 Jan 2017 11:21:15 -0500 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/362 + +bug: https://github.com/ImageMagick/ImageMagick/issues/362 +bug-debian: https://bugs.debian.org/870012 +origin: https://github.com/ImageMagick/ImageMagick/commit/f86268752ffc70e40b6e1afdebfc96dcc29452db + +(cherry picked from commit f86268752ffc70e40b6e1afdebfc96dcc29452db) +[rcs: Backported to wheezy] +--- + coders/mat.c | 1 + + 1 file changed, 1 insertion(+) + +Index: imagemagick-6.7.7.10/coders/mat.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/mat.c 2018-06-08 11:26:02.633030921 -0400 ++++ imagemagick-6.7.7.10/coders/mat.c 2018-06-08 11:26:02.629030924 -0400 +@@ -874,6 +874,7 @@ NEXT_FRAME: + quantum_info=AcquireQuantumInfo(clone_info,image); + if (quantum_info == (QuantumInfo *) NULL) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ (void) ResetMagickMemory(BImgBuff,0,ldblk*sizeof(double)); + + /* + If ping is true, then only set image size and colors without diff -Nru imagemagick-6.7.7.10/debian/patches/0297-CVE-2017-13144-Fix-application-crash-if-image-dimensions-are-too-large.patch imagemagick-6.7.7.10/debian/patches/0297-CVE-2017-13144-Fix-application-crash-if-image-dimensions-are-too-large.patch --- imagemagick-6.7.7.10/debian/patches/0297-CVE-2017-13144-Fix-application-crash-if-image-dimensions-are-too-large.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0297-CVE-2017-13144-Fix-application-crash-if-image-dimensions-are-too-large.patch 2018-06-08 15:31:40.000000000 +0000 
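Review bot: The added `(void) ResetMagickMemory(BImgBuff,0,ldblk*sizeof(double));` in coders/mat.c writes `ldblk*sizeof(double)` bytes, but the allocation of BImgBuff and its NULL check are outside the hunk, so the patch alone does not show that the buffer is non-NULL and at least that large at this point. Placing the call directly after the allocation's NULL check and reusing the allocation's size expression would make that evident. A comment such as `/* clear the row buffer so a short read never exposes stale heap data */` would also record why the reset exists. It is also not visible whether BImgBuff is released when the `quantum_info` allocation just above fails and throws.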
@@ -0,0 +1,53 @@ +From 9b580ad0564aefd9beeccbcbb8d62ccd05795a84 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Tue, 21 Feb 2017 12:29:03 -0500 +Subject: [PATCH] + https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31438 + +bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31438 +bug-debian: https://bugs.debian.org/869728 +origin: https://github.com/ImageMagick/ImageMagick/commit/9b580ad0564aefd9beeccbcbb8d62ccd05795a84 + +(cherry picked from commit 9b580ad0564aefd9beeccbcbb8d62ccd05795a84) +[rcs: Backported to wheezy] +--- + coders/mpc.c | 4 +--- + magick/colormap.c | 3 ++- + 2 files changed, 3 insertions(+), 4 deletions(-) + +Index: imagemagick-6.7.7.10/coders/mpc.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/mpc.c 2018-06-08 11:26:18.021016961 -0400 ++++ imagemagick-6.7.7.10/coders/mpc.c 2018-06-08 11:31:27.752975227 -0400 +@@ -826,9 +826,7 @@ static Image *ReadMPCImage(const ImageIn + /* + Create image colormap. 
+ */ +- image->colormap=(PixelPacket *) AcquireQuantumMemory(image->colors+1, +- sizeof(*image->colormap)); +- if (image->colormap == (PixelPacket *) NULL) ++ if (AcquireImageColormap(image,image->colors) == MagickFalse) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + if (image->colors != 0) + { +Index: imagemagick-6.7.7.10/magick/colormap.c +=================================================================== +--- imagemagick-6.7.7.10.orig/magick/colormap.c 2018-06-08 11:26:18.021016961 -0400 ++++ imagemagick-6.7.7.10/magick/colormap.c 2018-06-08 11:26:18.021016961 -0400 +@@ -143,6 +143,7 @@ MagickExport MagickBooleanType AcquireIm + if (image->colormap == (PixelPacket *) NULL) + ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed", + image->filename); ++ image->storage_class=PseudoClass; + for (i=0; i < (ssize_t) image->colors; i++) + { + size_t +@@ -154,7 +155,7 @@ MagickExport MagickBooleanType AcquireIm + image->colormap[i].blue=(Quantum) pixel; + image->colormap[i].opacity=OpaqueOpacity; + } +- return(SetImageStorageClass(image,PseudoClass)); ++ return(MagickTrue); + } + + /* diff -Nru imagemagick-6.7.7.10/debian/patches/0302-CVE-2017-12691-Fix-memory-consumption-in-ReadOneLayer.patch imagemagick-6.7.7.10/debian/patches/0302-CVE-2017-12691-Fix-memory-consumption-in-ReadOneLayer.patch --- imagemagick-6.7.7.10/debian/patches/0302-CVE-2017-12691-Fix-memory-consumption-in-ReadOneLayer.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0302-CVE-2017-12691-Fix-memory-consumption-in-ReadOneLayer.patch 2018-06-08 15:22:02.000000000 +0000 
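Review bot: In ReadMPCImage the AcquireImageColormap() call replaces an allocation of `image->colors+1` entries and sits before the `if (image->colors != 0)` test, so a colour count of zero is now passed to AcquireImageColormap() where the old code always requested at least one entry. How that function treats zero is not visible in the magick/colormap.c hunks; if it fails or allocates nothing, images the old reader accepted are now rejected or left without a colormap. Either move the call under the existing `image->colors != 0` guard or add a comment stating that zero is handled. Separately, AcquireImageColormap() now assigns `image->storage_class=PseudoClass` directly instead of returning `SetImageStorageClass(image,PseudoClass)`, which changes behaviour for every caller and not only MPC; the patch header should say why that is safe.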
@@ -0,0 +1,45 @@ +From 68bbe7b8b226ed79e339296793f68f1b2bebc519 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 7 Aug 2017 14:50:12 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/656 + +bug: https://github.com/ImageMagick/ImageMagick/issues/656 +bug-debian: https://bugs.debian.org/875338 +origin: https://github.com/ImageMagick/ImageMagick/commit/68bbe7b8b226ed79e339296793f68f1b2bebc519 + +(cherry picked from commit 68bbe7b8b226ed79e339296793f68f1b2bebc519) +[rcs: Backported to wheezy] +--- + coders/xcf.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +Index: imagemagick-6.7.7.10/coders/xcf.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/xcf.c 2018-06-08 11:22:00.841463231 -0400 ++++ imagemagick-6.7.7.10/coders/xcf.c 2018-06-08 11:22:00.837463243 -0400 +@@ -368,8 +368,11 @@ static MagickBooleanType load_tile(Image + graydata=(unsigned char *) xcfdata; /* used by gray and indexed */ + count=ReadBlob(image,data_length,(unsigned char *) xcfdata); + if (count != (ssize_t) data_length) +- ThrowBinaryException(CorruptImageError,"NotEnoughPixelData", +- image->filename); ++ { ++ xcfodata=(XCFPixelPacket *) RelinquishMagickMemory(xcfodata); ++ ThrowBinaryException(CorruptImageError,"NotEnoughPixelData", ++ image->filename); ++ } + exception=(&image->exception); + for (y=0; y < (ssize_t) tile_image->rows; y++) + { +@@ -1340,9 +1343,9 @@ static Image *ReadXCFImage(const ImageIn + &layer_info[current_layer],current_layer); + if (layer_ok == MagickFalse) + { +- int j; ++ ssize_t j; + +- for (j=0; j < current_layer; j++) ++ for (j=0; j <= current_layer; j++) + layer_info[j].image=DestroyImage(layer_info[j].image); + layer_info=(XCFLayerInfo *) RelinquishMagickMemory(layer_info); + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); diff -Nru imagemagick-6.7.7.10/debian/patches/0303-CVE-2017-12692-Fix-memory-consumption-in-ReadVIFFImage.patch 
imagemagick-6.7.7.10/debian/patches/0303-CVE-2017-12692-Fix-memory-consumption-in-ReadVIFFImage.patch
--- imagemagick-6.7.7.10/debian/patches/0303-CVE-2017-12692-Fix-memory-consumption-in-ReadVIFFImage.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/0303-CVE-2017-12692-Fix-memory-consumption-in-ReadVIFFImage.patch 2018-06-08 15:22:12.000000000 +0000
@@ -0,0 +1,41 @@
+From 5919dc606bc1d6022d3d2d205a91fdbe98de9e15 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 7 Aug 2017 15:08:22 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/653
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/653
+bug-debian: https://bugs.debian.org/875339
+origin: https://github.com/ImageMagick/ImageMagick/commit/5919dc606bc1d6022d3d2d205a91fdbe98de9e15
+
+(cherry picked from commit 5919dc606bc1d6022d3d2d205a91fdbe98de9e15)
+[rcs: Backported to wheezy]
+---
+ coders/viff.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- imagemagick.git.orig/coders/viff.c
++++ imagemagick.git/coders/viff.c
+@@ -509,6 +509,8 @@
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ max_packets=(size_t) (number_pixels*viff_info.number_data_bands);
+ }
++ if ((bytes_per_pixel*max_packets) > GetBlobSize(image))
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ viff_pixels=(unsigned char *) AcquireQuantumMemory(MagickMax(number_pixels,
+ max_packets),bytes_per_pixel*sizeof(*viff_pixels));
+ if (viff_pixels == (unsigned char *) NULL)
+@@ -794,12 +796,14 @@
+ entry->decoder=(DecodeImageHandler *) ReadVIFFImage;
+ entry->encoder=(EncodeImageHandler *) WriteVIFFImage;
+ entry->magick=(IsImageFormatHandler *) IsVIFF;
++ entry->seekable_stream=MagickTrue;
+ entry->description=ConstantString("Khoros Visualization image");
+ entry->module=ConstantString("VIFF");
+ (void) RegisterMagickInfo(entry);
+ entry=SetMagickInfo("XV");
+ entry->decoder=(DecodeImageHandler *) ReadVIFFImage;
+ entry->encoder=(EncodeImageHandler *) WriteVIFFImage;
++ entry->seekable_stream=MagickTrue;
+ entry->description=ConstantString("Khoros Visualization image");
+ entry->module=ConstantString("VIFF");
+ (void) RegisterMagickInfo(entry);
diff -Nru imagemagick-6.7.7.10/debian/patches/0304-CVE-2017-12693-Fix-memory-consumption-in-ReadBMPImage.patch
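Review bot: The new guard in the first viff.c hunk multiplies `bytes_per_pixel*max_packets` before comparing the result with GetBlobSize(image), so header values that make the product wrap would fall under the blob size and pass; the declarations are outside the hunk, so the operands are assumed to be size_t here. Dividing instead of multiplying avoids the wrap: `if ((bytes_per_pixel != 0) && (max_packets > (GetBlobSize(image)/bytes_per_pixel)))`. The allocation that follows is sized from `MagickMax(number_pixels,max_packets)` rather than from max_packets alone, so a one-line comment stating which quantity the guard is meant to bound would help the next reader.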
imagemagick-6.7.7.10/debian/patches/0304-CVE-2017-12693-Fix-memory-consumption-in-ReadBMPImage.patch
--- imagemagick-6.7.7.10/debian/patches/0304-CVE-2017-12693-Fix-memory-consumption-in-ReadBMPImage.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/0304-CVE-2017-12693-Fix-memory-consumption-in-ReadBMPImage.patch 2018-06-08 15:22:22.000000000 +0000
@@ -0,0 +1,26 @@
+From 6709bd585b9609a9cf98a7042089f3e725886d5e Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 7 Aug 2017 15:13:47 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/652
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/652
+bug-debian: https://bugs.debian.org/875341
+origin: https://github.com/ImageMagick/ImageMagick/commit/6709bd585b9609a9cf98a7042089f3e725886d5e
+
+(cherry picked from commit 6709bd585b9609a9cf98a7042089f3e725886d5e)
+[rcs: Backported to wheezy]
+---
+ coders/bmp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- imagemagick.git.orig/coders/bmp.c
++++ imagemagick.git/coders/bmp.c
+@@ -925,6 +925,8 @@
+ bmp_info.bits_per_pixel<<=1;
+ bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32);
+ length=(size_t) bytes_per_line*image->rows;
++ if (length > GetBlobSize(image))
++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+ pixels=(unsigned char *) AcquireQuantumMemory((size_t) image->rows,
+ MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
+ if (pixels == (unsigned char *) NULL)
diff -Nru imagemagick-6.7.7.10/debian/patches/0305-CVE-2017-12875-Fix-CPU-consumption-in-WritePixelCachePixels.patch imagemagick-6.7.7.10/debian/patches/0305-CVE-2017-12875-Fix-CPU-consumption-in-WritePixelCachePixels.patch
--- imagemagick-6.7.7.10/debian/patches/0305-CVE-2017-12875-Fix-CPU-consumption-in-WritePixelCachePixels.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/0305-CVE-2017-12875-Fix-CPU-consumption-in-WritePixelCachePixels.patch 2018-06-08 15:22:35.000000000 +0000
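Review bot: The added comparison depends on GetBlobSize(image) reporting the real input size, but unlike the viff.c and ps.c patches in this series the bmp.c patch does not add `entry->seekable_stream=MagickTrue;`. Whether the BMP registration already sets it is not visible here and should be confirmed, because on a stream whose size is not known the check could reject valid images. `length` is the product `bytes_per_line*image->rows` computed on the line above, so a wrapped product would also pass the comparison. If this point is reached for run-length-compressed data too (the compression handling is outside the hunk), the decoded length can exceed the file size and the check would need to be limited to uncompressed input.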
@@ -0,0 +1,54 @@ +From 6f95e543c80319721e22d623bb23712cd29afa9e Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Tue, 8 Aug 2017 17:33:27 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/659 + +bug: https://github.com/ImageMagick/ImageMagick/issues/659 +bug-debian: https://bugs.debian.org/873871 +origin: https://github.com/ImageMagick/ImageMagick/commit/6f95e543c80319721e22d623bb23712cd29afa9e + +(cherry picked from commit 6f95e543c80319721e22d623bb23712cd29afa9e) +[rcs: Backported to wheezy] +--- + coders/xcf.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +Index: imagemagick-6.7.7.10/coders/xcf.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/xcf.c 2018-06-08 11:22:33.669377381 -0400 ++++ imagemagick-6.7.7.10/coders/xcf.c 2018-06-08 11:22:33.665377391 -0400 +@@ -784,6 +784,9 @@ static MagickBooleanType load_hierarchy( + static MagickBooleanType ReadOneLayer(const ImageInfo *image_info,Image* image, + XCFDocInfo* inDocInfo,XCFLayerInfo *outLayer,const ssize_t layer) + { ++ MagickBooleanType ++ status; ++ + MagickOffsetType + offset; + +@@ -918,6 +921,14 @@ static MagickBooleanType ReadOneLayer(co + &image->exception); + if (outLayer->image == (Image *) NULL) + return(MagickFalse); ++ status=SetImageExtent(outLayer->image,outLayer->image->columns, ++ outLayer->image->rows); ++ if (status == MagickFalse) ++ { ++ InheritException(&image->exception,&outLayer->image->exception); ++ outLayer->image=DestroyImageList(outLayer->image); ++ return(MagickFalse); ++ } + /* clear the image based on the layer opacity */ + outLayer->image->background_color.opacity= + ScaleCharToQuantum((unsigned char) (255-outLayer->alpha)); +@@ -1346,7 +1357,8 @@ static Image *ReadXCFImage(const ImageIn + ssize_t j; + + for (j=0; j <= current_layer; j++) +- layer_info[j].image=DestroyImage(layer_info[j].image); ++ if (layer_info[j].image != (Image *) NULL) ++ 
layer_info[j].image=DestroyImage(layer_info[j].image); + layer_info=(XCFLayerInfo *) RelinquishMagickMemory(layer_info); + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } diff -Nru imagemagick-6.7.7.10/debian/patches/0306-CVE-2017-13758-Fix-heap-based-buffer-overflow-in-TracePoint.patch imagemagick-6.7.7.10/debian/patches/0306-CVE-2017-13758-Fix-heap-based-buffer-overflow-in-TracePoint.patch --- imagemagick-6.7.7.10/debian/patches/0306-CVE-2017-13758-Fix-heap-based-buffer-overflow-in-TracePoint.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0306-CVE-2017-13758-Fix-heap-based-buffer-overflow-in-TracePoint.patch 2018-06-08 15:32:07.000000000 +0000 
@@ -0,0 +1,126 @@ +From 57eced684ad0660fe580800d977ba94623ec67ac Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 28 Aug 2017 08:25:11 -0400 +Subject: [PATCH] + https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32583 + +bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32583 +origin: https://github.com/ImageMagick/ImageMagick/commit/57eced684ad0660fe580800d977ba94623ec67ac + +(cherry picked from commit 57eced684ad0660fe580800d977ba94623ec67ac) +[rcs: Backported to wheezy] +--- + magick/draw.c | 40 +++++++++++++++++++++++----------------- + 1 file changed, 23 insertions(+), 17 deletions(-) + +Index: imagemagick-6.7.7.10/magick/draw.c +=================================================================== +--- imagemagick-6.7.7.10.orig/magick/draw.c 2018-06-08 11:32:05.316994671 -0400 ++++ imagemagick-6.7.7.10/magick/draw.c 2018-06-08 11:32:05.316994671 -0400 +@@ -1715,6 +1715,7 @@ MagickExport MagickBooleanType DrawImage + MagickRealType + angle, + factor, ++ points_extent, + primitive_extent; + + PointInfo +@@ -1740,7 +1741,6 @@ MagickExport MagickBooleanType DrawImage + bounds; + + size_t +- length, + number_points; + + ssize_t +@@ -2229,9 +2229,9 @@ MagickExport MagickBooleanType DrawImage + { + GetMagickToken(q,&q,token); + factor=strchr(token,'%') != (char *) NULL ? 0.01 : 1.0; +- graphic_context[n]->opacity=ClampToQuantum((MagickRealType) ++ graphic_context[n]->opacity=(Quantum) (ClampToQuantum((MagickRealType) + QuantumRange*(1.0-((1.0-QuantumScale*graphic_context[n]->opacity)* +- factor*StringToDouble(token,(char **) NULL)))); ++ factor*StringToDouble(token,(char **) NULL))))); + graphic_context[n]->fill.opacity=graphic_context[n]->opacity; + graphic_context[n]->stroke.opacity=graphic_context[n]->opacity; + break; +@@ -2855,17 +2855,17 @@ MagickExport MagickBooleanType DrawImage + /* + Speculate how many points our primitive might consume. 
+ */ +- length=primitive_info[j].coordinates; ++ points_extent=(double) primitive_info[j].coordinates; + switch (primitive_type) + { + case RectanglePrimitive: + { +- length*=5; ++ points_extent*=5; + break; + } + case RoundRectanglePrimitive: + { +- length*=5+8*BezierQuantum; ++ points_extent*=5+8*BezierQuantum; + break; + } + case BezierPrimitive: +@@ -2873,7 +2873,7 @@ MagickExport MagickBooleanType DrawImage + if (primitive_info[j].coordinates > 107) + (void) ThrowMagickException(&image->exception,GetMagickModule(), + DrawError,"TooManyBezierCoordinates","`%s'",token); +- length=BezierQuantum*primitive_info[j].coordinates; ++ points_extent=(double) (BezierQuantum*primitive_info[j].coordinates); + break; + } + case PathPrimitive: +@@ -2883,7 +2883,7 @@ MagickExport MagickBooleanType DrawImage + *t; + + GetMagickToken(q,&q,token); +- length=1; ++ points_extent=1; + t=token; + for (s=token; *s != '\0'; s=t) + { +@@ -2897,9 +2897,9 @@ MagickExport MagickBooleanType DrawImage + t++; + continue; + } +- length++; ++ points_extent++; + } +- length=length*BezierQuantum; ++ points_extent=points_extent*BezierQuantum; + break; + } + case CirclePrimitive: +@@ -2914,18 +2914,24 @@ MagickExport MagickBooleanType DrawImage + alpha=bounds.x2-bounds.x1; + beta=bounds.y2-bounds.y1; + radius=hypot((double) alpha,(double) beta); +- length=2*((size_t) ceil((double) MagickPI*radius))+6*BezierQuantum+360; ++ points_extent=2*((size_t) ceil((double) MagickPI*radius))+6*BezierQuantum+360; + break; + } + default: + break; + } +- if ((size_t) (i+length) >= number_points) ++ if (((double) ((size_t) points_extent)) < points_extent) ++ { ++ (void) ThrowMagickException(&image->exception,GetMagickModule(), ++ ResourceLimitError,"MemoryAllocationFailed","`%s'",image->filename); ++ break; ++ } ++ if ((MagickSizeType) (i+points_extent) >= number_points) + { + /* + Resize based on speculative points required by primitive. 
+ */ +- number_points+=length+1; ++ number_points+=points_extent+1; + primitive_info=(PrimitiveInfo *) ResizeQuantumMemory(primitive_info, + (size_t) number_points,sizeof(*primitive_info)); + if (primitive_info == (PrimitiveInfo *) NULL) diff -Nru imagemagick-6.7.7.10/debian/patches/0307-CVE-2017-13768-Fix-Null-Pointer-Dereference-Program-Crash-in-IdentifyImage.patch imagemagick-6.7.7.10/debian/patches/0307-CVE-2017-13768-Fix-Null-Pointer-Dereference-Program-Crash-in-IdentifyImage.patch --- imagemagick-6.7.7.10/debian/patches/0307-CVE-2017-13768-Fix-Null-Pointer-Dereference-Program-Crash-in-IdentifyImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0307-CVE-2017-13768-Fix-Null-Pointer-Dereference-Program-Crash-in-IdentifyImage.patch 2018-06-08 15:32:21.000000000 +0000 
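Review bot: The overflow test `((double) ((size_t) points_extent)) < points_extent` converts the double to size_t before its range is known, and converting an out-of-range floating value to an integer type is undefined behaviour in C, so the guard cannot be relied on for the inputs it is meant to catch. The circle case has the same problem earlier in the hunk: `(size_t) ceil((double) MagickPI*radius)` is cast before any check, with radius derived from the primitive's coordinates. Keeping the arithmetic in floating point and testing against a bound first avoids both, for example `points_extent=2.0*ceil((double) MagickPI*radius)+6*BezierQuantum+360;` and `if (points_extent >= (double) SIZE_MAX)` in place of the round-trip cast. The switch and the enclosing loop of DrawImage start outside these hunks, so where the added `break` lands could not be checked.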
@@ -0,0 +1,29 @@
+From 2c1b360d80e5f8f7c7108c0afedde64ab79318ff Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Tue, 29 Aug 2017 07:07:44 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/706
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/706
+bug-debian: https://bugs.debian.org/875352
+origin: https://github.com/ImageMagick/ImageMagick/commit/2c1b360d80e5f8f7c7108c0afedde64ab79318ff
+
+(cherry picked from commit 2c1b360d80e5f8f7c7108c0afedde64ab79318ff)
+[rcs: Backported to wheezy]
+---
+ magick/identify.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: imagemagick-6.7.7.10/magick/identify.c
+===================================================================
+--- imagemagick-6.7.7.10.orig/magick/identify.c 2018-06-08 11:32:19.585003140 -0400
++++ imagemagick-6.7.7.10/magick/identify.c 2018-06-08 11:32:19.585003140 -0400
+@@ -626,7 +626,8 @@ MagickExport MagickBooleanType IdentifyI
+ pixel;
+
+ GetMagickPixelPacket(image,&pixel);
+- SetMagickPixelPacket(image,p,indexes+x,&pixel);
++ if (p != (const PixelPacket *) NULL)
++ SetMagickPixelPacket(image,p,indexes+x,&pixel);
+ (void) QueryMagickColorname(image,&pixel,SVGCompliance,tuple,
+ &image->exception);
+ (void) FormatLocaleFile(file," Alpha: %s ",tuple);
diff -Nru imagemagick-6.7.7.10/debian/patches/0308-CVE-2017-13769-Fix-buffer-over-read-in-WriteTHUMBNAILImage-1-of-2.patch imagemagick-6.7.7.10/debian/patches/0308-CVE-2017-13769-Fix-buffer-over-read-in-WriteTHUMBNAILImage-1-of-2.patch
--- imagemagick-6.7.7.10/debian/patches/0308-CVE-2017-13769-Fix-buffer-over-read-in-WriteTHUMBNAILImage-1-of-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/0308-CVE-2017-13769-Fix-buffer-over-read-in-WriteTHUMBNAILImage-1-of-2.patch 2018-06-08 15:32:36.000000000 +0000
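Review bot: With the new NULL guard, a failed pixel fetch leaves `pixel` at the defaults written by GetMagickPixelPacket(), and the following lines still format it and print it as the image's Alpha colour. Putting the QueryMagickColorname()/FormatLocaleFile() pair inside the same `if (p != (const PixelPacket *) NULL)` block would keep identify from reporting a value that was never read. How `p` ends up NULL is decided above the hunk, so this is based only on the lines shown.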
@@ -0,0 +1,25 @@
+From 457e63263de6f732785608504b6e607799ad3dd5 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Tue, 29 Aug 2017 14:57:44 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/705
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/705
+origin: https://github.com/ImageMagick/ImageMagick/commit/457e63263de6f732785608504b6e607799ad3dd5
+
+(cherry picked from commit 457e63263de6f732785608504b6e607799ad3dd5)
+[rcs: Backported to wheezy]
+---
+ coders/thumbnail.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- imagemagick.git.orig/coders/thumbnail.c
++++ imagemagick.git/coders/thumbnail.c
+@@ -190,6 +190,8 @@
+ if (property == (const char *) NULL)
+ ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
+ length=(size_t) StringToLong(property);
++ if (((offset+length) < 2) || ((offset+length) > GetStringInfoLength(profile)))
++ ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
+ (void) ResetMagickMemory(magick,0,sizeof(magick));
+ for (i=0; i < (ssize_t) length; i++)
+ {
diff -Nru imagemagick-6.7.7.10/debian/patches/0309-CVE-2017-13769-Fix-buffer-over-read-in-WriteTHUMBNAILImage-2-of-2.patch imagemagick-6.7.7.10/debian/patches/0309-CVE-2017-13769-Fix-buffer-over-read-in-WriteTHUMBNAILImage-2-of-2.patch
--- imagemagick-6.7.7.10/debian/patches/0309-CVE-2017-13769-Fix-buffer-over-read-in-WriteTHUMBNAILImage-2-of-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/0309-CVE-2017-13769-Fix-buffer-over-read-in-WriteTHUMBNAILImage-2-of-2.patch 2018-06-08 15:32:42.000000000 +0000
@@ -0,0 +1,52 @@ +From abb9d1322317733b799e8b87b2e346b3038f3260 Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra +Date: Tue, 29 Aug 2017 21:28:26 +0200 +Subject: [PATCH] Added extra checks for issue reported in #705. + +bug: https://github.com/ImageMagick/ImageMagick/issues/705 +origin: https://github.com/ImageMagick/ImageMagick/commit/abb9d1322317733b799e8b87b2e346b3038f3260 + +(cherry picked from commit abb9d1322317733b799e8b87b2e346b3038f3260) +[rcs: Backported to wheezy] +--- + coders/thumbnail.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +--- imagemagick.git.orig/coders/thumbnail.c ++++ imagemagick.git/coders/thumbnail.c +@@ -177,7 +177,7 @@ + offset; + + unsigned char +- magick[MaxTextExtent]; ++ *q; + + profile=GetImageProfile(image,"exif"); + if (profile == (const StringInfo *) NULL) +@@ -190,19 +190,16 @@ + if (property == (const char *) NULL) + ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail"); + length=(size_t) StringToLong(property); +- if (((offset+length) < 2) || ((offset+length) > GetStringInfoLength(profile))) +- ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail"); +- (void) ResetMagickMemory(magick,0,sizeof(magick)); +- for (i=0; i < (ssize_t) length; i++) ++ q=GetStringInfoDatum(profile)+offset; ++ for (i=offset; i < (ssize_t) GetStringInfoLength(profile) - 3; i++) + { +- magick[0]=magick[1]; +- magick[1]=magick[2]; +- magick[2]=GetStringInfoDatum(profile)[offset+i]; +- if (memcmp(magick,"\377\330\377",3) == 0) ++ if (memcmp(q,"\377\330\377",3) == 0) + break; ++ q++; + } +- thumbnail_image=BlobToImage(image_info,GetStringInfoDatum(profile)+offset+i-2, +- length,&image->exception); ++ if ((q+length) > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) ++ ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail"); ++ thumbnail_image=BlobToImage(image_info,q,length,&image->exception); + if (thumbnail_image == (Image *) NULL) + return(MagickFalse); + (void) 
SetImageType(thumbnail_image,thumbnail_image->matte == MagickFalse ? diff -Nru imagemagick-6.7.7.10/debian/patches/0310-CVE-2017-14060-Fix-NULL-pointer-dereference-in-ReadCUTImage.patch imagemagick-6.7.7.10/debian/patches/0310-CVE-2017-14060-Fix-NULL-pointer-dereference-in-ReadCUTImage.patch --- imagemagick-6.7.7.10/debian/patches/0310-CVE-2017-14060-Fix-NULL-pointer-dereference-in-ReadCUTImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0310-CVE-2017-14060-Fix-NULL-pointer-dereference-in-ReadCUTImage.patch 2018-06-08 15:32:54.000000000 +0000 @@ -0,0 +1,25 @@ +From 5bdfef29f5e6744f36f25ec04583c6b6f4a13b48 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 31 Aug 2017 09:17:29 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/710 + +bug: https://github.com/ImageMagick/ImageMagick/issues/710 +origin: https://github.com/ImageMagick/ImageMagick/commit/5bdfef29f5e6744f36f25ec04583c6b6f4a13b48 + +(cherry picked from commit 5bdfef29f5e6744f36f25ec04583c6b6f4a13b48) +[rcs: Backported to wheezy] +--- + coders/cut.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- imagemagick.git.orig/coders/cut.c ++++ imagemagick.git/coders/cut.c +@@ -578,6 +578,8 @@ + for (i=0; i < (ssize_t)image->rows; i++) + { + q=QueueAuthenticPixels(image,0,i,image->columns,1,exception); ++ if (q == (PixelPacket *) NULL) ++ break; + for (j=0; j < (ssize_t)image->columns; j++) + { + if (GetPixelRed(q) == ScaleCharToQuantum(1)) diff -Nru imagemagick-6.7.7.10/debian/patches/0311-CVE-2017-14172-Fix-DoS-missing-EOF-check-in-ReadPSImage.patch imagemagick-6.7.7.10/debian/patches/0311-CVE-2017-14172-Fix-DoS-missing-EOF-check-in-ReadPSImage.patch --- imagemagick-6.7.7.10/debian/patches/0311-CVE-2017-14172-Fix-DoS-missing-EOF-check-in-ReadPSImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0311-CVE-2017-14172-Fix-DoS-missing-EOF-check-in-ReadPSImage.patch 2018-06-08 15:33:05.000000000 +0000 
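Review bot: The final bounds test in the 2-of-2 thumbnail.c patch, `(q+length) > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))`, does pointer arithmetic with a length taken from `(size_t) StringToLong(property)`; a negative or very large property value can make `q+length` wrap, the comparison then passes, and BlobToImage() is given a length that runs past the profile. Comparing sizes rather than pointers closes that: `if (length > (size_t) (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q))`. That form needs `q` to lie inside the profile, so the offset should be validated before `q` is computed, `if ((offset < 0) || ((size_t) offset > GetStringInfoLength(profile)))`, with the same ThrowWriterException. `offset` is assigned outside the hunk; if it is also parsed from an EXIF property, a negative value currently places `q` before the profile data ahead of the first memcmp().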
@@ -0,0 +1,52 @@
+From 8598a497e2d1f556a34458cf54b40ba40674734c Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 31 Aug 2017 11:07:36 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/715
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/715
+origin: https://github.com/ImageMagick/ImageMagick/commit/8598a497e2d1f556a34458cf54b40ba40674734c
+
+(cherry picked from commit 8598a497e2d1f556a34458cf54b40ba40674734c)
+[rcs: Backported to wheezy]
+---
+ coders/ps.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- imagemagick.git.orig/coders/ps.c
++++ imagemagick.git/coders/ps.c
+@@ -571,6 +571,8 @@
+ if (count != 1)
+ continue;
+ length=extent;
++ if (length > GetBlobSize(image))
++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+ profile=BlobToStringInfo((const void *) NULL,length);
+ if (profile != (StringInfo *) NULL)
+ {
+@@ -943,6 +945,7 @@
+ entry=SetMagickInfo("EPSF");
+ entry->decoder=(DecodeImageHandler *) ReadPSImage;
+ entry->encoder=(EncodeImageHandler *) WritePSImage;
++ entry->seekable_stream=MagickTrue;
+ entry->magick=(IsImageFormatHandler *) IsPS;
+ entry->adjoin=MagickFalse;
+ entry->blob_support=MagickFalse;
+@@ -953,7 +956,9 @@
+ entry=SetMagickInfo("EPSI");
+ entry->decoder=(DecodeImageHandler *) ReadPSImage;
+ entry->encoder=(EncodeImageHandler *) WritePSImage;
++ entry->seekable_stream=MagickTrue;
+ entry->magick=(IsImageFormatHandler *) IsPS;
++ entry->seekable_stream=MagickTrue;
+ entry->adjoin=MagickFalse;
+ entry->blob_support=MagickFalse;
+ entry->seekable_stream=MagickTrue;
+@@ -965,6 +970,8 @@
+ entry=SetMagickInfo("PS");
+ entry->decoder=(DecodeImageHandler *) ReadPSImage;
+ entry->encoder=(EncodeImageHandler *) WritePSImage;
++ entry->seekable_stream=MagickTrue;
++ entry->seekable_stream=MagickTrue;
+ entry->magick=(IsImageFormatHandler *) IsPS;
+ entry->module=ConstantString("PS");
+ entry->blob_support=MagickFalse;
diff -Nru
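Review bot: The registration hunks add `entry->seekable_stream=MagickTrue;` more than once per entry: twice for EPSI, where the context already shows the same assignment a few lines further down, and on two consecutive lines for PS. The repeats are harmless at run time but read like a backport merge artefact, and they hide which entries actually needed the flag for the new GetBlobSize() check; one assignment per entry is enough. The registration function begins outside these hunks, so the entries not shown could not be checked for the same repetition.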
imagemagick-6.7.7.10/debian/patches/0312-CVE-2017-14173-Fix-infinite-loop-in-ReadTXTImage.patch imagemagick-6.7.7.10/debian/patches/0312-CVE-2017-14173-Fix-infinite-loop-in-ReadTXTImage.patch
--- imagemagick-6.7.7.10/debian/patches/0312-CVE-2017-14173-Fix-infinite-loop-in-ReadTXTImage.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/0312-CVE-2017-14173-Fix-infinite-loop-in-ReadTXTImage.patch 2018-06-08 15:33:19.000000000 +0000
@@ -0,0 +1,27 @@
+From 48bcf7c39302cdf9b0d9202ad03bf1b95152c44d Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Fri, 1 Sep 2017 09:25:46 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/713
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/713
+origin: https://github.com/ImageMagick/ImageMagick/commit/48bcf7c39302cdf9b0d9202ad03bf1b95152c44d
+
+(cherry picked from commit 48bcf7c39302cdf9b0d9202ad03bf1b95152c44d)
+[rcs: Backported to wheezy]
+---
+ coders/txt.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: imagemagick-6.7.7.10/coders/txt.c
+===================================================================
+--- imagemagick-6.7.7.10.orig/coders/txt.c 2018-06-08 11:33:16.957042813 -0400
++++ imagemagick-6.7.7.10/coders/txt.c 2018-06-08 11:33:16.953042811 -0400
+@@ -448,6 +448,8 @@ static Image *ReadTXTImage(const ImageIn
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ image->columns=width;
+ image->rows=height;
++ if ((max_value == 0) || (max_value > 4294967295))
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ for (depth=1; (GetQuantumRange(depth)+1) < max_value; depth++) ;
+ image->depth=depth;
+ status=SetImageExtent(image,image->columns,image->rows);
diff -Nru imagemagick-6.7.7.10/debian/patches/0313-CVE-2017-14174-Fix-DoS-missing-EOF-check-in-ReadPSDLayersInternal.patch imagemagick-6.7.7.10/debian/patches/0313-CVE-2017-14174-Fix-DoS-missing-EOF-check-in-ReadPSDLayersInternal.patch
--- imagemagick-6.7.7.10/debian/patches/0313-CVE-2017-14174-Fix-DoS-missing-EOF-check-in-ReadPSDLayersInternal.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/0313-CVE-2017-14174-Fix-DoS-missing-EOF-check-in-ReadPSDLayersInternal.patch 2018-06-08 17:28:04.000000000 +0000
@@ -0,0 +1,30 @@
+From f68a98a9d385838a1c73ec960a14102949940a64 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 31 Aug 2017 10:27:46 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/714
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/714
+origin: https://github.com/ImageMagick/ImageMagick/commit/f68a98a9d385838a1c73ec960a14102949940a64
+
+(cherry picked from commit f68a98a9d385838a1c73ec960a14102949940a64)
+[rcs: Backported to wheezy]
+---
+ coders/psd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: imagemagick-6.7.7.10/coders/psd.c
+===================================================================
+--- imagemagick-6.7.7.10.orig/coders/psd.c 2018-06-08 13:24:12.888359406 -0400
++++ imagemagick-6.7.7.10/coders/psd.c 2018-06-08 13:27:54.780904309 -0400
+@@ -1190,6 +1190,11 @@ static Image *ReadPSDImage(const ImageIn
+ {
+ size_t blend_source=ReadBlobMSBLong(image);
+ size_t blend_dest=ReadBlobMSBLong(image);
++ if (EOFBlob(image) != MagickFalse)
++ {
++ ThrowBinaryException(CorruptImageError,
++ "InsufficientImageDataInFile",image->filename);
++ }
+ if (image->debug != MagickFalse)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " source(%x), dest(%x)",(unsigned int)
diff -Nru imagemagick-6.7.7.10/debian/patches/0314-CVE-2017-14175-Fix-DoS-missing-EOF-check-in-ReadXBMImage-1-of-2.patch imagemagick-6.7.7.10/debian/patches/0314-CVE-2017-14175-Fix-DoS-missing-EOF-check-in-ReadXBMImage-1-of-2.patch
--- imagemagick-6.7.7.10/debian/patches/0314-CVE-2017-14175-Fix-DoS-missing-EOF-check-in-ReadXBMImage-1-of-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/0314-CVE-2017-14175-Fix-DoS-missing-EOF-check-in-ReadXBMImage-1-of-2.patch 2018-06-08 15:33:43.000000000 +0000
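Review bot: The added EOF check exits through ThrowBinaryException, which returns MagickFalse, inside a function the hunk header identifies as `static Image *ReadPSDImage(...)`; the patch title names ReadPSDLayersInternal, so the macro appears to have been carried over from upstream's MagickBooleanType helper during the backport. In a reader the matching exit is `ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");`, which also closes the blob and destroys the image list before returning NULL. Any layer array allocated earlier in ReadPSDImage (outside the hunk) would need releasing on this path as well.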
@@ -0,0 +1,103 @@ +From b8c63b156bf26b52e710b1a0643c846a6cd01e56 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 31 Aug 2017 09:10:37 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/712 + +bug: https://github.com/ImageMagick/ImageMagick/issues/712 +origin: https://github.com/ImageMagick/ImageMagick/commit/b8c63b156bf26b52e710b1a0643c846a6cd01e56 + +(cherry picked from commit b8c63b156bf26b52e710b1a0643c846a6cd01e56) +[rcs: Backported to wheezy] +--- + coders/xbm.c | 31 +++++++++++++++++++++---------- + 1 file changed, 21 insertions(+), 10 deletions(-) + +--- imagemagick.git.orig/coders/xbm.c ++++ imagemagick.git/coders/xbm.c +@@ -130,7 +130,7 @@ + % + */ + +-static unsigned int XBMInteger(Image *image,short int *hex_digits) ++static int XBMInteger(Image *image,short int *hex_digits) + { + int + c; +@@ -145,7 +145,7 @@ + { + c=ReadBlobByte(image); + if (c == EOF) +- return(0); ++ return(-1); + } while (hex_digits[c] < 0); + /* + Evaluate number. +@@ -161,8 +161,10 @@ + break; + value+=hex_digits[c]; + c=ReadBlobByte(image); ++ if (c == EOF) ++ return(-1); + } while (hex_digits[c] >= 0); +- return(value); ++ return((int) value); + } + + static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception) +@@ -174,6 +176,9 @@ + Image + *image; + ++ int ++ c; ++ + MagickBooleanType + status; + +@@ -206,7 +211,6 @@ + height, + length, + padding, +- value, + version, + width; + +@@ -347,16 +351,25 @@ + if (version == 10) + for (i=0; i < (ssize_t) (bytes_per_line*image->rows); (i+=2)) + { +- value=XBMInteger(image,hex_digits); +- *p++=(unsigned char) value; ++ c=XBMInteger(image,hex_digits); ++ if (c < 0) ++ break; ++ *p++=(unsigned char) c; + if ((padding == 0) || (((i+2) % bytes_per_line) != 0)) +- *p++=(unsigned char) (value >> 8); ++ *p++=(unsigned char) (c >> 8); + } + else + for (i=0; i < (ssize_t) (bytes_per_line*image->rows); i++) + { + value=XBMInteger(image,hex_digits); +- *p++=(unsigned char) value; ++ if (c < 0) ++ 
break; ++ *p++=(unsigned char) c; ++ } ++ if (EOFBlob(image) != MagickFalse) ++ { ++ data=(unsigned char *) RelinquishMagickMemory(data); ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } + /* + Convert X bitmap image to pixel packets. +@@ -373,7 +386,7 @@ + for (x=0; x < (ssize_t) image->columns; x++) + { + if (bit == 0) +- byte=(size_t) (*p++); ++ byte=(unsigned int) (*p++); + SetPixelIndex(indexes+x,(byte & 0x01) != 0 ? 0x01 : 0x00); + bit++; + byte>>=1; diff -Nru imagemagick-6.7.7.10/debian/patches/0315-CVE-2017-14175-Fix-DoS-missing-EOF-check-in-ReadXBMImage-2-of-2.patch imagemagick-6.7.7.10/debian/patches/0315-CVE-2017-14175-Fix-DoS-missing-EOF-check-in-ReadXBMImage-2-of-2.patch --- imagemagick-6.7.7.10/debian/patches/0315-CVE-2017-14175-Fix-DoS-missing-EOF-check-in-ReadXBMImage-2-of-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0315-CVE-2017-14175-Fix-DoS-missing-EOF-check-in-ReadXBMImage-2-of-2.patch 2018-06-08 15:33:49.000000000 +0000 
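Review bot: The EOF path added after the two read loops in the 1-of-2 xbm.c patch raises `ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");`, which reports a truncated bitmap as an out-of-memory condition and will mislead anyone triaging the failure. A corrupt-image error matches what happened, for example `ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");`, the tag the other patches in this series use for short input. This patch also leaves `value=XBMInteger(image,hex_digits);` in the second loop after removing the `value` declaration, so it only builds together with the 2-of-2 patch that follows.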
@@ -0,0 +1,30 @@
+From 169a20e13ee634aba7ebab94775497d6a89f5ec1 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 31 Aug 2017 09:42:00 -0400
+Subject: [PATCH] ...
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/712
+origin: https://github.com/ImageMagick/ImageMagick/commit/169a20e13ee634aba7ebab94775497d6a89f5ec1
+
+(cherry picked from commit 169a20e13ee634aba7ebab94775497d6a89f5ec1)
+[rcs: Backported to wheezy]
+---
+ coders/xbm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/xbm.c b/coders/xbm.c
+index 66b2fac..1b776d0 100644
+--- a/coders/xbm.c
++++ b/coders/xbm.c
+@@ -361,7 +361,7 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ else
+ for (i=0; i < (ssize_t) (bytes_per_line*image->rows); i++)
+ {
+- value=XBMInteger(image,hex_digits);
++ c=XBMInteger(image,hex_digits);
+ if (c < 0)
+ break;
+ *p++=(unsigned char) c;
+--
+2.1.4
+
diff -Nru imagemagick-6.7.7.10/debian/patches/0316-CVE-2017-14224-Fix-heap-based-buffer-overflow-in-WritePCXImage.patch imagemagick-6.7.7.10/debian/patches/0316-CVE-2017-14224-Fix-heap-based-buffer-overflow-in-WritePCXImage.patch
--- imagemagick-6.7.7.10/debian/patches/0316-CVE-2017-14224-Fix-heap-based-buffer-overflow-in-WritePCXImage.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/0316-CVE-2017-14224-Fix-heap-based-buffer-overflow-in-WritePCXImage.patch 2018-06-08 15:34:06.000000000 +0000
@@ -0,0 +1,41 @@ +From 7f2d6fe34d695d3445e2d50937db5541a1b76bde Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Wed, 6 Sep 2017 08:43:15 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/733 + +bug: https://github.com/ImageMagick/ImageMagick/issues/733 +origin: https://github.com/ImageMagick/ImageMagick/commit/7f2d6fe34d695d3445e2d50937db5541a1b76bde +bug-debian: https://bugs.debian.org/876097 + +(cherry picked from commit 7f2d6fe34d695d3445e2d50937db5541a1b76bde) +[rcs: Backported to wheezy] +--- + coders/pcx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +Index: imagemagick-6.7.7.10/coders/pcx.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/pcx.c 2018-06-08 11:34:04.193081730 -0400 ++++ imagemagick-6.7.7.10/coders/pcx.c 2018-06-08 11:34:04.189081726 -0400 +@@ -905,6 +905,8 @@ static MagickBooleanType WritePCXImage(c + if (image->debug != MagickFalse) + (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename); + status=OpenBlob(image_info,image,WriteBinaryBlobMode,&image->exception); ++ if ((image->columns > 65535UL) || (image->rows > 65535UL)) ++ ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit"); + if (status == MagickFalse) + return(status); + if (IssRGBCompatibleColorspace(image->colorspace) == MagickFalse) +@@ -971,8 +973,10 @@ static MagickBooleanType WritePCXImage(c + if (image->matte != MagickFalse) + pcx_info.planes++; + } +- pcx_info.bytes_per_line=(unsigned short) (((size_t) image->columns* +- pcx_info.bits_per_pixel+7)/8); ++ length=(((size_t) image->columns*pcx_info.bits_per_pixel+7)/8); ++ if (length > 65535UL) ++ ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit"); ++ pcx_info.bytes_per_line=(unsigned short) length; + pcx_info.palette_info=1; + pcx_info.colormap_signature=0x0c; + /* diff -Nru imagemagick-6.7.7.10/debian/patches/0317-CVE-2017-14249-Fix-DoS-missing-EOF-check-in-ReadMPCImage.patch 
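Review bot: In 0316-CVE-2017-14224 (WritePCXImage, coders/pcx.c), the new width/height test sits between `OpenBlob()` and the `if (status == MagickFalse)` test, so the throw can run even when the open itself failed. Placing `if ((image->columns > 65535UL) || (image->rows > 65535UL))` after `if (status == MagickFalse) return(status);` keeps the error path on a blob that is known to be open. The second hunk assigns to `length`, whose declaration is outside the hunk; its type should be wide enough that the `> 65535UL` comparison happens before any narrowing to `unsigned short`.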
imagemagick-6.7.7.10/debian/patches/0317-CVE-2017-14249-Fix-DoS-missing-EOF-check-in-ReadMPCImage.patch --- imagemagick-6.7.7.10/debian/patches/0317-CVE-2017-14249-Fix-DoS-missing-EOF-check-in-ReadMPCImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0317-CVE-2017-14249-Fix-DoS-missing-EOF-check-in-ReadMPCImage.patch 2018-06-08 15:34:18.000000000 +0000 
@@ -0,0 +1,46 @@ +From 66112b7a7b64f688efe6fec53a829874a74dea04 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 31 Aug 2017 07:51:18 -0400 +Subject: [PATCH] + https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32602 + +bug: https://github.com/ImageMagick/ImageMagick/issues/708 +origin: https://github.com/ImageMagick/ImageMagick/commit/66112b7a7b64f688efe6fec53a829874a74dea04 +bug-debian: https://bugs.debian.org/876099 + +(cherry picked from commit 66112b7a7b64f688efe6fec53a829874a74dea04) +[rcs: Backported to wheezy] +--- + coders/mpc.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +Index: imagemagick-6.7.7.10/coders/mpc.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/mpc.c 2018-06-08 11:34:16.085092352 -0400 ++++ imagemagick-6.7.7.10/coders/mpc.c 2018-06-08 11:34:16.085092352 -0400 +@@ -910,12 +910,6 @@ static Image *ReadMPCImage(const ImageIn + colormap=(unsigned char *) RelinquishMagickMemory(colormap); + } + } +- if (EOFBlob(image) != MagickFalse) +- { +- ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile", +- image->filename); +- break; +- } + if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) + if (image->scene >= (image_info->scene+image_info->number_scenes-1)) + break; +@@ -928,6 +922,12 @@ static Image *ReadMPCImage(const ImageIn + status=PersistPixelCache(image,cache_filename,MagickTrue,&offset,exception); + if (status == MagickFalse) + ThrowReaderException(CacheError,"UnableToPersistPixelCache"); ++ if (EOFBlob(image) != MagickFalse) ++ { ++ ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile", ++ image->filename); ++ break; ++ } + /* + Proceed to next image. 
+ */ diff -Nru imagemagick-6.7.7.10/debian/patches/0318-CVE-2017-14341-Fix-DoS-CPU-exhaustion-in-ReadWPGImage.patch imagemagick-6.7.7.10/debian/patches/0318-CVE-2017-14341-Fix-DoS-CPU-exhaustion-in-ReadWPGImage.patch --- imagemagick-6.7.7.10/debian/patches/0318-CVE-2017-14341-Fix-DoS-CPU-exhaustion-in-ReadWPGImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0318-CVE-2017-14341-Fix-DoS-CPU-exhaustion-in-ReadWPGImage.patch 2018-06-08 15:35:56.000000000 +0000 @@ -0,0 +1,26 @@ +From 4eae304e773bad8a876c3c26fdffac24d4253ae4 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 7 Aug 2017 15:01:02 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/654 + +bug: https://github.com/ImageMagick/ImageMagick/issues/654 +origin: https://github.com/ImageMagick/ImageMagick/commit/4eae304e773bad8a876c3c26fdffac24d4253ae4 +bug-debian: https://bugs.debian.org/876105 + +(cherry picked from commit 4eae304e773bad8a876c3c26fdffac24d4253ae4) +[rcs: Backported to wheezy] +--- + coders/wpg.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- imagemagick.git.orig/coders/wpg.c ++++ imagemagick.git/coders/wpg.c +@@ -1009,6 +1009,8 @@ + if(i==EOF) + break; + Rd_WP_DWORD(image,&Rec.RecordLength); ++ if (Rec.RecordLength > GetBlobSize(image)) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + if(EOFBlob(image)) + break; + diff -Nru imagemagick-6.7.7.10/debian/patches/0320-CVE-2017-14505-Fix-DoS-NULL-pointer-dereference-in-DrawGetStrokeDashArray.patch imagemagick-6.7.7.10/debian/patches/0320-CVE-2017-14505-Fix-DoS-NULL-pointer-dereference-in-DrawGetStrokeDashArray.patch --- imagemagick-6.7.7.10/debian/patches/0320-CVE-2017-14505-Fix-DoS-NULL-pointer-dereference-in-DrawGetStrokeDashArray.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0320-CVE-2017-14505-Fix-DoS-NULL-pointer-dereference-in-DrawGetStrokeDashArray.patch 2018-06-08 15:36:57.000000000 +0000 
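Review bot: In 0318-CVE-2017-14341 (coders/wpg.c), the new `Rec.RecordLength > GetBlobSize(image)` test runs before the `if(EOFBlob(image)) break;` that follows it, so a record length read at end of file is judged before the EOF state is consulted, and a truncated file may now raise ImproperImageHeader instead of ending the loop. Swapping the two statements would keep the previous EOF behaviour. It is also worth confirming what GetBlobSize returns in this version for input whose size is not known up front, since a zero there would reject every record; CVE-2017-14531.patch adds the same comparison in coders/sun.c. The enclosing loop starts outside the hunk.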
@@ -0,0 +1,34 @@ +From f7b0cf098bc800c5b6181dc522a99997bfee8948 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 31 Aug 2017 16:32:38 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/716 + +bug: https://github.com/ImageMagick/ImageMagick/issues/716 +origin: https://github.com/ImageMagick/ImageMagick/commit/f7b0cf098bc800c5b6181dc522a99997bfee8948 + +(cherry picked from commit f7b0cf098bc800c5b6181dc522a99997bfee8948) +[rcs: Backported to wheezy] +--- + wand/drawing-wand.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- imagemagick.git.orig/wand/drawing-wand.c ++++ imagemagick.git/wand/drawing-wand.c +@@ -1956,10 +1956,13 @@ + { + dash_array=(double *) AcquireQuantumMemory((size_t) n, + sizeof(*dash_array)); +- p=CurrentContext->dash_pattern; +- q=dash_array; +- for (i=0; i < (ssize_t) n; i++) +- *q++=(*p++); ++ if (dash_array != (double *) NULL) ++ { ++ p=CurrentContext->dash_pattern; ++ q=dash_array; ++ for (i=0; i < (ssize_t) n; i++) ++ *q++=(*p++); ++ } + } + return(dash_array); + } diff -Nru imagemagick-6.7.7.10/debian/patches/0321-CVE-2017-14607-Fix-out-of-bounds-read-in-ReadTIFFImage.patch imagemagick-6.7.7.10/debian/patches/0321-CVE-2017-14607-Fix-out-of-bounds-read-in-ReadTIFFImage.patch --- imagemagick-6.7.7.10/debian/patches/0321-CVE-2017-14607-Fix-out-of-bounds-read-in-ReadTIFFImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0321-CVE-2017-14607-Fix-out-of-bounds-read-in-ReadTIFFImage.patch 2018-06-08 15:41:03.000000000 +0000 
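Review bot: In 0320-CVE-2017-14505 (wand/drawing-wand.c), the guarded copy removes the NULL write, but the function still falls through to `return(dash_array)` with a NULL result, and any element count already reported to the caller is not reset on that path. If `*number_elements` is assigned `n` earlier in the function (that part is outside the hunk), a caller that loops over the count would read through the NULL pointer. An `else` branch that zeroes the count, or a comment stating that NULL with a non-zero count means allocation failure, would close that gap.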
@@ -0,0 +1,27 @@ +From cd665c3d05b46d1579c738a72214175ff50aec74 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Tue, 19 Sep 2017 06:52:38 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/765 + +bug: https://github.com/ImageMagick/ImageMagick/issues/765 +origin: https://github.com/ImageMagick/ImageMagick/commit/cd665c3d05b46d1579c738a72214175ff50aec74 + +(cherry picked from commit cd665c3d05b46d1579c738a72214175ff50aec74) +[rcs: Backported to wheezy] +--- + coders/tiff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: imagemagick-6.7.7.10/coders/tiff.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/tiff.c 2018-06-08 11:40:07.825522676 -0400 ++++ imagemagick-6.7.7.10/coders/tiff.c 2018-06-08 11:40:56.173595291 -0400 +@@ -1258,7 +1258,7 @@ static Image *ReadTIFFImage(const ImageI + quantum_type=RGBQuantum; + tiff_pixels=(unsigned char *) AcquireMagickMemory(MagickMax( + TIFFScanlineSize(tiff),(size_t) (image->columns*samples_per_pixel* +- pow(2.0,ceil(log(bits_per_sample)/log(2.0)))))); ++ pow(2.0,ceil(log(bits_per_sample)/log(2.0)))*sizeof(uint32)))); + if (tiff_pixels == (unsigned char *) NULL) + { + TIFFClose(tiff); diff -Nru imagemagick-6.7.7.10/debian/patches/0322-CVE-2017-14682-Fix-heap-based-buffer-overflow-in-GetNextToken.patch imagemagick-6.7.7.10/debian/patches/0322-CVE-2017-14682-Fix-heap-based-buffer-overflow-in-GetNextToken.patch --- imagemagick-6.7.7.10/debian/patches/0322-CVE-2017-14682-Fix-heap-based-buffer-overflow-in-GetNextToken.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0322-CVE-2017-14682-Fix-heap-based-buffer-overflow-in-GetNextToken.patch 2018-06-08 15:41:56.000000000 +0000 
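Review bot: The allocation size in 0321-CVE-2017-14607 (ReadTIFFImage, coders/tiff.c) is still computed in floating point and cast to `size_t` with no range check, and the added `*sizeof(uint32)` makes the product larger still. With large `image->columns` or `samples_per_pixel` values taken from the file, the double can exceed what `size_t` holds, and that conversion is undefined in C. A bound on the product before the cast, or an overflow-checked call in the `AcquireQuantumMemory(count,quantum)` form used by other hunks of this update, would make the size trustworthy. ReadTIFFImage starts and ends outside the hunk.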
@@ -0,0 +1,29 @@ +From 3bee958ee63eb6ec62834d0c7b28b4b6835e6a00 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Tue, 19 Sep 2017 07:09:26 -0400 +Subject: [PATCH] + https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32726 + +bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32726 +origin: https://github.com/ImageMagick/ImageMagick/commit/3bee958ee63eb6ec62834d0c7b28b4b6835e6a00 +bug-debian: https://bugs.debian.org/876488 + +(cherry picked from commit 3bee958ee63eb6ec62834d0c7b28b4b6835e6a00) +[rcs: Backported to wheezy] +--- + magick/token.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: imagemagick-6.7.7.10/magick/token.c +=================================================================== +--- imagemagick-6.7.7.10.orig/magick/token.c 2018-06-08 11:41:54.601686219 -0400 ++++ imagemagick-6.7.7.10/magick/token.c 2018-06-08 11:41:54.601686219 -0400 +@@ -283,7 +283,7 @@ MagickExport void GetMagickToken(const c + break; + } + token[i]='\0'; +- if (LocaleNCompare(token,"url(",4) == 0) ++ if ((LocaleNCompare(token,"url(",4) == 0) && (strlen(token) > 4)) + { + ssize_t + offset; diff -Nru imagemagick-6.7.7.10/debian/patches/0323-CVE-2017-14739-Fix-NULL-pointer-dereference-in-AcquireResampleFilterThreadSet.patch imagemagick-6.7.7.10/debian/patches/0323-CVE-2017-14739-Fix-NULL-pointer-dereference-in-AcquireResampleFilterThreadSet.patch --- imagemagick-6.7.7.10/debian/patches/0323-CVE-2017-14739-Fix-NULL-pointer-dereference-in-AcquireResampleFilterThreadSet.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0323-CVE-2017-14739-Fix-NULL-pointer-dereference-in-AcquireResampleFilterThreadSet.patch 2018-06-08 15:43:09.000000000 +0000 
@@ -0,0 +1,33 @@ +From 700fcf95b2c3f554dfbe75833b91f19dde208089 Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra +Date: Mon, 25 Sep 2017 10:41:11 +0200 +Subject: [PATCH 1/2] Fixed issue reported in #780. + +bug: https://github.com/ImageMagick/ImageMagick/issues/780 +origin: https://github.com/ImageMagick/ImageMagick/commit/700fcf95b2c3f554dfbe75833b91f19dde208089 + +(cherry picked from commit 700fcf95b2c3f554dfbe75833b91f19dde208089) +[rcs: Backported to wheezy] +--- + magick/resample-private.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +Index: imagemagick-6.7.7.10/magick/resample-private.h +=================================================================== +--- imagemagick-6.7.7.10.orig/magick/resample-private.h 2018-06-08 11:42:10.917712183 -0400 ++++ imagemagick-6.7.7.10/magick/resample-private.h 2018-06-08 11:42:10.913712176 -0400 +@@ -55,13 +55,11 @@ static inline ResampleFilter **AcquireRe + filter=(ResampleFilter **) AcquireAlignedMemory(number_threads, + sizeof(*filter)); + if (filter == (ResampleFilter **) NULL) +- return((ResampleFilter **) NULL); ++ ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed"); + (void) ResetMagickMemory(filter,0,number_threads*sizeof(*filter)); + for (i=0; i < (ssize_t) number_threads; i++) + { + filter[i]=AcquireResampleFilter(image,exception); +- if (filter[i] == (ResampleFilter *) NULL) +- return(DestroyResampleFilterThreadSet(filter)); + if (method != UndefinedVirtualPixelMethod) + (void) SetResampleFilterVirtualPixelMethod(filter[i],method); + if (interpolate != MagickFalse) diff -Nru imagemagick-6.7.7.10/debian/patches/0324-CVE-2017-14741-Fix-DoS-infinite-loop-in-ReadCAPTIONImage.patch imagemagick-6.7.7.10/debian/patches/0324-CVE-2017-14741-Fix-DoS-infinite-loop-in-ReadCAPTIONImage.patch --- imagemagick-6.7.7.10/debian/patches/0324-CVE-2017-14741-Fix-DoS-infinite-loop-in-ReadCAPTIONImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
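Review bot: 0323-CVE-2017-14739 (magick/resample-private.h) removes the `filter[i] == NULL` test, so the calls that follow, starting with `SetResampleFilterVirtualPixelMethod(filter[i],method)`, now rely on AcquireResampleFilter never returning NULL. That holds only if AcquireResampleFilter in this 6.7.7.10 tree raises a fatal exception itself on allocation failure, which is not visible here and should be confirmed for the backport. CVE-2017-1000445.patch removes the corresponding per-element check after `AcquireRandomInfo()` in magick/random-private.h. Both hunks also turn allocation failure into `ThrowFatalException`, which in ImageMagick ends the process; a short comment such as `/* allocation failure is fatal here: callers never see NULL */` would help applications that embed the library.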
imagemagick-6.7.7.10/debian/patches/0324-CVE-2017-14741-Fix-DoS-infinite-loop-in-ReadCAPTIONImage.patch 2018-06-08 15:43:21.000000000 +0000 @@ -0,0 +1,31 @@ +From bb11d07139efe0f5e4ce0e4afda32abdbe82fa9d Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 21 Sep 2017 06:53:56 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/771 + +bug: https://github.com/ImageMagick/ImageMagick/issues/771 +origin: https://github.com/ImageMagick/ImageMagick/commit/bb11d07139efe0f5e4ce0e4afda32abdbe82fa9d + +(cherry picked from commit bb11d07139efe0f5e4ce0e4afda32abdbe82fa9d) +[rcs: Backported to wheezy] +--- + coders/caption.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- imagemagick.git.orig/coders/caption.c ++++ imagemagick.git/coders/caption.c +@@ -164,10 +164,13 @@ + high, + low; + ++ ssize_t ++ n; ++ + /* + Auto fit text into bounding box. + */ +- for ( ; ; ) ++ for (n=0; n < 32; n++, draw_info->pointsize*=2.0) + { + text=AcquireString(caption); + i=FormatMagickCaption(image,draw_info,MagickFalse,&metrics,&text); diff -Nru imagemagick-6.7.7.10/debian/patches/0325-CVE-2017-14989-Fix-use-after-free-in-RenderFreeType.patch imagemagick-6.7.7.10/debian/patches/0325-CVE-2017-14989-Fix-use-after-free-in-RenderFreeType.patch --- imagemagick-6.7.7.10/debian/patches/0325-CVE-2017-14989-Fix-use-after-free-in-RenderFreeType.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0325-CVE-2017-14989-Fix-use-after-free-in-RenderFreeType.patch 2018-06-08 15:43:37.000000000 +0000 
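Review bot: In 0324-CVE-2017-14741 (coders/caption.c), the new loop header doubles `draw_info->pointsize` in its increment clause, but the loop body continues outside the hunk and the diffstat shows only the `for` line replaced. If the body still contains its own `draw_info->pointsize*=2.0;`, the size would grow fourfold per iteration and the fit search would skip sizes; that should be checked against the 6.7.7.10 source. The bound 32 is also unexplained, and a comment such as `/* cap the auto-fit search at 32 doublings */` would record why the loop terminates.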
@@ -0,0 +1,28 @@ +From 28bad01242898d7f863deedbfa8502c348293093 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Tue, 26 Sep 2017 07:16:49 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/781 + +bug: https://github.com/ImageMagick/ImageMagick/issues/781 +origin: https://github.com/ImageMagick/ImageMagick/commit/28bad01242898d7f863deedbfa8502c348293093 + +(cherry picked from commit 28bad01242898d7f863deedbfa8502c348293093) +[rcs: Backported to wheezy] +--- + magick/annotate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: imagemagick-6.7.7.10/magick/annotate.c +=================================================================== +--- imagemagick-6.7.7.10.orig/magick/annotate.c 2018-06-08 11:43:35.437850288 -0400 ++++ imagemagick-6.7.7.10/magick/annotate.c 2018-06-08 11:43:35.433850281 -0400 +@@ -1482,8 +1482,8 @@ static MagickBooleanType RenderFreetype( + if (bitmap->left > metrics->width) + metrics->width=bitmap->left; + } ++ FT_Done_Glyph(glyph.image); + } +- FT_Done_Glyph(glyph.image); + } + metrics->width-=metrics->bounds.x1/64.0; + metrics->bounds.x1/=64.0; diff -Nru imagemagick-6.7.7.10/debian/patches/0326-CVE-2017-15016-Fix-NULL-pointer-dereference-in-ReadEnhMetaFile.patch imagemagick-6.7.7.10/debian/patches/0326-CVE-2017-15016-Fix-NULL-pointer-dereference-in-ReadEnhMetaFile.patch --- imagemagick-6.7.7.10/debian/patches/0326-CVE-2017-15016-Fix-NULL-pointer-dereference-in-ReadEnhMetaFile.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0326-CVE-2017-15016-Fix-NULL-pointer-dereference-in-ReadEnhMetaFile.patch 2018-06-08 15:44:27.000000000 +0000 
@@ -0,0 +1,30 @@ +From 8254d24b86a62803231773ecf54c707aef4a1457 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 3 Sep 2017 12:07:52 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/725 + +bug: https://github.com/ImageMagick/ImageMagick/issues/725 +origin: https://github.com/ImageMagick/ImageMagick/commit/8254d24b86a62803231773ecf54c707aef4a1457 + +(cherry picked from commit 8254d24b86a62803231773ecf54c707aef4a1457) +[rcs: Backported to wheezy] +--- + coders/emf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/coders/emf.c b/coders/emf.c +index 961d5c8..82beca6 100644 +--- a/coders/emf.c ++++ b/coders/emf.c +@@ -404,6 +404,8 @@ static HENHMETAFILE ReadEnhMetaFile(const char *path,ssize_t *width, + return(NULL); + dwSize=GetFileSize(hFile,NULL); + pBits=(LPBYTE) AcquireQuantumMemory(dwSize,sizeof(*pBits)); ++ if (pBits == (LPBYTE) NULL) ++ return(NULL); + ReadFile(hFile,pBits,dwSize,&dwSize,NULL); + CloseHandle(hFile); + if (((PAPMHEADER) pBits)->dwKey != 0x9ac6cdd7l) +-- +2.1.4 + diff -Nru imagemagick-6.7.7.10/debian/patches/0327-CVE-2017-15017-Fix-NULL-pointer-dereference-in-ReadOneMNGImage.patch imagemagick-6.7.7.10/debian/patches/0327-CVE-2017-15017-Fix-NULL-pointer-dereference-in-ReadOneMNGImage.patch --- imagemagick-6.7.7.10/debian/patches/0327-CVE-2017-15017-Fix-NULL-pointer-dereference-in-ReadOneMNGImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0327-CVE-2017-15017-Fix-NULL-pointer-dereference-in-ReadOneMNGImage.patch 2018-06-08 15:44:48.000000000 +0000 
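Review bot: The early return added in 0326-CVE-2017-15016 (coders/emf.c) leaves `hFile` open, because `CloseHandle(hFile)` is reached only after `ReadFile` further down. The failure branch should release the handle first: `if (pBits == (LPBYTE) NULL) { CloseHandle(hFile); return(NULL); }`. The context lines also show the `ReadFile` result ignored and `pBits` cast to `PAPMHEADER` without comparing `dwSize` with the header size, which is worth a follow-up since the file content is untrusted. ReadEnhMetaFile starts and ends outside the hunk.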
@@ -0,0 +1,29 @@ +From 5a1006a249516a875558c3d642e719b1eac8f820 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 3 Sep 2017 12:04:19 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/723 + +bug: https://github.com/ImageMagick/ImageMagick/issues/723 +origin: https://github.com/ImageMagick/ImageMagick/commit/5a1006a249516a875558c3d642e719b1eac8f820 + +(cherry picked from commit 5a1006a249516a875558c3d642e719b1eac8f820) +[rcs: Backported to wheezy] +--- + coders/png.c | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: imagemagick-6.7.7.10/coders/png.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/png.c 2018-06-08 11:44:45.513968899 -0400 ++++ imagemagick-6.7.7.10/coders/png.c 2018-06-08 11:44:45.509968892 -0400 +@@ -5132,6 +5132,10 @@ static Image *ReadOneMNGImage(MngInfo* m + mng_info->global_plte=(png_colorp) AcquireQuantumMemory(256, + sizeof(*mng_info->global_plte)); + ++ if (mng_info->global_plte == (png_colorp) NULL) ++ ThrowReaderException(ResourceLimitError, ++ "MemoryAllocationFailed"); ++ + for (i=0; i < (ssize_t) (length/3); i++) + { + mng_info->global_plte[i].red=p[3*i]; diff -Nru imagemagick-6.7.7.10/debian/patches/0328-CVE-2017-15277-Fix-information-disclosure-in-ReadGIFImage.patch imagemagick-6.7.7.10/debian/patches/0328-CVE-2017-15277-Fix-information-disclosure-in-ReadGIFImage.patch --- imagemagick-6.7.7.10/debian/patches/0328-CVE-2017-15277-Fix-information-disclosure-in-ReadGIFImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0328-CVE-2017-15277-Fix-information-disclosure-in-ReadGIFImage.patch 2018-06-08 15:45:10.000000000 +0000 
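Review bot: In 0327-CVE-2017-15017 (ReadOneMNGImage, coders/png.c), the loop directly after the new NULL check writes `global_plte[i]` for `i` up to `length/3` into an allocation of 256 entries, and no bound on `length` is visible in this hunk. If the chunk length is not validated earlier in the function (outside the hunk), a guard that rejects `length > 3*256` belongs next to the new check. The new throw path should also be reviewed for the buffer that `p` points into, since ThrowReaderException leaves the function at that point.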
@@ -0,0 +1,26 @@ +From 9fd10cf630832b36a588c1545d8736539b2f1fb5 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Fri, 21 Jul 2017 07:54:50 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/592 + +bug: https://github.com/ImageMagick/ImageMagick/issues/592 +origin: https://github.com/ImageMagick/ImageMagick/commit/9fd10cf630832b36a588c1545d8736539b2f1fb5 +bug-debian: https://bugs.debian.org/878578 + +(cherry picked from commit 9fd10cf630832b36a588c1545d8736539b2f1fb5) +[rcs: Backported to wheezy] +--- + coders/gif.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- imagemagick.git.orig/coders/gif.c ++++ imagemagick.git/coders/gif.c +@@ -1040,6 +1040,8 @@ + MagickMax(global_colors,256),3UL*sizeof(*global_colormap)); + if (global_colormap == (unsigned char *) NULL) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ (void) ResetMagickMemory(global_colormap,0,3*MagickMax(global_colors,256)* ++ sizeof(*global_colormap)); + if (BitSet((int) flag,0x80) != 0) + count=ReadBlob(image,(size_t) (3*global_colors),global_colormap); + delay=0; diff -Nru imagemagick-6.7.7.10/debian/patches/0329-CVE-2017-15281-Fix-DoS-application-crash-via-crafted-file-in-ReadPSDImage.patch imagemagick-6.7.7.10/debian/patches/0329-CVE-2017-15281-Fix-DoS-application-crash-via-crafted-file-in-ReadPSDImage.patch --- imagemagick-6.7.7.10/debian/patches/0329-CVE-2017-15281-Fix-DoS-application-crash-via-crafted-file-in-ReadPSDImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/0329-CVE-2017-15281-Fix-DoS-application-crash-via-crafted-file-in-ReadPSDImage.patch 2018-06-08 15:45:25.000000000 +0000 
@@ -0,0 +1,38 @@ +From e9d1c2adae866861a291535997b2263f26becb1e Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 9 Oct 2017 19:28:18 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/832 + +bug: https://github.com/ImageMagick/ImageMagick/issues/832 +origin: https://github.com/ImageMagick/ImageMagick/commit/e9d1c2adae866861a291535997b2263f26becb1e +bug-debian: https://bugs.debian.org/878579 + +(cherry picked from commit e9d1c2adae866861a291535997b2263f26becb1e) +[rcs: Backported to wheezy] +--- + coders/psd.c | 4 ++++ + filters/analyze.c | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +Index: imagemagick-6.7.7.10/coders/psd.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/psd.c 2018-06-08 11:45:23.050033782 -0400 ++++ imagemagick-6.7.7.10/coders/psd.c 2018-06-08 11:45:23.046033775 -0400 +@@ -850,6 +850,8 @@ static Image *ReadPSDImage(const ImageIn + (double) psd_info.columns,(double) psd_info.rows,(double) + psd_info.channels,(double) psd_info.depth,ModeToString((PSDImageType) + psd_info.mode)); ++ if (EOFBlob(image) != MagickFalse) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + /* + Initialize image. + */ +@@ -1478,6 +1480,8 @@ static Image *ReadPSDImage(const ImageIn + } + } + } ++ if (EOFBlob(image) != MagickFalse) ++ ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile"); + /* + Read the precombined layer, present for PSD < 4 compatibility + */ diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2017-1000445.patch imagemagick-6.7.7.10/debian/patches/CVE-2017-1000445.patch --- imagemagick-6.7.7.10/debian/patches/CVE-2017-1000445.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/CVE-2017-1000445.patch 2018-06-08 15:53:59.000000000 +0000 
@@ -0,0 +1,18 @@ +--- imagemagick-6.7.7.10.orig/magick/random-private.h ++++ imagemagick-6.7.7.10/magick/random-private.h +@@ -52,14 +52,10 @@ static inline RandomInfo **AcquireRandom + random_info=(RandomInfo **) AcquireAlignedMemory(number_threads, + sizeof(*random_info)); + if (random_info == (RandomInfo **) NULL) +- return((RandomInfo **) NULL); ++ ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed"); + (void) ResetMagickMemory(random_info,0,number_threads*sizeof(*random_info)); + for (i=0; i < (ssize_t) number_threads; i++) +- { + random_info[i]=AcquireRandomInfo(); +- if (random_info[i] == (RandomInfo *) NULL) +- return(DestroyRandomInfoThreadSet(random_info)); +- } + return(random_info); + } + diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2017-1000476.patch imagemagick-6.7.7.10/debian/patches/CVE-2017-1000476.patch --- imagemagick-6.7.7.10/debian/patches/CVE-2017-1000476.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/CVE-2017-1000476.patch 2018-06-08 15:54:10.000000000 +0000 @@ -0,0 +1,22 @@ +Index: imagemagick-6.7.7.10/coders/dds.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/dds.c 2018-06-08 11:54:08.867010109 -0400 ++++ imagemagick-6.7.7.10/coders/dds.c 2018-06-08 11:54:08.863010102 -0400 +@@ -879,6 +879,8 @@ static MagickBooleanType SkipDXTMipmaps( + break; + w = DIV2(w); + h = DIV2(h); ++ if ((w == 1) && (h == 1)); ++ break; + } + } + return(MagickTrue); +@@ -926,6 +928,8 @@ static MagickBooleanType SkipRGBMipmaps( + break; + w = DIV2(w); + h = DIV2(h); ++ if ((w == 1) && (h == 1)) ++ break; + } + } + return(MagickTrue); diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2017-14325.patch imagemagick-6.7.7.10/debian/patches/CVE-2017-14325.patch --- imagemagick-6.7.7.10/debian/patches/CVE-2017-14325.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/CVE-2017-14325.patch 2018-06-08 15:35:37.000000000 +0000 
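Review bot: The first hunk of CVE-2017-1000476.patch (SkipDXTMipmaps, coders/dds.c) ends its new condition with a semicolon, `if ((w == 1) && (h == 1));`, so the `break` on the next line is unconditional and the mipmap loop exits at the end of its first pass. The SkipRGBMipmaps hunk has the same two lines without the semicolon, which looks like the intended form: `if ((w == 1) && (h == 1))` followed by `break;`. As written, the remaining mipmap levels would not be skipped on the DXT path, so later reads may start at the wrong offset. Both loops begin outside their hunks.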
@@ -0,0 +1,25 @@ +Backport of: + +From 44a55580ac8c01d8cff1e6e0063820af113f8591 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 11 Sep 2017 16:22:43 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/741 + https://github.com/ImageMagick/ImageMagick/issues/746 + +--- + magick/cache.c | 2 -- + 1 file changed, 2 deletions(-) + +Index: imagemagick-6.7.7.10/magick/cache.c +=================================================================== +--- imagemagick-6.7.7.10.orig/magick/cache.c 2018-06-08 11:34:43.085117630 -0400 ++++ imagemagick-6.7.7.10/magick/cache.c 2018-06-08 11:35:20.825155539 -0400 +@@ -2104,8 +2104,6 @@ static Cache GetImagePixelCache(Image *i + status=ClonePixelCachePixels(clone_info,cache_info,exception); + if (status != MagickFalse) + { +- if (cache_info->mode == ReadMode) +- cache_info->nexus_info=(NexusInfo **) NULL; + destroy=MagickTrue; + image->cache=clone_image.cache; + } diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2017-14342.patch imagemagick-6.7.7.10/debian/patches/CVE-2017-14342.patch --- imagemagick-6.7.7.10/debian/patches/CVE-2017-14342.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/CVE-2017-14342.patch 2018-06-08 15:36:20.000000000 +0000 
@@ -0,0 +1,22 @@ +From 6d5b22baedd49ef8a35011789bd600762ce1ef21 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Mon, 7 Aug 2017 15:18:17 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/650 + +--- + coders/wpg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: imagemagick-6.7.7.10/coders/wpg.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/wpg.c 2018-06-08 11:36:17.721217933 -0400 ++++ imagemagick-6.7.7.10/coders/wpg.c 2018-06-08 11:36:17.717217929 -0400 +@@ -1099,7 +1099,7 @@ static Image *ReadWPGImage(const ImageIn + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + break; +- if ((image->colors == 0) && (bpp != 24)) ++ if ((image->colors == 0) && (bpp <= 16)) + { + image->colors=one << bpp; + if (!AcquireImageColormap(image,image->colors)) diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2017-14531.patch imagemagick-6.7.7.10/debian/patches/CVE-2017-14531.patch --- imagemagick-6.7.7.10/debian/patches/CVE-2017-14531.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/CVE-2017-14531.patch 2018-06-08 15:38:11.000000000 +0000 
@@ -0,0 +1,24 @@ +Backport of: + +From 1385a09732c261f1f403a9af6700979ca56c76d3 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 3 Sep 2017 08:04:47 -0400 +Subject: [PATCH] ... + +--- + coders/sun.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: imagemagick-6.7.7.10/coders/sun.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/sun.c 2018-06-08 11:37:18.457290832 -0400 ++++ imagemagick-6.7.7.10/coders/sun.c 2018-06-08 11:37:56.077338928 -0400 +@@ -428,6 +428,8 @@ static Image *ReadSUNImage(const ImageIn + if ((number_pixels*sun_info.depth) > (8*sun_info.length)) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + bytes_per_line=sun_info.width*sun_info.depth; ++ if (sun_info.length > GetBlobSize(image)) ++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); + sun_data=(unsigned char *) AcquireQuantumMemory((size_t) MagickMax( + sun_info.length,bytes_per_line*sun_info.width),sizeof(*sun_data)); + if (sun_data == (unsigned char *) NULL) diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2017-16546.patch imagemagick-6.7.7.10/debian/patches/CVE-2017-16546.patch --- imagemagick-6.7.7.10/debian/patches/CVE-2017-16546.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/CVE-2017-16546.patch 2018-06-08 15:47:06.000000000 +0000 
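Review bot: In CVE-2017-14531.patch (ReadSUNImage, coders/sun.c), the new test bounds `sun_info.length` by the blob size, but the allocation that follows takes `MagickMax(sun_info.length,bytes_per_line*sun_info.width)`, and the second operand is not limited by the new check. Since `bytes_per_line` is `sun_info.width*sun_info.depth`, both products come from header fields and could wrap or stay very large depending on their types, which are declared outside the hunk. Checking those products for overflow next to the new test, before the allocation, would cover the remaining path.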
@@ -0,0 +1,25 @@ +Backport of: + +From e04cf3e9524f50ca336253513d977224e083b816 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sat, 4 Nov 2017 10:56:39 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/851 + +--- + coders/wpg.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: imagemagick-6.7.7.10/coders/wpg.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/wpg.c 2018-06-08 11:45:53.938087819 -0400 ++++ imagemagick-6.7.7.10/coders/wpg.c 2018-06-08 11:46:49.978187227 -0400 +@@ -1042,7 +1042,8 @@ static Image *ReadWPGImage(const ImageIn + case 0x0E: /*Color palette */ + WPG_Palette.StartIndex=ReadBlobLSBShort(image); + WPG_Palette.NumOfEntries=ReadBlobLSBShort(image); +- ++ if (WPG_Palette.StartIndex > WPG_Palette.NumOfEntries) ++ ThrowReaderException(CorruptImageError,"InvalidColormapIndex"); + image->colors=WPG_Palette.NumOfEntries; + if (!AcquireImageColormap(image,image->colors)) + goto NoMemory; diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2017-17504.patch imagemagick-6.7.7.10/debian/patches/CVE-2017-17504.patch --- imagemagick-6.7.7.10/debian/patches/CVE-2017-17504.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/CVE-2017-17504.patch 2018-06-08 15:47:39.000000000 +0000 
@@ -0,0 +1,71 @@ +From: Markus Koschany +Date: Fri, 29 Dec 2017 17:04:01 +0100 +Subject: CVE-2017-17504 + +Bug-Debian: https://bugs.debian.org/885340 +Origin: https://github.com/ImageMagick/ImageMagick/commit/ce3a586a43a7d13442587eb7f28d129557b6a135 +--- + coders/png.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +Index: imagemagick-6.7.7.10/coders/png.c +=================================================================== +--- imagemagick-6.7.7.10.orig/coders/png.c 2018-06-08 11:47:37.926273565 -0400 ++++ imagemagick-6.7.7.10/coders/png.c 2018-06-08 11:47:37.922273559 -0400 +@@ -1793,6 +1793,7 @@ Magick_png_read_raw_profile(png_struct * + sp; + + png_uint_32 ++ extent, + length, + nibbles; + +@@ -1808,22 +1809,35 @@ Magick_png_read_raw_profile(png_struct * + 13,14,15}; + + sp=text[ii].text+1; ++ extent=text[ii].text_length; + /* look for newline */ +- while (*sp != '\n') +- sp++; ++ while ((*sp != '\n') && extent--) ++ sp++; + + /* look for length */ +- while (*sp == '\0' || *sp == ' ' || *sp == '\n') ++ while (((*sp == '\0' || *sp == ' ' || *sp == '\n')) && extent--) + sp++; + ++ if (extent == 0) ++ { ++ png_warning(ping,"invalid profile length"); ++ return(MagickFalse); ++ } ++ + length=(png_uint_32) StringToLong(sp); + + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " length: %lu",(unsigned long) length); + +- while (*sp != ' ' && *sp != '\n') ++ while ((*sp != ' ' && *sp != '\n') && extent--) + sp++; + ++ if (extent == 0) ++ { ++ png_warning(ping,"invalid profile length"); ++ return(MagickFalse); ++ } ++ + /* allocate space */ + if (length == 0) + { +@@ -5060,7 +5074,7 @@ static Image *ReadOneMNGImage(MngInfo* m + /* + Extract object clipping info. 
+ */ +- ++ + if (length > 27) + mng_info->object_clip[object_id]= + mng_read_box(mng_info->frame,0, &p[12]); diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2017-17682.patch imagemagick-6.7.7.10/debian/patches/CVE-2017-17682.patch --- imagemagick-6.7.7.10/debian/patches/CVE-2017-17682.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/CVE-2017-17682.patch 2018-06-08 15:49:38.000000000 +0000 @@ -0,0 +1,42 @@ +From: Markus Koschany +Date: Fri, 29 Dec 2017 18:04:40 +0100 +Subject: CVE-2017-17682 + +Bug-Debian: https://bugs.debian.org/885942 +Origin: https://github.com/ImageMagick/ImageMagick/commit/da649f031e36753c69268c5c027e695b8ae45e9a +--- + coders/wpg.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/coders/wpg.c b/coders/wpg.c +index 331d8eb..164675d 100644 +--- a/coders/wpg.c ++++ b/coders/wpg.c +@@ -731,6 +731,9 @@ static Image *ExtractPostscript(Image *image,const ImageInfo *image_info, + FILE + *ps_file; + ++ int ++ c; ++ + ImageInfo + *clone_info; + +@@ -757,10 +760,13 @@ static Image *ExtractPostscript(Image *image,const ImageInfo *image_info, + (void) ReadBlob(image, 2*MaxTextExtent, magick); + + (void) SeekBlob(image,PS_Offset,SEEK_SET); +- while(PS_Size-- > 0) +- { +- (void) fputc(ReadBlobByte(image),ps_file); +- } ++ while (PS_Size-- > 0) ++ { ++ c=ReadBlobByte(image); ++ if (c == EOF) ++ break; ++ (void) fputc(c,ps_file); ++ } + (void) fclose(ps_file); + + /* Detect file format - Check magic.mgk configuration file. */ diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2017-17879.patch imagemagick-6.7.7.10/debian/patches/CVE-2017-17879.patch --- imagemagick-6.7.7.10/debian/patches/CVE-2017-17879.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.7.7.10/debian/patches/CVE-2017-17879.patch 2018-06-08 15:50:25.000000000 +0000 
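Review bot: In CVE-2017-17504.patch (Magick_png_read_raw_profile, coders/png.c), the three new loop guards use `&& extent--` on a `png_uint_32`, so when the counter is already 0 the test fails and the post-decrement wraps it to the maximum value. The `if (extent == 0)` checks then do not fire, and the next loop keeps advancing `sp` with an effectively unlimited budget. Each loop also reads `*sp` before consulting the counter, and `extent` starts at `text_length` although `sp` starts one byte in. Testing the counter first and decrementing in the body avoids all three, for example `while ((extent != 0) && (*sp != '\n')) { sp++; extent--; }`, with the other two loops written the same way.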
@@ -0,0 +1,23 @@
+From: Markus Koschany
+Date: Fri, 29 Dec 2017 18:43:14 +0100
+Subject: CVE-2017-17879
+
+Bug-Debian: https://bugs.debian.org/885125
+Origin: https://github.com/ImageMagick/ImageMagick/commit/e41f18ecccbdd1c38e1382057718e91e8f8d6d80
+---
+ coders/png.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: imagemagick-6.7.7.10/coders/png.c
+===================================================================
+--- imagemagick-6.7.7.10.orig/coders/png.c 2018-06-08 11:50:23.374579146 -0400
++++ imagemagick-6.7.7.10/coders/png.c 2018-06-08 11:50:23.370579139 -0400
+@@ -5299,7 +5299,7 @@ static Image *ReadOneMNGImage(MngInfo* m
+
+ p++; /* framing mode */
+
+- while (*p && ((p-chunk) < (ssize_t) length))
++ while (*p && ((p-chunk) < (ssize_t) length-1))
+ p++; /* frame name */
+
+ p++; /* frame name terminator */
diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2017-17914.patch imagemagick-6.7.7.10/debian/patches/CVE-2017-17914.patch
--- imagemagick-6.7.7.10/debian/patches/CVE-2017-17914.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/CVE-2017-17914.patch 2018-06-08 15:50:42.000000000 +0000
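Review bot: In CVE-2017-17879.patch the frame-name loop in ReadOneMNGImage still evaluates `*p` before the bounds test, so with a very short chunk the byte is read before the check can reject it; putting the bound first, `while (((p-chunk) < (ssize_t) length-1) && *p)`, avoids that. The cast binds tighter than the subtraction, so the limit is `((ssize_t) length)-1`, and writing the parentheses would make that intent plain. The two unconditional `p++` lines around the loop are not bounded in the visible lines, and the enclosing function lies outside the hunk, so whether `length` is validated beforehand cannot be confirmed from here.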
@@ -0,0 +1,26 @@
+From: Markus Koschany
+Date: Fri, 29 Dec 2017 18:32:48 +0100
+Subject: CVE-2017-17914
+
+Origin: https://github.com/ImageMagick/ImageMagick/commit/42781eeebadf111a2e01559735ea504a78192046
+---
+ coders/png.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: imagemagick-6.7.7.10/coders/png.c
+===================================================================
+--- imagemagick-6.7.7.10.orig/coders/png.c 2018-06-08 11:50:40.770611869 -0400
++++ imagemagick-6.7.7.10/coders/png.c 2018-06-08 11:50:40.770611869 -0400
+@@ -2158,10 +2158,10 @@ static Image *ReadOnePNGImage(MngInfo *m
+ if (image != (Image *) NULL)
+ {
+ InheritException(exception,&image->exception);
+- image->columns=0;
++ image=DestroyImage(image);
+ }
++ return(image);
+
+- return(GetFirstImageInList(image));
+ }
+
+ /* { For navigation to end of SETJMP-protected block. Within this
diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2017-18252.patch imagemagick-6.7.7.10/debian/patches/CVE-2017-18252.patch
--- imagemagick-6.7.7.10/debian/patches/CVE-2017-18252.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/CVE-2017-18252.patch 2018-06-08 15:52:31.000000000 +0000
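Review bot: In CVE-2017-17914.patch the error path of ReadOnePNGImage now frees `image` with `DestroyImage`, but nothing visible clears other references to it. The function takes a `MngInfo` argument, and if that structure or the caller still holds this pointer (not visible in the hunk), it is left dangling after the return. `DestroyImage` releases a single image, whereas the removed line returned `GetFirstImageInList(image)`, which suggests the image may belong to a list; it is worth confirming that the rest of the list is released by the caller. A short comment on the new `return(image);` stating that the pointer is NULL after the destroy would help, and the stray blank line left before the closing brace can go.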
@@ -0,0 +1,23 @@
+From bb04ccb34fd45e9c3020786857fb79b09f44d7db Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sat, 30 Sep 2017 10:16:18 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/802
+
+---
+ wand/mogrify.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: imagemagick-6.7.7.10/wand/mogrify.c
+===================================================================
+--- imagemagick-6.7.7.10.orig/wand/mogrify.c 2018-06-08 11:52:29.134817810 -0400
++++ imagemagick-6.7.7.10/wand/mogrify.c 2018-06-08 11:52:29.130817802 -0400
+@@ -8220,6 +8220,9 @@ This has been merged completely into Mog
+ if (p == q)
+ break;
+ swap=CloneImage(p,0,0,MagickTrue,exception);
++ if (swap == (Image *) NULL)
++ ThrowWandFatalException(ResourceLimitFatalError,
++ "MemoryAllocationFailed",(*images)->filename);
+ ReplaceImageInList(&p,CloneImage(q,0,0,MagickTrue,exception));
+ ReplaceImageInList(&q,swap);
+ *images=GetFirstImageInList(q);
diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2017-18271.patch imagemagick-6.7.7.10/debian/patches/CVE-2017-18271.patch
--- imagemagick-6.7.7.10/debian/patches/CVE-2017-18271.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/CVE-2017-18271.patch 2018-06-08 15:52:48.000000000 +0000
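Review bot: In CVE-2017-18252.patch only the first clone is checked; the second `CloneImage(q,0,0,MagickTrue,exception)` on the next context line is still passed straight to `ReplaceImageInList(&p,...)` and can fail in the same way. Cloning `q` into a local first and applying the same test, `if (q_clone == (Image *) NULL) ThrowWandFatalException(ResourceLimitFatalError,"MemoryAllocationFailed",(*images)->filename);` (`q_clone` is a name made up for this note), would cover both allocations. The surrounding block starts and ends outside the hunk, so the new local would have to be declared there.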
@@ -0,0 +1,23 @@
+From: Markus Koschany
+Date: Wed, 23 May 2018 14:21:04 +0200
+Subject: CVE-2017-18271
+
+Bug-Upstream: https://github.com/ImageMagick/ImageMagick/issues/911
+Origin: https://github.com/ImageMagick/ImageMagick/commit/7523250e2664028aa1d8f02d2d7ae49c769a851e
+---
+ coders/miff.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: imagemagick-6.7.7.10/coders/miff.c
+===================================================================
+--- imagemagick-6.7.7.10.orig/coders/miff.c 2018-06-08 11:52:46.170850486 -0400
++++ imagemagick-6.7.7.10/coders/miff.c 2018-06-08 11:52:46.166850477 -0400
+@@ -1113,6 +1113,8 @@ static Image *ReadMIFFImage(const ImageI
+ p=image->directory+strlen(image->directory);
+ }
+ c=ReadBlobByte(image);
++ if (c == EOF)
++ break;
+ *p++=(char) c;
+ } while (c != (int) '\0');
+ }
diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2017-18273.patch imagemagick-6.7.7.10/debian/patches/CVE-2017-18273.patch
--- imagemagick-6.7.7.10/debian/patches/CVE-2017-18273.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/CVE-2017-18273.patch 2018-06-08 15:53:27.000000000 +0000
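Review bot: In CVE-2017-18271.patch the added `break` in ReadMIFFImage has no comment, and the reason is not obvious from the line itself: the loop ends only when `c` equals `'\0'`, which EOF never does, so without the test `(char) c` keeps being appended. Something like `/* EOF never matches the '\0' terminator; stop instead of appending it forever */` above the test would record that. After the `break` a partially read directory is kept and no error is raised in the visible lines; whether the string is terminated at that point depends on code outside the hunk.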
@@ -0,0 +1,22 @@
+From: Markus Koschany
+Date: Wed, 23 May 2018 14:29:24 +0200
+Subject: CVE-2017-18273
+
+Bug-Upstream: https://github.com/ImageMagick/ImageMagick/issues/910
+Origin: https://github.com/ImageMagick/ImageMagick/commit/b8fcb59e9e1d1189caf2e0f5e39346944dcd6b9d
+---
+ coders/txt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: imagemagick-6.7.7.10/coders/txt.c
+===================================================================
+--- imagemagick-6.7.7.10.orig/coders/txt.c 2018-06-08 11:53:01.194879364 -0400
++++ imagemagick-6.7.7.10/coders/txt.c 2018-06-08 11:53:18.362912432 -0400
+@@ -516,6 +516,7 @@ static Image *ReadTXTImage(const ImageIn
+ break;
+ }
+ }
++ *text='\0';
+ (void) ReadBlobString(image,text);
+ if (LocaleNCompare((char *) text,MagickID,strlen(MagickID)) == 0)
+ {
diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2018-10177.patch imagemagick-6.7.7.10/debian/patches/CVE-2018-10177.patch
--- imagemagick-6.7.7.10/debian/patches/CVE-2018-10177.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/CVE-2018-10177.patch 2018-06-08 16:00:10.000000000 +0000
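Review bot: In CVE-2017-18273.patch the result of `ReadBlobString` is still discarded in ReadTXTImage; clearing `text` first makes the following `LocaleNCompare` see an empty string when nothing was read, but the failure itself is not tested. Checking the return value, `if (ReadBlobString(image,text) == (char *) NULL) break;`, states the intent directly, provided a `break` is right for the enclosing loop, which starts outside the hunk. If the cast-to-void form is kept, a comment such as `/* start empty so a failed read is not compared against stale text */` on the new line would explain it.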
@@ -0,0 +1,22 @@
+From 9fdda6391e38aaad3bfd6a30bd6a72bd31aeee02 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra
+Date: Tue, 17 Apr 2018 21:26:48 +0200
+Subject: [PATCH] Fixed infinite loop (#1095).
+
+---
+ coders/png.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: imagemagick-6.7.7.10/coders/png.c
+===================================================================
+--- imagemagick-6.7.7.10.orig/coders/png.c 2018-06-08 12:00:08.984210458 -0400
++++ imagemagick-6.7.7.10/coders/png.c 2018-06-08 12:00:08.984210458 -0400
+@@ -5579,7 +5579,7 @@ static Image *ReadOneMNGImage(MngInfo* m
+ " LOOP level %.20g has %.20g iterations ",
+ (double) loop_level, (double) loop_iters);
+
+- if (loop_iters == 0)
++ if (loop_iters <= 0)
+ skipping_loop=loop_level;
+
+ else
diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2018-11251.patch imagemagick-6.7.7.10/debian/patches/CVE-2018-11251.patch
--- imagemagick-6.7.7.10/debian/patches/CVE-2018-11251.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/CVE-2018-11251.patch 2018-06-08 16:00:29.000000000 +0000
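Review bot: In CVE-2018-10177.patch the change from `== 0` to `<= 0` in the LOOP handling of ReadOneMNGImage only has an effect if `loop_iters` is a signed type, and its declaration is outside the hunk; a comment such as `/* a negative count from the chunk is treated like zero: skip the loop */` would record the assumption. A very large positive count is still accepted in the visible lines, so if no upper limit is applied elsewhere, processing time stays under the control of the file.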
@@ -0,0 +1,23 @@
+From: Markus Koschany
+Date: Wed, 23 May 2018 14:33:27 +0200
+Subject: CVE-2018-11251
+
+Bug-Upstream: https://github.com/ImageMagick/ImageMagick/issues/956
+Origin: https://github.com/ImageMagick/ImageMagick/commit/73fbc6a557b4f63af18b2debe83f817859ef7481
+---
+ coders/sun.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/sun.c b/coders/sun.c
+index 99952b1..4d9bc6d 100644
+--- a/coders/sun.c
++++ b/coders/sun.c
+@@ -340,6 +340,8 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ image->colors=one << sun_info.depth;
+ if (sun_info.maptype == RMT_EQUAL_RGB)
+ image->colors=sun_info.maplength/3;
++ if (image->colors == 0)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if (AcquireImageColormap(image,image->colors) == MagickFalse)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2018-7443.patch imagemagick-6.7.7.10/debian/patches/CVE-2018-7443.patch
--- imagemagick-6.7.7.10/debian/patches/CVE-2018-7443.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/CVE-2018-7443.patch 2018-06-08 17:23:46.000000000 +0000
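Review bot: In CVE-2018-11251.patch the new test in ReadSUNImage rejects a zero colour count but not an oversized one. `image->colors` comes from `one << sun_info.depth` or `sun_info.maplength/3` in the context lines, both presumably taken from the file header, and no upper limit on either is visible before `AcquireImageColormap`. If `sun_info.depth` is not range-checked earlier (outside the hunk), the shift itself is undefined for a depth at or above the width of `one`. Extending the new condition with an upper limit on the count, and noting in a comment where `depth` is validated, would make the header check complete.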
@@ -0,0 +1,13 @@
+Index: imagemagick-6.7.7.10/coders/tiff.c
+===================================================================
+--- imagemagick-6.7.7.10.orig/coders/tiff.c 2018-06-08 11:55:21.199150958 -0400
++++ imagemagick-6.7.7.10/coders/tiff.c 2018-06-08 11:55:21.195150949 -0400
+@@ -1256,6 +1256,8 @@ static Image *ReadTIFFImage(const ImageI
+ method=ReadTileMethod;
+ quantum_info->endian=LSBEndian;
+ quantum_type=RGBQuantum;
++ if (((MagickSizeType) TIFFScanlineSize(tiff)) > GetBlobSize(image))
++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+ tiff_pixels=(unsigned char *) AcquireMagickMemory(MagickMax(
+ TIFFScanlineSize(tiff),(size_t) (image->columns*samples_per_pixel*
+ pow(2.0,ceil(log(bits_per_sample)/log(2.0)))*sizeof(uint32))));
diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2018-8804.patch imagemagick-6.7.7.10/debian/patches/CVE-2018-8804.patch
--- imagemagick-6.7.7.10/debian/patches/CVE-2018-8804.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/CVE-2018-8804.patch 2018-06-08 15:57:19.000000000 +0000
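Review bot: In CVE-2018-7443.patch the new `ThrowReaderException` in ReadTIFFImage leaves the function without closing `tiff`, as far as the visible lines show. The allocation-failure branch that follows this spot in the same function (visible as context in CVE-2018-8960.patch) calls `TIFFClose(tiff);` before going on, and the new check should release the same resources, for example `{ TIFFClose(tiff); ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); }`. `quantum_info` is also live at this point and may need the same treatment; its cleanup is outside the hunk. `TIFFScanlineSize` is the size of a decoded row, so comparing it with the size of the stored file can reject a valid, well-compressed image, which is worth testing with compressed samples.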
@@ -0,0 +1,36 @@
+Backport of:
+
+From 6355db269e03f879c516cf9d592c72e157bc75d6 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Fri, 16 Mar 2018 20:20:18 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1025
+
+---
+ coders/ept.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+Index: imagemagick-6.7.7.10/coders/ept.c
+===================================================================
+--- imagemagick-6.7.7.10.orig/coders/ept.c 2018-06-08 11:55:50.175207666 -0400
++++ imagemagick-6.7.7.10/coders/ept.c 2018-06-08 11:57:00.583468274 -0400
+@@ -410,11 +410,18 @@ static MagickBooleanType WriteEPTImage(c
+ if (write_image == (Image *) NULL)
+ return(MagickFalse);
+ write_info=CloneImageInfo(image_info);
++ (void) CopyMagickString(write_info->filename,"EPS:",MaxTextExtent);
+ (void) CopyMagickString(write_info->magick,"EPS",MaxTextExtent);
+ if (LocaleCompare(image_info->magick,"EPT2") == 0)
+- (void) CopyMagickString(write_info->magick,"EPS2",MaxTextExtent);
++ {
++ (void) CopyMagickString(write_info->filename,"EPS2:",MaxTextExtent);
++ (void) CopyMagickString(write_info->magick,"EPS2",MaxTextExtent);
++ }
+ if (LocaleCompare(image_info->magick,"EPT3") == 0)
+- (void) CopyMagickString(write_info->magick,"EPS3",MaxTextExtent);
++ {
++ (void) CopyMagickString(write_info->filename,"EPS3:",MaxTextExtent);
++ (void) CopyMagickString(write_info->magick,"EPS3",MaxTextExtent);
++ }
+ (void) ResetMagickMemory(&ept_info,0,sizeof(ept_info));
+ ept_info.magick=0xc6d3d0c5ul;
+ ept_info.postscript=(unsigned char *) ImageToBlob(write_info,write_image,
diff -Nru imagemagick-6.7.7.10/debian/patches/CVE-2018-8960.patch imagemagick-6.7.7.10/debian/patches/CVE-2018-8960.patch
--- imagemagick-6.7.7.10/debian/patches/CVE-2018-8960.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/CVE-2018-8960.patch 2018-06-08 17:23:52.000000000 +0000
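Review bot: In CVE-2018-8804.patch the added `CopyMagickString(write_info->filename,...)` calls in WriteEPTImage carry no comment saying why the filename needs a format prefix, and the same pair of copies is now written three times. Presumably the prefix fixes the coder used by the `ImageToBlob` call below regardless of the original filename; a comment such as `/* prefix the filename so the EPS coder is selected explicitly */` would record that once confirmed. Building the filename once after the two `if` tests, from `write_info->magick` followed by a colon, would remove the duplication and the extra braces.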
@@ -0,0 +1,27 @@
+Backport of:
+
+From 7c0b29f621ebcce1a35c0e6c1992c9043b3bb1bd Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Fri, 16 Mar 2018 21:08:17 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1020
+
+---
+ coders/tiff.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+Index: imagemagick-6.7.7.10/coders/tiff.c
+===================================================================
+--- imagemagick-6.7.7.10.orig/coders/tiff.c 2018-06-08 11:57:40.207633384 -0400
++++ imagemagick-6.7.7.10/coders/tiff.c 2018-06-08 11:58:07.631744624 -0400
+@@ -1259,8 +1259,9 @@ static Image *ReadTIFFImage(const ImageI
+ if (((MagickSizeType) TIFFScanlineSize(tiff)) > GetBlobSize(image))
+ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+ tiff_pixels=(unsigned char *) AcquireMagickMemory(MagickMax(
+- TIFFScanlineSize(tiff),(size_t) (image->columns*samples_per_pixel*
+- pow(2.0,ceil(log(bits_per_sample)/log(2.0)))*sizeof(uint32))));
++ TIFFScanlineSize(tiff),(ssize_t) MagickMax(image->columns*
++ samples_per_pixel*pow(2.0,ceil(log(bits_per_sample)/log(2.0))),
++ rows_per_strip)*sizeof(uint32)));
+ if (tiff_pixels == (unsigned char *) NULL)
+ {
+ TIFFClose(tiff);
diff -Nru imagemagick-6.7.7.10/debian/patches/series imagemagick-6.7.7.10/debian/patches/series
--- imagemagick-6.7.7.10/debian/patches/series 2017-07-31 11:20:15.000000000 +0000
+++ imagemagick-6.7.7.10/debian/patches/series 2018-06-11 13:25:26.000000000 +0000
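Review bot: In CVE-2018-8960.patch the buffer size for `tiff_pixels` in ReadTIFFImage is still computed in floating point and then multiplied by `sizeof(uint32)` with no overflow check. The larger of the `image->columns*samples_per_pixel*pow(...)` product and `rows_per_strip` is cast to `ssize_t` and then scaled by the element size, so large header values can exceed the range of the cast or wrap before `AcquireMagickMemory` sees them. Computing the element count in integer arithmetic and passing count and element size separately to an overflow-checking allocator such as `AcquireQuantumMemory` would close that gap. The outer `MagickMax` also compares the signed `TIFFScanlineSize` result with an unsigned product, which deserves an explicit cast.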
@@ -239,3 +239,75 @@
 0245-memory-leak-in-ReadMATImage-in-mat.c.patch
 0246-Avoid-heap-based-overflow-for-jpeg.patch
 0055-CVE-2017-9144-fix-incomplete-patch.patch
+0244-CVE-2017-10995-Fix-denial-of-service-in-mng_get_long.patch
+0249-CVE-2017-11533-Fix-buffer-over-read-in-convert-WriteUILImage.patch
+0251-CVE-2017-11535-Fix-buffer-over-read-in-convert-WritePSImage.patch
+0252-CVE-2017-11537-Fix-floating-point-exception-in-convert-WritePALImage.patch
+0254-CVE-2017-11639-Fix-buffer-over-read-in-convert-WriteCIPImage.patch
+0255-CVE-2017-11640-Fix-address-access-exception-in-convert-WritePTIFImage-1-2.patch
+0261-CVE-2017-12140-Fix-excessive-memory-consumption-in-ReadDCMImage-via-crafted-file.patch
+0265-CVE-2017-12429-Fix-memory-exhaustion-in-ReadMIFFImage.patch
+0266-CVE-2017-12430-Fix-memory-exhaustion-in-ReadMPCImage.patch
+0267-CVE-2017-12431-Fix-use-after-free-in-ReadWMFImage.patch
+0268-CVE-2017-12432-Fix-memory-exhaustion-in-ReadPCXImage.patch
+0270-CVE-2017-12435-Fix-memory-exhaustion-in-ReadSUNImage.patch
+0271-CVE-2017-12563-Fix-memory-exhaustion-in-ReadPSDImage.patch
+0276-CVE-2017-12587-Fix-large-loop-vulnerability-in-ReadPWPImage.patch
+0277-CVE-2017-12640-Fix-out-of-bounds-read-vulnerability-in-ReadOneMNGImage.patch
+0280-CVE-2017-12643-Fix-memory-exhaustion-vulnerability-in-ReadOneJNGImage.patch
+0284-CVE-2017-12670-Fix-missing-validation-in-ReadMATImage-1-2.patch
+0285-CVE-2017-12670-Fix-missing-validation-in-ReadMATImage-2-2.patch
+0286-CVE-2017-12674-Fix-CPU-exhaustion-in-ReadPDBImage.patch
+0302-CVE-2017-12691-Fix-memory-consumption-in-ReadOneLayer.patch
+0303-CVE-2017-12692-Fix-memory-consumption-in-ReadVIFFImage.patch
+0304-CVE-2017-12693-Fix-memory-consumption-in-ReadBMPImage.patch
+0305-CVE-2017-12875-Fix-CPU-consumption-in-WritePixelCachePixels.patch
+0289-CVE-2017-12877-Fix-use-after-free-in-ReadMATImage.patch
+0290-CVE-2017-12983-Fix-heap-based-buffer-overflow-in-ReadSFWImage.patch
+0292-CVE-2017-13134-Fix-heap-based-buffer-overflow-in-SFWScan.patch
+0293-CVE-2017-13139-Fix-out-of-bounds-read-with-MNG-CLIP-chunk-in-ReadOneMNGImage.patch
+0294-CVE-2017-13142-Fix-short-file-check-in-png.c-1-2.patch
+0295-CVE-2017-13142-Fix-short-file-check-in-png.c-2-2.patch
+0296-CVE-2017-13143-Fix-use-of-uninitialized-data-in-ReadMATImage.patch
+0297-CVE-2017-13144-Fix-application-crash-if-image-dimensions-are-too-large.patch
+0306-CVE-2017-13758-Fix-heap-based-buffer-overflow-in-TracePoint.patch
+0307-CVE-2017-13768-Fix-Null-Pointer-Dereference-Program-Crash-in-IdentifyImage.patch
+0308-CVE-2017-13769-Fix-buffer-over-read-in-WriteTHUMBNAILImage-1-of-2.patch
+0309-CVE-2017-13769-Fix-buffer-over-read-in-WriteTHUMBNAILImage-2-of-2.patch
+0310-CVE-2017-14060-Fix-NULL-pointer-dereference-in-ReadCUTImage.patch
+0311-CVE-2017-14172-Fix-DoS-missing-EOF-check-in-ReadPSImage.patch
+0312-CVE-2017-14173-Fix-infinite-loop-in-ReadTXTImage.patch
+0313-CVE-2017-14174-Fix-DoS-missing-EOF-check-in-ReadPSDLayersInternal.patch
+0314-CVE-2017-14175-Fix-DoS-missing-EOF-check-in-ReadXBMImage-1-of-2.patch
+0315-CVE-2017-14175-Fix-DoS-missing-EOF-check-in-ReadXBMImage-2-of-2.patch
+0316-CVE-2017-14224-Fix-heap-based-buffer-overflow-in-WritePCXImage.patch
+0317-CVE-2017-14249-Fix-DoS-missing-EOF-check-in-ReadMPCImage.patch
+CVE-2017-14325.patch
+0318-CVE-2017-14341-Fix-DoS-CPU-exhaustion-in-ReadWPGImage.patch
+CVE-2017-14342.patch
+0320-CVE-2017-14505-Fix-DoS-NULL-pointer-dereference-in-DrawGetStrokeDashArray.patch
+CVE-2017-14531.patch
+0321-CVE-2017-14607-Fix-out-of-bounds-read-in-ReadTIFFImage.patch
+0322-CVE-2017-14682-Fix-heap-based-buffer-overflow-in-GetNextToken.patch
+0323-CVE-2017-14739-Fix-NULL-pointer-dereference-in-AcquireResampleFilterThreadSet.patch
+0324-CVE-2017-14741-Fix-DoS-infinite-loop-in-ReadCAPTIONImage.patch
+0325-CVE-2017-14989-Fix-use-after-free-in-RenderFreeType.patch
+0326-CVE-2017-15016-Fix-NULL-pointer-dereference-in-ReadEnhMetaFile.patch
+0327-CVE-2017-15017-Fix-NULL-pointer-dereference-in-ReadOneMNGImage.patch
+0328-CVE-2017-15277-Fix-information-disclosure-in-ReadGIFImage.patch
+0329-CVE-2017-15281-Fix-DoS-application-crash-via-crafted-file-in-ReadPSDImage.patch
+CVE-2017-16546.patch
+CVE-2017-17504.patch
+CVE-2017-17682.patch
+CVE-2017-17879.patch
+CVE-2017-17914.patch
+CVE-2017-18252.patch
+CVE-2017-18271.patch
+CVE-2017-18273.patch
+CVE-2017-1000445.patch
+CVE-2017-1000476.patch
+CVE-2018-7443.patch
+CVE-2018-8804.patch
+CVE-2018-8960.patch
+CVE-2018-10177.patch
+CVE-2018-11251.patch