diff -Nru imagemagick-6.9.7.4+dfsg/debian/changelog imagemagick-6.9.7.4+dfsg/debian/changelog
--- imagemagick-6.9.7.4+dfsg/debian/changelog 2017-05-26 15:02:11.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/changelog 2017-07-21 12:30:46.000000000 +0000
@@ -1,3 +1,17 @@
+imagemagick (8:6.9.7.4+dfsg-3ubuntu1.2) zesty-security; urgency=medium
+
+ * SECURITY UPDATE: multiple security issues
+ - debian/patches/*: synchronize security fixes with Debian's
+ 8:6.9.7.4+dfsg-12 release. Once again, thanks to Bastien Roucariès
+ for the excellent work this update is based on!
+ - CVE-2017-9261, CVE-2017-9262, CVE-2017-9405, CVE-2017-9407,
+ CVE-2017-9409, CVE-2017-9439, CVE-2017-9440, CVE-2017-9501,
+ CVE-2017-10928, CVE-2017-11141, CVE-2017-11170, CVE-2017-11188,
+ CVE-2017-11352, CVE-2017-11360, CVE-2017-11447, CVE-2017-11448,
+ CVE-2017-11449, CVE-2017-11450, CVE-2017-11478
+
+ -- Marc Deslauriers Fri, 21 Jul 2017 08:30:46 -0400
+
 imagemagick (8:6.9.7.4+dfsg-3ubuntu1.1) zesty-security; urgency=medium
 
 * SECURITY UPDATE: multiple security issues
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0042-Check-for-EOF-conditions-for-RLE-image-format.patch imagemagick-6.9.7.4+dfsg/debian/patches/0042-Check-for-EOF-conditions-for-RLE-image-format.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0042-Check-for-EOF-conditions-for-RLE-image-format.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0042-Check-for-EOF-conditions-for-RLE-image-format.patch 2017-07-14 16:56:39.000000000 +0000
@@ -0,0 +1,250 @@ +From 7cd05b00bc42f6fac754b8db7e8ad520a10ca71c Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Fri, 12 May 2017 07:14:36 -0400 +Subject: [PATCH] Check for EOF conditions for RLE image format + +This fix a crash for a specialy crafted file + +This fix CVE-2017-9144 + +(cherry picked from commit 7fdf9ea808caa3c81a0eb42656e5fafc59084198) + +origin: https://github.com/ImageMagick/ImageMagick/commit/7fdf9ea808caa3c81a0eb42656e5fafc59084198 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863126 +--- + coders/rle.c | 93 ++++++++++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 66 insertions(+), 27 deletions(-) + +diff --git a/coders/rle.c b/coders/rle.c +index ecbdcdcdc..142eccbef 100644 +--- a/coders/rle.c ++++ b/coders/rle.c +@@ -132,6 +132,15 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + #define ByteDataOp 0x05 + #define RunDataOp 0x06 + #define EOFOp 0x07 ++#define ThrowRLEException(exception,message) \ ++{ \ ++ if (colormap != (unsigned char *) NULL) \ ++ colormap=(unsigned char *) RelinquishMagickMemory(colormap); \ ++ if (pixel_info != (MemoryInfo *) NULL) \ ++ pixel_info=RelinquishVirtualMemory(pixel_info); \ ++ ThrowReaderException((exception),(message)); \ ++} ++ + + char + magick[12]; +@@ -209,6 +218,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + /* + Determine if this a RLE file. + */ ++ colormap=(unsigned char *) NULL; ++ pixel_info=(MemoryInfo *) NULL; + count=ReadBlob(image,2,(unsigned char *) magick); + if ((count != 2) || (memcmp(magick,"\122\314",2) != 0)) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); +@@ -217,8 +228,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + /* + Read image header. 
+ */ +- image->page.x=ReadBlobLSBShort(image); +- image->page.y=ReadBlobLSBShort(image); ++ image->page.x=(ssize_t) ReadBlobLSBShort(image); ++ image->page.y=(ssize_t) ReadBlobLSBShort(image); + image->columns=ReadBlobLSBShort(image); + image->rows=ReadBlobLSBShort(image); + flags=(MagickStatusType) ReadBlobByte(image); +@@ -229,6 +240,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + map_length=(unsigned char) ReadBlobByte(image); + if (map_length >= 22) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ if (EOFBlob(image) != MagickFalse) ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + one=1; + map_length=one << map_length; + if ((number_planes == 0) || (number_planes == 2) || +@@ -256,11 +269,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((number_planes & 0x01) == 0) + (void) ReadBlobByte(image); + if (EOFBlob(image) != MagickFalse) +- { +- ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile", +- image->filename); +- break; +- } ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + colormap=(unsigned char *) NULL; + if (number_colormaps != 0) + { +@@ -274,8 +283,12 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + p=colormap; + for (i=0; i < (ssize_t) number_colormaps; i++) + for (x=0; x < (ssize_t) map_length; x++) ++ { + *p++=(unsigned char) ScaleQuantumToChar(ScaleShortToQuantum( + ReadBlobLSBShort(image))); ++ if (EOFBlob(image) != MagickFalse) ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); ++ } + } + if ((flags & 0x08) != 0) + { +@@ -303,11 +316,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + } + } + if (EOFBlob(image) != MagickFalse) +- { +- ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile", +- image->filename); +- break; +- } ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + if 
((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) + if (image->scene >= (image_info->scene+image_info->number_scenes-1)) + break; +@@ -364,6 +373,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + x=0; + y=0; + opcode=ReadBlobByte(image); ++ if (opcode == EOF) ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + do + { + switch (opcode & 0x3f) +@@ -371,8 +382,14 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + case SkipLinesOp: + { + operand=ReadBlobByte(image); ++ if (opcode == EOF) ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + if (opcode & 0x40) +- operand=ReadBlobLSBSignedShort(image); ++ { ++ operand=ReadBlobLSBSignedShort(image); ++ if (opcode == EOF) ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); ++ } + x=0; + y+=operand; + break; +@@ -380,6 +397,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + case SetColorOp: + { + operand=ReadBlobByte(image); ++ if (opcode == EOF) ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + plane=(unsigned char) operand; + if (plane == 255) + plane=(unsigned char) (number_planes-1); +@@ -389,21 +408,33 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + case SkipPixelsOp: + { + operand=ReadBlobByte(image); ++ if (opcode == EOF) ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + if (opcode & 0x40) +- operand=ReadBlobLSBSignedShort(image); ++ { ++ operand=ReadBlobLSBSignedShort(image); ++ if (opcode == EOF) ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); ++ } + x+=operand; + break; + } + case ByteDataOp: + { + operand=ReadBlobByte(image); ++ if (opcode == EOF) ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + if (opcode & 0x40) +- operand=ReadBlobLSBSignedShort(image); +- offset=((image->rows-y-1)*image->columns*number_planes)+x* +- number_planes+plane; ++ { ++ 
operand=ReadBlobLSBSignedShort(image); ++ if (opcode == EOF) ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); ++ } ++ offset=(ssize_t) (((image->rows-y-1)*image->columns*number_planes)+x* ++ number_planes+plane); + operand++; + if ((offset < 0) || +- (offset+((size_t) operand*number_planes) > pixel_info_length)) ++ ((offset+operand*number_planes) > (ssize_t) pixel_info_length)) + { + if (number_colormaps != 0) + colormap=(unsigned char *) RelinquishMagickMemory(colormap); +@@ -427,15 +458,21 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + case RunDataOp: + { + operand=ReadBlobByte(image); ++ if (opcode == EOF) ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + if (opcode & 0x40) +- operand=ReadBlobLSBSignedShort(image); ++ { ++ operand=ReadBlobLSBSignedShort(image); ++ if (opcode == EOF) ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); ++ } + pixel=(unsigned char) ReadBlobByte(image); + (void) ReadBlobByte(image); + operand++; +- offset=((image->rows-y-1)*image->columns*number_planes)+x* +- number_planes+plane; ++ offset=(ssize_t) (((image->rows-y-1)*image->columns*number_planes)+x* ++ number_planes+plane); + if ((offset < 0) || +- (offset+((size_t) operand*number_planes) > pixel_info_length)) ++ ((offset+operand*number_planes) > (ssize_t) pixel_info_length)) + { + if (number_colormaps != 0) + colormap=(unsigned char *) RelinquishMagickMemory(colormap); +@@ -457,6 +494,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + break; + } + opcode=ReadBlobByte(image); ++ if (opcode == EOF) ++ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } while (((opcode & 0x3f) != EOFOp) && (opcode != EOF)); + if (number_colormaps != 0) + { +@@ -472,7 +511,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + if (number_colormaps == 1) + for (i=0; i < (ssize_t) number_pixels; i++) + { +- if (IsValidColormapIndex(image,*p & 
mask,&index,exception) == ++ if (IsValidColormapIndex(image,(ssize_t) (*p & mask),&index,exception) == + MagickFalse) + break; + *p=colormap[(ssize_t) index]; +@@ -483,7 +522,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + for (i=0; i < (ssize_t) number_pixels; i++) + for (x=0; x < (ssize_t) number_planes; x++) + { +- if (IsValidColormapIndex(image,(size_t) (x*map_length+ ++ if (IsValidColormapIndex(image,(ssize_t) (x*map_length+ + (*p & mask)),&index,exception) == MagickFalse) + break; + *p=colormap[(ssize_t) index]; +@@ -597,15 +636,15 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + break; + for (x=0; x < (ssize_t) image->columns; x++) + { +- if (IsValidColormapIndex(image,*p++,&index,exception) == ++ if (IsValidColormapIndex(image,(ssize_t) *p++,&index,exception) == + MagickFalse) + break; + SetPixelRed(q,image->colormap[(ssize_t) index].red); +- if (IsValidColormapIndex(image,*p++,&index,exception) == ++ if (IsValidColormapIndex(image,(ssize_t) *p++,&index,exception) == + MagickFalse) + break; + SetPixelGreen(q,image->colormap[(ssize_t) index].green); +- if (IsValidColormapIndex(image,*p++,&index,exception) == ++ if (IsValidColormapIndex(image,(ssize_t) *p++,&index,exception) == + MagickFalse) + break; + SetPixelBlue(q,image->colormap[(ssize_t) index].blue); diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0043-Fixed-incorrect-call-to-WriteBlob-reported-in-490.patch imagemagick-6.9.7.4+dfsg/debian/patches/0043-Fixed-incorrect-call-to-WriteBlob-reported-in-490.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0043-Fixed-incorrect-call-to-WriteBlob-reported-in-490.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0043-Fixed-incorrect-call-to-WriteBlob-reported-in-490.patch 2017-07-14 16:56:40.000000000 +0000 
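Review bot: The EOF guards added after `operand=ReadBlobByte(image);` in the SkipLinesOp, SetColorOp, SkipPixelsOp, ByteDataOp and RunDataOp cases test `opcode`, a value already checked when it was read, so an EOF returned into `operand` is never caught and each guard is dead code; they should read `if (operand == EOF)`. The guards after `operand=ReadBlobLSBSignedShort(image);` have the same problem, and if that helper returns a plain signed short as its name suggests no return value can mark EOF there, leaving `EOFBlob(image)` as the usable check; the `pixel` and padding bytes read in RunDataOp get no check at all. The `0055-CVE-2017-9144-fix-incomplete-patch.patch` listed at the end of this diff may be where this is corrected, but its contents are not visible here. The `ThrowRLEException` macro also silently depends on `colormap` and `pixel_info`, so a comment at its definition, `/* needs colormap and pixel_info declared and NULL-initialised before first use */`, would state that contract. ReadRLEImage begins and ends outside the hunk.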
@@ -0,0 +1,35 @@
+From 466e8dc815943b73d4aa6a64c96f05f04321bcb5 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra
+Date: Mon, 15 May 2017 21:17:59 +0200
+Subject: [PATCH] Fixed incorrect call to WriteBlob reported in #490.
+
+A crafted file revealed an assertion failure in blob.c.
+
+This fix CVE-2017-9142
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/72f5c8632bff2daf3c95005f9b4cf2982786b52a
+bug: https://github.com/ImageMagick/ImageMagick/issues/490
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863125
+---
+ coders/png.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/coders/png.c b/coders/png.c
+index 2da4be6a3..a1150e357 100644
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -4337,10 +4337,11 @@ static Image *ReadOneJNGImage(MngInfo *mng_info,
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Copying JDAT chunk data to color_blob.");
+
+- (void) WriteBlob(color_image,length,chunk);
+-
+ if (length != 0)
+- chunk=(unsigned char *) RelinquishMagickMemory(chunk);
++ {
++ (void) WriteBlob(color_image,length,chunk);
++ chunk=(unsigned char *) RelinquishMagickMemory(chunk);
++ }
+
+ continue;
+ }
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0044-Added-check-to-prevent-image-being-0x0-reported-in-4.patch imagemagick-6.9.7.4+dfsg/debian/patches/0044-Added-check-to-prevent-image-being-0x0-reported-in-4.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0044-Added-check-to-prevent-image-being-0x0-reported-in-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0044-Added-check-to-prevent-image-being-0x0-reported-in-4.patch 2017-07-14 16:56:40.000000000 +0000
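Review bot: The relocated `(void) WriteBlob(color_image,length,chunk);` still discards the number of bytes written, so a short or failed write of JDAT data into color_image goes unnoticed and decoding continues on a truncated blob; checking the result, `if (WriteBlob(color_image,length,chunk) != (ssize_t) length)` followed by the same release-and-throw handling the other patches in this series use, would surface the error. The new guard also encodes an invariant that is only implied here — `chunk` is allocated only when `length != 0` — and a one-line comment such as `/* chunk is only allocated for a non-empty JDAT; WriteBlob asserts on a NULL buffer (the blob.c assertion this fixes) */` would say why the write moved under the test. ReadOneJNGImage begins and ends outside the hunk.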
@@ -0,0 +1,42 @@
+From e7647c4173b590ff1026d82ea7bd62956b53ecd9 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra
+Date: Mon, 15 May 2017 21:10:19 +0200
+Subject: [PATCH] Added check to prevent image being 0x0 (reported in #489).
+
+crafted file revealed an assertion failure in profile.c.
+ magick: MagickCore/profile.c:1303: ResetImageProfileIterator: Assertion `image != (Image *) ((void *)0)' failed.
+
+This fix CVE-2017-9141
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/f5910e91b0778e03ded45b9022be8eb8f77942cd
+bug: https://github.com/ImageMagick/ImageMagick/issues/489
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863124
+---
+ coders/dds.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/coders/dds.c b/coders/dds.c
+index 2f698dbb9..b22ad9930 100644
+--- a/coders/dds.c
++++ b/coders/dds.c
+@@ -1673,9 +1673,8 @@ static Image *ReadDDSImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ /*
+ Initialize image structure.
+ */
+- if (ReadDDSInfo(image, &dds_info) != MagickTrue) {
++ if (ReadDDSInfo(image, &dds_info) != MagickTrue)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+- }
+
+ if (dds_info.ddscaps2 & DDSCAPS2_CUBEMAP)
+ cubemap = MagickTrue;
+@@ -1772,6 +1771,9 @@ static Image *ReadDDSImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (volume)
+ num_images = dds_info.depth;
+
++ if (num_images < 1)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++
+ for (n = 0; n < num_images; n++)
+ {
+ if (n != 0)
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0045-Fixed-memory-leak-reported-in-456.patch imagemagick-6.9.7.4+dfsg/debian/patches/0045-Fixed-memory-leak-reported-in-456.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0045-Fixed-memory-leak-reported-in-456.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0045-Fixed-memory-leak-reported-in-456.patch 2017-07-14 16:56:40.000000000 +0000
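Review bot: The new `if (num_images < 1)` guard rejects an empty image set, but `num_images = dds_info.depth` still takes its upper bound straight from the file header with no limit visible in the hunk, so a large depth drives `for (n = 0; n < num_images; n++)` through that many image allocations; whether a resource limit applies further down is outside the hunk and worth confirming. The throw also runs after `ReadDDSInfo` succeeded, so anything acquired between the two hunks would leak on this path unless it is released first — not visible here. A short comment on the guard, `/* a zero-depth header would otherwise leave no image for the profile code (profile.c assertion) */`, ties it to the failure it fixes. ReadDDSImage begins and ends outside the hunk.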
@@ -0,0 +1,32 @@
+From 421a466abe8ef10183fc6416bda37f7595ff34c1 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra
+Date: Tue, 2 May 2017 08:32:19 +0200
+Subject: [PATCH] Fixed memory leak reported in #456.
+
+Specially crafted arts file could lead to memory leak
+
+This fix CVE-2017-9143
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/7b8c1df65b25d6671f113e2306982eded44ce3b4
+bug: https://github.com/ImageMagick/ImageMagick/issues/456
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863123
+---
+ coders/art.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/coders/art.c b/coders/art.c
+index e528a57ed..e41cec95e 100644
+--- a/coders/art.c
++++ b/coders/art.c
+@@ -181,7 +181,10 @@ static Image *ReadARTImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ pixels=(const unsigned char *) ReadBlobStream(image,length,
+ GetQuantumPixels(quantum_info),&count);
+ if (count != (ssize_t) length)
+- ThrowReaderException(CorruptImageError,"UnableToReadImageData");
++ {
++ quantum_info=DestroyQuantumInfo(quantum_info);
++ ThrowReaderException(CorruptImageError,"UnableToReadImageData");
++ }
+ (void) ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
+ quantum_type,pixels,exception);
+ (void) ReadBlobStream(image,(size_t) (-(ssize_t) length) & 0x01,
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0046-CVE-2017-9098-use-of-uninitialized-memory-in-RLE-dec.patch imagemagick-6.9.7.4+dfsg/debian/patches/0046-CVE-2017-9098-use-of-uninitialized-memory-in-RLE-dec.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0046-CVE-2017-9098-use-of-uninitialized-memory-in-RLE-dec.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0046-CVE-2017-9098-use-of-uninitialized-memory-in-RLE-dec.patch 2017-07-14 16:56:39.000000000 +0000
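Review bot: The release of `quantum_info` is inlined in front of this one `ThrowReaderException`, and the same hand-written free-then-throw block recurs in the png.c (MNG), mpc.c, palm.c, icon.c and pdb.c patches further down; any other early exit between the allocation and the normal `DestroyQuantumInfo` call in ReadARTImage, all outside this hunk, would still leak in the same way. A per-function cleanup macro like the `ThrowRLEException` introduced in the rle.c patch, or a single `goto` cleanup label, makes every exit path release the same resources and is easier to audit than repeating the block at each throw. ReadARTImage begins and ends outside the hunk.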
@@ -0,0 +1,26 @@
+From 1c9af3b1332c6839e93e1202aecb422ad64f7b5d Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 9 Mar 2017 07:27:42 -0500
+Subject: [PATCH] CVE-2017-9098: use of uninitialized memory in RLE decoder
+
+Reset memory for RLE decoder (patch provided by scarybeasts)
+
+bug: https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862967
+origin: https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b
+---
+ coders/rle.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/coders/rle.c b/coders/rle.c
+index 142eccbef..5279f451c 100644
+--- a/coders/rle.c
++++ b/coders/rle.c
+@@ -344,6 +344,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ pixel_info_length=image->columns*image->rows*
+ MagickMax(number_planes_filled,4);
+ pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
++ (void) ResetMagickMemory(pixels,0,pixel_info_length);
+ if ((flags & 0x01) && !(flags & 0x02))
+ {
+ ssize_t
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0047-CVE-2017-9261-Memory-leak-in-the-ReadMNGImage-functi.patch imagemagick-6.9.7.4+dfsg/debian/patches/0047-CVE-2017-9261-Memory-leak-in-the-ReadMNGImage-functi.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0047-CVE-2017-9261-Memory-leak-in-the-ReadMNGImage-functi.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0047-CVE-2017-9261-Memory-leak-in-the-ReadMNGImage-functi.patch 2017-07-14 16:56:40.000000000 +0000
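Review bot: The `ResetMagickMemory(pixels,0,pixel_info_length)` call deserves a why-comment, since nothing nearby says the opcode stream is allowed to leave parts of the buffer untouched: `/* opcodes need not cover every pixel; zero the buffer so untouched bytes cannot carry heap contents into the output */`. The length passed is `pixel_info_length`, computed two lines above as `image->columns*image->rows*MagickMax(number_planes_filled,4)`; it has to match the size `pixel_info` was acquired with, which is outside the hunk — if the allocation used a different expression the memset would over- or under-run, so that pairing is worth confirming. ReadRLEImage begins and ends outside the hunk.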
@@ -0,0 +1,34 @@
+From b6dfc0252f55a7f7dca3c33852693af2b9b4cced Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra
+Date: Sun, 7 May 2017 12:17:18 +0200
+Subject: [PATCH] CVE-2017-9261: Memory leak in the ReadMNGImage function
+
+In ImageMagic, the ReadMNGImage function in coders/png.c
+allows attackers to cause a denial of service (memory leak) via a
+crafted file.
+
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863833
+bug: https://github.com/ImageMagick/ImageMagick/issues/476
+origin: https://github.com/ImageMagick/ImageMagick/commit/01d522e990aa57cbe67d222dd5e8f7196cc6d199
+
+(cherry picked from commit 01d522e990aa57cbe67d222dd5e8f7196cc6d199)
+---
+ coders/png.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/coders/png.c b/coders/png.c
+index a1150e357..03e542d87 100644
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -5126,7 +5126,10 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info,
+
+ if ((mng_info->mng_width > 65535L) ||
+ (mng_info->mng_height > 65535L))
+- ThrowReaderException(ImageError,"WidthOrHeightExceedsLimit");
++ {
++ chunk=(unsigned char *) RelinquishMagickMemory(chunk);
++ ThrowReaderException(ImageError,"WidthOrHeightExceedsLimit");
++ }
+
+ (void) FormatLocaleString(page_geometry,MaxTextExtent,
+ "%.20gx%.20g+0+0",(double) mng_info->mng_width,(double)
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0048-CVE-2017-9262-Memory-leak-in-the-ReadJNGImage-functi.patch imagemagick-6.9.7.4+dfsg/debian/patches/0048-CVE-2017-9262-Memory-leak-in-the-ReadJNGImage-functi.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0048-CVE-2017-9262-Memory-leak-in-the-ReadJNGImage-functi.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0048-CVE-2017-9262-Memory-leak-in-the-ReadJNGImage-functi.patch 2017-07-14 16:56:40.000000000 +0000
@@ -0,0 +1,68 @@ +From 47176d01335aadf26b7572e604fc27169af6164e Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra +Date: Sun, 7 May 2017 12:11:52 +0200 +Subject: [PATCH] CVE-2017-9262: Memory leak in the ReadJNGImage function + +In ImageMagick, the ReadJNGImage function in coders/png.c +allows attackers to cause a denial of service (memory leak) via a +crafted file. + +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863834 +bug: https://github.com/ImageMagick/ImageMagick/issues/475 +origin: https://github.com/ImageMagick/ImageMagick/commit/4649578df8dcbfb2b08d8623d52486dc124da3a8 +--- + coders/png.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/coders/png.c b/coders/png.c +index 03e542d87..f9bc4bd82 100644 +--- a/coders/png.c ++++ b/coders/png.c +@@ -4268,7 +4268,10 @@ static Image *ReadOneJNGImage(MngInfo *mng_info, + exception); + + if (status == MagickFalse) +- return(DestroyImageList(image)); ++ { ++ color_image=DestroyImage(color_image); ++ return(DestroyImageList(image)); ++ } + + if ((image_info->ping == MagickFalse) && (jng_color_type >= 12)) + { +@@ -4276,14 +4279,19 @@ static Image *ReadOneJNGImage(MngInfo *mng_info, + AcquireMagickMemory(sizeof(ImageInfo)); + + if (alpha_image_info == (ImageInfo *) NULL) +- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ { ++ color_image=DestroyImage(color_image); ++ ThrowReaderException(ResourceLimitError, ++ "MemoryAllocationFailed"); ++ } + + GetImageInfo(alpha_image_info); + alpha_image=AcquireImage(alpha_image_info); + + if (alpha_image == (Image *) NULL) + { +- alpha_image=DestroyImage(alpha_image); ++ alpha_image_info=DestroyImageInfo(alpha_image_info); ++ color_image=DestroyImage(color_image); + ThrowReaderException(ResourceLimitError, + "MemoryAllocationFailed"); + } +@@ -4298,7 +4306,12 @@ static Image *ReadOneJNGImage(MngInfo *mng_info, + exception); + + if (status == MagickFalse) +- return(DestroyImageList(image)); ++ { ++ 
alpha_image=DestroyImage(alpha_image); ++ alpha_image_info=DestroyImageInfo(alpha_image_info); ++ color_image=DestroyImage(color_image); ++ return(DestroyImageList(image)); ++ } + + if (jng_alpha_compression_method == 0) + { diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0049-CVE-2017-9409-the-ReadMPCImage-function-in-mpc.c-all.patch imagemagick-6.9.7.4+dfsg/debian/patches/0049-CVE-2017-9409-the-ReadMPCImage-function-in-mpc.c-all.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0049-CVE-2017-9409-the-ReadMPCImage-function-in-mpc.c-all.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0049-CVE-2017-9409-the-ReadMPCImage-function-in-mpc.c-all.patch 2017-07-14 16:56:39.000000000 +0000 
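Review bot: The three new early-exit blocks release `color_image` (and, in the later two, `alpha_image` and `alpha_image_info`) before returning, but nothing in the hunk releases an image-info for `color_image`; if one was acquired with `AcquireMagickMemory` the same way `alpha_image_info` is in this very hunk, it is still leaked on each of these paths, which is worth checking against the allocation site above the hunk. Since the same four-object teardown now appears three times, a small static helper or a function-local cleanup macro (as the rle.c patch does with `ThrowRLEException`) would keep the exits in step when the next resource is added. ReadOneJNGImage begins and ends outside the hunk.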
@@ -0,0 +1,38 @@
+From cba86d89ada0bf05e2ee3a109dad8738972eb95c Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra
+Date: Tue, 2 May 2017 08:37:52 +0200
+Subject: [PATCH] CVE-2017-9409: the ReadMPCImage function in mpc.c allows
+ attackers to cause a denial of service (memory leak) via a crafted file.
+
+origin: https://github.com/ImageMagick/ImageMagick/commit/492991ed21c1d233287fda884044c0cc222b2161
+bug: https://github.com/ImageMagick/ImageMagick/issues/458
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864090
+
+(cherry picked from commit 492991ed21c1d233287fda884044c0cc222b2161)
+---
+ coders/mpc.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/coders/mpc.c b/coders/mpc.c
+index 89fead527..ca479dc43 100644
+--- a/coders/mpc.c
++++ b/coders/mpc.c
+@@ -864,12 +864,16 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ count=ReadBlob(image,packet_size*image->colors,colormap);
+ if (count != (ssize_t) (packet_size*image->colors))
+- ThrowReaderException(CorruptImageError,
+- "InsufficientImageDataInFile");
++ {
++ colormap=(unsigned char *) RelinquishMagickMemory(colormap);
++ ThrowReaderException(CorruptImageError,
++ "InsufficientImageDataInFile");
++ }
+ p=colormap;
+ switch (depth)
+ {
+ default:
++ colormap=(unsigned char *) RelinquishMagickMemory(colormap);
+ ThrowReaderException(CorruptImageError,
+ "ImageDepthNotSupported");
+ case 8:
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0050-CVE-2017-9407-the-ReadPALMImage-function-in-palm.c-a.patch imagemagick-6.9.7.4+dfsg/debian/patches/0050-CVE-2017-9407-the-ReadPALMImage-function-in-palm.c-a.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0050-CVE-2017-9407-the-ReadPALMImage-function-in-palm.c-a.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0050-CVE-2017-9407-the-ReadPALMImage-function-in-palm.c-a.patch 2017-07-14
16:56:39.000000000 +0000 
@@ -0,0 +1,49 @@ +From b258532d5620a7246ba82c1fc4ddac6444732e1b Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra +Date: Tue, 2 May 2017 08:42:38 +0200 +Subject: [PATCH] CVE-2017-9407: the ReadPALMImage function in palm.c allows + attackers to cause a denial of service (memory leak) via a crafted file. + +Fixed memory leak reported in #459. + +origin: https://github.com/ImageMagick/ImageMagick/commit/7851278ed92bcdef72132ceadee9256c9d98acf1 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864089 +bug: https://github.com/ImageMagick/ImageMagick/issues/459 + +(cherry picked from commit 7851278ed92bcdef72132ceadee9256c9d98acf1) +--- + coders/palm.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/coders/palm.c b/coders/palm.c +index 49ec4c895..5a81c738a 100644 +--- a/coders/palm.c ++++ b/coders/palm.c +@@ -486,7 +486,12 @@ static Image *ReadPALMImage(const ImageInfo *image_info, + if (bits_per_pixel == 16) + { + if (image->columns > (2*bytes_per_row)) +- ThrowReaderException(CorruptImageError,"CorruptImage"); ++ { ++ one_row=(unsigned char *) RelinquishMagickMemory(one_row); ++ if (compressionType == PALM_COMPRESSION_SCANLINE) ++ lastrow=(unsigned char *) RelinquishMagickMemory(lastrow); ++ ThrowReaderException(CorruptImageError,"CorruptImage"); ++ } + for (x=0; x < (ssize_t) image->columns; x++) + { + color16=(*ptr++ << 8); +@@ -504,7 +509,12 @@ static Image *ReadPALMImage(const ImageInfo *image_info, + for (x=0; x < (ssize_t) image->columns; x++) + { + if ((size_t) (ptr-one_row) >= bytes_per_row) +- ThrowReaderException(CorruptImageError,"CorruptImage"); ++ { ++ one_row=(unsigned char *) RelinquishMagickMemory(one_row); ++ if (compressionType == PALM_COMPRESSION_SCANLINE) ++ lastrow=(unsigned char *) RelinquishMagickMemory(lastrow); ++ ThrowReaderException(CorruptImageError,"CorruptImage"); ++ } + index=(IndexPacket) (mask-(((*ptr) & (mask << bit)) >> bit)); + SetPixelIndex(indexes+x,index); + 
SetPixelRGBO(q,image->colormap+(ssize_t) index); diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0051-CVE-2017-9405-the-ReadICONImage-function-in-icon.c-4.patch imagemagick-6.9.7.4+dfsg/debian/patches/0051-CVE-2017-9405-the-ReadICONImage-function-in-icon.c-4.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0051-CVE-2017-9405-the-ReadICONImage-function-in-icon.c-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0051-CVE-2017-9405-the-ReadICONImage-function-in-icon.c-4.patch 2017-07-14 16:56:40.000000000 +0000 
@@ -0,0 +1,37 @@
+From f209d27e145e5b54c7404fbb30413a2691fb8c01 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra
+Date: Tue, 2 May 2017 08:34:29 +0200
+Subject: [PATCH] CVE-2017-9405: the ReadICONImage function in icon.c:452
+ allows attackers to cause a denial of service (memory leak) via a crafted
+ file.
+
+Fixed memory leak reported in #457.
+
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864087
+bug: https://github.com/ImageMagick/ImageMagick/issues/457
+origin: https://github.com/ImageMagick/ImageMagick/commit/29b52a2856c00bae0f11492a124b8d6c1dd9b830
+
+(cherry picked from commit 29b52a2856c00bae0f11492a124b8d6c1dd9b830)
+---
+ coders/icon.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/coders/icon.c b/coders/icon.c
+index b94fa05fa..adfec9116 100644
+--- a/coders/icon.c
++++ b/coders/icon.c
+@@ -455,8 +455,12 @@ static Image *ReadICONImage(const ImageInfo *image_info,
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ count=ReadBlob(image,(size_t) (4*image->colors),icon_colormap);
+ if (count != (ssize_t) (4*image->colors))
+- ThrowReaderException(CorruptImageError,
+- "InsufficientImageDataInFile");
++ {
++ icon_colormap=(unsigned char *) RelinquishMagickMemory(
++ icon_colormap);
++ ThrowReaderException(CorruptImageError,
++ "InsufficientImageDataInFile");
++ }
+ p=icon_colormap;
+ for (i=0; i < (ssize_t) image->colors; i++)
+ {
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0052-CVE-2017-9439.patch imagemagick-6.9.7.4+dfsg/debian/patches/0052-CVE-2017-9439.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0052-CVE-2017-9439.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0052-CVE-2017-9439.patch 2017-07-14 13:35:15.000000000 +0000
@@ -0,0 +1,62 @@ +From a0cecdc8160d2b9ae0730b3bd520a2ebb6e003c2 Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra +Date: Tue, 2 May 2017 08:26:36 +0200 +Subject: [PATCH] CVE-2017-9439 + +A memory leak was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service via a crafted file. + +bug: https://github.com/ImageMagick/ImageMagick/issues/460 +origin: https://github.com/ImageMagick/ImageMagick/commit/6c6abed989ea4a3ef472db65ab487c1809a3a718 +bug-debian: https://bugs.debian.org/864274 + +(cherry picked from commit 6c6abed989ea4a3ef472db65ab487c1809a3a718) +--- + coders/pdb.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +diff --git a/coders/pdb.c b/coders/pdb.c +index 6a0cf5b23..a4f1974e8 100644 +--- a/coders/pdb.c ++++ b/coders/pdb.c +@@ -429,19 +429,25 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception) + case 0: + { + image->compression=NoCompression; +- count=(ssize_t) ReadBlob(image, packets * image -> rows, pixels); ++ count=(ssize_t) ReadBlob(image,packets*image->rows,pixels); + break; + } + case 1: + { + image->compression=RLECompression; +- if (!DecodeImage(image, pixels, packets * image -> rows)) +- ThrowReaderException( CorruptImageError, "RLEDecoderError" ); ++ if (!DecodeImage(image,pixels,packets*image->rows)) ++ { ++ pixels=(unsigned char *) RelinquishMagickMemory(pixels); ++ ThrowReaderException( CorruptImageError,"RLEDecoderError"); ++ } + break; + } + default: +- ThrowReaderException(CorruptImageError, +- "UnrecognizedImageCompressionType" ); ++ { ++ pixels=(unsigned char *) RelinquishMagickMemory(pixels); ++ ThrowReaderException(CorruptImageError, ++ "UnrecognizedImageCompressionType"); ++ } + } + p=pixels; + switch (bits_per_pixel) +@@ -542,7 +548,10 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception) + break; + } + default: ++ { ++ pixels=(unsigned char *) RelinquishMagickMemory(pixels); + 
ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ } + } + pixels=(unsigned char *) RelinquishMagickMemory(pixels); + if (EOFBlob(image) != MagickFalse) diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0053-CVE-2017-9440.patch imagemagick-6.9.7.4+dfsg/debian/patches/0053-CVE-2017-9440.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0053-CVE-2017-9440.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0053-CVE-2017-9440.patch 2017-07-14 13:35:15.000000000 +0000 
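Review bot: In the `case 0:` arm the result of `ReadBlob(image,packets*image->rows,pixels)` is stored in `count`, but nothing in the hunk compares it with the requested length, so a truncated file leaves the tail of `pixels` holding whatever the allocator returned and decoding continues on it; unless that comparison exists after the switch (outside the hunk), it belongs here with the same release-before-throw the other arms now do. The rewritten arm is below; the `case 1:` and `default:` arms are unchanged. ReadPDBImage begins and ends outside the hunk.
```c
case 0:
{
  image->compression=NoCompression;
  count=(ssize_t) ReadBlob(image,packets*image->rows,pixels);
  if (count != (ssize_t) (packets*image->rows))
    {
      pixels=(unsigned char *) RelinquishMagickMemory(pixels);
      ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
    }
  break;
}
/* … unchanged: case 1 (RLE) and default arms … */
```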
@@ -0,0 +1,35 @@
+From fbf30c6e7d23d60a21c7c5be0792dd262b0e2cfc Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra
+Date: Tue, 2 May 2017 09:05:15 +0200
+Subject: [PATCH] CVE-2017-9440
+
+A memory leak was found in the function ReadPSDChannel in coders/psd.c, which allows attackers to cause a denial of service via a crafted file.
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/462
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864273
+origin: https://github.com/ImageMagick/ImageMagick/commit/c2be129c25763680afeca59f4de5d6d4240ca2cf
+
+(cherry picked from commit c2be129c25763680afeca59f4de5d6d4240ca2cf)
+---
+ coders/psd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/psd.c b/coders/psd.c
+index fb93c57dd..2f4a02f11 100644
+--- a/coders/psd.c
++++ b/coders/psd.c
+@@ -1202,12 +1202,14 @@ static MagickBooleanType ReadPSDChannelZip(Image *image,const size_t channels,
+ ret=inflate(&stream, Z_SYNC_FLUSH);
+ if ((ret != Z_OK) && (ret != Z_STREAM_END))
+ {
++ (void) inflateEnd(&stream);
+ compact_pixels=(unsigned char *) RelinquishMagickMemory(
+ compact_pixels);
+ pixels=(unsigned char *) RelinquishMagickMemory(pixels);
+ return(MagickFalse);
+ }
+ }
++ (void) inflateEnd(&stream);
+ }
+
+ if (compression == ZipWithPrediction)
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0054-CVE-2017-10928.patch imagemagick-6.9.7.4+dfsg/debian/patches/0054-CVE-2017-10928.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0054-CVE-2017-10928.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0054-CVE-2017-10928.patch 2017-07-14 13:35:15.000000000 +0000
@@ -0,0 +1,70 @@ +From cd8b03158aba399c5f80df2d48e72afbad2c80de Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Tue, 4 Jul 2017 19:39:46 -0400 +Subject: [PATCH] CVE-2017-10928 + +A heap-based buffer over-read in the GetNextToken function in token.c allows remote attackers to obtain +sensitive information from process memory or possibly have unspecified other impact +via a crafted SVG document that is mishandled in the GetUserSpaceCoordinateValue function in coders/svg.c. + +origin: https://github.com/ImageMagick/ImageMagick/commit/663e70e90257797f4634ea8dd4a31e0947d1f266 +bug: https://github.com/ImageMagick/ImageMagick/issues/539 +bug-debian: https://bugs.debian.org/867367 + +(cherry picked from commit 663e70e90257797f4634ea8dd4a31e0947d1f266) +--- + magick/token.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/magick/token.c b/magick/token.c +index 6fd848730..032e53c62 100644 +--- a/magick/token.c ++++ b/magick/token.c +@@ -180,9 +180,13 @@ MagickExport void GetNextToken(const char *start,const char **end, + register ssize_t + i; + ++ size_t ++ length; ++ + assert(start != (const char *) NULL); + assert(token != (char *) NULL); + i=0; ++ length=strlen(start); + p=start; + while ((isspace((int) ((unsigned char) *p)) != 0) && (*p != '\0')) + p++; +@@ -218,6 +222,8 @@ MagickExport void GetNextToken(const char *start,const char **end, + } + if (i < (ssize_t) (extent-1)) + token[i++]=(*p); ++ if ((p-start) >= length) ++ break; + } + break; + } +@@ -240,8 +246,12 @@ MagickExport void GetNextToken(const char *start,const char **end, + if ((p != q) && (*p != ',')) + { + for ( ; (p < q) && (*p != ','); p++) ++ { + if (i < (ssize_t) (extent-1)) + token[i++]=(*p); ++ if ((p-start) >= length) ++ break; ++ } + if (*p == '%') + if (i < (ssize_t) (extent-1)) + token[i++]=(*p++); +@@ -272,7 +282,11 @@ MagickExport void GetNextToken(const char *start,const char **end, + token[i++]=(*p); + if ((*p == ')') && (*(p-1) != '\\')) + break; ++ if ((p-start) >= 
length) ++ break; + } ++ if ((p-start) >= length) ++ break; + } + break; + } diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0055-CVE-2017-9144-fix-incomplete-patch.patch imagemagick-6.9.7.4+dfsg/debian/patches/0055-CVE-2017-9144-fix-incomplete-patch.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0055-CVE-2017-9144-fix-incomplete-patch.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0055-CVE-2017-9144-fix-incomplete-patch.patch 2017-07-14 13:35:15.000000000 +0000 
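Review bot: Each new `(p-start) >= length` test runs after the character at `p` has already been copied into `token`, so the loop stops one step late and, depending on the loop condition, can copy the terminator itself; folding the bound into the loop condition keeps the check ahead of the access, e.g. in the second hunk `for ( ; (p < q) && (*p != ',') && ((size_t) (p-start) < length); p++)`, and the same reordering applies to the first and third hunks. The comparison also mixes a `ptrdiff_t` with a `size_t`; the cast shown silences that and makes the intent explicit. Separately, `length=strlen(start)` rescans the whole input on every call, so if GetNextToken is invoked once per token over a long document the tokenizer becomes quadratic on attacker-sized input — the call pattern is outside this hunk, but passing or caching the length would remove that cost. GetNextToken's body extends beyond what these hunks show.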
@@ -0,0 +1,89 @@ +From 0d0707a60be40e2dfb728d6574831fd94dd485c1 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Wed, 31 May 2017 06:20:59 -0400 +Subject: [PATCH] CVE-2017-9144 fix incomplete patch + +a crafted RLE image can trigger a crash because of incorrect EOF handling in coders/rle.c + +bug: https://github.com/ImageMagick/ImageMagick/issues/502 +origin: https://github.com/ImageMagick/ImageMagick/commit/7f1f01b695e869c410ee10e2176f8fd764f09373 +bug-debian: https://bugs.debian.org/863126 + +(cherry picked from commit 7f1f01b695e869c410ee10e2176f8fd764f09373) +--- + coders/rle.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/coders/rle.c b/coders/rle.c +index 5279f451c..0326897e1 100644 +--- a/coders/rle.c ++++ b/coders/rle.c +@@ -383,12 +383,12 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + case SkipLinesOp: + { + operand=ReadBlobByte(image); +- if (opcode == EOF) ++ if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + if (opcode & 0x40) + { + operand=ReadBlobLSBSignedShort(image); +- if (opcode == EOF) ++ if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } + x=0; +@@ -398,7 +398,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + case SetColorOp: + { + operand=ReadBlobByte(image); +- if (opcode == EOF) ++ if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + plane=(unsigned char) operand; + if (plane == 255) +@@ -409,12 +409,12 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + case SkipPixelsOp: + { + operand=ReadBlobByte(image); +- if (opcode == EOF) ++ if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + if (opcode & 0x40) + { + operand=ReadBlobLSBSignedShort(image); +- if (opcode == EOF) ++ if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } + 
x+=operand; +@@ -423,12 +423,12 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + case ByteDataOp: + { + operand=ReadBlobByte(image); +- if (opcode == EOF) ++ if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + if (opcode & 0x40) + { + operand=ReadBlobLSBSignedShort(image); +- if (opcode == EOF) ++ if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } + offset=(ssize_t) (((image->rows-y-1)*image->columns*number_planes)+x* +@@ -459,12 +459,12 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + case RunDataOp: + { + operand=ReadBlobByte(image); +- if (opcode == EOF) ++ if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + if (opcode & 0x40) + { + operand=ReadBlobLSBSignedShort(image); +- if (opcode == EOF) ++ if (operand == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } + pixel=(unsigned char) ReadBlobByte(image); diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0056-1-2-Enable-heap-overflow-check-for-stdin-for-mpc-fil.patch imagemagick-6.9.7.4+dfsg/debian/patches/0056-1-2-Enable-heap-overflow-check-for-stdin-for-mpc-fil.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0056-1-2-Enable-heap-overflow-check-for-stdin-for-mpc-fil.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0056-1-2-Enable-heap-overflow-check-for-stdin-for-mpc-fil.patch 2017-07-14 13:35:15.000000000 +0000 
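Review bot: `operand == EOF` after `ReadBlobLSBSignedShort(image)` is not a reliable truncation test: that call returns a two-byte signed value, so -1 is also a legitimately encoded operand (0xFFFF) and would be rejected as end-of-file, and how the function signals a short read is not visible here; checking `EOFBlob(image) != MagickFalse` after the short read, as this patch series already does elsewhere in ReadRLEImage, is unambiguous, and the same applies to every `opcode & 0x40` branch in this hunk. The hunk's last line, `pixel=(unsigned char) ReadBlobByte(image);`, still converts EOF to 0xFF without a check, so a truncated RunDataOp run is silently filled with 0xFF instead of being reported. The enclosing switch continues outside the hunk.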
@@ -0,0 +1,37 @@ +From aa269eed49a647cc5259e4195d81008c3077e636 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 6 Jul 2017 06:41:49 -0400 +Subject: [PATCH] [1/2] Enable heap overflow check for stdin for mpc files + +Enabling seekable streams is required to ensure checking the blob size +works when an image is streamed on stdin. + +origin: https://github.com/ImageMagick/ImageMagick/commit/b007dd3a048097d8f58949297f5b434612e1e1a3 +bug: https://github.com/ImageMagick/ImageMagick/issues/556 +bug-debian: https://bugs.debian.org/867896 + +(cherry picked from commit b007dd3a048097d8f58949297f5b434612e1e1a3) +--- + coders/mpc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/coders/mpc.c b/coders/mpc.c +index ca479dc43..f49abaaf0 100644 +--- a/coders/mpc.c ++++ b/coders/mpc.c +@@ -1006,6 +1006,7 @@ ModuleExport size_t RegisterMPCImage(void) + entry=SetMagickInfo("CACHE"); + entry->description=ConstantString("Magick Persistent Cache image format"); + entry->module=ConstantString("MPC"); ++ entry->seekable_stream=MagickTrue; + entry->stealth=MagickTrue; + (void) RegisterMagickInfo(entry); + entry=SetMagickInfo("MPC"); +@@ -1013,6 +1014,7 @@ ModuleExport size_t RegisterMPCImage(void) + entry->encoder=(EncodeImageHandler *) WriteMPCImage; + entry->magick=(IsImageFormatHandler *) IsMPC; + entry->description=ConstantString("Magick Persistent Cache image format"); ++ entry->seekable_stream=MagickTrue; + entry->module=ConstantString("MPC"); + (void) RegisterMagickInfo(entry); + return(MagickImageCoderSignature); diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0057-2-2-Enable-heap-overflow-check-for-stdin-for-mpc-fil.patch imagemagick-6.9.7.4+dfsg/debian/patches/0057-2-2-Enable-heap-overflow-check-for-stdin-for-mpc-fil.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0057-2-2-Enable-heap-overflow-check-for-stdin-for-mpc-fil.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
imagemagick-6.9.7.4+dfsg/debian/patches/0057-2-2-Enable-heap-overflow-check-for-stdin-for-mpc-fil.patch 2017-07-14 13:35:15.000000000 +0000 @@ -0,0 +1,29 @@ +From 6196214011422607a61bf44964d6326ee9b325e9 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 6 Jul 2017 06:43:32 -0400 +Subject: [PATCH] [2/2] Enable heap overflow check for stdin for mpc files + +Enabling seekable streams is required to ensure checking the blob size +works when an image is streamed on stdin. + +origin: https://github.com/ImageMagick/ImageMagick/commit/529ff26b68febb2ac03062c58452ea0b4c6edbc1 +bug: https://github.com/ImageMagick/ImageMagick/issues/556 +bug-debian: https://bugs.debian.org/867896 + +(cherry picked from commit 529ff26b68febb2ac03062c58452ea0b4c6edbc1) +--- + coders/mpc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/coders/mpc.c b/coders/mpc.c +index f49abaaf0..3c8f7d6f7 100644 +--- a/coders/mpc.c ++++ b/coders/mpc.c +@@ -1006,7 +1006,6 @@ ModuleExport size_t RegisterMPCImage(void) + entry=SetMagickInfo("CACHE"); + entry->description=ConstantString("Magick Persistent Cache image format"); + entry->module=ConstantString("MPC"); +- entry->seekable_stream=MagickTrue; + entry->stealth=MagickTrue; + (void) RegisterMagickInfo(entry); + entry=SetMagickInfo("MPC"); diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0058-1-2-CPU-exhaustion-in-ReadDPXImage.patch imagemagick-6.9.7.4+dfsg/debian/patches/0058-1-2-CPU-exhaustion-in-ReadDPXImage.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0058-1-2-CPU-exhaustion-in-ReadDPXImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0058-1-2-CPU-exhaustion-in-ReadDPXImage.patch 2017-07-14 13:35:15.000000000 +0000 
@@ -0,0 +1,39 @@ +From 05c47cad17514d3fd125275a859bd84fad9bf941 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 8 Jun 2017 09:04:32 -0400 +Subject: [PATCH] [1/2] CPU exhaustion in ReadDPXImage + +Because dpx.file.image_offset is a unsigned int, it can be controlled +as large as 4294967295. +This will cause ImageMagick spend a lot of time to process a crafted +DPX imagefile, even if the imagefile is very small. + +origin: https://github.com/ImageMagick/ImageMagick/commit/42ceb8ee940a4c0bddeaf22e5a9c20cea2e85a8f +bug: https://github.com/ImageMagick/ImageMagick/issues/509 +bug-debian: https://bugs.debian.org/867806 + +(cherry picked from commit 42ceb8ee940a4c0bddeaf22e5a9c20cea2e85a8f) +--- + coders/dpx.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/coders/dpx.c b/coders/dpx.c +index a050f5e5a..c1a4c7757 100644 +--- a/coders/dpx.c ++++ b/coders/dpx.c +@@ -1126,10 +1126,11 @@ static Image *ReadDPXImage(const ImageInfo *image_info,ExceptionInfo *exception) + } + } + for ( ; offset < (MagickOffsetType) dpx.file.image_offset; offset++) +- (void) ReadBlobByte(image); +- /* +- Read DPX image header. +- */ ++ if (ReadBlobByte(image) == EOF) ++ break; ++ if (EOFBlob(image) != MagickFalse) ++ ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile", ++ image->filename); + if (image_info->ping != MagickFalse) + { + (void) CloseBlob(image); diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0059-1-2-CPU-exhaustion-in-ReadDPXImage.patch imagemagick-6.9.7.4+dfsg/debian/patches/0059-1-2-CPU-exhaustion-in-ReadDPXImage.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0059-1-2-CPU-exhaustion-in-ReadDPXImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0059-1-2-CPU-exhaustion-in-ReadDPXImage.patch 2017-07-14 13:35:15.000000000 +0000 
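Review bot: `ThrowFileException` on the added lines records the error in `exception` but, unlike `ThrowReaderException`, does not return from ReadDPXImage, so after a truncated header the decoder continues into the header parsing that follows with an exhausted blob; the companion DPX patch in this series (0059) uses `ThrowReaderException(CorruptImageError,"UnableToReadImageData")` for the same condition, and that form actually stops the decode. ThrowFileException also reports `errno`, which a clean end-of-file does not set, so the message would be misleading. The skip loop is now bounded by the file size, but it still consumes up to `dpx.file.image_offset` bytes one call at a time; when the blob is seekable, `SeekBlob` as the 0059 hunk does for `data_offset` would do it in one step. ReadDPXImage continues outside this hunk.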
@@ -0,0 +1,33 @@ +From 7439cc1da9a73844dfb47a39d42f89f918673f6f Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Thu, 8 Jun 2017 09:07:39 -0400 +Subject: [PATCH] [1/2] CPU exhaustion in ReadDPXImage + +Because dpx.file.image_offset is a unsigned int, it can be controlled +as large as 4294967295. +This will cause ImageMagick spend a lot of time to process a crafted +DPX imagefile, even if the imagefile is very small. + +origin: https://github.com/ImageMagick/ImageMagick/commit/4faa884efefa85f4203291c8be2e6b0c2707554c +bug: https://github.com/ImageMagick/ImageMagick/issues/509 +bug-debian: https://bugs.debian.org/867806 + +(cherry picked from commit 4faa884efefa85f4203291c8be2e6b0c2707554c) +--- + coders/dpx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/coders/dpx.c b/coders/dpx.c +index c1a4c7757..81a141370 100644 +--- a/coders/dpx.c ++++ b/coders/dpx.c +@@ -1158,7 +1158,8 @@ static Image *ReadDPXImage(const ImageInfo *image_info,ExceptionInfo *exception) + offset=SeekBlob(image,data_offset,SEEK_SET); + else + for ( ; offset < data_offset; offset++) +- (void) ReadBlobByte(image); ++ if (ReadBlobByte(image) == EOF) ++ break; + if (offset != data_offset) + ThrowReaderException(CorruptImageError,"UnableToReadImageData"); + } diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0060-CPU-exhaustion-in-ReadRLEImage.patch imagemagick-6.9.7.4+dfsg/debian/patches/0060-CPU-exhaustion-in-ReadRLEImage.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0060-CPU-exhaustion-in-ReadRLEImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0060-CPU-exhaustion-in-ReadRLEImage.patch 2017-07-14 13:35:15.000000000 +0000 
@@ -0,0 +1,54 @@ +From fac3c804f22a3d4fd9e6b90e0df919d54e38af6a Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Fri, 23 Jun 2017 08:59:30 -0400 +Subject: [PATCH] CPU exhaustion in ReadRLEImage + +A corrupted rle file could trigger a DOS + +bug: https://github.com/ImageMagick/ImageMagick/issues/518 +bug-debian: https://bugs.debian.org/867808 +origin: https://github.com/ImageMagick/ImageMagick/commit/224bc946b24824a77e8e8c52ee07e9bc65796e30 + +(cherry picked from commit 224bc946b24824a77e8e8c52ee07e9bc65796e30) +--- + coders/rle.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/coders/rle.c b/coders/rle.c +index 0326897e1..9945a88fa 100644 +--- a/coders/rle.c ++++ b/coders/rle.c +@@ -270,7 +270,14 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + (void) ReadBlobByte(image); + if (EOFBlob(image) != MagickFalse) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); +- colormap=(unsigned char *) NULL; ++ if (image->matte != MagickFalse) ++ number_planes++; ++ number_pixels=(MagickSizeType) image->columns*image->rows; ++ if ((GetBlobSize(image) == 0) || ((((MagickSizeType) number_pixels* ++ number_planes*bits_per_pixel/8)/GetBlobSize(image)) > 254.0)) ++ ThrowRLEException(CorruptImageError,"InsufficientImageDataInFile") ++ if (((MagickSizeType) number_colormaps*map_length) > GetBlobSize(image)) ++ ThrowRLEException(CorruptImageError,"InsufficientImageDataInFile") + if (number_colormaps != 0) + { + /* +@@ -329,9 +336,6 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + /* + Allocate RLE pixels. + */ +- if (image->matte != MagickFalse) +- number_planes++; +- number_pixels=(MagickSizeType) image->columns*image->rows; + number_planes_filled=(number_planes % 2 == 0) ? 
number_planes : + number_planes+1; + if ((number_pixels*number_planes_filled) != (size_t) (number_pixels* +@@ -740,6 +744,7 @@ ModuleExport size_t RegisterRLEImage(void) + entry=SetMagickInfo("RLE"); + entry->decoder=(DecodeImageHandler *) ReadRLEImage; + entry->magick=(IsImageFormatHandler *) IsRLE; ++ entry->blob_support=MagickFalse; + entry->adjoin=MagickFalse; + entry->description=ConstantString("Utah Run length encoded image"); + entry->module=ConstantString("RLE"); diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0061-Memory-exhaustion-in-ReadCINImage.patch imagemagick-6.9.7.4+dfsg/debian/patches/0061-Memory-exhaustion-in-ReadCINImage.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0061-Memory-exhaustion-in-ReadCINImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0061-Memory-exhaustion-in-ReadCINImage.patch 2017-07-14 13:35:15.000000000 +0000 
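Review bot: The ratio guard `(((MagickSizeType) number_pixels*number_planes*bits_per_pixel/8)/GetBlobSize(image)) > 254.0` performs an integer division and only then compares with a double, so the fraction the `254.0` implies is never present; either write `> 254` to match the arithmetic or cast before dividing, and add a comment naming what 254 stands for (presumably the largest plausible expansion of RLE data — confirm). The two new `ThrowRLEException(...)` lines lack the trailing `;` that every other call site in this file carries; they compile only because the macro expands to a braced block, and a reader will take them for a typo. Whether `number_pixels*number_planes*bits_per_pixel` is already bounded against overflow by an earlier limit check in ReadRLEImage is outside the hunk.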
@@ -0,0 +1,55 @@ +From 238dab224683098cafc3b41e9f63113ff14b810c Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Fri, 23 Jun 2017 09:30:29 -0400 +Subject: [PATCH] Memory exhaustion in ReadCINImage + +When identify CIN file that contains User defined data, imagemagick will allocate memory to store the +data in function ReadCINImage in coders\inc.c + +There is a security checking in the function SetImageExtent, +but it after memory allocation, so IM can not control the memory usage + +bug: https://github.com/ImageMagick/ImageMagick/issues/519 +bug-debian: https://bugs.debian.org/867810 +origin: https://github.com/ImageMagick/ImageMagick/commit/8e576918eb28501626040d925d19a0910f3dfac4 + +(cherry picked from commit 8e576918eb28501626040d925d19a0910f3dfac4) +--- + coders/cin.c | 3 +++ + coders/rle.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/coders/cin.c b/coders/cin.c +index f394d8c00..1ef0ff296 100644 +--- a/coders/cin.c ++++ b/coders/cin.c +@@ -710,6 +710,8 @@ static Image *ReadCINImage(const ImageInfo *image_info,ExceptionInfo *exception) + /* + User defined data. 
+ */ ++ if (cin.file.user_length > GetBlobSize(image)) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + profile=BlobToStringInfo((const void *) NULL,cin.file.user_length); + if (profile == (StringInfo *) NULL) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); +@@ -822,6 +824,7 @@ ModuleExport size_t RegisterCINImage(void) + entry->encoder=(EncodeImageHandler *) WriteCINImage; + entry->magick=(IsImageFormatHandler *) IsCIN; + entry->adjoin=MagickFalse; ++ entry->seekable_stream=MagickTrue; + entry->description=ConstantString("Cineon Image File"); + entry->module=ConstantString("CIN"); + (void) RegisterMagickInfo(entry); +diff --git a/coders/rle.c b/coders/rle.c +index 9945a88fa..b3f55090a 100644 +--- a/coders/rle.c ++++ b/coders/rle.c +@@ -744,7 +744,7 @@ ModuleExport size_t RegisterRLEImage(void) + entry=SetMagickInfo("RLE"); + entry->decoder=(DecodeImageHandler *) ReadRLEImage; + entry->magick=(IsImageFormatHandler *) IsRLE; +- entry->blob_support=MagickFalse; ++ entry->seekable_stream=MagickTrue; + entry->adjoin=MagickFalse; + entry->description=ConstantString("Utah Run length encoded image"); + entry->module=ConstantString("RLE"); diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0062-memory-leak-in-ReadDIBImage-in-dib.c.patch imagemagick-6.9.7.4+dfsg/debian/patches/0062-memory-leak-in-ReadDIBImage-in-dib.c.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0062-memory-leak-in-ReadDIBImage-in-dib.c.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0062-memory-leak-in-ReadDIBImage-in-dib.c.patch 2017-07-14 13:35:15.000000000 +0000 
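Review bot: The second file touched by this commit, coders/rle.c, replaces `entry->blob_support=MagickFalse;` (introduced by the preceding RLE patch in this series) with `entry->seekable_stream=MagickTrue;`, and the patch header says nothing about it; a sentence such as "also switch RLE from disabling blob support to requiring a seekable stream so that GetBlobSize is meaningful for its size checks" would keep the backport's intent discoverable. In cin.c the new guard compares `cin.file.user_length` with the whole blob size rather than with the bytes remaining after the header, so a length just under the file size still passes and is presumably caught only by the read that follows (outside the hunk); that is adequate for bounding the allocation, but a comment, `/* upper bound only; the read below detects short data */`, stops a reader from assuming the data is guaranteed present.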
@@ -0,0 +1,31 @@ +From 658adf1c44eb46d33261a37554b656d9fb0e319a Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sat, 24 Jun 2017 08:07:17 -0400 +Subject: [PATCH] memory leak in ReadDIBImage in dib.c + +The ReadDIBImage function in dib.c allows attackers to cause a denial of service (memory leak) +via a small crafted dib file. + +bug: https://github.com/ImageMagick/ImageMagick/issues/522 +bug-debian: https://bugs.debian.org/867811 +origin: https://github.com/ImageMagick/ImageMagick/commit/e5b294754697d9e261224ad4f6e8eeee9e04275f +--- + coders/dib.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/coders/dib.c b/coders/dib.c +index ce2e6ee90..0ec9183f2 100644 +--- a/coders/dib.c ++++ b/coders/dib.c +@@ -623,7 +623,10 @@ static Image *ReadDIBImage(const ImageInfo *image_info,ExceptionInfo *exception) + packet_size=4; + count=ReadBlob(image,packet_size*image->colors,dib_colormap); + if (count != (ssize_t) (packet_size*image->colors)) +- ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); ++ { ++ dib_colormap=(unsigned char *) RelinquishMagickMemory(dib_colormap); ++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); ++ } + p=dib_colormap; + for (i=0; i < (ssize_t) image->colors; i++) + { diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0063-memory-exhaustion-in-ReadDPXImage-in-dpx.c.patch imagemagick-6.9.7.4+dfsg/debian/patches/0063-memory-exhaustion-in-ReadDPXImage-in-dpx.c.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0063-memory-exhaustion-in-ReadDPXImage-in-dpx.c.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0063-memory-exhaustion-in-ReadDPXImage-in-dpx.c.patch 2017-07-14 13:35:15.000000000 +0000 
@@ -0,0 +1,39 @@ +From 295ccbb111d9887204e5961e2da30bac4238d57e Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sat, 24 Jun 2017 08:29:29 -0400 +Subject: [PATCH] memory exhaustion in ReadDPXImage in dpx.c + +When identify DPX file that contains user header data, imagemagick will allocate memory to store the data in function ReadDPXImage in coders\dpx.c + +There is a security checking in the function SetImageExtent, but it is too late, so IM can not control the memory usage + +bug: https://github.com/ImageMagick/ImageMagick/issues/523 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867812 +origin: https://github.com/ImageMagick/ImageMagick/commit/961eb7c6fe2f1efc0be11d950c4500cd0cd17702 + +(cherry picked from commit 961eb7c6fe2f1efc0be11d950c4500cd0cd17702) +--- + coders/dpx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/coders/dpx.c b/coders/dpx.c +index 81a141370..ef42a7ab6 100644 +--- a/coders/dpx.c ++++ b/coders/dpx.c +@@ -1115,6 +1115,8 @@ static Image *ReadDPXImage(const ImageInfo *image_info,ExceptionInfo *exception) + StringInfo + *profile; + ++ if (dpx.file.user_size > GetBlobSize(image)) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + profile=BlobToStringInfo((const void *) NULL, + dpx.file.user_size-sizeof(dpx.user.id)); + if (profile == (StringInfo *) NULL) +@@ -1338,6 +1340,7 @@ ModuleExport size_t RegisterDPXImage(void) + entry->decoder=(DecodeImageHandler *) ReadDPXImage; + entry->encoder=(EncodeImageHandler *) WriteDPXImage; + entry->magick=(IsImageFormatHandler *) IsDPX; ++ entry->seekable_stream=MagickTrue; + entry->adjoin=MagickFalse; + entry->description=ConstantString("SMPTE 268M-2003 (DPX 2.0)"); + entry->note=ConstantString(DPXNote); diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0064-assertion-failed-in-WriteBlob.patch imagemagick-6.9.7.4+dfsg/debian/patches/0064-assertion-failed-in-WriteBlob.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0064-assertion-failed-in-WriteBlob.patch 1970-01-01 
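Review bot: The new guard bounds `dpx.file.user_size` from above only, yet the very next statement computes `dpx.file.user_size-sizeof(dpx.user.id)`, which wraps to a huge value whenever user_size is smaller than `sizeof(dpx.user.id)`; unless the enclosing `if` (outside the hunk) already requires `user_size > sizeof(dpx.user.id)`, the check should read `if ((dpx.file.user_size < sizeof(dpx.user.id)) || (dpx.file.user_size > GetBlobSize(image)))`. The comparison against the whole blob size rather than the bytes remaining at the current position is a loose bound — fine for limiting the allocation, but worth saying so in a comment so nobody later treats it as a guarantee that the data is present.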
00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0064-assertion-failed-in-WriteBlob.patch 2017-07-14 13:35:15.000000000 +0000 @@ -0,0 +1,34 @@ +From a201ee8de5c22f57be9c72bd807cf805b4896dd9 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sun, 4 Jun 2017 07:23:56 -0400 +Subject: [PATCH] assertion failed in WriteBlob + +On version: ImageMagick 7.0.5-10 , a crafted file revealed an +assertion failure in blob.c. + +bug: https://github.com/ImageMagick/ImageMagick/issues/506 +bug-debian: https://bugs.debian.org/867798 +origin: https://github.com/ImageMagick/ImageMagick/commit/c6a9837c00f73a77a58aeb22acdd08e0cd7f2684 + +(cherry picked from commit c6a9837c00f73a77a58aeb22acdd08e0cd7f2684) +--- + magick/blob.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/magick/blob.c b/magick/blob.c +index bb490b421..3b9bce0ab 100644 +--- a/magick/blob.c ++++ b/magick/blob.c +@@ -4436,11 +4436,11 @@ MagickExport ssize_t WriteBlob(Image *image,const size_t length, + + assert(image != (Image *) NULL); + assert(image->signature == MagickSignature); +- assert(data != (const unsigned char *) NULL); + assert(image->blob != (BlobInfo *) NULL); + assert(image->blob->type != UndefinedStream); + if (length == 0) + return(0); ++ assert(data != (const unsigned char *) NULL); + count=0; + p=data; + switch (image->blob->type) diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0065-Memory-exhaustion-in-ReadEPTImage-in-ept.c.patch imagemagick-6.9.7.4+dfsg/debian/patches/0065-Memory-exhaustion-in-ReadEPTImage-in-ept.c.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0065-Memory-exhaustion-in-ReadEPTImage-in-ept.c.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0065-Memory-exhaustion-in-ReadEPTImage-in-ept.c.patch 2017-07-14 13:35:15.000000000 +0000 
@@ -0,0 +1,35 @@ +From 12cc97cc627e4d225b7aa75f01597b203cc3767b Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sat, 24 Jun 2017 08:24:01 -0400 +Subject: [PATCH] Memory exhaustion in ReadEPTImage in ept.c + +When identify EPT file , imagemagick will allocate memory to store the data. +There is a security checking in the function SetImageExtent, but it is not used in +the allocation function, so IM can not control the memory usage + +bug: https://github.com/ImageMagick/ImageMagick/issues/524 +bug-debian: https://bugs.debian.org/867821 +origin: https://github.com/ImageMagick/ImageMagick/commit/eee1829d5908019721972baece1e3a157a897d24 +--- + coders/ept.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/coders/ept.c b/coders/ept.c +index f4b915bde..e6bc619ed 100644 +--- a/coders/ept.c ++++ b/coders/ept.c +@@ -197,10 +197,14 @@ static Image *ReadEPTImage(const ImageInfo *image_info,ExceptionInfo *exception) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + ept_info.postscript_offset=(MagickOffsetType) ReadBlobLSBLong(image); + ept_info.postscript_length=ReadBlobLSBLong(image); ++ if (ept_info.postscript_length > GetBlobSize(image)) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + (void) ReadBlobLSBLong(image); + (void) ReadBlobLSBLong(image); + ept_info.tiff_offset=(MagickOffsetType) ReadBlobLSBLong(image); + ept_info.tiff_length=ReadBlobLSBLong(image); ++ if (ept_info.tiff_length > GetBlobSize(image)) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + (void) ReadBlobLSBShort(image); + ept_info.postscript=(unsigned char *) AcquireQuantumMemory( + ept_info.postscript_length+1,sizeof(*ept_info.postscript)); diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0066-CVE-2017-11141-memory-exhaustion-in-ReadMATImage.patch imagemagick-6.9.7.4+dfsg/debian/patches/0066-CVE-2017-11141-memory-exhaustion-in-ReadMATImage.patch --- 
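Review bot: The two new checks bound `postscript_length` and `tiff_length` individually against the blob size, but the matching `postscript_offset` and `tiff_offset` stay unvalidated and each length is compared with the whole file rather than with what remains after its offset, so a section whose offset plus length runs past the end still passes here and is short-read by whatever follows (outside the hunk). If the code that follows seeks to those offsets, the tighter form `if (((MagickSizeType) ept_info.postscript_offset+ept_info.postscript_length) > GetBlobSize(image))` — and likewise for the TIFF section — keeps the allocation bound the commit wants and also rejects inconsistent headers up front. ReadEPTImage continues outside this hunk.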
imagemagick-6.9.7.4+dfsg/debian/patches/0066-CVE-2017-11141-memory-exhaustion-in-ReadMATImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0066-CVE-2017-11141-memory-exhaustion-in-ReadMATImage.patch 2017-07-14 13:35:15.000000000 +0000 
@@ -0,0 +1,43 @@ +From fa0ed20f7d7f31fd5dc7182bdec36870028dbfbe Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra +Date: Sun, 7 May 2017 09:53:03 +0200 +Subject: [PATCH] CVE-2017-11141 memory exhaustion in ReadMATImage + +When identify MAT file, imagemagick will allocate memory to store data in function ReadMATImage in coders\mat.c, line 1094 + +modifying MAT's MATLAB_HDR can cause ImageMagick to allocate a anysize amount of memory, this may cause a memory exhaustion + +This is CVE-2017-11141 + +bug: https://github.com/ImageMagick/ImageMagick/issues/469 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868264 +origin: https://github.com/ImageMagick/ImageMagick/commit/353b942bd83da7e1356ba99c942848bd1871ee9f +(cherry picked from commit 353b942bd83da7e1356ba99c942848bd1871ee9f) +--- + coders/mat.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/coders/mat.c b/coders/mat.c +index e262e5795..1c5affe1b 100644 +--- a/coders/mat.c ++++ b/coders/mat.c +@@ -1092,9 +1092,6 @@ RestoreMSCWarning + (void) sample_size; + image->columns = MATLAB_HDR.SizeX; + image->rows = MATLAB_HDR.SizeY; +- quantum_info=AcquireQuantumInfo(clone_info,image); +- if (quantum_info == (QuantumInfo *) NULL) +- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + one=1; + image->colors = one << image->depth; + if (image->columns == 0 || image->rows == 0) +@@ -1125,6 +1122,9 @@ RestoreMSCWarning + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } ++ quantum_info=AcquireQuantumInfo(clone_info,image); ++ if (quantum_info == (QuantumInfo *) NULL) ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + + /* ----- Load raster data ----- */ + BImgBuff = (unsigned char *) AcquireQuantumMemory((size_t) (ldblk),sizeof(double)); /* Ldblk was set in the check phase */ diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0067-CVE-2017-11170-memory-exhaustion-in-ReadTGAImage.patch 
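Review bot: Moving `AcquireQuantumInfo` below the block that ends in `return(DestroyImageList(image));` deserves a comment at the new call site, because nothing in the code explains why the allocation cannot sit with the other header fields where it was; something like `/* Acquire quantum info only after SetImageExtent has enforced the resource limits, so an oversized header cannot force this allocation first */` captures the commit message's reasoning in the source. The early returns between the old and new locations no longer need to release `quantum_info`, but any path between the new call and the raster load that still returns without destroying it is outside this hunk.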
imagemagick-6.9.7.4+dfsg/debian/patches/0067-CVE-2017-11170-memory-exhaustion-in-ReadTGAImage.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0067-CVE-2017-11170-memory-exhaustion-in-ReadTGAImage.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0067-CVE-2017-11170-memory-exhaustion-in-ReadTGAImage.patch 2017-07-14 13:35:15.000000000 +0000 
@@ -0,0 +1,34 @@ +From 4e070c63eec8aefa3628dc0acfc430ac55771083 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sat, 6 May 2017 13:31:00 -0400 +Subject: [PATCH] CVE-2017-11170 memory exhaustion in ReadTGAImage + +When identify VST file, imagemagick will allocate memory to store data in function ReadTGAImage in coders\tga.c +using tga_info.bits_per_pixel field diretly from VST file without checking in tga.c +By review the founction code, tga_info.bits_per_pixel max valid value is 32. +On 32bit os, size_t one will be 32bit, so image->colors can be overflow to 0. +On 64bit os, size_t one will be 64bit, so image->colors can be large as 0x100000000(64GB). + +Original patch was edited to remove magick/image.c modifications that lead to compile error +(reverted in 87664f06ef49a1635cf83ab19981800fc655b746) + +bug: CVE-2017-11170 memory exhaustion in ReadTGAImage +origin: https://github.com/ImageMagick/ImageMagick/commit/ea03f17c96467d037d1a21fba1b0b35613658d5b +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868184 +--- + coders/tga.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/coders/tga.c b/coders/tga.c +index 7b87278ef..2402fe2c5 100644 +--- a/coders/tga.c ++++ b/coders/tga.c +@@ -274,6 +274,8 @@ static Image *ReadTGAImage(const ImageInfo *image_info, + + one=1; + image->colors=one << tga_info.bits_per_pixel; ++ if (image->colors > ((~0UL)/sizeof(*image->colormap))) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + if (AcquireImageColormap(image,image->colors) == MagickFalse) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0068-1-3-CVE-2017-9501-Fixed-incorrect-call-to-DestroyIma.patch imagemagick-6.9.7.4+dfsg/debian/patches/0068-1-3-CVE-2017-9501-Fixed-incorrect-call-to-DestroyIma.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0068-1-3-CVE-2017-9501-Fixed-incorrect-call-to-DestroyIma.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
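Review bot: The added check runs after `image->colors=one << tga_info.bits_per_pixel;`, so the shift itself is still unguarded: `bits_per_pixel` comes straight from the file header, and shifting a `size_t` by 32 or more on a 32-bit build (or 64 or more on any build) is undefined behaviour rather than the "overflow to 0" the commit message describes, which means the guard may see an arbitrary value or be optimised away. Since the message states the maximum valid depth is 32, validating the field before the shift — `if (tga_info.bits_per_pixel > 32) ThrowReaderException(CorruptImageError,"ImproperImageHeader");` — closes that path; whether the field is already range-checked earlier in ReadTGAImage is outside the hunk. The new comparison would also read more clearly as `image->colors > (SIZE_MAX/sizeof(*image->colormap))`, since `~0UL` is not `size_t` on every platform.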
imagemagick-6.9.7.4+dfsg/debian/patches/0068-1-3-CVE-2017-9501-Fixed-incorrect-call-to-DestroyIma.patch 2017-07-14 13:35:15.000000000 +0000 @@ -0,0 +1,30 @@ +From 9ca3726b3d1403c194888abacbd6389d430cef61 Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra +Date: Mon, 15 May 2017 21:24:24 +0200 +Subject: [PATCH] [1/3] CVE-2017-9501 Fixed incorrect call to DestroyImage + reported in #491. + +an assertion failure was found in the function LockSemaphoreInfo, which allows attackers to cause a denial of service via a crafted file. + +bug: https://github.com/ImageMagick/ImageMagick/issues/491 +bug-debian: https://bugs.debian.org/867721 +origin: https://github.com/ImageMagick/ImageMagick/commit/01843366d6a7b96e22ad7bb67f3df7d9fd4d5d74 + +(cherry picked from commit 01843366d6a7b96e22ad7bb67f3df7d9fd4d5d74) +--- + magick/image.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/magick/image.c b/magick/image.c +index cb6b6efc9..4609dabeb 100644 +--- a/magick/image.c ++++ b/magick/image.c +@@ -833,7 +833,7 @@ MagickExport Image *CloneImage(const Image *image,const size_t columns, + sizeof(*clone_image->colormap)); + if (clone_image->colormap == (PixelPacket *) NULL) + { +- clone_image=DestroyImage(clone_image); ++ image=(Image *) RelinquishMagickMemory(image); + ThrowImageException(ResourceLimitError,"MemoryAllocationFailed"); + } + (void) CopyMagickMemory(clone_image->colormap,image->colormap,length* diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0069-2-3-CVE-2017-9501-Avoid-an-off-by-one-error.patch imagemagick-6.9.7.4+dfsg/debian/patches/0069-2-3-CVE-2017-9501-Avoid-an-off-by-one-error.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0069-2-3-CVE-2017-9501-Avoid-an-off-by-one-error.patch 1970-01-01 00:00:00.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0069-2-3-CVE-2017-9501-Avoid-an-off-by-one-error.patch 2017-07-14 13:35:15.000000000 +0000 
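Review bot: The replacement line frees the wrong object: `image` is the `const Image *` source that the caller still owns (the hunk header shows `CloneImage(const Image *image,...)` and the following context line reads `image->colormap` from it), while `clone_image`, whose colormap allocation just failed, is left allocated. As written the failure path hands the caller's image to RelinquishMagickMemory — bypassing DestroyImage, so none of its own members are released — and then returns, leaving the caller with a dangling pointer on top of the leak of clone_image. The intent of the commit (avoid DestroyImage on a partially constructed clone, presumably what trips the LockSemaphoreInfo assertion) is met by `clone_image=(Image *) RelinquishMagickMemory(clone_image);`, ideally with `/* clone_image is only partially initialized here; DestroyImage would assert */` above it. The third patch in this series appears to rewrite this block, so the final state should be checked as well, but this intermediate patch is wrong on its own.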
@@ -0,0 +1,29 @@
+From c13e615460022416fa8f106107f863cb0955a0fa Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 15 May 2017 19:07:56 -0400
+Subject: [PATCH] [2/3] CVE-2017-9501 Avoid an off-by one error
+
+an assertion failure was found in the function LockSemaphoreInfo, which allows attackers to cause a denial of service via a crafted file.
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/491
+bug-debian: https://bugs.debian.org/867721
+origin: https://github.com/ImageMagick/ImageMagick/commit/b21f81ab5e31f5f0bbf177663e2c3d888135ab9b
+
+(cherry picked from commit b21f81ab5e31f5f0bbf177663e2c3d888135ab9b)
+---
+ magick/image.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/magick/image.c b/magick/image.c
+index 4609dabeb..8a35cce38 100644
+--- a/magick/image.c
++++ b/magick/image.c
+@@ -829,7 +829,7 @@ MagickExport Image *CloneImage(const Image *image,const size_t columns,
+ */
+ clone_image->colors=image->colors;
+ length=(size_t) image->colors;
+- clone_image->colormap=(PixelPacket *) AcquireQuantumMemory(length,
++ clone_image->colormap=(PixelPacket *) AcquireQuantumMemory(length+1,
+ sizeof(*clone_image->colormap));
+ if (clone_image->colormap == (PixelPacket *) NULL)
+ {
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0070-3-3-CVE-2017-9501-Avoid-an-off-by-one-error.patch imagemagick-6.9.7.4+dfsg/debian/patches/0070-3-3-CVE-2017-9501-Avoid-an-off-by-one-error.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0070-3-3-CVE-2017-9501-Avoid-an-off-by-one-error.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0070-3-3-CVE-2017-9501-Avoid-an-off-by-one-error.patch 2017-07-14 13:35:15.000000000 +0000
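Review bot: The `+1` on the AcquireQuantumMemory call has no explanation in the hunk, and the spare element is neither initialised nor reflected in `clone_image->colors`, so a later reader cannot tell whether it is a deliberate sentinel slot that some consumer indexes or a band-aid for an out-of-bounds read elsewhere. Put the reason on the allocation, e.g. `/* One spare entry: keep the clone's allocation the same shape as the original colormap so index == colors stays in bounds for whichever caller relies on it. */`, adjusting the wording to the actual consumer, which is outside this hunk. If that extra entry can ever be read, it also needs zeroing after the allocation; nothing visible here clears it, and the `CopyMagickMemory` below copies only `length` entries.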
@@ -0,0 +1,68 @@
+From 5b509d227f98ac4335257a4e2db1ee7b1b9df4a3 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Mon, 15 May 2017 20:26:44 -0400
+Subject: [PATCH] [3/3] CVE-2017-9501 Avoid an off-by one error
+
+an assertion failure was found in the function LockSemaphoreInfo, which allows attackers to cause a denial of service via a crafted file.
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/491
+bug-debian: https://bugs.debian.org/867721
+origin: https://github.com/ImageMagick/ImageMagick/commit/33a0592787bff86b2593d2d2f01152fd8a32a88b
+
+(cherry picked from commit 33a0592787bff86b2593d2d2f01152fd8a32a88b)
+---
+ magick/image.c | 34 +++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/magick/image.c b/magick/image.c
+index 8a35cce38..1fb6495dd 100644
+--- a/magick/image.c
++++ b/magick/image.c
+@@ -822,23 +822,6 @@ MagickExport Image *CloneImage(const Image *image,const size_t columns,
+ clone_image->columns=image->columns;
+ clone_image->rows=image->rows;
+ clone_image->dither=image->dither;
+- if (image->colormap != (PixelPacket *) NULL)
+- {
+- /*
+- Allocate and copy the image colormap.
+- */
+- clone_image->colors=image->colors;
+- length=(size_t) image->colors;
+- clone_image->colormap=(PixelPacket *) AcquireQuantumMemory(length+1,
+- sizeof(*clone_image->colormap));
+- if (clone_image->colormap == (PixelPacket *) NULL)
+- {
+- image=(Image *) RelinquishMagickMemory(image);
+- ThrowImageException(ResourceLimitError,"MemoryAllocationFailed");
+- }
+- (void) CopyMagickMemory(clone_image->colormap,image->colormap,length*
+- sizeof(*clone_image->colormap));
+- }
+ (void) CloneImageProfiles(clone_image,image);
+ (void) CloneImageProperties(clone_image,image);
+ (void) CloneImageArtifacts(clone_image,image);
+@@ -873,6 +856,23 @@ MagickExport Image *CloneImage(const Image *image,const size_t columns,
+ clone_image->ping=image->ping;
+ clone_image->debug=IsEventLogging();
+ clone_image->semaphore=AllocateSemaphoreInfo();
++ if (image->colormap != (PixelPacket *) NULL)
++ {
++ /*
++ Allocate and copy the image colormap.
++ */
++ clone_image->colors=image->colors;
++ length=(size_t) image->colors;
++ clone_image->colormap=(PixelPacket *) AcquireQuantumMemory(length+1,
++ sizeof(*clone_image->colormap));
++ if (clone_image->colormap == (PixelPacket *) NULL)
++ {
++ clone_image=DestroyImage(clone_image);
++ ThrowImageException(ResourceLimitError,"MemoryAllocationFailed");
++ }
++ (void) CopyMagickMemory(clone_image->colormap,image->colormap,length*
++ sizeof(*clone_image->colormap));
++ }
+ if ((columns == 0) || (rows == 0))
+ {
+ if (image->montage != (char *) NULL)
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0071-CPU-exhaustion-in-ReadOneJNGImage.patch imagemagick-6.9.7.4+dfsg/debian/patches/0071-CPU-exhaustion-in-ReadOneJNGImage.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0071-CPU-exhaustion-in-ReadOneJNGImage.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0071-CPU-exhaustion-in-ReadOneJNGImage.patch 2017-07-14 13:35:15.000000000 +0000
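Review bot: In the relocated block `clone_image->colors=image->colors;` is assigned before the allocation, so the failure path hands `DestroyImage(clone_image)` an image whose `colors` is non-zero while `colormap` is still NULL; that is only safe if DestroyImage tests the pointer rather than the count, which is not visible here. Assigning the count after the allocation succeeds (move that line below the NULL check, or reset it to 0 just before the `DestroyImage` call) removes the doubt. The reason for the move also deserves a comment above the block, e.g. `/* Allocate the colormap only after the semaphore exists: DestroyImage() on the failure path locks it (#491). */`, because without it the next tidy-up is likely to put the allocation back beside the other field copies and reintroduce the LockSemaphoreInfo assertion this patch fixes.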
@@ -0,0 +1,53 @@
+From 855c70dfa7367b199b463d24a7a6805da87066d5 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sat, 24 Jun 2017 12:14:47 -0400
+Subject: [PATCH] CPU exhaustion in ReadOneJNGImage
+
+Due to lack of validation of PNG format, imagemagick could loop
+2^32 in a CPU intensive loop.
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/526
+bug: https://github.com/ImageMagick/ImageMagick/issues/527
+bug-debian: https://bugs.debian.org/867824
+bug-debian: https://bugs.debian.org/867825
+origin: https://github.com/ImageMagick/ImageMagick/commit/5d43fdf7a1f18f36e45225f121697d7f13c8cba9
+
+(cherry picked from commit 5d43fdf7a1f18f36e45225f121697d7f13c8cba9)
+---
+ coders/png.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/coders/png.c b/coders/png.c
+index f9bc4bd82..593c468fe 100644
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -4173,7 +4173,13 @@ static Image *ReadOneJNGImage(MngInfo *mng_info,
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+ for (i=0; i < (ssize_t) length; i++)
+- chunk[i]=(unsigned char) ReadBlobByte(image);
++ {
++ int
++ c;
++
++ c=ReadBlobByte(image);
++ chunk[i]=(unsigned char) c;
++ }
+
+ p=chunk;
+ }
+@@ -5026,7 +5032,13 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info,
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+ for (i=0; i < (ssize_t) length; i++)
+- chunk[i]=(unsigned char) ReadBlobByte(image);
++ {
++ int
++ c;
++
++ c=ReadBlobByte(image);
++ chunk[i]=(unsigned char) c;
++ }
+
+ p=chunk;
+ }
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0072-CPU-exhaustion-in-ReadOneDJVUImag.patch imagemagick-6.9.7.4+dfsg/debian/patches/0072-CPU-exhaustion-in-ReadOneDJVUImag.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0072-CPU-exhaustion-in-ReadOneDJVUImag.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0072-CPU-exhaustion-in-ReadOneDJVUImag.patch 2017-07-14 
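Review bot: Neither rewritten loop ever tests `c`: after `c=ReadBlobByte(image);` the value is cast into `chunk[i]` exactly as the replaced line did, so the new code is behaviourally identical to the old and a truncated file still spins all `length` iterations (up to 2^32 per the description) calling ReadBlobByte at EOF, unless something outside this hunk bounds `length` against the blob. The CPU-exhaustion fix needs the missing check between the read and the store, `if (c == EOF) break;`, in both ReadOneJNGImage and ReadOneMNGImage. Breaking early leaves `chunk[i..length)` uninitialised, so the consumer reached through `p=chunk` must be limited to the `i` bytes actually read or the buffer cleared when it is allocated; both the allocation and that consumer are outside the hunk.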
13:35:15.000000000 +0000
@@ -0,0 +1,38 @@
+From e6a2a79fd296cc89e9f687406626ca6050e75c66 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sat, 24 Jun 2017 12:10:19 -0400
+Subject: [PATCH] CPU exhaustion in ReadOneDJVUImag
+
+Due to lack of format validation, a crafted file will cause a loop to run endless.
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/528
+bug-debian: https://bugs.debian.org/867826
+origin: https://github.com/ImageMagick/ImageMagick/commit/78b819628b6a9429f0c33b72e695b4df0b32faea
+
+(cherry picked from commit 78b819628b6a9429f0c33b72e695b4df0b32faea)
+---
+ coders/djvu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/coders/djvu.c b/coders/djvu.c
+index 973e8ff85..42a3e7e68 100644
+--- a/coders/djvu.c
++++ b/coders/djvu.c
+@@ -613,6 +613,7 @@ static Image *ReadOneDJVUImage(LoadContext* lc,const int pagenum,
+ if (tag == 0) break;
+ ddjvu_message_pop(lc->context);
+ } while ((message = ddjvu_message_peek(lc->context)));
++ if (tag == 0) break;
+ } while (!ddjvu_page_decoding_done(lc->page));
+
+ ddjvu_document_get_pageinfo(lc->document, pagenum, &info);
+@@ -887,7 +888,8 @@ static Image *ReadDJVUImage(const ImageInfo *image_info,
+ break;
+ }
+ djvu_close_lc(lc);
+- (void) CloseBlob(images);
++ if (images != (Image *) NULL)
++ (void) CloseBlob(images);
+ if (image != (Image *) NULL)
+ image=DestroyImageList(image);
+
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0073-Zero-pixel-buffer.patch imagemagick-6.9.7.4+dfsg/debian/patches/0073-Zero-pixel-buffer.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0073-Zero-pixel-buffer.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0073-Zero-pixel-buffer.patch 2017-07-14 13:35:15.000000000 +0000
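Review bot: The added `if (tag == 0) break;` ends the decode-wait loop but swallows the condition: control falls straight into `ddjvu_document_get_pageinfo(...)` and the rest of ReadOneDJVUImage (which continues outside this hunk) exactly as if `ddjvu_page_decoding_done()` had returned true, so a page whose decoding was cut short by what is presumably an error message (tag 0) is then processed as complete. Carry the outcome out of the loop (a local flag set on the break, or a query of the page's decoding status if libdjvu exposes one) and throw before the page is touched, with whatever cleanup the function's later exit paths perform. A one-line comment on the break, `/* An error message ends the wait; do not spin until decoding_done() that may never come. */`, would also record why the outer loop needs the second test. The `images != NULL` guard in ReadDJVUImage is fine as written.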
@@ -0,0 +1,29 @@
+From bd5c9464ac7d8306ebc0b81c3323fefb55409020 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sun, 9 Jul 2017 09:06:26 -0400
+Subject: [PATCH] Zero pixel buffer
+
+Avoid a data leak in case of incorrect file by clearing a buffer
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/556
+bug-debian: https://bugs.debian.org/867893
+origin: https://github.com/ImageMagick/ImageMagick/commit/1737ac82b335e53376382c07b9a500d73dd2aa11
+
+(cherry picked from commit 1737ac82b335e53376382c07b9a500d73dd2aa11)
+---
+ coders/jpeg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/jpeg.c b/coders/jpeg.c
+index 29fcf812a..377866ab0 100644
+--- a/coders/jpeg.c
++++ b/coders/jpeg.c
+@@ -1283,6 +1283,8 @@ static Image *ReadJPEGImage(const ImageInfo *image_info,
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
+ jpeg_pixels=(JSAMPLE *) GetVirtualMemoryBlob(memory_info);
++ (void) ResetMagickMemory(jpeg_pixels,0,image->columns*
++ jpeg_info.output_components*sizeof(*jpeg_pixels));
+ /*
+ Convert JPEG pixels to pixel packets.
+ */
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0074-memory-leak-in-ReadMATImage-in-mat.c.patch imagemagick-6.9.7.4+dfsg/debian/patches/0074-memory-leak-in-ReadMATImage-in-mat.c.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0074-memory-leak-in-ReadMATImage-in-mat.c.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0074-memory-leak-in-ReadMATImage-in-mat.c.patch 2017-07-14 13:35:15.000000000 +0000
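Review bot: The zero-fill masks the short read it is guarding against rather than detecting it: when libjpeg delivers fewer samples than `image->columns*jpeg_info.output_components` for a scanline of a truncated file, the output now silently carries black pixels instead of stale heap bytes. That is the right defensive default, but the size expression has to stay in lockstep with the `AcquireVirtualMemory` call just above the hunk (not visible here), and a maintainer editing one will not see the other, so either derive both from a single length variable or add a comment on the reset: `/* Clear the scanline so a short jpeg_read_scanlines() on a truncated file cannot leak stale heap bytes into the image (#556). */`. Whether a short scanline should abort the read is decided by the return value of jpeg_read_scanlines in the conversion loop below, which is outside this hunk and still worth checking.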
@@ -0,0 +1,38 @@
+From 7fbea25ada626edc182c639d31beaf273073c997 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sat, 24 Jun 2017 10:43:12 -0400
+Subject: [PATCH] memory leak in ReadMATImage in mat.c
+
+The ReadMATImage function in mat.c allows attackers to cause a
+denial of service (memory leak) via a small crafted mat file.
+
+bug-debian: https://bugs.debian.org/867823
+bug: https://github.com/ImageMagick/ImageMagick/issues/525
+origin: https://github.com/ImageMagick/ImageMagick/commit/bd428b8c3217643c8c3a185c5e4b83b4ddc6b275
+
+(cherry picked from commit bd428b8c3217643c8c3a185c5e4b83b4ddc6b275)
+---
+ coders/mat.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/coders/mat.c b/coders/mat.c
+index 1c5affe1b..cf09bec39 100644
+--- a/coders/mat.c
++++ b/coders/mat.c
+@@ -894,7 +894,7 @@ static Image *ReadMATImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ /*
+ Read MATLAB image.
+ */
+- clone_info=CloneImageInfo(image_info);
++ clone_info=(ImageInfo *) NULL;
+ if(ReadBlob(image,124,(unsigned char *) &MATLAB_HDR.identific) != 124)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if (strncmp(MATLAB_HDR.identific,"MATLAB",6) != 0)
+@@ -946,6 +946,7 @@ MATLAB_KO: ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if(EOFBlob(image)) break;
+ filepos += MATLAB_HDR.ObjectSize + 4 + 4;
+
++ clone_info=CloneImageInfo(image_info);
+ image2 = image;
+ #if defined(MAGICKCORE_ZLIB_DELEGATE)
+ if(MATLAB_HDR.DataType == miCOMPRESSED)
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0075-Avoid-heap-based-overflow-for-jpeg.patch imagemagick-6.9.7.4+dfsg/debian/patches/0075-Avoid-heap-based-overflow-for-jpeg.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0075-Avoid-heap-based-overflow-for-jpeg.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0075-Avoid-heap-based-overflow-for-jpeg.patch 2017-07-14 13:35:15.000000000 +0000
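Review bot: The clone is now created inside the per-object loop (`clone_info=CloneImageInfo(image_info);` in the second hunk) but the hunk does not show where it is released, so either each iteration destroys its clone before the next `CloneImageInfo` or the leak has merely moved from the early `ImproperImageHeader` exits into the loop; the loop body and its `break`s continue outside this hunk and each exit needs a matching `DestroyImageInfo`. The return value is also used unchecked, unlike the `ReadBlob` result a few lines up, so an allocation failure here would be dereferenced later. A comment at the NULL initialisation, `/* Cloned per object in the loop below; stays NULL so the header-validation exits above leak nothing. */`, would make the intended ownership explicit to the next reader.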
@@ -0,0 +1,70 @@
+From d39ec5273d5ea3c5260c22bf14ec5047bbdff103 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sun, 2 Jul 2017 20:38:07 -0400
+Subject: [PATCH] Avoid heap based overflow for jpeg
+
+A corrupted jpeg file could trigger an heap overflow
+
+bug-debian: https://bugs.debian.org/867894
+bug: https://github.com/ImageMagick/ImageMagick/issues/556
+origin: https://github.com/ImageMagick/ImageMagick/commit/948356eec65aea91995d4b7cc487d197d2c5f602
+---
+ coders/jpeg.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/coders/jpeg.c b/coders/jpeg.c
+index 377866ab0..248cef656 100644
+--- a/coders/jpeg.c
++++ b/coders/jpeg.c
+@@ -1033,6 +1033,11 @@ static Image *ReadJPEGImage(const ImageInfo *image_info,
+ return((Image *) NULL);
+ }
+ /*
++ Verify that file size large enough to contain a JPEG datastream.
++ */
++ if (GetBlobSize(image) < 107)
++ ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
++ /*
+ Initialize JPEG parameters.
+ */
+ (void) ResetMagickMemory(&error_manager,0,sizeof(error_manager));
+@@ -1501,6 +1506,7 @@ ModuleExport size_t RegisterJPEGImage(void)
+ #endif
+ entry->magick=(IsImageFormatHandler *) IsJPEG;
+ entry->adjoin=MagickFalse;
++ entry->seekable_stream=MagickTrue;
+ entry->description=ConstantString(description);
+ if (*version != '\0')
+ entry->version=ConstantString(version);
+@@ -1517,6 +1523,7 @@ ModuleExport size_t RegisterJPEGImage(void)
+ #endif
+ entry->magick=(IsImageFormatHandler *) IsJPEG;
+ entry->adjoin=MagickFalse;
++ entry->seekable_stream=MagickTrue;
+ entry->description=ConstantString(description);
+ if (*version != '\0')
+ entry->version=ConstantString(version);
+@@ -1532,6 +1539,7 @@ ModuleExport size_t RegisterJPEGImage(void)
+ entry->encoder=(EncodeImageHandler *) WriteJPEGImage;
+ #endif
+ entry->adjoin=MagickFalse;
++ entry->seekable_stream=MagickTrue;
+ entry->description=ConstantString(description);
+ if (*version != '\0')
+ entry->version=ConstantString(version);
+@@ -1547,6 
+1555,7 @@ ModuleExport size_t RegisterJPEGImage(void)
+ entry->encoder=(EncodeImageHandler *) WriteJPEGImage;
+ #endif
+ entry->adjoin=MagickFalse;
++ entry->seekable_stream=MagickTrue;
+ entry->description=ConstantString(description);
+ if (*version != '\0')
+ entry->version=ConstantString(version);
+@@ -1562,6 +1571,7 @@ ModuleExport size_t RegisterJPEGImage(void)
+ entry->encoder=(EncodeImageHandler *) WriteJPEGImage;
+ #endif
+ entry->adjoin=MagickFalse;
++ entry->seekable_stream=MagickTrue;
+ entry->description=ConstantString(description);
+ if (*version != '\0')
+ entry->version=ConstantString(version);
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0076-Fixed-potential-memory-leak-in-screenshot-coders.patch imagemagick-6.9.7.4+dfsg/debian/patches/0076-Fixed-potential-memory-leak-in-screenshot-coders.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0076-Fixed-potential-memory-leak-in-screenshot-coders.patch 1970-01-01 00:00:00.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0076-Fixed-potential-memory-leak-in-screenshot-coders.patch 2017-07-14 13:35:15.000000000 +0000
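Review bot: `107` in `if (GetBlobSize(image) < 107)` is a bare magic number: the comment says "large enough to contain a JPEG datastream" but not where 107 comes from (the smallest file the reporter found, or a header-only minimum?), and a 108-byte file truncated in the middle of a scan takes exactly the same path, so this is a heuristic filter, not the bound that stops the overflow. Name it and cite its origin, e.g. `#define MinimumJPEGSize 107  /* smallest datastream observed to get past jpeg_read_header(); see #556 */`, and keep the real guard on the scanline read, which is outside this hunk. Setting `entry->seekable_stream=MagickTrue` on all five coder entries is what makes GetBlobSize() meaningful for non-seekable input, but it is presumably a behavioural change (JPEG read from a pipe will now be spooled before decoding) that the patch description should state rather than leave implicit.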
@@ -0,0 +1,37 @@
+From 5eae1b27ddc10e6f158b4a4990b598a131488c95 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra
+Date: Mon, 19 Jun 2017 23:00:54 +0200
+Subject: [PATCH] Fixed potential memory leak in screenshot coders
+
+bug-debian: https://bugs.debian.org/867897
+bug: https://github.com/ImageMagick/ImageMagick/issues/556
+origin: https://github.com/ImageMagick/ImageMagick/commit/8c10b9247509c0484b55330458846115131ec2ae
+---
+ coders/screenshot.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/coders/screenshot.c b/coders/screenshot.c
+index aaa3bbde9..7cf40c4fc 100644
+--- a/coders/screenshot.c
++++ b/coders/screenshot.c
+@@ -165,16 +165,16 @@ static Image *ReadSCREENSHOTImage(const ImageInfo *image_info,
+ screen->columns=(size_t) GetDeviceCaps(hDC,HORZRES);
+ screen->rows=(size_t) GetDeviceCaps(hDC,VERTRES);
+ screen->storage_class=DirectClass;
++ if (image == (Image *) NULL)
++ image=screen;
++ else
++ AppendImageToList(&image,screen);
+ status=SetImageExtent(screen,screen->columns,screen->rows);
+ if (status == MagickFalse)
+ {
+ InheritException(exception,&image->exception);
+ return(DestroyImageList(image));
+ }
+- if (image == (Image *) NULL)
+- image=screen;
+- else
+- AppendImageToList(&image,screen);
+
+ bitmapDC=CreateCompatibleDC(hDC);
+ if (bitmapDC == (HDC) NULL)
diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0212-Check-for-EOF-conditions-for-RLE-image-format.patch imagemagick-6.9.7.4+dfsg/debian/patches/0212-Check-for-EOF-conditions-for-RLE-image-format.patch
--- imagemagick-6.9.7.4+dfsg/debian/patches/0212-Check-for-EOF-conditions-for-RLE-image-format.patch 2017-05-26 15:02:11.000000000 +0000
+++ imagemagick-6.9.7.4+dfsg/debian/patches/0212-Check-for-EOF-conditions-for-RLE-image-format.patch 1970-01-01 00:00:00.000000000 +0000
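Review bot: With the append moved ahead of `SetImageExtent`, the failure branch still reads `&image->exception`, but `image` is now the list head rather than the image that just failed; for any screen after the first, the exception SetImageExtent raised on `screen` is lost and the caller inherits whatever the first image holds. Read it from the failing image instead: `InheritException(exception,&screen->exception);`. The leak fix itself is correct, `DestroyImageList(image)` now reclaims `screen` as well, and a short comment on the moved block, `/* Link screen into the list before anything can fail so DestroyImageList() frees it on error. */`, would keep the next refactor from moving it back below the check. If the `hDC` used by GetDeviceCaps is obtained above the hunk with GetDC/CreateDC, it is not released on this early return either; that code is outside the hunk.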
@@ -1,243 +0,0 @@ -From 7fdf9ea808caa3c81a0eb42656e5fafc59084198 Mon Sep 17 00:00:00 2001 -From: Cristy -Date: Fri, 12 May 2017 07:14:36 -0400 -Subject: [PATCH] Check for EOF conditions for RLE image format - ---- - ChangeLog | 1 + - coders/rle.c | 93 ++++++++++++++++++++++++++++++++++++++++++------------------ - 2 files changed, 67 insertions(+), 27 deletions(-) - -diff --git a/coders/rle.c b/coders/rle.c -index d780d56a1b..fc5b4124e6 100644 ---- a/coders/rle.c -+++ b/coders/rle.c -@@ -132,6 +132,15 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - #define ByteDataOp 0x05 - #define RunDataOp 0x06 - #define EOFOp 0x07 -+#define ThrowRLEException(exception,message) \ -+{ \ -+ if (colormap != (unsigned char *) NULL) \ -+ colormap=(unsigned char *) RelinquishMagickMemory(colormap); \ -+ if (pixel_info != (MemoryInfo *) NULL) \ -+ pixel_info=RelinquishVirtualMemory(pixel_info); \ -+ ThrowReaderException((exception),(message)); \ -+} -+ - - char - magick[12]; -@@ -209,6 +218,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - /* - Determine if this a RLE file. - */ -+ colormap=(unsigned char *) NULL; -+ pixel_info=(MemoryInfo *) NULL; - count=ReadBlob(image,2,(unsigned char *) magick); - if ((count != 2) || (memcmp(magick,"\122\314",2) != 0)) - ThrowReaderException(CorruptImageError,"ImproperImageHeader"); -@@ -217,8 +228,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - /* - Read image header. 
- */ -- image->page.x=ReadBlobLSBShort(image); -- image->page.y=ReadBlobLSBShort(image); -+ image->page.x=(ssize_t) ReadBlobLSBShort(image); -+ image->page.y=(ssize_t) ReadBlobLSBShort(image); - image->columns=ReadBlobLSBShort(image); - image->rows=ReadBlobLSBShort(image); - flags=(MagickStatusType) ReadBlobByte(image); -@@ -229,6 +240,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - map_length=(unsigned char) ReadBlobByte(image); - if (map_length >= 22) - ThrowReaderException(CorruptImageError,"ImproperImageHeader"); -+ if (EOFBlob(image) != MagickFalse) -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); - one=1; - map_length=one << map_length; - if ((number_planes == 0) || (number_planes == 2) || -@@ -256,11 +269,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - if ((number_planes & 0x01) == 0) - (void) ReadBlobByte(image); - if (EOFBlob(image) != MagickFalse) -- { -- ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile", -- image->filename); -- break; -- } -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); - colormap=(unsigned char *) NULL; - if (number_colormaps != 0) - { -@@ -274,8 +283,12 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - p=colormap; - for (i=0; i < (ssize_t) number_colormaps; i++) - for (x=0; x < (ssize_t) map_length; x++) -+ { - *p++=(unsigned char) ScaleQuantumToChar(ScaleShortToQuantum( - ReadBlobLSBShort(image))); -+ if (EOFBlob(image) != MagickFalse) -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); -+ } - } - if ((flags & 0x08) != 0) - { -@@ -303,11 +316,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - } - } - if (EOFBlob(image) != MagickFalse) -- { -- ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile", -- image->filename); -- break; -- } -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); - if 
((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) - if (image->scene >= (image_info->scene+image_info->number_scenes-1)) - break; -@@ -365,6 +374,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - x=0; - y=0; - opcode=ReadBlobByte(image); -+ if (opcode == EOF) -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); - do - { - switch (opcode & 0x3f) -@@ -372,8 +383,14 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - case SkipLinesOp: - { - operand=ReadBlobByte(image); -+ if (opcode == EOF) -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); - if (opcode & 0x40) -- operand=ReadBlobLSBSignedShort(image); -+ { -+ operand=ReadBlobLSBSignedShort(image); -+ if (opcode == EOF) -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); -+ } - x=0; - y+=operand; - break; -@@ -381,6 +398,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - case SetColorOp: - { - operand=ReadBlobByte(image); -+ if (opcode == EOF) -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); - plane=(unsigned char) operand; - if (plane == 255) - plane=(unsigned char) (number_planes-1); -@@ -390,21 +409,33 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - case SkipPixelsOp: - { - operand=ReadBlobByte(image); -+ if (opcode == EOF) -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); - if (opcode & 0x40) -- operand=ReadBlobLSBSignedShort(image); -+ { -+ operand=ReadBlobLSBSignedShort(image); -+ if (opcode == EOF) -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); -+ } - x+=operand; - break; - } - case ByteDataOp: - { - operand=ReadBlobByte(image); -+ if (opcode == EOF) -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); - if (opcode & 0x40) -- operand=ReadBlobLSBSignedShort(image); -- offset=((image->rows-y-1)*image->columns*number_planes)+x* -- number_planes+plane; -+ { -+ 
operand=ReadBlobLSBSignedShort(image); -+ if (opcode == EOF) -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); -+ } -+ offset=(ssize_t) (((image->rows-y-1)*image->columns*number_planes)+x* -+ number_planes+plane); - operand++; - if ((offset < 0) || -- (offset+((size_t) operand*number_planes) > pixel_info_length)) -+ ((offset+operand*number_planes) > (ssize_t) pixel_info_length)) - { - if (number_colormaps != 0) - colormap=(unsigned char *) RelinquishMagickMemory(colormap); -@@ -428,15 +459,21 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - case RunDataOp: - { - operand=ReadBlobByte(image); -+ if (opcode == EOF) -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); - if (opcode & 0x40) -- operand=ReadBlobLSBSignedShort(image); -+ { -+ operand=ReadBlobLSBSignedShort(image); -+ if (opcode == EOF) -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); -+ } - pixel=(unsigned char) ReadBlobByte(image); - (void) ReadBlobByte(image); - operand++; -- offset=((image->rows-y-1)*image->columns*number_planes)+x* -- number_planes+plane; -+ offset=(ssize_t) (((image->rows-y-1)*image->columns*number_planes)+x* -+ number_planes+plane); - if ((offset < 0) || -- (offset+((size_t) operand*number_planes) > pixel_info_length)) -+ ((offset+operand*number_planes) > (ssize_t) pixel_info_length)) - { - if (number_colormaps != 0) - colormap=(unsigned char *) RelinquishMagickMemory(colormap); -@@ -458,6 +495,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - break; - } - opcode=ReadBlobByte(image); -+ if (opcode == EOF) -+ ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); - } while (((opcode & 0x3f) != EOFOp) && (opcode != EOF)); - if (number_colormaps != 0) - { -@@ -473,7 +512,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - if (number_colormaps == 1) - for (i=0; i < (ssize_t) number_pixels; i++) - { -- if (IsValidColormapIndex(image,*p & 
mask,&index,exception) == -+ if (IsValidColormapIndex(image,(ssize_t) (*p & mask),&index,exception) == - MagickFalse) - break; - *p=colormap[(ssize_t) index]; -@@ -484,7 +523,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - for (i=0; i < (ssize_t) number_pixels; i++) - for (x=0; x < (ssize_t) number_planes; x++) - { -- if (IsValidColormapIndex(image,(size_t) (x*map_length+ -+ if (IsValidColormapIndex(image,(ssize_t) (x*map_length+ - (*p & mask)),&index,exception) == MagickFalse) - break; - *p=colormap[(ssize_t) index]; -@@ -598,15 +637,15 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - break; - for (x=0; x < (ssize_t) image->columns; x++) - { -- if (IsValidColormapIndex(image,*p++,&index,exception) == -+ if (IsValidColormapIndex(image,(ssize_t) *p++,&index,exception) == - MagickFalse) - break; - SetPixelRed(q,image->colormap[(ssize_t) index].red); -- if (IsValidColormapIndex(image,*p++,&index,exception) == -+ if (IsValidColormapIndex(image,(ssize_t) *p++,&index,exception) == - MagickFalse) - break; - SetPixelGreen(q,image->colormap[(ssize_t) index].green); -- if (IsValidColormapIndex(image,*p++,&index,exception) == -+ if (IsValidColormapIndex(image,(ssize_t) *p++,&index,exception) == - MagickFalse) - break; - SetPixelBlue(q,image->colormap[(ssize_t) index].blue); diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0213-Fixed-incorrect-call-to-WriteBlob-reported-in-490.patch imagemagick-6.9.7.4+dfsg/debian/patches/0213-Fixed-incorrect-call-to-WriteBlob-reported-in-490.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0213-Fixed-incorrect-call-to-WriteBlob-reported-in-490.patch 2017-05-26 15:02:11.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0213-Fixed-incorrect-call-to-WriteBlob-reported-in-490.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,32 +0,0 @@ -From 22e7a207cb739f52eef20ae915ae76b128756da5 Mon Sep 17 00:00:00 2001 -From: Dirk Lemstra -Date: Mon, 15 May 2017 21:17:59 +0200 -Subject: [PATCH] Fixed incorrect call to WriteBlob reported in #490. - -A crafted file revealed an assertion failure in blob.c. - -origin: https://github.com/ImageMagick/ImageMagick/commit/72f5c8632bff2daf3c95005f9b4cf2982786b52a -bug: https://github.com/ImageMagick/ImageMagick/issues/490 ---- - coders/png.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/coders/png.c b/coders/png.c -index 3f5775909..3f7fbcadd 100644 ---- a/coders/png.c -+++ b/coders/png.c -@@ -4347,10 +4347,11 @@ static Image *ReadOneJNGImage(MngInfo *mng_info, - (void) LogMagickEvent(CoderEvent,GetMagickModule(), - " Copying JDAT chunk data to color_blob."); - -- (void) WriteBlob(color_image,length,chunk); -- - if (length != 0) -- chunk=(unsigned char *) RelinquishMagickMemory(chunk); -+ { -+ (void) WriteBlob(color_image,length,chunk); -+ chunk=(unsigned char *) RelinquishMagickMemory(chunk); -+ } - - continue; - } diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0214-Added-check-to-prevent-image-being-0x0-reported-in-4.patch imagemagick-6.9.7.4+dfsg/debian/patches/0214-Added-check-to-prevent-image-being-0x0-reported-in-4.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0214-Added-check-to-prevent-image-being-0x0-reported-in-4.patch 2017-05-26 15:02:11.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0214-Added-check-to-prevent-image-being-0x0-reported-in-4.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,40 +0,0 @@ -From 1d59a686ff8c429a3347d9d30c49627d47169fdc Mon Sep 17 00:00:00 2001 -From: Dirk Lemstra -Date: Mon, 15 May 2017 21:10:19 +0200 -Subject: [PATCH] Added check to prevent image being 0x0 (reported in #489). - -A crafted file revealed an assertion failure in profile.c. - -magick: MagickCore/profile.c:1303: ResetImageProfileIterator: Assertion `image != (Image *) ((void *)0)' failed. - -origin: https://github.com/ImageMagick/ImageMagick/commit/f5910e91b0778e03ded45b9022be8eb8f77942cd -bug: https://github.com/ImageMagick/ImageMagick/issues/489 ---- - coders/dds.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/coders/dds.c b/coders/dds.c -index c0989c745..53f8f8d61 100644 ---- a/coders/dds.c -+++ b/coders/dds.c -@@ -1655,9 +1655,8 @@ static Image *ReadDDSImage(const ImageInfo *image_info,ExceptionInfo *exception) - /* - Initialize image structure. - */ -- if (ReadDDSInfo(image, &dds_info) != MagickTrue) { -+ if (ReadDDSInfo(image, &dds_info) != MagickTrue) - ThrowReaderException(CorruptImageError,"ImproperImageHeader"); -- } - - if (dds_info.ddscaps2 & DDSCAPS2_CUBEMAP) - cubemap = MagickTrue; -@@ -1754,6 +1753,9 @@ static Image *ReadDDSImage(const ImageInfo *image_info,ExceptionInfo *exception) - if (volume) - num_images = dds_info.depth; - -+ if (num_images < 1) -+ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); -+ - for (n = 0; n < num_images; n++) - { - if (n != 0) diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0215-Fixed-memory-leak-reported-in-456.patch imagemagick-6.9.7.4+dfsg/debian/patches/0215-Fixed-memory-leak-reported-in-456.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0215-Fixed-memory-leak-reported-in-456.patch 2017-05-26 15:02:11.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0215-Fixed-memory-leak-reported-in-456.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,29 +0,0 @@ -From 50488937f29fcc3f03ddb5a3982d4df4951efb76 Mon Sep 17 00:00:00 2001 -From: Dirk Lemstra -Date: Tue, 2 May 2017 08:32:19 +0200 -Subject: [PATCH] Fixed memory leak reported in #456. - -Specially crafted arts file could lead to memory leak - -origin: https://github.com/ImageMagick/ImageMagick/commit/7b8c1df65b25d6671f113e2306982eded44ce3b4 -bug: https://github.com/ImageMagick/ImageMagick/issues/456 ---- - coders/art.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -Index: imagemagick-6.9.7.4+dfsg/coders/art.c -=================================================================== ---- imagemagick-6.9.7.4+dfsg.orig/coders/art.c 2017-05-26 11:08:42.026359298 -0400 -+++ imagemagick-6.9.7.4+dfsg/coders/art.c 2017-05-26 11:08:42.022359247 -0400 -@@ -181,7 +181,10 @@ static Image *ReadARTImage(const ImageIn - pixels=(const unsigned char *) ReadBlobStream(image,length, - GetQuantumPixels(quantum_info),&count); - if (count != (ssize_t) length) -- ThrowReaderException(CorruptImageError,"UnableToReadImageData"); -+ { -+ quantum_info=DestroyQuantumInfo(quantum_info); -+ ThrowReaderException(CorruptImageError,"UnableToReadImageData"); -+ } - (void) ImportQuantumPixels(image,(CacheView *) NULL,quantum_info, - quantum_type,pixels,exception); - (void) ReadBlobStream(image,(size_t) (-(ssize_t) length) & 0x01, diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/0216-CVE-2017-9098-use-of-uninitialized-memory-in-RLE-dec.patch imagemagick-6.9.7.4+dfsg/debian/patches/0216-CVE-2017-9098-use-of-uninitialized-memory-in-RLE-dec.patch --- imagemagick-6.9.7.4+dfsg/debian/patches/0216-CVE-2017-9098-use-of-uninitialized-memory-in-RLE-dec.patch 2017-05-26 15:02:11.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/0216-CVE-2017-9098-use-of-uninitialized-memory-in-RLE-dec.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,26 +0,0 @@ -From 22bc0820f62d5a8488e32699e927aa1d08a762db Mon Sep 17 00:00:00 2001 -From: Cristy -Date: Thu, 9 Mar 2017 07:27:42 -0500 -Subject: [PATCH] CVE-2017-9098: use of uninitialized memory in RLE decoder - -Reset memory for RLE decoder (patch provided by scarybeasts) - -bug: https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html -bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862967 -origin: https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b ---- - coders/rle.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/coders/rle.c b/coders/rle.c -index 28856db35..15b25a188 100644 ---- a/coders/rle.c -+++ b/coders/rle.c -@@ -354,6 +354,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) - pixel_info_length=image->columns*image->rows* - MagickMax(number_planes_filled,4); - pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info); -+ (void) ResetMagickMemory(pixels,0,pixel_info_length); - if ((flags & 0x01) && !(flags & 0x02)) - { - ssize_t diff -Nru imagemagick-6.9.7.4+dfsg/debian/patches/series imagemagick-6.9.7.4+dfsg/debian/patches/series --- imagemagick-6.9.7.4+dfsg/debian/patches/series 2017-05-26 15:02:11.000000000 +0000 +++ imagemagick-6.9.7.4+dfsg/debian/patches/series 2017-07-21 12:30:32.000000000 +0000 
@@ -40,8 +40,38 @@
 0039-CVE-2017-8357.patch
 0040-CVE-2017-8765.patch
 0041-CVE-2017-8830.patch
-0216-CVE-2017-9098-use-of-uninitialized-memory-in-RLE-dec.patch
-0214-Added-check-to-prevent-image-being-0x0-reported-in-4.patch
-0213-Fixed-incorrect-call-to-WriteBlob-reported-in-490.patch
-0215-Fixed-memory-leak-reported-in-456.patch
-0212-Check-for-EOF-conditions-for-RLE-image-format.patch
+0042-Check-for-EOF-conditions-for-RLE-image-format.patch
+0043-Fixed-incorrect-call-to-WriteBlob-reported-in-490.patch
+0044-Added-check-to-prevent-image-being-0x0-reported-in-4.patch
+0045-Fixed-memory-leak-reported-in-456.patch
+0046-CVE-2017-9098-use-of-uninitialized-memory-in-RLE-dec.patch
+0047-CVE-2017-9261-Memory-leak-in-the-ReadMNGImage-functi.patch
+0048-CVE-2017-9262-Memory-leak-in-the-ReadJNGImage-functi.patch
+0049-CVE-2017-9409-the-ReadMPCImage-function-in-mpc.c-all.patch
+0050-CVE-2017-9407-the-ReadPALMImage-function-in-palm.c-a.patch
+0051-CVE-2017-9405-the-ReadICONImage-function-in-icon.c-4.patch
+0052-CVE-2017-9439.patch
+0053-CVE-2017-9440.patch
+0054-CVE-2017-10928.patch
+0055-CVE-2017-9144-fix-incomplete-patch.patch
+0056-1-2-Enable-heap-overflow-check-for-stdin-for-mpc-fil.patch
+0057-2-2-Enable-heap-overflow-check-for-stdin-for-mpc-fil.patch
+0058-1-2-CPU-exhaustion-in-ReadDPXImage.patch
+0059-1-2-CPU-exhaustion-in-ReadDPXImage.patch
+0060-CPU-exhaustion-in-ReadRLEImage.patch
+0061-Memory-exhaustion-in-ReadCINImage.patch
+0062-memory-leak-in-ReadDIBImage-in-dib.c.patch
+0063-memory-exhaustion-in-ReadDPXImage-in-dpx.c.patch
+0064-assertion-failed-in-WriteBlob.patch
+0065-Memory-exhaustion-in-ReadEPTImage-in-ept.c.patch
+0066-CVE-2017-11141-memory-exhaustion-in-ReadMATImage.patch
+0067-CVE-2017-11170-memory-exhaustion-in-ReadTGAImage.patch
+0068-1-3-CVE-2017-9501-Fixed-incorrect-call-to-DestroyIma.patch
+0069-2-3-CVE-2017-9501-Avoid-an-off-by-one-error.patch
+0070-3-3-CVE-2017-9501-Avoid-an-off-by-one-error.patch
+0071-CPU-exhaustion-in-ReadOneJNGImage.patch
+0072-CPU-exhaustion-in-ReadOneDJVUImag.patch
+0073-Zero-pixel-buffer.patch
+0074-memory-leak-in-ReadMATImage-in-mat.c.patch
+0075-Avoid-heap-based-overflow-for-jpeg.patch
+0076-Fixed-potential-memory-leak-in-screenshot-coders.patch
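Review bot: The two new entries `0058-1-2-CPU-exhaustion-in-ReadDPXImage.patch` and `0059-1-2-CPU-exhaustion-in-ReadDPXImage.patch` both carry the `1-2` part label, so the series no longer says which file is the second half of that pair or that both must stay applied together for the fix to be complete. Every other multi-part entry in the hunk is labelled consistently (`0056-1-2`/`0057-2-2`, `0068-1-3`/`0069-2-3`/`0070-3-3`), so presumably the second should read `0059-2-2-CPU-exhaustion-in-ReadDPXImage.patch`; renaming the entry also means renaming the patch file itself, which is outside this hunk. The renumbered entries 0042–0046 match the deleted 0212–0216 lines name for name, so that part of the reshuffle looks consistent.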
