Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 192692 Details for
Bug 271502
<media-gfx/imagemagick-6.5.2.9 XMakeImage() Integer Overflow Vulnerability (CVE-2009-1882)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
imagemagick-r513.patch
imagemagick-r513.patch (text/plain), 18.19 KB, created by
Robert Buchholz (RETIRED)
on 2009-05-28 10:23:06 UTC
(
hide
)
Description:
imagemagick-r513.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2009-05-28 10:23:06 UTC
Size:
18.19 KB
patch
obsolete
>r513 | cristy | 2009-05-25 18:23:12 +0200 (Mon, 25 May 2009) | 1 line > >Index: magick/display.c >=================================================================== >--- magick/display.c (revision 512) >+++ magick/display.c (revision 513) >@@ -13677,6 +13677,10 @@ > */ > window_info.width=(unsigned int) image->columns; > window_info.height=(unsigned int) image->rows; >+ if ((image->columns != window_info.width) || >+ (image->rows != window_info.height)) >+ ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", >+ image->filename); > (void) FormatMagickString(geometry,MaxTextExtent,"%ux%u+0+0>", > window_attributes.width,window_attributes.height); > geometry_info.width=window_info.width; >@@ -14221,6 +14225,10 @@ > timestamp, > update_time; > >+ unsigned int >+ height, >+ width; >+ > unsigned long > delay; > >@@ -14359,8 +14367,8 @@ > windows->context.id=(Window) NULL; > XGetWindowInfo(display,visual_info,map_info,pixel,font_info, > resource_info,&windows->context); >- CloneString(&class_hints->res_name,"superclass"); >- CloneString(&class_hints->res_class,resource_info->client_name); >+ (void) CloneString(&class_hints->res_name,"superclass"); >+ (void) CloneString(&class_hints->res_class,resource_info->client_name); > manager_hints->flags=InputHint | StateHint; > manager_hints->input=MagickFalse; > manager_hints->initial_state=WithdrawnState; >@@ -14412,7 +14420,7 @@ > windows->icon.attributes.colormap=XDefaultColormap(display, > icon_visual->screen); > windows->icon.attributes.event_mask=ExposureMask | StructureNotifyMask; >- CloneString(&class_hints->res_name,"icon"); >+ (void) CloneString(&class_hints->res_name,"icon"); > manager_hints->flags=InputHint | StateHint; > manager_hints->input=MagickFalse; > manager_hints->initial_state=IconicState; >@@ -14511,7 +14519,7 @@ > ButtonReleaseMask; > windows->backdrop.attributes.event_mask=ButtonPressMask | KeyPressMask | > StructureNotifyMask; >- CloneString(&class_hints->res_name,"backdrop"); >+ (void) CloneString(&class_hints->res_name,"backdrop"); > manager_hints->flags=IconWindowHint | InputHint | StateHint; > manager_hints->icon_window=windows->icon.id; > manager_hints->input=MagickTrue; >@@ -14539,9 +14547,9 @@ > (windows->image.height/2); > } > if (resource_info->name == (char *) NULL) >- CloneString(&class_hints->res_name,resource_info->client_name); >+ (void) CloneString(&class_hints->res_name,resource_info->client_name); > else >- CloneString(&class_hints->res_name,resource_info->name); >+ (void) CloneString(&class_hints->res_name,resource_info->name); > manager_hints->flags=IconWindowHint | InputHint | StateHint; > manager_hints->icon_window=windows->icon.id; > manager_hints->input=MagickTrue; >@@ -14584,7 +14592,7 @@ > windows->info.attributes.win_gravity=UnmapGravity; > windows->info.attributes.event_mask=ButtonPressMask | ExposureMask | > StructureNotifyMask; >- CloneString(&class_hints->res_name,"info"); >+ (void) CloneString(&class_hints->res_name,"info"); > manager_hints->flags=InputHint | StateHint | WindowGroupHint; > manager_hints->input=MagickFalse; > manager_hints->initial_state=NormalState; >@@ -14618,7 +14626,7 @@ > windows->command.attributes.event_mask=ButtonMotionMask | ButtonPressMask | > ButtonReleaseMask | EnterWindowMask | ExposureMask | LeaveWindowMask | > OwnerGrabButtonMask | StructureNotifyMask; >- CloneString(&class_hints->res_name,"command"); >+ (void) CloneString(&class_hints->res_name,"command"); > manager_hints->flags=InputHint | StateHint | WindowGroupHint; > manager_hints->input=MagickTrue; > manager_hints->initial_state=NormalState; >@@ -14651,7 +14659,7 @@ > ButtonReleaseMask | EnterWindowMask | ExposureMask | KeyPressMask | > KeyReleaseMask | LeaveWindowMask | OwnerGrabButtonMask | > StructureNotifyMask; >- CloneString(&class_hints->res_name,"widget"); >+ (void) CloneString(&class_hints->res_name,"widget"); > manager_hints->flags=InputHint | StateHint | WindowGroupHint; > manager_hints->input=MagickTrue; > manager_hints->initial_state=NormalState; >@@ -14676,7 +14684,7 @@ > windows->popup.attributes.event_mask=ButtonMotionMask | ButtonPressMask | > ButtonReleaseMask | EnterWindowMask | ExposureMask | KeyPressMask | > KeyReleaseMask | LeaveWindowMask | StructureNotifyMask; >- CloneString(&class_hints->res_name,"popup"); >+ (void) CloneString(&class_hints->res_name,"popup"); > manager_hints->flags=InputHint | StateHint | WindowGroupHint; > manager_hints->input=MagickTrue; > manager_hints->initial_state=NormalState; >@@ -14724,7 +14732,7 @@ > windows->magnify.attributes.event_mask=ButtonPressMask | ButtonReleaseMask | > ExposureMask | KeyPressMask | KeyReleaseMask | OwnerGrabButtonMask | > StructureNotifyMask; >- CloneString(&class_hints->res_name,"magnify"); >+ (void) CloneString(&class_hints->res_name,"magnify"); > manager_hints->flags=InputHint | StateHint | WindowGroupHint; > manager_hints->input=MagickTrue; > manager_hints->initial_state=NormalState; >@@ -14754,7 +14762,7 @@ > windows->pan.attributes.event_mask=ButtonMotionMask | ButtonPressMask | > ButtonReleaseMask | ExposureMask | KeyPressMask | KeyReleaseMask | > StructureNotifyMask; >- CloneString(&class_hints->res_name,"pan"); >+ (void) CloneString(&class_hints->res_name,"pan"); > manager_hints->flags=InputHint | StateHint | WindowGroupHint; > manager_hints->input=MagickFalse; > manager_hints->initial_state=NormalState; >@@ -14786,8 +14794,13 @@ > windows->image.x=0; > windows->image.y=0; > windows->magnify.shape=MagickFalse; >+ width=(unsigned int) display_image->columns; >+ height=(unsigned int) display_image->rows; >+ if ((display_image->columns != width) || (display_image->rows != height)) >+ ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", >+ display_image->filename); > status=XMakeImage(display,resource_info,&windows->image,display_image, >- (unsigned int) display_image->columns,(unsigned int) display_image->rows); >+ width,height); > if (status == MagickFalse) > ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", > display_image->filename); >Index: magick/xwindow.c >=================================================================== >--- magick/xwindow.c (revision 512) >+++ magick/xwindow.c (revision 513) >@@ -5368,6 +5368,9 @@ > const XResourceInfo *resource_info,XWindowInfo *window,Image *image, > unsigned int width,unsigned int height) > { >+#define CheckOverflowException(length,width,height) \ >+ (((height) != 0) && ((length)/((size_t) height) != ((size_t) width))) >+ > int > depth, > format; >@@ -5507,9 +5510,11 @@ > (char *) NULL,&segment_info[1],width,height); > if (ximage == (XImage *) NULL) > window->shared_memory=MagickFalse; >+ length=(size_t) ximage->bytes_per_line*ximage->height; >+ if (CheckOverflowException(length,ximage->bytes_per_line,ximage->height)) >+ window->shared_memory=MagickFalse; > if (window->shared_memory != MagickFalse) >- segment_info[1].shmid=shmget(IPC_PRIVATE,(unsigned int) >- (ximage->bytes_per_line*ximage->height),IPC_CREAT | 0777); >+ segment_info[1].shmid=shmget(IPC_PRIVATE,length,IPC_CREAT | 0777); > if (window->shared_memory != MagickFalse) > segment_info[1].shmaddr=(char *) shmat(segment_info[1].shmid,0,0); > if (segment_info[1].shmid < 0) >@@ -5612,11 +5617,12 @@ > } > if (window->shared_memory == MagickFalse) > { >- if (ximage->format == XYBitmap) >- length=(size_t) ximage->bytes_per_line*ximage->height*ximage->depth; >+ if (ximage->format != XYBitmap) >+ ximage->data=(char *) AcquireQuantumMemory((size_t) >+ ximage->bytes_per_line,(size_t) ximage->height); > else >- length=(size_t) ximage->bytes_per_line*ximage->height; >- ximage->data=(char *) malloc(length); >+ ximage->data=(char *) AcquireQuantumMemory((size_t) >+ ximage->bytes_per_line*ximage->depth,(size_t) ximage->height); > } > if (ximage->data == (char *) NULL) > { >@@ -5694,9 +5700,9 @@ > /* > Allocate matte image pixel data. > */ >- length=(size_t) matte_image->bytes_per_line* >- matte_image->height*matte_image->depth; >- matte_image->data=(char *) malloc(length); >+ matte_image->data=(char *) AcquireQuantumMemory((size_t) >+ matte_image->bytes_per_line*matte_image->depth, >+ (size_t) matte_image->height); > if (matte_image->data == (char *) NULL) > { > XDestroyImage(matte_image); >Index: magick/animate.c >=================================================================== >--- magick/animate.c (revision 512) >+++ magick/animate.c (revision 513) >@@ -938,6 +938,10 @@ > */ > window_info.width=(unsigned int) image_list[0]->columns; > window_info.height=(unsigned int) image_list[0]->rows; >+ if ((image_list[0]->columns != window_info.width) || >+ (image_list[0]->rows != window_info.height)) >+ ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", >+ image_list[0]->filename); > (void) FormatMagickString(geometry,MaxTextExtent,"%ux%u+0+0>", > window_attributes.width,window_attributes.height); > geometry_info.width=window_info.width; >@@ -1053,6 +1057,10 @@ > window_info.matte_pixmaps[0]=window_info.pixmap; > for (scene=1; scene < (int) number_scenes; scene++) > { >+ unsigned int >+ columns, >+ rows; >+ > /* > Create X image. > */ >@@ -1064,18 +1072,22 @@ > if (image_list[scene]->storage_class == PseudoClass) > XGetPixelPacket(display,visual_info,map_info,&resources, > image_list[scene],window_info.pixel_info); >+ columns=(unsigned int) image_list[scene]->columns; >+ rows=(unsigned int) image_list[scene]->rows; >+ if ((image_list[scene]->columns != columns) || >+ (image_list[scene]->rows != rows)) >+ ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", >+ image_list[scene]->filename); > status=XMakeImage(display,&resources,&window_info,image_list[scene], >- (unsigned int) image_list[scene]->columns, >- (unsigned int) image_list[scene]->rows); >+ columns,rows); > if (status == MagickFalse) > ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", > images->filename); > if (display_image->debug != MagickFalse) > { > (void) LogMagickEvent(X11Event,GetMagickModule(), >- "Image: [%lu] %s %lux%lu ",image_list[scene]->scene, >- image_list[scene]->filename,image_list[scene]->columns, >- image_list[scene]->rows); >+ "Image: [%lu] %s %ux%u ",image_list[scene]->scene, >+ image_list[scene]->filename,columns,rows); > if (image_list[scene]->colors != 0) > (void) LogMagickEvent(X11Event,GetMagickModule(),"%luc ", > image_list[scene]->colors); >@@ -1085,19 +1097,17 @@ > /* > Create the X pixmap. > */ >- window_info.pixmap=XCreatePixmap(display,window_info.id, >- (unsigned int) width,(unsigned int) height,window_info.depth); >+ window_info.pixmap=XCreatePixmap(display,window_info.id,width,height, >+ window_info.depth); > if (window_info.pixmap == (Pixmap) NULL) > ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXPixmap", > images->filename); > /* > Display pixmap on the window. > */ >- if (((unsigned int) width > window_info.width) || >- ((unsigned int) height > window_info.height)) >+ if ((width > window_info.width) || (height > window_info.height)) > (void) XFillRectangle(display,window_info.pixmap, >- window_info.annotate_context,0,0,(unsigned int) width, >- (unsigned int) height); >+ window_info.annotate_context,0,0,width,height); > (void) XPutImage(display,window_info.pixmap,window_info.annotate_context, > window_info.ximage,0,0,window_info.x,window_info.y,window_info.width, > window_info.height); >@@ -1536,8 +1546,8 @@ > windows->context.id=(Window) NULL; > XGetWindowInfo(display,visual_info,map_info,pixel,font_info, > resource_info,&windows->context); >- CloneString(&class_hints->res_name,"superclass"); >- CloneString(&class_hints->res_class,"Display"); >+ (void) CloneString(&class_hints->res_name,"superclass"); >+ (void) CloneString(&class_hints->res_class,"Display"); > manager_hints->flags=InputHint | StateHint; > manager_hints->input=MagickFalse; > manager_hints->initial_state=WithdrawnState; >@@ -1589,7 +1599,7 @@ > windows->icon.attributes.colormap= > XDefaultColormap(display,icon_visual->screen); > windows->icon.attributes.event_mask=ExposureMask | StructureNotifyMask; >- CloneString(&class_hints->res_name,"icon"); >+ (void) CloneString(&class_hints->res_name,"icon"); > manager_hints->flags=InputHint | StateHint; > manager_hints->input=MagickFalse; > manager_hints->initial_state=IconicState; >@@ -1684,7 +1694,7 @@ > ButtonReleaseMask; > windows->backdrop.attributes.event_mask=ButtonPressMask | KeyPressMask | > StructureNotifyMask; >- CloneString(&class_hints->res_name,"backdrop"); >+ (void) CloneString(&class_hints->res_name,"backdrop"); > manager_hints->flags=IconWindowHint | InputHint | StateHint; > manager_hints->icon_window=windows->icon.id; > manager_hints->input=MagickTrue; >@@ -1712,9 +1722,9 @@ > (windows->image.height/2); > } > if (resource_info->name == (char *) NULL) >- CloneString(&class_hints->res_name,resource_info->client_name); >+ (void) CloneString(&class_hints->res_name,resource_info->client_name); > else >- CloneString(&class_hints->res_name,resource_info->name); >+ (void) CloneString(&class_hints->res_name,resource_info->name); > manager_hints->flags=IconWindowHint | InputHint | StateHint; > manager_hints->icon_window=windows->icon.id; > manager_hints->input=MagickTrue; >@@ -1755,9 +1765,9 @@ > windows->info.y=2; > windows->info.flags|=PPosition; > windows->info.attributes.win_gravity=UnmapGravity; >- windows->info.attributes.event_mask= >- ButtonPressMask | ExposureMask | StructureNotifyMask; >- CloneString(&class_hints->res_name,"info"); >+ windows->info.attributes.event_mask=ButtonPressMask | ExposureMask | >+ StructureNotifyMask; >+ (void) CloneString(&class_hints->res_name,"info"); > manager_hints->flags=InputHint | StateHint | WindowGroupHint; > manager_hints->input=MagickFalse; > manager_hints->initial_state=NormalState; >@@ -1791,7 +1801,7 @@ > windows->command.attributes.event_mask=ButtonMotionMask | ButtonPressMask | > ButtonReleaseMask | EnterWindowMask | ExposureMask | LeaveWindowMask | > OwnerGrabButtonMask | StructureNotifyMask; >- CloneString(&class_hints->res_name,"command"); >+ (void) CloneString(&class_hints->res_name,"command"); > manager_hints->flags=InputHint | StateHint | WindowGroupHint; > manager_hints->input=MagickTrue; > manager_hints->initial_state=NormalState; >@@ -1822,7 +1832,7 @@ > ButtonReleaseMask | EnterWindowMask | ExposureMask | KeyPressMask | > KeyReleaseMask | LeaveWindowMask | OwnerGrabButtonMask | > StructureNotifyMask; >- CloneString(&class_hints->res_name,"widget"); >+ (void) CloneString(&class_hints->res_name,"widget"); > manager_hints->flags=InputHint | StateHint | WindowGroupHint; > manager_hints->input=MagickTrue; > manager_hints->initial_state=NormalState; >@@ -1847,7 +1857,7 @@ > windows->popup.attributes.event_mask=ButtonMotionMask | ButtonPressMask | > ButtonReleaseMask | EnterWindowMask | ExposureMask | KeyPressMask | > KeyReleaseMask | LeaveWindowMask | StructureNotifyMask; >- CloneString(&class_hints->res_name,"popup"); >+ (void) CloneString(&class_hints->res_name,"popup"); > manager_hints->flags=InputHint | StateHint | WindowGroupHint; > manager_hints->input=MagickTrue; > manager_hints->initial_state=NormalState; >@@ -1903,6 +1913,10 @@ > windows->image.matte_pixmaps[0]=windows->image.matte_pixmap; > for (scene=1; scene < (long) number_scenes; scene++) > { >+ unsigned int >+ columns, >+ rows; >+ > /* > Create X image. > */ >@@ -1915,18 +1929,22 @@ > if (image_list[scene]->storage_class == PseudoClass) > XGetPixelPacket(display,visual_info,map_info,resource_info, > image_list[scene],windows->image.pixel_info); >+ columns=(unsigned int) image_list[scene]->columns; >+ rows=(unsigned int) image_list[scene]->rows; >+ if ((image_list[scene]->columns != columns) || >+ (image_list[scene]->rows != rows)) >+ ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", >+ image_list[scene]->filename); > status=XMakeImage(display,resource_info,&windows->image,image_list[scene], >- (unsigned int) image_list[scene]->columns, >- (unsigned int) image_list[scene]->rows); >+ columns,rows); > if (status == MagickFalse) > ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", > images->filename); > if (image_list[scene]->debug != MagickFalse) > { > (void) LogMagickEvent(X11Event,GetMagickModule(), >- "Image: [%lu] %s %lux%lu ",image_list[scene]->scene, >- image_list[scene]->filename,image_list[scene]->columns, >- image_list[scene]->rows); >+ "Image: [%lu] %s %ux%u ",image_list[scene]->scene, >+ image_list[scene]->filename,columns,rows); > if (image_list[scene]->colors != 0) > (void) LogMagickEvent(X11Event,GetMagickModule(),"%luc ", > image_list[scene]->colors); >Index: coders/xwd.c >=================================================================== >--- coders/xwd.c (revision 512) >+++ coders/xwd.c (revision 513) >@@ -146,7 +146,7 @@ > static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception) > { > #define CheckOverflowException(length,width,height) \ >- (((height) != 0) && ((length)/((size_t) height) != ((size_t) width))) >+ (((height) != 0) && ((length)/((size_t) height) != ((size_t) width))) > > char > *comment; >Index: ChangeLog >=================================================================== >--- ChangeLog (revision 512) >+++ ChangeLog (revision 513) >@@ -1,4 +1,8 @@ >+2009-05-23 6.5.2-8 Cristy <quetzlzacatenango@image...> >+ * Check for XMakeImage() integer overflow vulnerability (Secunia Advisory >+ SA35216). >+ > 2009-05-23 6.5.2-8 Cristy <quetzlzacatenango@image...> > * Permit reading a specific frame of a multi-page TIFF with blobs. > > 2009-05-22 6.5.2-8 Anthony Thyssen <A.Thyssen@griffith...>
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=192692">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 271502
: 192692
