Description from GraphicsMagick changelog for revision 1.231: [trimmed] 2009-10-09 Bob Friesenhahn * magick/xwindow.c (MagickXMakeImage): Fix for CVE-2009-1882 "Integer overflow in the XMakeImage function". The problem is that the shared memory segment allocated may be smaller than the image size requires due to integer overflow. On some systems it may be possible to crash GraphicsMagick (while displaying an image file) but not likely to overwrite the heap since shared memory segments are outside of the heap allocation. [/trimmed]
--- GraphicsMagick/magick/xwindow.c 2009/09/16 02:13:01 1.230
+++ GraphicsMagick/magick/xwindow.c 2009/10/09 18:20:22 1.231
@@ -5350,8 +5350,8 @@ MagickExport Cursor MagickXMakeCursor(Di
 % The format of the MagickXMakeImage method is:
 %
 % unsigned int MagickXMakeImage(Display *display,
-% const MagickXResourceInfo *resource_info,MagickXWindowInfo *window,Image *image,
-% unsigned int width,unsigned int height)
+% const MagickXResourceInfo *resource_info,MagickXWindowInfo *window,
+% Image *image,unsigned int width,unsigned int height)
 %
 % A description of each parameter follows:
 %
@@ -5376,9 +5376,12 @@ MagickExport Cursor MagickXMakeCursor(Di
 %
 %
 */
-MagickExport unsigned int MagickXMakeImage(Display *display,
- const MagickXResourceInfo *resource_info,MagickXWindowInfo *window,Image *image,
- unsigned int width,unsigned int height)
+MagickExport unsigned int
+MagickXMakeImage(Display *display,
+ const MagickXResourceInfo *resource_info,
+ MagickXWindowInfo *window,
+ Image *image,
+ unsigned int width,unsigned int height)
 {
 int
 depth,
@@ -5496,7 +5499,9 @@ MagickExport unsigned int MagickXMakeIma
 }
 #endif
 width=(unsigned int) window->image->columns;
+ assert(width == window->image->columns);
 height=(unsigned int) window->image->rows;
+ assert(height == window->image->rows);
 }
 /*
 Create X image.
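Review bot: The two `assert()` calls added after the `(unsigned int)` casts of `window->image->columns` and `window->image->rows` only protect builds without NDEBUG; in a release build they compile away, and a truncated width/height then flows on to XShmCreateImage and the segment size derived from it, which is exactly the size mismatch this commit sets out to close. If columns and rows can be wider than unsigned int on the supported platforms (their types are not visible in the hunk), the check should be a runtime one that fails the call, for example `if ((width != window->image->columns) || (height != window->image->rows))` followed by the function's existing failure return, keeping the asserts as documentation if wanted. MagickXMakeImage begins and ends outside this hunk, so the failure return path is not visible here.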
@@ -5504,27 +5509,32 @@ MagickExport unsigned int MagickXMakeIma ximage=(XImage *) NULL; format=(depth == 1) ? XYBitmap : ZPixmap; #if defined(HasSharedMemory) - window->shared_memory&=XShmQueryExtension(display); + window->shared_memory &= XShmQueryExtension(display); if (window->shared_memory) { XShmSegmentInfo *segment_info; + size_t + shm_extent; + segment_info=(XShmSegmentInfo *) window->segment_info; segment_info[1].shmid=(-1); segment_info[1].shmaddr=NULL; ximage=XShmCreateImage(display,window->visual,depth,format,(char *) NULL, - &segment_info[1],width,height); - window->shared_memory&=(ximage != (XImage *) NULL); + &segment_info[1],width,height); + window->shared_memory &= (ximage != (XImage *) NULL); + + shm_extent=MagickArraySize(ximage->height,ximage->bytes_per_line); + window->shared_memory &= (shm_extent != 0); if (window->shared_memory) - segment_info[1].shmid=shmget(IPC_PRIVATE,(size_t) - (ximage->bytes_per_line*ximage->height),IPC_CREAT | 0777); - window->shared_memory&=(segment_info[1].shmid >= 0); + segment_info[1].shmid=shmget(IPC_PRIVATE,shm_extent,IPC_CREAT | 0777); + window->shared_memory &= (segment_info[1].shmid >= 0); if (window->shared_memory) segment_info[1].shmaddr=(char *) MagickShmAt(segment_info[1].shmid,0,0); - window->shared_memory&=(segment_info[1].shmaddr != NULL); + window->shared_memory &= (segment_info[1].shmaddr != NULL); if (!window->shared_memory) {