r513 | cristy | 2009-05-25 18:23:12 +0200 (Mon, 25 May 2009) | 1 line Index: magick/display.c =================================================================== --- magick/display.c (revision 512) +++ magick/display.c (revision 513) @@ -13677,6 +13677,10 @@ */ window_info.width=(unsigned int) image->columns; window_info.height=(unsigned int) image->rows; + if ((image->columns != window_info.width) || + (image->rows != window_info.height)) + ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", + image->filename); (void) FormatMagickString(geometry,MaxTextExtent,"%ux%u+0+0>", window_attributes.width,window_attributes.height); geometry_info.width=window_info.width; @@ -14221,6 +14225,10 @@ timestamp, update_time; + unsigned int + height, + width; + unsigned long delay; @@ -14359,8 +14367,8 @@ windows->context.id=(Window) NULL; XGetWindowInfo(display,visual_info,map_info,pixel,font_info, resource_info,&windows->context); - CloneString(&class_hints->res_name,"superclass"); - CloneString(&class_hints->res_class,resource_info->client_name); + (void) CloneString(&class_hints->res_name,"superclass"); + (void) CloneString(&class_hints->res_class,resource_info->client_name); manager_hints->flags=InputHint | StateHint; manager_hints->input=MagickFalse; manager_hints->initial_state=WithdrawnState; @@ -14412,7 +14420,7 @@ windows->icon.attributes.colormap=XDefaultColormap(display, icon_visual->screen); windows->icon.attributes.event_mask=ExposureMask | StructureNotifyMask; - CloneString(&class_hints->res_name,"icon"); + (void) CloneString(&class_hints->res_name,"icon"); manager_hints->flags=InputHint | StateHint; manager_hints->input=MagickFalse; manager_hints->initial_state=IconicState; @@ -14511,7 +14519,7 @@ ButtonReleaseMask; windows->backdrop.attributes.event_mask=ButtonPressMask | KeyPressMask | StructureNotifyMask; - CloneString(&class_hints->res_name,"backdrop"); + (void) CloneString(&class_hints->res_name,"backdrop"); manager_hints->flags=IconWindowHint | InputHint | StateHint; manager_hints->icon_window=windows->icon.id; manager_hints->input=MagickTrue; @@ -14539,9 +14547,9 @@ (windows->image.height/2); } if (resource_info->name == (char *) NULL) - CloneString(&class_hints->res_name,resource_info->client_name); + (void) CloneString(&class_hints->res_name,resource_info->client_name); else - CloneString(&class_hints->res_name,resource_info->name); + (void) CloneString(&class_hints->res_name,resource_info->name); manager_hints->flags=IconWindowHint | InputHint | StateHint; manager_hints->icon_window=windows->icon.id; manager_hints->input=MagickTrue; @@ -14584,7 +14592,7 @@ windows->info.attributes.win_gravity=UnmapGravity; windows->info.attributes.event_mask=ButtonPressMask | ExposureMask | StructureNotifyMask; - CloneString(&class_hints->res_name,"info"); + (void) CloneString(&class_hints->res_name,"info"); manager_hints->flags=InputHint | StateHint | WindowGroupHint; manager_hints->input=MagickFalse; manager_hints->initial_state=NormalState; @@ -14618,7 +14626,7 @@ windows->command.attributes.event_mask=ButtonMotionMask | ButtonPressMask | ButtonReleaseMask | EnterWindowMask | ExposureMask | LeaveWindowMask | OwnerGrabButtonMask | StructureNotifyMask; - CloneString(&class_hints->res_name,"command"); + (void) CloneString(&class_hints->res_name,"command"); manager_hints->flags=InputHint | StateHint | WindowGroupHint; manager_hints->input=MagickTrue; manager_hints->initial_state=NormalState; @@ -14651,7 +14659,7 @@ ButtonReleaseMask | EnterWindowMask | ExposureMask | KeyPressMask | KeyReleaseMask | LeaveWindowMask | OwnerGrabButtonMask | StructureNotifyMask; - CloneString(&class_hints->res_name,"widget"); + (void) CloneString(&class_hints->res_name,"widget"); manager_hints->flags=InputHint | StateHint | WindowGroupHint; manager_hints->input=MagickTrue; manager_hints->initial_state=NormalState; @@ -14676,7 +14684,7 @@ windows->popup.attributes.event_mask=ButtonMotionMask | ButtonPressMask | ButtonReleaseMask | EnterWindowMask | ExposureMask | KeyPressMask | KeyReleaseMask | LeaveWindowMask | StructureNotifyMask; - CloneString(&class_hints->res_name,"popup"); + (void) CloneString(&class_hints->res_name,"popup"); manager_hints->flags=InputHint | StateHint | WindowGroupHint; manager_hints->input=MagickTrue; manager_hints->initial_state=NormalState; @@ -14724,7 +14732,7 @@ windows->magnify.attributes.event_mask=ButtonPressMask | ButtonReleaseMask | ExposureMask | KeyPressMask | KeyReleaseMask | OwnerGrabButtonMask | StructureNotifyMask; - CloneString(&class_hints->res_name,"magnify"); + (void) CloneString(&class_hints->res_name,"magnify"); manager_hints->flags=InputHint | StateHint | WindowGroupHint; manager_hints->input=MagickTrue; manager_hints->initial_state=NormalState; @@ -14754,7 +14762,7 @@ windows->pan.attributes.event_mask=ButtonMotionMask | ButtonPressMask | ButtonReleaseMask | ExposureMask | KeyPressMask | KeyReleaseMask | StructureNotifyMask; - CloneString(&class_hints->res_name,"pan"); + (void) CloneString(&class_hints->res_name,"pan"); manager_hints->flags=InputHint | StateHint | WindowGroupHint; manager_hints->input=MagickFalse; manager_hints->initial_state=NormalState; @@ -14786,8 +14794,13 @@ windows->image.x=0; windows->image.y=0; windows->magnify.shape=MagickFalse; + width=(unsigned int) display_image->columns; + height=(unsigned int) display_image->rows; + if ((display_image->columns != width) || (display_image->rows != height)) + ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", + display_image->filename); status=XMakeImage(display,resource_info,&windows->image,display_image, - (unsigned int) display_image->columns,(unsigned int) display_image->rows); + width,height); if (status == MagickFalse) ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", display_image->filename); Index: magick/xwindow.c =================================================================== --- magick/xwindow.c (revision 512) +++ magick/xwindow.c (revision 513) @@ -5368,6 +5368,9 @@ const XResourceInfo *resource_info,XWindowInfo *window,Image *image, unsigned int width,unsigned int height) { +#define CheckOverflowException(length,width,height) \ + (((height) != 0) && ((length)/((size_t) height) != ((size_t) width))) + int depth, format; @@ -5507,9 +5510,11 @@ (char *) NULL,&segment_info[1],width,height); if (ximage == (XImage *) NULL) window->shared_memory=MagickFalse; + length=(size_t) ximage->bytes_per_line*ximage->height; + if (CheckOverflowException(length,ximage->bytes_per_line,ximage->height)) + window->shared_memory=MagickFalse; if (window->shared_memory != MagickFalse) - segment_info[1].shmid=shmget(IPC_PRIVATE,(unsigned int) - (ximage->bytes_per_line*ximage->height),IPC_CREAT | 0777); + segment_info[1].shmid=shmget(IPC_PRIVATE,length,IPC_CREAT | 0777); if (window->shared_memory != MagickFalse) segment_info[1].shmaddr=(char *) shmat(segment_info[1].shmid,0,0); if (segment_info[1].shmid < 0) @@ -5612,11 +5617,12 @@ } if (window->shared_memory == MagickFalse) { - if (ximage->format == XYBitmap) - length=(size_t) ximage->bytes_per_line*ximage->height*ximage->depth; + if (ximage->format != XYBitmap) + ximage->data=(char *) AcquireQuantumMemory((size_t) + ximage->bytes_per_line,(size_t) ximage->height); else - length=(size_t) ximage->bytes_per_line*ximage->height; - ximage->data=(char *) malloc(length); + ximage->data=(char *) AcquireQuantumMemory((size_t) + ximage->bytes_per_line*ximage->depth,(size_t) ximage->height); } if (ximage->data == (char *) NULL) { @@ -5694,9 +5700,9 @@ /* Allocate matte image pixel data. */ - length=(size_t) matte_image->bytes_per_line* - matte_image->height*matte_image->depth; - matte_image->data=(char *) malloc(length); + matte_image->data=(char *) AcquireQuantumMemory((size_t) + matte_image->bytes_per_line*matte_image->depth, + (size_t) matte_image->height); if (matte_image->data == (char *) NULL) { XDestroyImage(matte_image); Index: magick/animate.c =================================================================== --- magick/animate.c (revision 512) +++ magick/animate.c (revision 513) @@ -938,6 +938,10 @@ */ window_info.width=(unsigned int) image_list[0]->columns; window_info.height=(unsigned int) image_list[0]->rows; + if ((image_list[0]->columns != window_info.width) || + (image_list[0]->rows != window_info.height)) + ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", + image_list[0]->filename); (void) FormatMagickString(geometry,MaxTextExtent,"%ux%u+0+0>", window_attributes.width,window_attributes.height); geometry_info.width=window_info.width; @@ -1053,6 +1057,10 @@ window_info.matte_pixmaps[0]=window_info.pixmap; for (scene=1; scene < (int) number_scenes; scene++) { + unsigned int + columns, + rows; + /* Create X image. */ @@ -1064,18 +1072,22 @@ if (image_list[scene]->storage_class == PseudoClass) XGetPixelPacket(display,visual_info,map_info,&resources, image_list[scene],window_info.pixel_info); + columns=(unsigned int) image_list[scene]->columns; + rows=(unsigned int) image_list[scene]->rows; + if ((image_list[scene]->columns != columns) || + (image_list[scene]->rows != rows)) + ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", + image_list[scene]->filename); status=XMakeImage(display,&resources,&window_info,image_list[scene], - (unsigned int) image_list[scene]->columns, - (unsigned int) image_list[scene]->rows); + columns,rows); if (status == MagickFalse) ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", images->filename); if (display_image->debug != MagickFalse) { (void) LogMagickEvent(X11Event,GetMagickModule(), - "Image: [%lu] %s %lux%lu ",image_list[scene]->scene, - image_list[scene]->filename,image_list[scene]->columns, - image_list[scene]->rows); + "Image: [%lu] %s %ux%u ",image_list[scene]->scene, + image_list[scene]->filename,columns,rows); if (image_list[scene]->colors != 0) (void) LogMagickEvent(X11Event,GetMagickModule(),"%luc ", image_list[scene]->colors); @@ -1085,19 +1097,17 @@ /* Create the X pixmap. */ - window_info.pixmap=XCreatePixmap(display,window_info.id, - (unsigned int) width,(unsigned int) height,window_info.depth); + window_info.pixmap=XCreatePixmap(display,window_info.id,width,height, + window_info.depth); if (window_info.pixmap == (Pixmap) NULL) ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXPixmap", images->filename); /* Display pixmap on the window. */ - if (((unsigned int) width > window_info.width) || - ((unsigned int) height > window_info.height)) + if ((width > window_info.width) || (height > window_info.height)) (void) XFillRectangle(display,window_info.pixmap, - window_info.annotate_context,0,0,(unsigned int) width, - (unsigned int) height); + window_info.annotate_context,0,0,width,height); (void) XPutImage(display,window_info.pixmap,window_info.annotate_context, window_info.ximage,0,0,window_info.x,window_info.y,window_info.width, window_info.height); @@ -1536,8 +1546,8 @@ windows->context.id=(Window) NULL; XGetWindowInfo(display,visual_info,map_info,pixel,font_info, resource_info,&windows->context); - CloneString(&class_hints->res_name,"superclass"); - CloneString(&class_hints->res_class,"Display"); + (void) CloneString(&class_hints->res_name,"superclass"); + (void) CloneString(&class_hints->res_class,"Display"); manager_hints->flags=InputHint | StateHint; manager_hints->input=MagickFalse; manager_hints->initial_state=WithdrawnState; @@ -1589,7 +1599,7 @@ windows->icon.attributes.colormap= XDefaultColormap(display,icon_visual->screen); windows->icon.attributes.event_mask=ExposureMask | StructureNotifyMask; - CloneString(&class_hints->res_name,"icon"); + (void) CloneString(&class_hints->res_name,"icon"); manager_hints->flags=InputHint | StateHint; manager_hints->input=MagickFalse; manager_hints->initial_state=IconicState; @@ -1684,7 +1694,7 @@ ButtonReleaseMask; windows->backdrop.attributes.event_mask=ButtonPressMask | KeyPressMask | StructureNotifyMask; - CloneString(&class_hints->res_name,"backdrop"); + (void) CloneString(&class_hints->res_name,"backdrop"); manager_hints->flags=IconWindowHint | InputHint | StateHint; manager_hints->icon_window=windows->icon.id; manager_hints->input=MagickTrue; @@ -1712,9 +1722,9 @@ (windows->image.height/2); } if (resource_info->name == (char *) NULL) - CloneString(&class_hints->res_name,resource_info->client_name); + (void) CloneString(&class_hints->res_name,resource_info->client_name); else - CloneString(&class_hints->res_name,resource_info->name); + (void) CloneString(&class_hints->res_name,resource_info->name); manager_hints->flags=IconWindowHint | InputHint | StateHint; manager_hints->icon_window=windows->icon.id; manager_hints->input=MagickTrue; @@ -1755,9 +1765,9 @@ windows->info.y=2; windows->info.flags|=PPosition; windows->info.attributes.win_gravity=UnmapGravity; - windows->info.attributes.event_mask= - ButtonPressMask | ExposureMask | StructureNotifyMask; - CloneString(&class_hints->res_name,"info"); + windows->info.attributes.event_mask=ButtonPressMask | ExposureMask | + StructureNotifyMask; + (void) CloneString(&class_hints->res_name,"info"); manager_hints->flags=InputHint | StateHint | WindowGroupHint; manager_hints->input=MagickFalse; manager_hints->initial_state=NormalState; @@ -1791,7 +1801,7 @@ windows->command.attributes.event_mask=ButtonMotionMask | ButtonPressMask | ButtonReleaseMask | EnterWindowMask | ExposureMask | LeaveWindowMask | OwnerGrabButtonMask | StructureNotifyMask; - CloneString(&class_hints->res_name,"command"); + (void) CloneString(&class_hints->res_name,"command"); manager_hints->flags=InputHint | StateHint | WindowGroupHint; manager_hints->input=MagickTrue; manager_hints->initial_state=NormalState; @@ -1822,7 +1832,7 @@ ButtonReleaseMask | EnterWindowMask | ExposureMask | KeyPressMask | KeyReleaseMask | LeaveWindowMask | OwnerGrabButtonMask | StructureNotifyMask; - CloneString(&class_hints->res_name,"widget"); + (void) CloneString(&class_hints->res_name,"widget"); manager_hints->flags=InputHint | StateHint | WindowGroupHint; manager_hints->input=MagickTrue; manager_hints->initial_state=NormalState; @@ -1847,7 +1857,7 @@ windows->popup.attributes.event_mask=ButtonMotionMask | ButtonPressMask | ButtonReleaseMask | EnterWindowMask | ExposureMask | KeyPressMask | KeyReleaseMask | LeaveWindowMask | StructureNotifyMask; - CloneString(&class_hints->res_name,"popup"); + (void) CloneString(&class_hints->res_name,"popup"); manager_hints->flags=InputHint | StateHint | WindowGroupHint; manager_hints->input=MagickTrue; manager_hints->initial_state=NormalState; @@ -1903,6 +1913,10 @@ windows->image.matte_pixmaps[0]=windows->image.matte_pixmap; for (scene=1; scene < (long) number_scenes; scene++) { + unsigned int + columns, + rows; + /* Create X image. */ @@ -1915,18 +1929,22 @@ if (image_list[scene]->storage_class == PseudoClass) XGetPixelPacket(display,visual_info,map_info,resource_info, image_list[scene],windows->image.pixel_info); + columns=(unsigned int) image_list[scene]->columns; + rows=(unsigned int) image_list[scene]->rows; + if ((image_list[scene]->columns != columns) || + (image_list[scene]->rows != rows)) + ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", + image_list[scene]->filename); status=XMakeImage(display,resource_info,&windows->image,image_list[scene], - (unsigned int) image_list[scene]->columns, - (unsigned int) image_list[scene]->rows); + columns,rows); if (status == MagickFalse) ThrowXWindowFatalException(XServerFatalError,"UnableToCreateXImage", images->filename); if (image_list[scene]->debug != MagickFalse) { (void) LogMagickEvent(X11Event,GetMagickModule(), - "Image: [%lu] %s %lux%lu ",image_list[scene]->scene, - image_list[scene]->filename,image_list[scene]->columns, - image_list[scene]->rows); + "Image: [%lu] %s %ux%u ",image_list[scene]->scene, + image_list[scene]->filename,columns,rows); if (image_list[scene]->colors != 0) (void) LogMagickEvent(X11Event,GetMagickModule(),"%luc ", image_list[scene]->colors); Index: coders/xwd.c =================================================================== --- coders/xwd.c (revision 512) +++ coders/xwd.c (revision 513) @@ -146,7 +146,7 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception) { #define CheckOverflowException(length,width,height) \ - (((height) != 0) && ((length)/((size_t) height) != ((size_t) width))) + (((height) != 0) && ((length)/((size_t) height) != ((size_t) width))) char *comment; Index: ChangeLog =================================================================== --- ChangeLog (revision 512) +++ ChangeLog (revision 513) @@ -1,4 +1,8 @@ +2009-05-23 6.5.2-8 Cristy + * Check for XMakeImage() integer overflow vulnerability (Secunia Advisory + SA35216). + 2009-05-23 6.5.2-8 Cristy * Permit reading a specific frame of a multi-page TIFF with blobs. 2009-05-22 6.5.2-8 Anthony Thyssen