Gentoo's Bugzilla – Attachment 211753 Details for Bug 295425: =media-gfx/graphicsmagick-1.3.7 integer overflow in the XMakeImage function (CVE-2009-1882)
[patch] [1/2] vulnerability fix
cve-2009-1882-part1.patch (text/plain), 3.61 KB, created by Arseny Solokha on 2009-12-02 11:50:11 UTC
>Description from GraphicsMagick changelog for revision 1.231: >[trimmed] >2009-10-09 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> > > * magick/xwindow.c (MagickXMakeImage): Fix for CVE-2009-1882 > "Integer overflow in the XMakeImage function". The problem is > that the shared memory segment allocated may be smaller than the > image size requires due to integer overflow. On some systems it > may be possible to crash GraphicsMagick (while displaying an image > file) but not likely to overwrite the heap since shared memory > segments are outside of the heap allocation. >[/trimmed] > >--- GraphicsMagick/magick/xwindow.c 2009/09/16 02:13:01 1.230 >+++ GraphicsMagick/magick/xwindow.c 2009/10/09 18:20:22 1.231 >@@ -5350,8 +5350,8 @@ MagickExport Cursor MagickXMakeCursor(Di > % The format of the MagickXMakeImage method is: > % > % unsigned int MagickXMakeImage(Display *display, >-% const MagickXResourceInfo *resource_info,MagickXWindowInfo *window,Image *image, >-% unsigned int width,unsigned int height) >+% const MagickXResourceInfo *resource_info,MagickXWindowInfo *window, >+% Image *image,unsigned int width,unsigned int height) > % > % A description of each parameter follows: > % >@@ -5376,9 +5376,12 @@ MagickExport Cursor MagickXMakeCursor(Di > % > % > */ >-MagickExport unsigned int MagickXMakeImage(Display *display, >- const MagickXResourceInfo *resource_info,MagickXWindowInfo *window,Image *image, >- unsigned int width,unsigned int height) >+MagickExport unsigned int >+MagickXMakeImage(Display *display, >+ const MagickXResourceInfo *resource_info, >+ MagickXWindowInfo *window, >+ Image *image, >+ unsigned int width,unsigned int height) > { > int > depth, >@@ -5496,7 +5499,9 @@ MagickExport unsigned int MagickXMakeIma > } > #endif > width=(unsigned int) window->image->columns; >+ assert(width == window->image->columns); > height=(unsigned int) window->image->rows; >+ assert(height == window->image->rows); > } > /* > Create X image. 
>@@ -5504,27 +5509,32 @@ MagickExport unsigned int MagickXMakeIma > ximage=(XImage *) NULL; > format=(depth == 1) ? XYBitmap : ZPixmap; > #if defined(HasSharedMemory) >- window->shared_memory&=XShmQueryExtension(display); >+ window->shared_memory &= XShmQueryExtension(display); > if (window->shared_memory) > { > XShmSegmentInfo > *segment_info; > >+ size_t >+ shm_extent; >+ > segment_info=(XShmSegmentInfo *) window->segment_info; > segment_info[1].shmid=(-1); > segment_info[1].shmaddr=NULL; > ximage=XShmCreateImage(display,window->visual,depth,format,(char *) NULL, >- &segment_info[1],width,height); >- window->shared_memory&=(ximage != (XImage *) NULL); >+ &segment_info[1],width,height); >+ window->shared_memory &= (ximage != (XImage *) NULL); >+ >+ shm_extent=MagickArraySize(ximage->height,ximage->bytes_per_line); >+ window->shared_memory &= (shm_extent != 0); > > if (window->shared_memory) >- segment_info[1].shmid=shmget(IPC_PRIVATE,(size_t) >- (ximage->bytes_per_line*ximage->height),IPC_CREAT | 0777); >- window->shared_memory&=(segment_info[1].shmid >= 0); >+ segment_info[1].shmid=shmget(IPC_PRIVATE,shm_extent,IPC_CREAT | 0777); >+ window->shared_memory &= (segment_info[1].shmid >= 0); > > if (window->shared_memory) > segment_info[1].shmaddr=(char *) MagickShmAt(segment_info[1].shmid,0,0); >- window->shared_memory&=(segment_info[1].shmaddr != NULL); >+ window->shared_memory &= (segment_info[1].shmaddr != NULL); > > if (!window->shared_memory) > {
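Review bot: in the @@ -5496,7 +5499,9 @@ hunk, the two assert() calls placed after the width and height casts only detect truncation of window->image->columns and window->image->rows in builds where assertions are enabled. With NDEBUG defined they compile out and a truncated value continues into the image creation below; with assertions on, a mismatch aborts the whole process. Suggest an explicit runtime comparison that makes the function fail cleanly, with the asserts kept only as a debugging aid.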
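Review bot: in the HasSharedMemory hunk, the added line "shm_extent=MagickArraySize(ximage->height,ximage->bytes_per_line);" dereferences ximage unconditionally, directly after the line that clears window->shared_memory when XShmCreateImage returned NULL, so a failed XShmCreateImage now leads to a NULL pointer dereference. Suggest guarding the computation with "if (window->shared_memory)", the same way the shmget and MagickShmAt calls are guarded. Separately, the shmget call keeps the mode "IPC_CREAT | 0777", which leaves the segment readable and writable by every local user; it is worth checking whether a narrower mode would do.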
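The size calculation that the changelog entry above describes, as an added C example (not GraphicsMagick's code and not part of the attachment): it compares a product formed before widening to size_t with a checked multiply whose zero result means failure. The function names `unchecked_extent`, `checked_extent` and `segment_is_undersized` are hypothetical, the dimensions are constructed, and a 32-bit int is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-fix pattern: multiply first, widen to size_t afterwards. Modelled with
   uint32_t (assumes 32-bit int) so the wrap is defined rather than UB. */
static size_t unchecked_extent(int bytes_per_line, int height)
{
    uint32_t product = (uint32_t) bytes_per_line * (uint32_t) height;
    return (size_t) product;
}

/* Hypothetical checked multiply: 0 means "invalid or does not fit in size_t",
   mirroring how the patch treats a zero extent as failure. */
static size_t checked_extent(int height, int bytes_per_line)
{
    if (height <= 0 || bytes_per_line <= 0)
        return 0;
    if ((size_t) height > SIZE_MAX / (size_t) bytes_per_line)
        return 0;
    return (size_t) height * (size_t) bytes_per_line;
}

/* 1 if the unchecked size is smaller than the bytes the image really needs. */
static int segment_is_undersized(int bytes_per_line, int height)
{
    uint64_t needed;
    if (bytes_per_line <= 0 || height <= 0)
        return 0;
    needed = (uint64_t) bytes_per_line * (uint64_t) height;
    return (uint64_t) unchecked_extent(bytes_per_line, height) < needed;
}

int main(void)
{
    /* Constructed dimensions: 65537 pixels * 4 bytes per line, 16385 rows. */
    int bpl = 262148, rows = 16385;
    printf("needed    : %llu\n",
           (unsigned long long) bpl * (unsigned long long) rows);
    printf("unchecked : %zu\n", unchecked_extent(bpl, rows));
    printf("checked   : %zu\n", checked_extent(rows, bpl));
    printf("undersized: %d\n", segment_is_undersized(bpl, rows));
    return 0;
}
```

On a platform with a 32-bit size_t the checked multiply returns 0 for these dimensions, so the caller falls back instead of requesting a segment that is too small.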
Attachments on bug 295425: 211753 | 211754 | 211755