Gentoo's Bugzilla – Attachment 94935 Details for
Bug 144854
media-gfx/imagemagick: heap and stack buffer overflow (CVE-2006-374{3|4})
[patch]
patch
imagemagick-6.2.8-goo-sec.diff (text/plain), 4.37 KB, created by
Tavis Ormandy (RETIRED)
on 2006-08-23 06:45:50 UTC
Description:
patch
Filename:
MIME Type:
Creator:
Tavis Ormandy (RETIRED)
Created:
2006-08-23 06:45:50 UTC
Size:
4.37 KB
>--- ImageMagick-6.2.8/coders/sun.c 2006-01-25 19:31:38.000000000 +0000
>+++ ImageMagick-6.2.8/coders/sun.c 2006-07-20 15:06:47.590663000 +0100
>@@ -134,10 +134,10 @@
> %
> */
> static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
>- const size_t length,unsigned char *pixels)
>+ const size_t length,unsigned char *pixels,size_t maxpixels)
> {
> register const unsigned char
>- *p;
>+ *p, *l;
>
> register unsigned char
> *q;
>@@ -153,7 +153,8 @@
> assert(pixels != (unsigned char *) NULL);
> p=compressed_pixels;
> q=pixels;
>- while ((size_t) (p-compressed_pixels) < length)
>+ l=q+maxpixels;
>+ while ((size_t) (p-compressed_pixels) < length && q < l)
> {
> byte=(*p++);
> if (byte != 128U)
>@@ -166,7 +167,7 @@
> count=(ssize_t) (*p++);
> if (count > 0)
> byte=(*p++);
>- while (count >= 0)
>+ while (count >= 0 && q < l)
> {
> *q++=byte;
> count--;
>@@ -378,6 +379,8 @@
> CloseBlob(image);
> return(GetFirstImageInList(image));
> }
>+ if ((sun_info.length * sizeof(*sun_data)) / sizeof(*sun_data) != sun_info.length || !sun_info.length)
>+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
> sun_data=(unsigned char *)
> AcquireMagickMemory((size_t) sun_info.length*sizeof(*sun_data));
> if (sun_data == (unsigned char *) NULL)
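Review bot: The new `maxpixels` parameter and the `l` pointer in the @@ -134 hunk are undocumented, and no hunk in this patch touches the comment block that ends just above the signature. Judging by the call site later in the patch (`bytes_per_line * height`), `maxpixels` is a byte capacity of `pixels` rather than a pixel count, so the header comment should say so, for example `o maxpixels: capacity of the pixels buffer, in bytes.` A name such as `end` instead of `l` would also make the `q < l` bound easier to read and harder to confuse with the digit 1. The body of DecodeImage continues outside this hunk.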
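Review bot: The added `q < l` tests bound the writes, but the reads through `p` are still checked only once per outer iteration in the @@ -153 hunk. After `byte=(*p++)` sees 128, the @@ -166 hunk reads `count=(ssize_t) (*p++)` and possibly `byte=(*p++)` without comparing the offset against `length`. Input whose final byte, or final two bytes, begin a run therefore reads one or two bytes past the end of `compressed_pixels`. Each extra read should be preceded by the same offset test the loop header uses, as sketched below. The lines between the two hunks and the end of the function are outside the diff, so the sketch covers only the run branch.

```c
/* … unchanged: literal-byte branch … */
if ((size_t) (p-compressed_pixels) >= length)
  break;  /* escape byte was the last input byte */
count=(ssize_t) (*p++);
if (count > 0)
  {
    if ((size_t) (p-compressed_pixels) >= length)
      break;  /* run value is missing from the input */
    byte=(*p++);
  }
/* … unchanged: bounded run-expansion loop … */
```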
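Review bot: The multiplication test added in the @@ -378 hunk cannot fail, because `sun_data` is an `unsigned char *` (see the cast on the following line) and `sizeof(*sun_data)` is 1; only the `!sun_info.length` half rejects anything. Any non-zero length taken from the header therefore still reaches `AcquireMagickMemory`, so the check that matters is an upper bound, for example against the amount of data actually left in the blob. Reporting a malformed header as `ResourceLimitError` / `MemoryAllocationFailed` also names the wrong cause; a corrupt-image error would make triage of rejected files easier.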
>@@ -395,11 +398,28 @@
> Read run-length encoded raster pixels.
> */
> height=sun_info.height;
>- bytes_per_line=2*(sun_info.width*sun_info.depth+15)/16;
>+
>+ /* calculate bytes per line, verifying no overflow occurs */
>+ bytes_per_line=sun_info.width*sun_info.depth;
>+ if (!height || !sun_info.width || !sun_info.depth || bytes_per_line / sun_info.depth != sun_info.width)
>+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
>+
>+ if ((ULONG_MAX - bytes_per_line) < 15)
>+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
>+
>+ bytes_per_line += 15;
>+ bytes_per_line <<= 1;
>+ if (bytes_per_line >> 1 != sun_info.width * sun_info.depth + 15)
>+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
>+
>+ bytes_per_line >>= 4;
>+ if ((bytes_per_line * height) / height != bytes_per_line)
>+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
>+
> sun_pixels=(unsigned char *) AcquireMagickMemory(bytes_per_line*height);
> if (sun_pixels == (unsigned char *) NULL)
> ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
>- (void) DecodeImage(sun_data,sun_info.length,sun_pixels);
>+ (void) DecodeImage(sun_data,sun_info.length,sun_pixels, bytes_per_line * height);
> sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
> }
> /*
>--- ImageMagick-6.2.8/coders/xcf.c 2006-06-20 21:53:04.000000000 +0100
>+++ ImageMagick-6.2.8/coders/xcf.c 2006-07-20 13:43:58.782219000 +0100
>@@ -269,7 +269,7 @@
> %
> %
> */
>-static char *ReadBlobStringWithLongSize(Image *image,char *string)
>+static char *ReadBlobStringWithLongSize(Image *image,char *string,size_t max)
> {
> int
> c;
>@@ -285,7 +285,7 @@
> if (image->debug != MagickFalse)
> (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);
> length = ReadBlobMSBLong(image);
>- for (i=0; i < (long) length; i++)
>+ for (i=0; i < (long) Min(length, max); i++)
> {
> c=ReadBlobByte(image);
> if (c == EOF)
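Review bot: Every new `ThrowReaderException` exit in the @@ -395 hunk of sun.c runs while `sun_data` is still allocated; it is relinquished only on the hunk's last code line, after `DecodeImage` returns. Unless the macro frees it (its definition is not visible here), each rejected header leaks a buffer of `sun_info.length` bytes, and that size comes from the file. Either release it before each throw with `sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);` or do the size arithmetic before `sun_data` is allocated. The return value of `DecodeImage` is also still discarded, so a stream that ends early leaves the tail of `sun_pixels` unwritten; whether `AcquireMagickMemory` zeroes that memory is not shown.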
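Review bot: Clamping the loop in the @@ -285 hunk of xcf.c to `Min(length, max)` lets `i` reach `max`, so if the function NUL-terminates with `string[i]` after the loop (that line is outside the hunk), a caller passing the full buffer size still gets a one-byte write past the end. The `sizeof(unit_string)` call in the @@ -1102 hunk is such a caller. The bound should leave room for the terminator, `for (i=0; i < (long) Min(length, max-1); i++)`, with `max == 0` rejected before the loop. When `length` exceeds the bound, the remaining `length-i` bytes also stay unread in the blob, so the parser resumes in the middle of the string; they should be skipped before returning. A comment at the signature in the @@ -269 hunk stating whether `max` includes the terminator would keep future callers consistent.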
>@@ -694,7 +694,7 @@
> outLayer->width = ReadBlobMSBLong(image);
> outLayer->height = ReadBlobMSBLong(image);
> outLayer->type = ReadBlobMSBLong(image);
>- (void) ReadBlobStringWithLongSize(image, outLayer->name);
>+ (void) ReadBlobStringWithLongSize(image, outLayer->name, 1024);
>
> /* allocate the image for this layer */
> outLayer->image=CloneImage(image,outLayer->width, outLayer->height,MagickTrue,
>@@ -702,7 +702,6 @@
> if (outLayer->image == (Image *) NULL)
> return MagickFalse;
>
>-
> /* read the layer properties! */
> foundPropEnd = 0;
> while ( foundPropEnd == MagickFalse ) {
>@@ -1102,7 +1101,7 @@
> /*float factor = (float) */ (void) ReadBlobMSBLong(image);
> /* unsigned long digits = */ (void) ReadBlobMSBLong(image);
> for (i=0; i<5; i++)
>- (void) ReadBlobStringWithLongSize(image, unit_string);
>+ (void) ReadBlobStringWithLongSize(image, unit_string, sizeof(unit_string));
> }
> break;
>
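Review bot: The literal `1024` passed for `outLayer->name` in the @@ -694 hunk is not tied to the field's declared size, which is not visible in the diff. If the member is an array, `sizeof(outLayer->name)` keeps the bound correct when the struct changes, matching the `unit_string` call in the @@ -1102 hunk. That `sizeof` is a buffer size only if `unit_string` is an array rather than a pointer at that point, which should be confirmed since its declaration is also outside the diff. `outLayer->width` and `outLayer->height` on the lines above are likewise read straight from the file and passed to `CloneImage` with no range check in the visible lines.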
Attachments on
bug 144854
:
94933
|
94934
| 94935