guix/gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch
Efraim Flashner 224bb4b6f9
gnu: graphicsmagick: Fix CVE-2017-14165.
* gnu/packages/imagemagick.scm (graphicsmagick)[source]: Add patch.
* gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
2017-09-10 21:45:45 +03:00

72 lines
2.3 KiB
Diff

http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/493da54370aa
http://openwall.com/lists/oss-security/2017/09/06/4
some changes were made to make the patch apply
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1503257388 18000
# Node ID 493da54370aa42cb430c52a69eb75db0001a5589
# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f
SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions.
diff -r f87246749079 -r 493da54370aa coders/sun.c
--- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200
+++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500
@@ -498,6 +498,12 @@
if (sun_info.depth < 8)
image->depth=sun_info.depth;
+ if (image_info->ping)
+ {
+ CloseBlob(image);
+ return(image);
+ }
+
/*
Compute bytes per line and bytes per image for an unencoded
image.
@@ -522,15 +528,37 @@
if (bytes_per_image > sun_info.length)
ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
- if (image_info->ping)
- {
- CloseBlob(image);
- return(image);
- }
if (sun_info.type == RT_ENCODED)
sun_data_length=(size_t) sun_info.length;
else
sun_data_length=bytes_per_image;
+
+ /*
+ Verify that data length claimed by header is supported by file size
+ */
+ if (sun_info.type == RT_ENCODED)
+ {
+ if (sun_data_length < bytes_per_image/255U)
+ {
+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+ }
+ }
+ if (BlobIsSeekable(image))
+ {
+ const magick_off_t file_size = GetBlobSize(image);
+ const magick_off_t current_offset = TellBlob(image);
+ if ((file_size > 0) &&
+ (current_offset > 0) &&
+ (file_size > current_offset))
+ {
+ const magick_off_t remaining = file_size-current_offset;
+ if (remaining < (magick_off_t) sun_data_length)
+ {
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ }
+ }
+ }
+
sun_data=MagickAllocateMemory(unsigned char *,sun_data_length);
if (sun_data == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);