Source: imagemagick Version: 8:6.6.0.4-3 Tags: security patch Severity: important Control: fixed -1 8:6.6.0.4-3+squeeze7
This bug is about two security issues in image parsing code that had been reported to Ubuntu (and are tracked in the Debian security tracker): The one in coders/icon.c: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747 The one in coders/pict.c: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803 The attached patches fix both of those issues in squeeze. I guess they will be easy to forward-port to other versions. Both of those issues apply to all versions currently in Debian. Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS: http://www.freexian.com/services/debian-lts.html Learn to master Debian: http://debian-handbook.info/get/
Description: Fix buffer overflow in icon parsing code This patch backports a small extract of a larger upstream commit that addresses this specific issue. Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747 Origin: backport, https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734 Applied-Upstream: 7.0.0 Last-Update: 2015-11-26 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/coders/icon.c +++ b/coders/icon.c @@ -275,6 +275,8 @@ static Image *ReadICONImage(const ImageI Icon image encoded as a compressed PNG image. */ length=icon_file.directory[i].size; + if (~length < 12) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); png=(unsigned char *) AcquireQuantumMemory(length+12,sizeof(*png)); if (png == (unsigned char *) NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
Description: Fix overflow in pict image parsing Backport a small part of an upstream commit fixing an issue with pict image parsing. Origin: backport, https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803 Applied-Upstream: 7.0.0 Last-Update: 2015-11-27 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/coders/pict.c +++ b/coders/pict.c @@ -1589,6 +1589,7 @@ static MagickBooleanType WritePICTImage( x; size_t + row_bytes, count; unsigned char @@ -1602,7 +1603,6 @@ static MagickBooleanType WritePICTImage( unsigned short base_address, - row_bytes, transfer_mode; /* @@ -1633,7 +1633,7 @@ static MagickBooleanType WritePICTImage( source_rectangle=size_rectangle; destination_rectangle=size_rectangle; base_address=0xff; - row_bytes=(unsigned short) (image->columns | 0x8000); + row_bytes=image->columns; bounds.top=0; bounds.left=0; bounds.bottom=(short) image->rows; @@ -1663,7 +1663,7 @@ static MagickBooleanType WritePICTImage( pixmap.bits_per_pixel=32; pixmap.pack_type=0x04; transfer_mode=0x40; - row_bytes=(unsigned short) ((4*image->columns) | 0x8000); + row_bytes=4*image->columns; } /* Allocate memory.
