package/graphicsmagick: fix CVE-2020-12672
GraphicsMagick through 1.3.35 has a heap-based buffer overflow in ReadMNGImage in coders/png.c. Signed-off-by: Fabrice Fontaine <[email protected]> Signed-off-by: Yann E. MORIN <[email protected]>
1 parent
fb3b232
commit d0de564
Showing
2 changed files
with
81 additions
and
0 deletions.
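--- a/package/graphicsmagick/0001-MNG-Fix-small-heap-overwrite-or-assertion.patch
+++ b/package/graphicsmagick/0001-MNG-Fix-small-heap-overwrite-or-assertion.patch
@@ -0,0 +1,78 @@
+# HG changeset patch
+# User Bob Friesenhahn <[email protected]>
+# Date 1590851896 18000
+# Sat May 30 10:18:16 2020 -0500
+# Node ID 50395430a37188d0d197e71bd85ed6dd0f649ee3
+# Parent 4917a4242fc0a12f2f6baa10f1c5a9b3e68c20dd
+MNG: Fix small heap overwrite or assertion if magnifying and image to be magnified has rows or columns == 1.
+
+[Retrieved (and updated to remove ChangeLog and version changes) from:
+https://sourceforge.net/p/graphicsmagick/code/ci/50395430a37188d0d197e71bd85ed6dd0f649ee3]
+Signed-off-by: Fabrice Fontaine <[email protected]>
+
+diff -r 4917a4242fc0 -r 50395430a371 coders/png.c
+--- a/coders/png.c Fri May 01 13:49:13 2020 -0500
++++ b/coders/png.c Sat May 30 10:18:16 2020 -0500
+@@ -5304,7 +5304,7 @@
+if (logging)
+(void) LogMagickEvent(CoderEvent,GetMagickModule(),
+"MAGN chunk (%lu bytes): "
+- "First_magnified_object_id=%u, Last_magnified_object_id=%u, "
++ "First_magnified_object_id=%u, Las t_magnified_object_id=%u, "
+"MB=%u, ML=%u, MR=%u, MT=%u, MX=%u, MY=%u, "
+"X_method=%u, Y_method=%u",
+length,
+@@ -5679,6 +5679,8 @@
+/*
+If magnifying and a supported method is requested then
+magnify the image.
++
++ http://www.libpng.org/pub/mng/spec/mng-1.0-20010209-pdg.html#mng-MAGN
+*/
+if (((mng_info->magn_methx > 0) && (mng_info->magn_methx <= 5)) &&
+((mng_info->magn_methy > 0) && (mng_info->magn_methy <= 5)))
+@@ -5689,7 +5691,28 @@
+
+if (logging)
+(void) LogMagickEvent(CoderEvent,GetMagickModule(),
+- " Processing MNG MAGN chunk");
++ " Processing MNG MAGN chunk: MB=%u, ML=%u,"
++ " MR=%u, MT=%u, MX=%u, MY=%u,"
++ " X_method=%u, Y_method=%u",
++ mng_info->magn_mb,mng_info->magn_ml,
++ mng_info->magn_mr,mng_info->magn_mt,
++ mng_info->magn_mx,mng_info->magn_my,
++ mng_info->magn_methx,
++ mng_info->magn_methy);
++
++ /*
++ If the image width is 1, then X magnification is done
++ by simple pixel replication.
++ */
++ if (image->columns == 1)
++ mng_info->magn_methx = 1;
++
++ /*
++ If the image height is 1, then Y magnification is done
++ by simple pixel replication.
++ */
++ if (image->rows == 1)
++ mng_info->magn_methy = 1;
+
+if (mng_info->magn_methx == 1)
+{
+@@ -5734,12 +5757,10 @@
+Image
+*large_image;
+
+- int
+- yy;
+-
+long
+m,
+- y;
++ y,
++ yy;
+
+register long
+x;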
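Review bot: The first inner hunk (`@@ -5304,7 +5304,7 @@`) rewrites the log format string from `Last_magnified_object_id` to `Las t_magnified_object_id`, which has nothing to do with the overflow fix and looks like a stray or non-printing character carried over from the upstream changeset. Since this patch is vendored to close CVE-2020-12672 and its header already says ChangeLog and version changes were stripped, that hunk should be dropped too, leaving the line as `"First_magnified_object_id=%u, Last_magnified_object_id=%u, "`. Separately, the guard in the `@@ -5689,7 +5691,28 @@` hunk stores the fallback in `mng_info->magn_methx` / `mng_info->magn_methy` rather than in a local. If `mng_info` outlives the current frame (not visible here), a one-pixel-wide or one-pixel-high frame would change the magnification method for later frames, so a comment such as `/* NOTE: this overrides the MAGN method stored in mng_info */` would make the intent explicit. The enclosing function starts and ends outside all four hunks, so the magnification loops that the forced method 1 is meant to protect cannot be checked from this page.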