From 21ed68245a7687a87e5c9823c7905ef1db157fdc Mon Sep 17 00:00:00 2001 |
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com> |
Date: Tue, 10 Apr 2012 16:59:48 +0200 |
Subject: [PATCH] Fix security holes JPEG/EXIF/TIFF |
|
An out-of-bounds heap-based buffer read flaw was found in the way ImageMagick |
retrieved Exchangeable image file format (Exif) header tag information |
from certain JPEG files. |
|
A remote attacker could provide a JPEG image file, with EXIF header |
containing specially-crafted tag values, which once opened in some ImageMagick |
tool would lead to the crash of that tool (denial of service). |
|
Fix: |
* [CVE-2012-0259] JPEG EXIF tag crash. |
* [CVE-2012-0260] Excessive memory use with JPEG restart markers. |
* [CVE-2012-1798] Copying of invalid memory when reading TIFF EXIF IFD. |
|
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0259 |
Applied-Upstream: 6.7.6-3 |
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667635 |
--- |
coders/jpeg.c | 8 +++++++- |
coders/tiff.c | 2 +- |
magick/property.c | 4 ++++ |
3 files changed, 12 insertions(+), 2 deletions(-) |
|
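diff --git a/coders/jpeg.c b/coders/jpeg.c
index 75d2e71..2fdc763 100644
--- a/coders/jpeg.c
+++ b/coders/jpeg.c
@@ -149,6 +149,9 @@ typedef struct _SourceManager
 static MagickBooleanType
 WriteJPEGImage(const ImageInfo *,Image *);
 #endif
+static void
+ JPEGErrorHandler(j_common_ptr);
+
 
 /*
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -274,6 +277,8 @@ static MagickBooleanType IsITUFaxImage(const Image *image)
 
 static void JPEGErrorHandler(j_common_ptr jpeg_info)
 {
+ #define JPEGExcessiveWarnings 1000
+
 char
 message[JMSG_LENGTH_MAX];
 
@@ -318,12 +323,13 @@ static MagickBooleanType JPEGWarningHandler(j_common_ptr jpeg_info,int level)
 /*
 Process warning message.
 */
+ if (jpeg_info->err->num_warnings++ > JPEGExcessiveWarnings)
+ JPEGErrorHandler(jpeg_info);
 (jpeg_info->err->format_message)(jpeg_info,message);
 if ((jpeg_info->err->num_warnings == 0) ||
 (jpeg_info->err->trace_level >= 3))
 ThrowBinaryException(CorruptImageWarning,(char *) message,
 image->filename);
- jpeg_info->err->num_warnings++;
 }
 else
 if ((image->debug != MagickFalse) &&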
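Review bot: The `num_warnings == 0` test that follows the format_message call in the JPEGWarningHandler hunk can no longer be true, because the new guard increments num_warnings before that test is evaluated; the first warning of a decode, which previously raised CorruptImageWarning, now only surfaces when trace_level >= 3. If that behaviour is meant to survive, test `if ((jpeg_info->err->num_warnings == 1) ||` instead, or keep the excessive-warnings guard but move the increment back below the test. The `#define JPEGExcessiveWarnings 1000` placed inside the body of JPEGErrorHandler is file-scope regardless of where it appears; defining it beside the file's other constants with a comment such as `/* stop decoding after this many libjpeg warnings (CVE-2012-0260) */` makes the limit easier to find. Whether JPEGErrorHandler returns to its caller when invoked from the warning path is not visible here; if it does, execution continues past the guard into the warning-report code. JPEGWarningHandler begins before the hunk and the enclosing if/else continues after it.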
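diff --git a/coders/tiff.c b/coders/tiff.c
index 7dc8df4..c750f84 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -644,7 +644,7 @@ static void TIFFGetEXIFProperties(TIFF *tiff,Image *image)
 ascii=(char *) NULL;
 if ((TIFFGetField(tiff,exif_info[i].tag,&ascii,&sans,&sans) != 0) &&
 (ascii != (char *) NULL) && (*ascii != '\0'))
- (void) CopyMagickMemory(value,ascii,MaxTextExtent);
+ (void) CopyMagickString(value,ascii,MaxTextExtent);
 break;
 }
 case TIFF_SHORT: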
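Review bot: The switch from CopyMagickMemory to CopyMagickString is correct provided that `ascii`, which TIFFGetField fills in, is NUL-terminated, and nothing on the line says why a fixed MaxTextExtent-byte copy was wrong; a comment such as `/* ascii may be shorter than MaxTextExtent; copy up to its NUL, not a fixed length (CVE-2012-1798) */` would keep the next reader from reverting it. CopyMagickString's return value is discarded with `(void)`, so an ASCII tag longer than MaxTextExtent is silently truncated; that is reasonable for a property value but worth stating in the same comment. The declaration of `value` is outside the hunk and is presumed to be MaxTextExtent bytes. TIFFGetEXIFProperties starts and ends outside the hunk.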
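diff --git a/magick/property.c b/magick/property.c
index cef4891..78debb0 100644
--- a/magick/property.c
+++ b/magick/property.c
@@ -1284,6 +1284,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
 break;
 components=(ssize_t) ((int) ReadPropertyLong(endian,q+4));
 number_bytes=(size_t) components*tag_bytes[format];
+ if (number_bytes < components)
+ break; /* prevent overflow */
 if (number_bytes <= 4)
 p=q+8;
 else
@@ -1307,6 +1309,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
 buffer[MaxTextExtent],
 *value;
 
+ value=(char *) NULL;
+ *buffer='\0';
 switch (format)
 {
 case EXIF_FMT_BYTE: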
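Review bot: The guard `if (number_bytes < components)` in the first hunk compares a size_t with an ssize_t, so `components` is converted to unsigned and a negative value, which the `(int)` cast of ReadPropertyLong can produce, becomes a huge count instead of being rejected; and a product that wraps past SIZE_MAX is not guaranteed to come out smaller than its multiplicand, so on a 32-bit size_t the test can miss a wrap (for example, 0x50000000 components of 8 bytes wraps to 0x80000000, which is not below the component count). A sign check plus a division-based bound covers both: `if ((components < 0) || ((size_t) components > SIZE_MAX/tag_bytes[format])) break;` with SIZE_MAX from <stdint.h>; this assumes tag_bytes[format] is non-zero for every format that reaches this line, which the `break` earlier in the hunk presumably enforces for invalid formats but which is outside the hunk. The `/* prevent overflow */` comment should then say what is being prevented, e.g. `/* reject negative or wrapping components*tag_bytes (CVE-2012-0259) */`. The initialisation of `value` and `*buffer` in the second hunk raises no point. GetEXIFProperty starts and ends outside both hunks.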
-- |
1.7.10 |
|