current/SOURCES/GraphicsMagick-1.3.20-CVE-2016-2317.patch

# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1461539977 18000
#      Sun Apr 24 18:19:37 2016 -0500
# Node ID 98394eb235a6dc5d6b4d445023ae1c70189a7667
# Parent  45ee571d38f5e131207fd62eaa8a1bb85886b019
Fix segmentation violation when reading aaphrbkwwe.svg.-1114777018469422437 from CVE-2016-2317 test cases.

diff -r 45ee571d38f5 -r 98394eb235a6 magick/render.c
--- a/magick/render.c   Sat Apr 23 15:15:02 2016 -0500
+++ b/magick/render.c   Sun Apr 24 18:19:37 2016 -0500
@@ -1738,6 +1738,8 @@
     return(MagickFail);
   primitive_extent=strlen(primitive);
   (void) SetImageAttribute(image,"[MVG]",primitive);
+  if (getenv("MAGICK_SKIP_RENDERING") != NULL)
+    return MagickPass;
   n=0;
   /*
     Allocate primitive info memory.
@@ -2751,12 +2753,24 @@
       }
       case RoundRectanglePrimitive:
       {
-        length*=8*BezierQuantum+5;
+        /*
+          Round rectangle is rectangle plus elipse
+        */
+        double
+          alpha,
+          beta,
+          radius;
+
+        alpha=bounds.x2-bounds.x1;
+        beta=bounds.y2-bounds.y1;
+        radius=hypot((double) alpha,(double) beta);
+        length*=5;
+        length+=2*((size_t) ceil((double) MagickPI*radius))+6*BezierQuantum+360;
         break;
       }
       case BezierPrimitive:
       {
-        if (primitive_info[j].coordinates > 109)
+        if (primitive_info[j].coordinates > 107)
           (void) ThrowException(&image->exception,DrawError,
                                 TooManyCoordinates,token);
         length=primitive_info[j].coordinates*BezierQuantum;
@@ -2806,7 +2820,6 @@
       default:
         break;
     }
-
     if ((size_t) (i+length) >= number_points)
       {
         number_points+=length+1;
@@ -2850,25 +2863,74 @@
       }
       case RectanglePrimitive:
       {
+        /*
+          Rectangle requires 2 primitives.
+        */
         if (primitive_info[j].coordinates != 2)
           {
             status=MagickFail;
             break;
           }
-        TraceRectangle(primitive_info+j,primitive_info[j].point,
+        /*
+          Negative width is an error
+        */
+        if ((primitive_info[j+1].point.x - primitive_info[j].point.x) < 0.0)
+          {
+            status=MagickFail;
+            break;
+          }
+        /*
+          Negative height is an error
+        */
+        if ((primitive_info[j+1].point.y - primitive_info[j].point.y) < 0.0)
+          {
+            status=MagickFail;
+            break;
+          }
+        TraceRectangle(/*start*/primitive_info+j,
+                       /*end*/primitive_info[j].point,
           primitive_info[j+1].point);
         i=(long) (j+primitive_info[j].coordinates);
         break;
       }
       case RoundRectanglePrimitive:
       {
+        /*
+          Round rectangle requires 3 primitives.
+        */
         if (primitive_info[j].coordinates != 3)
           {
             status=MagickFail;
             break;
           }
-        TraceRoundRectangle(primitive_info+j,primitive_info[j].point,
-          primitive_info[j+1].point,primitive_info[j+2].point);
+        /*
+          Negative radius values are an error.
+        */
+        if ((primitive_info[j+2].point.x < 0.0) || (primitive_info[j+2].point.y < 0.0))
+          {
+            status=MagickFail;
+            break;
+          }
+        /*
+          Negative width is an error
+        */
+        if ((primitive_info[j+1].point.x - primitive_info[j].point.x) < 0.0)
+          {
+            status=MagickFail;
+            break;
+          }
+        /*
+          Negative height is an error
+        */
+        if ((primitive_info[j+1].point.y - primitive_info[j].point.y) < 0.0)
+          {
+            status=MagickFail;
+            break;
+          }
+        TraceRoundRectangle(primitive_info+j,
+                            /*start*/primitive_info[j].point,
+                            /*end*/primitive_info[j+1].point,
+                            /*arc*/primitive_info[j+2].point);
         i=(long) (j+primitive_info[j].coordinates);
         break;
       }
@@ -5024,8 +5086,8 @@
           }
           if (strchr("CcSs",last_attribute) == (char *) NULL)
             {
-              points[0]=points[2];
-              points[1]=points[3];
+              points[0]=point;
+              points[1]=point;
             }
           for (i=0; i < 4; i++)
             (q+i)->point=points[i];
@@ -5062,8 +5124,8 @@
           }
           if (strchr("QqTt",last_attribute) == (char *) NULL)
             {
-              points[0]=points[2];
-              points[1]=points[3];
+              points[0]=point;
+              points[1]=point;
             }
           for (i=0; i < 3; i++)
             (q+i)->point=points[i];
1	# HG changeset patch
2	# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
3	# Date 1461539977 18000
4	# Sun Apr 24 18:19:37 2016 -0500
5	# Node ID 98394eb235a6dc5d6b4d445023ae1c70189a7667
6	# Parent 45ee571d38f5e131207fd62eaa8a1bb85886b019
7	Fix segmentation violation when reading aaphrbkwwe.svg.-1114777018469422437 from CVE-2016-2317 test cases.
8
9	diff -r 45ee571d38f5 -r 98394eb235a6 magick/render.c
10	--- a/magick/render.c Sat Apr 23 15:15:02 2016 -0500
11	+++ b/magick/render.c Sun Apr 24 18:19:37 2016 -0500
12	@@ -1738,6 +1738,8 @@
13	return(MagickFail);
14	primitive_extent=strlen(primitive);
15	(void) SetImageAttribute(image,"[MVG]",primitive);
16	+ if (getenv("MAGICK_SKIP_RENDERING") != NULL)
17	+ return MagickPass;
18	n=0;
19	/*
20	Allocate primitive info memory.
21	@@ -2751,12 +2753,24 @@
22	}
23	case RoundRectanglePrimitive:
24	{
25	- length=8BezierQuantum+5;
26	+ /*
27	+ Round rectangle is rectangle plus elipse
28	+ */
29	+ double
30	+ alpha,
31	+ beta,
32	+ radius;
33	+
34	+ alpha=bounds.x2-bounds.x1;
35	+ beta=bounds.y2-bounds.y1;
36	+ radius=hypot((double) alpha,(double) beta);
37	+ length*=5;
38	+ length+=2((size_t) ceil((double) MagickPIradius))+6*BezierQuantum+360;
39	break;
40	}
41	case BezierPrimitive:
42	{
43	- if (primitive_info[j].coordinates > 109)
44	+ if (primitive_info[j].coordinates > 107)
45	(void) ThrowException(&image->exception,DrawError,
46	TooManyCoordinates,token);
47	length=primitive_info[j].coordinates*BezierQuantum;
48	@@ -2806,7 +2820,6 @@
49	default:
50	break;
51	}
52	-
53	if ((size_t) (i+length) >= number_points)
54	{
55	number_points+=length+1;
56	@@ -2850,25 +2863,74 @@
57	}
58	case RectanglePrimitive:
59	{
60	+ /*
61	+ Rectangle requires 2 primitives.
62	+ */
63	if (primitive_info[j].coordinates != 2)
64	{
65	status=MagickFail;
66	break;
67	}
68	- TraceRectangle(primitive_info+j,primitive_info[j].point,
69	+ /*
70	+ Negative width is an error
71	+ */
72	+ if ((primitive_info[j+1].point.x - primitive_info[j].point.x) < 0.0)
73	+ {
74	+ status=MagickFail;
75	+ break;
76	+ }
77	+ /*
78	+ Negative height is an error
79	+ */
80	+ if ((primitive_info[j+1].point.y - primitive_info[j].point.y) < 0.0)
81	+ {
82	+ status=MagickFail;
83	+ break;
84	+ }
85	+ TraceRectangle(/start/primitive_info+j,
86	+ /end/primitive_info[j].point,
87	primitive_info[j+1].point);
88	i=(long) (j+primitive_info[j].coordinates);
89	break;
90	}
91	case RoundRectanglePrimitive:
92	{
93	+ /*
94	+ Round rectangle requires 3 primitives.
95	+ */
96	if (primitive_info[j].coordinates != 3)
97	{
98	status=MagickFail;
99	break;
100	}
101	- TraceRoundRectangle(primitive_info+j,primitive_info[j].point,
102	- primitive_info[j+1].point,primitive_info[j+2].point);
103	+ /*
104	+ Negative radius values are an error.
105	+ */
106	+ if ((primitive_info[j+2].point.x < 0.0) \|\| (primitive_info[j+2].point.y < 0.0))
107	+ {
108	+ status=MagickFail;
109	+ break;
110	+ }
111	+ /*
112	+ Negative width is an error
113	+ */
114	+ if ((primitive_info[j+1].point.x - primitive_info[j].point.x) < 0.0)
115	+ {
116	+ status=MagickFail;
117	+ break;
118	+ }
119	+ /*
120	+ Negative height is an error
121	+ */
122	+ if ((primitive_info[j+1].point.y - primitive_info[j].point.y) < 0.0)
123	+ {
124	+ status=MagickFail;
125	+ break;
126	+ }
127	+ TraceRoundRectangle(primitive_info+j,
128	+ /start/primitive_info[j].point,
129	+ /end/primitive_info[j+1].point,
130	+ /arc/primitive_info[j+2].point);
131	i=(long) (j+primitive_info[j].coordinates);
132	break;
133	}
134	@@ -5024,8 +5086,8 @@
135	}
136	if (strchr("CcSs",last_attribute) == (char *) NULL)
137	{
138	- points[0]=points[2];
139	- points[1]=points[3];
140	+ points[0]=point;
141	+ points[1]=point;
142	}
143	for (i=0; i < 4; i++)
144	(q+i)->point=points[i];
145	@@ -5062,8 +5124,8 @@
146	}
147	if (strchr("QqTt",last_attribute) == (char *) NULL)
148	{
149	- points[0]=points[2];
150	- points[1]=points[3];
151	+ points[0]=point;
152	+ points[1]=point;
153	}
154	for (i=0; i < 3; i++)
155	(q+i)->point=points[i];