current/SOURCES/GraphicsMagick-1.3.25-CVE-2016-8684.patch


# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1473544092 18000
# Node ID c53725cb5449ac885536a6a98dc911d8b21a3c54
# Parent  0a0dfa81906d1317895de9374ef5132710c3831c
SGI: Check that filesize is reasonable given header.

diff -r 0a0dfa81906d -r c53725cb5449 ChangeLog
--- a/ChangeLog Sat Sep 10 15:21:05 2016 -0500
+++ b/ChangeLog Sat Sep 10 16:48:12 2016 -0500
@@ -1,3 +1,10 @@
+2016-09-10  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
+
+       * coders/sgi.c (ReadSGIImage): Check that filesize is reasonable
+       given header.  Fixes excessive memory allocation followed by
+       eventual file truncation error for corrupt file.  Problem was
+       reported via email by Agostino Sarubbo on 2016-09-09.
+
 2016-10-01  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
        * coders/meta.c (parse8BIM): Fix unsigned underflow leading to
diff -r 0a0dfa81906d -r c53725cb5449 coders/sct.c
--- a/coders/sct.c      Sat Sep 10 15:21:05 2016 -0500
+++ b/coders/sct.c      Sat Sep 10 16:48:12 2016 -0500
@@ -1,5 +1,5 @@
 /*
-% Copyright (C) 2003-2015 GraphicsMagick Group
+% Copyright (C) 2003-2016 GraphicsMagick Group
 % Copyright (C) 2002 ImageMagick Studio
 % Copyright 1991-1999 E. I. du Pont de Nemours and Company
 %
diff -r 0a0dfa81906d -r c53725cb5449 coders/sgi.c
--- a/coders/sgi.c      Sat Sep 10 15:21:05 2016 -0500
+++ b/coders/sgi.c      Sat Sep 10 16:48:12 2016 -0500
@@ -299,6 +299,9 @@
   size_t
     bytes_per_pixel;
 
+  magick_off_t
+    file_size;
+
   /*
     Open image file.
   */
@@ -314,6 +317,7 @@
     Read SGI raster header.
   */
   iris_info.magic=ReadBlobMSBShort(image);
+  file_size=GetBlobSize(image);
   do
     {
       /*
@@ -342,7 +346,8 @@
       (void) LogMagickEvent(CoderEvent,GetMagickModule(),
                            "    Header: Storage=%u, BPC=%u, Dimension=%u, "
                             "XSize=%u, YSize=%u, ZSize=%u, PixMin=%u, "
-                            "PixMax=%u, image_name=\"%.79s\", color_map=%u",
+                            "PixMax=%u, image_name=\"%.79s\", color_map=%u, "
+                            "file_size=%" MAGICK_OFF_F "d",
                            (unsigned int) iris_info.storage,
                            (unsigned int) iris_info.bytes_per_pixel,
                            (unsigned int) iris_info.dimension,
@@ -352,7 +357,8 @@
                            iris_info.pix_min,
                            iris_info.pix_max,
                            iris_info.image_name,
-                           iris_info.color_map);
+                           iris_info.color_map,
+                            file_size);
 
       /*
        Validate image header and set image attributes.
@@ -492,6 +498,33 @@
         ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
 
       /*
+        Check that filesize is reasonable given header
+      */
+      {
+        double
+          uncompressed_size;
+
+        uncompressed_size=((double) (iris_info.dimension == 3 ? iris_info.zsize : 1)*
+                           image->columns*image->rows*iris_info.bytes_per_pixel);
+        (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                              "Uncompressed size: %.0f", uncompressed_size);
+        if (iris_info.storage != 0x01)
+          {
+            /* Not compressed */
+            if (uncompressed_size > file_size)
+              ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+                                   image);
+          }
+        else
+          {
+            /* RLE compressed */
+            if (uncompressed_size > file_size*254.0)
+              ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+                                   image);
+          }
+      }
+
+      /*
        Allocate SGI pixels.
       */
       bytes_per_pixel=iris_info.bytes_per_pixel;
diff -r 0a0dfa81906d -r c53725cb5449 www/Changelog.html
--- a/www/Changelog.html        Sat Sep 10 15:21:05 2016 -0500
+++ b/www/Changelog.html        Sat Sep 10 16:48:12 2016 -0500
@@ -38,3 +38,12 @@
+<p>2016-09-10  Bob Friesenhahn  &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
+<blockquote>
+<ul class="simple">
+<li>coders/sgi.c (ReadSGIImage): Check that filesize is reasonable
+given header.  Fixes excessive memory allocation followed by
+eventual file truncation error for corrupt file.  Problem was
+reported via email by Agostino Sarubbo on 2016-09-09.</li>
+</ul>
+</blockquote>
 <p>2016-10-01  Bob Friesenhahn  &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
 <blockquote>
 <ul class="simple">
1
2	# HG changeset patch
3	# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
4	# Date 1473544092 18000
5	# Node ID c53725cb5449ac885536a6a98dc911d8b21a3c54
6	# Parent 0a0dfa81906d1317895de9374ef5132710c3831c
7	SGI: Check that filesize is reasonable given header.
8
9	diff -r 0a0dfa81906d -r c53725cb5449 ChangeLog
10	--- a/ChangeLog Sat Sep 10 15:21:05 2016 -0500
11	+++ b/ChangeLog Sat Sep 10 16:48:12 2016 -0500
12	@@ -1,3 +1,10 @@
13	+2016-09-10 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
14	+
15	+ * coders/sgi.c (ReadSGIImage): Check that filesize is reasonable
16	+ given header. Fixes excessive memory allocation followed by
17	+ eventual file truncation error for corrupt file. Problem was
18	+ reported via email by Agostino Sarubbo on 2016-09-09.
19	+
20	2016-10-01 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
21
22	* coders/meta.c (parse8BIM): Fix unsigned underflow leading to
23	diff -r 0a0dfa81906d -r c53725cb5449 coders/sct.c
24	--- a/coders/sct.c Sat Sep 10 15:21:05 2016 -0500
25	+++ b/coders/sct.c Sat Sep 10 16:48:12 2016 -0500
26	@@ -1,5 +1,5 @@
27	/*
28	-% Copyright (C) 2003-2015 GraphicsMagick Group
29	+% Copyright (C) 2003-2016 GraphicsMagick Group
30	% Copyright (C) 2002 ImageMagick Studio
31	% Copyright 1991-1999 E. I. du Pont de Nemours and Company
32	%
33	diff -r 0a0dfa81906d -r c53725cb5449 coders/sgi.c
34	--- a/coders/sgi.c Sat Sep 10 15:21:05 2016 -0500
35	+++ b/coders/sgi.c Sat Sep 10 16:48:12 2016 -0500
36	@@ -299,6 +299,9 @@
37	size_t
38	bytes_per_pixel;
39
40	+ magick_off_t
41	+ file_size;
42	+
43	/*
44	Open image file.
45	*/
46	@@ -314,6 +317,7 @@
47	Read SGI raster header.
48	*/
49	iris_info.magic=ReadBlobMSBShort(image);
50	+ file_size=GetBlobSize(image);
51	do
52	{
53	/*
54	@@ -342,7 +346,8 @@
55	(void) LogMagickEvent(CoderEvent,GetMagickModule(),
56	" Header: Storage=%u, BPC=%u, Dimension=%u, "
57	"XSize=%u, YSize=%u, ZSize=%u, PixMin=%u, "
58	- "PixMax=%u, image_name=\"%.79s\", color_map=%u",
59	+ "PixMax=%u, image_name=\"%.79s\", color_map=%u, "
60	+ "file_size=%" MAGICK_OFF_F "d",
61	(unsigned int) iris_info.storage,
62	(unsigned int) iris_info.bytes_per_pixel,
63	(unsigned int) iris_info.dimension,
64	@@ -352,7 +357,8 @@
65	iris_info.pix_min,
66	iris_info.pix_max,
67	iris_info.image_name,
68	- iris_info.color_map);
69	+ iris_info.color_map,
70	+ file_size);
71
72	/*
73	Validate image header and set image attributes.
74	@@ -492,6 +498,33 @@
75	ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
76
77	/*
78	+ Check that filesize is reasonable given header
79	+ */
80	+ {
81	+ double
82	+ uncompressed_size;
83	+
84	+ uncompressed_size=((double) (iris_info.dimension == 3 ? iris_info.zsize : 1)*
85	+ image->columnsimage->rowsiris_info.bytes_per_pixel);
86	+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
87	+ "Uncompressed size: %.0f", uncompressed_size);
88	+ if (iris_info.storage != 0x01)
89	+ {
90	+ /* Not compressed */
91	+ if (uncompressed_size > file_size)
92	+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
93	+ image);
94	+ }
95	+ else
96	+ {
97	+ /* RLE compressed */
98	+ if (uncompressed_size > file_size*254.0)
99	+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
100	+ image);
101	+ }
102	+ }
103	+
104	+ /*
105	Allocate SGI pixels.
106	*/
107	bytes_per_pixel=iris_info.bytes_per_pixel;
108	diff -r 0a0dfa81906d -r c53725cb5449 www/Changelog.html
109	--- a/www/Changelog.html Sat Sep 10 15:21:05 2016 -0500
110	+++ b/www/Changelog.html Sat Sep 10 16:48:12 2016 -0500
111	@@ -38,3 +38,12 @@
112	+<p>2016-09-10 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
113	+<blockquote>
114	+<ul class="simple">
115	+<li>coders/sgi.c (ReadSGIImage): Check that filesize is reasonable
116	+given header. Fixes excessive memory allocation followed by
117	+eventual file truncation error for corrupt file. Problem was
118	+reported via email by Agostino Sarubbo on 2016-09-09.</li>
119	+</ul>
120	+</blockquote>
121	<p>2016-10-01 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
122	<blockquote>
123	<ul class="simple">