GraphicsMagick/GraphicsMagick-CVE-2017-111...


# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1499523658 18000
# Node ID b4139088b49afaad8ac76b74f8a10ad5a63d3f3b
# Parent  c94d4172aca78ff942c0b6bd5537275873acb408
Defer creating pixel cache until first scanline.  Classify some libjpeg warnings as errors.

diff -r c94d4172aca7 -r b4139088b49a coders/jpeg.c
--- a/coders/jpeg.c	Thu Jul 06 18:54:30 2017 -0500
+++ b/coders/jpeg.c	Sat Jul 08 09:20:58 2017 -0500
@@ -240,10 +240,34 @@
 				err->msg_parm.i[4], err->msg_parm.i[5],
 				err->msg_parm.i[6], err->msg_parm.i[7]);
 	}
-      if ((err->num_warnings == 0) ||
-          (err->trace_level >= 3))
-	ThrowBinaryException2(CorruptImageWarning,(char *) message,
+      /*
+        Treat some "warnings" as errors
+      */
+      switch (err->msg_code)
+        {
+        case JWRN_HIT_MARKER: /* Corrupt JPEG data: premature end of data segment */
+        case JWRN_JPEG_EOF: /* Premature end of JPEG file */
+          {
+            ThrowBinaryException2(CorruptImageError,(char *) message,
+                                  image->filename);
+            break;
+          }
+        case JWRN_HUFF_BAD_CODE: /* Corrupt JPEG data: bad Huffman code */
+        case JWRN_MUST_RESYNC: /* Corrupt JPEG data: found marker 0x%02x instead of RST%d */
+        case JWRN_NOT_SEQUENTIAL: /* "Invalid SOS parameters for sequential JPEG */
+          {
+            ThrowBinaryException2(CorruptImageError,(char *) message,
 			      image->filename);
+            break;
+          }
+        default:
+          {
+            if ((err->num_warnings == 0) ||
+                (err->trace_level >= 3))
+              ThrowBinaryException2(CorruptImageWarning,(char *) message,
+                                    image->filename);
+          }
+        }
       err->num_warnings++;
     }
   else
@@ -1350,6 +1374,16 @@
       register PixelPacket
 	*q;
 
+      /*
+        Read scanlines. Stop at first serious error.
+       */
+      if ((jpeg_read_scanlines(&jpeg_info,scanline,1) != 1) ||
+          (image->exception.severity >= ErrorException))
+	{
+	  status=MagickFail;
+	  break;
+	}
+
       q=SetImagePixels(image,0,y,image->columns,1);
       if (q == (PixelPacket *) NULL)
 	{
@@ -1358,12 +1392,6 @@
 	}
       indexes=AccessMutableIndexes(image);
 
-      if (jpeg_read_scanlines(&jpeg_info,scanline,1) != 1)
-	{
-	  status=MagickFail;
-	  break;
-	}
-
       p=jpeg_pixels;
 
       if (jpeg_info.output_components == 1)
CVE-2017-11102 (#1473728) CVE-2017-11139 (#1473739) CVE-2017-11140 (#1473750) CVE-2017-11636 (#1475456) CVE-2017-11637 (#1475452) CVE-2017-11638 (#1475708) CVE-2017-11641 (#1475489) 8 years ago
			`# HG changeset patch`
			`# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>`
			`# Date 1499523658 18000`
			`# Node ID b4139088b49afaad8ac76b74f8a10ad5a63d3f3b`
			`# Parent c94d4172aca78ff942c0b6bd5537275873acb408`
			`Defer creating pixel cache until first scanline. Classify some libjpeg warnings as errors.`

			`diff -r c94d4172aca7 -r b4139088b49a coders/jpeg.c`
			`--- a/coders/jpeg.c Thu Jul 06 18:54:30 2017 -0500`
			`+++ b/coders/jpeg.c Sat Jul 08 09:20:58 2017 -0500`
			`@@ -240,10 +240,34 @@`
			`err->msg_parm.i[4], err->msg_parm.i[5],`
			`err->msg_parm.i[6], err->msg_parm.i[7]);`
			`}`
			`- if ((err->num_warnings == 0) \|\|`
			`- (err->trace_level >= 3))`
			`- ThrowBinaryException2(CorruptImageWarning,(char *) message,`
			`+ /*`
			`+ Treat some "warnings" as errors`
			`+ */`
			`+ switch (err->msg_code)`
			`+ {`
			`+ case JWRN_HIT_MARKER: /* Corrupt JPEG data: premature end of data segment */`
			`+ case JWRN_JPEG_EOF: /* Premature end of JPEG file */`
			`+ {`
			`+ ThrowBinaryException2(CorruptImageError,(char *) message,`
			`+ image->filename);`
			`+ break;`
			`+ }`
			`+ case JWRN_HUFF_BAD_CODE: /* Corrupt JPEG data: bad Huffman code */`
			`+ case JWRN_MUST_RESYNC: /* Corrupt JPEG data: found marker 0x%02x instead of RST%d */`
			`+ case JWRN_NOT_SEQUENTIAL: /* "Invalid SOS parameters for sequential JPEG */`
			`+ {`
			`+ ThrowBinaryException2(CorruptImageError,(char *) message,`
			`image->filename);`
			`+ break;`
			`+ }`
			`+ default:`
			`+ {`
			`+ if ((err->num_warnings == 0) \|\|`
			`+ (err->trace_level >= 3))`
			`+ ThrowBinaryException2(CorruptImageWarning,(char *) message,`
			`+ image->filename);`
			`+ }`
			`+ }`
			`err->num_warnings++;`
			`}`
			`else`
			`@@ -1350,6 +1374,16 @@`
			`register PixelPacket`
			`*q;`

			`+ /*`
			`+ Read scanlines. Stop at first serious error.`
			`+ */`
			`+ if ((jpeg_read_scanlines(&jpeg_info,scanline,1) != 1) \|\|`
			`+ (image->exception.severity >= ErrorException))`
			`+ {`
			`+ status=MagickFail;`
			`+ break;`
			`+ }`
			`+`
			`q=SetImagePixels(image,0,y,image->columns,1);`
			`if (q == (PixelPacket *) NULL)`
			`{`
			`@@ -1358,12 +1392,6 @@`
			`}`
			`indexes=AccessMutableIndexes(image);`

			`- if (jpeg_read_scanlines(&jpeg_info,scanline,1) != 1)`
			`- {`
			`- status=MagickFail;`
			`- break;`
			`- }`
			`-`
			`p=jpeg_pixels;`

			`if (jpeg_info.output_components == 1)`