GraphicsMagick/GraphicsMagick-CVE-2016-868...


# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1473544092 18000
# Node ID c53725cb5449ac885536a6a98dc911d8b21a3c54
# Parent  0a0dfa81906d1317895de9374ef5132710c3831c
SGI: Check that filesize is reasonable given header.

diff -r 0a0dfa81906d -r c53725cb5449 coders/sct.c
--- a/coders/sct.c	Sat Sep 10 15:21:05 2016 -0500
+++ b/coders/sct.c	Sat Sep 10 16:48:12 2016 -0500
@@ -1,5 +1,5 @@
 /*
-% Copyright (C) 2003-2015 GraphicsMagick Group
+% Copyright (C) 2003-2016 GraphicsMagick Group
 % Copyright (C) 2002 ImageMagick Studio
 % Copyright 1991-1999 E. I. du Pont de Nemours and Company
 %
diff -r 0a0dfa81906d -r c53725cb5449 coders/sgi.c
--- a/coders/sgi.c	Sat Sep 10 15:21:05 2016 -0500
+++ b/coders/sgi.c	Sat Sep 10 16:48:12 2016 -0500
@@ -299,6 +299,9 @@
   size_t
     bytes_per_pixel;
 
+  magick_off_t
+    file_size;
+
   /*
     Open image file.
   */
@@ -314,6 +317,7 @@
     Read SGI raster header.
   */
   iris_info.magic=ReadBlobMSBShort(image);
+  file_size=GetBlobSize(image);
   do
     {
       /*
@@ -342,7 +346,8 @@
       (void) LogMagickEvent(CoderEvent,GetMagickModule(),
 			    "    Header: Storage=%u, BPC=%u, Dimension=%u, "
                             "XSize=%u, YSize=%u, ZSize=%u, PixMin=%u, "
-                            "PixMax=%u, image_name=\"%.79s\", color_map=%u",
+                            "PixMax=%u, image_name=\"%.79s\", color_map=%u, "
+                            "file_size=%" MAGICK_OFF_F "d",
 			    (unsigned int) iris_info.storage,
 			    (unsigned int) iris_info.bytes_per_pixel,
 			    (unsigned int) iris_info.dimension,
@@ -352,7 +357,8 @@
 			    iris_info.pix_min,
 			    iris_info.pix_max,
 			    iris_info.image_name,
-			    iris_info.color_map);
+			    iris_info.color_map,
+                            file_size);
 
       /*
 	Validate image header and set image attributes.
@@ -492,6 +498,33 @@
         ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
 
       /*
+        Check that filesize is reasonable given header
+      */
+      {
+        double
+          uncompressed_size;
+
+        uncompressed_size=((double) (iris_info.dimension == 3 ? iris_info.zsize : 1)*
+                           image->columns*image->rows*iris_info.bytes_per_pixel);
+        (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                              "Uncompressed size: %.0f", uncompressed_size);
+        if (iris_info.storage != 0x01)
+          {
+            /* Not compressed */
+            if (uncompressed_size > file_size)
+              ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+                                   image);
+          }
+        else
+          {
+            /* RLE compressed */
+            if (uncompressed_size > file_size*254.0)
+              ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+                                   image);
+          }
+      }
+
+      /*
 	Allocate SGI pixels.
       */
       bytes_per_pixel=iris_info.bytes_per_pixel;
CVE-2016-7800 (#1381148) CVE-2016-7996, CVE-2016-7997 (#1383223) CVE-2016-8682, CVE-2016-8683, CVE-2016-8684 (#1385583) 8 years ago
			`# HG changeset patch`
			`# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>`
			`# Date 1473544092 18000`
			`# Node ID c53725cb5449ac885536a6a98dc911d8b21a3c54`
			`# Parent 0a0dfa81906d1317895de9374ef5132710c3831c`
			`SGI: Check that filesize is reasonable given header.`

			`diff -r 0a0dfa81906d -r c53725cb5449 coders/sct.c`
			`--- a/coders/sct.c Sat Sep 10 15:21:05 2016 -0500`
			`+++ b/coders/sct.c Sat Sep 10 16:48:12 2016 -0500`
			`@@ -1,5 +1,5 @@`
			`/*`
			`-% Copyright (C) 2003-2015 GraphicsMagick Group`
			`+% Copyright (C) 2003-2016 GraphicsMagick Group`
			`% Copyright (C) 2002 ImageMagick Studio`
			`% Copyright 1991-1999 E. I. du Pont de Nemours and Company`
			`%`
			`diff -r 0a0dfa81906d -r c53725cb5449 coders/sgi.c`
			`--- a/coders/sgi.c Sat Sep 10 15:21:05 2016 -0500`
			`+++ b/coders/sgi.c Sat Sep 10 16:48:12 2016 -0500`
			`@@ -299,6 +299,9 @@`
			`size_t`
			`bytes_per_pixel;`

			`+ magick_off_t`
			`+ file_size;`
			`+`
			`/*`
			`Open image file.`
			`*/`
			`@@ -314,6 +317,7 @@`
			`Read SGI raster header.`
			`*/`
			`iris_info.magic=ReadBlobMSBShort(image);`
			`+ file_size=GetBlobSize(image);`
			`do`
			`{`
			`/*`
			`@@ -342,7 +346,8 @@`
			`(void) LogMagickEvent(CoderEvent,GetMagickModule(),`
			`" Header: Storage=%u, BPC=%u, Dimension=%u, "`
			`"XSize=%u, YSize=%u, ZSize=%u, PixMin=%u, "`
			`- "PixMax=%u, image_name=\"%.79s\", color_map=%u",`
			`+ "PixMax=%u, image_name=\"%.79s\", color_map=%u, "`
			`+ "file_size=%" MAGICK_OFF_F "d",`
			`(unsigned int) iris_info.storage,`
			`(unsigned int) iris_info.bytes_per_pixel,`
			`(unsigned int) iris_info.dimension,`
			`@@ -352,7 +357,8 @@`
			`iris_info.pix_min,`
			`iris_info.pix_max,`
			`iris_info.image_name,`
			`- iris_info.color_map);`
			`+ iris_info.color_map,`
			`+ file_size);`

			`/*`
			`Validate image header and set image attributes.`
			`@@ -492,6 +498,33 @@`
			`ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);`

			`/*`
			`+ Check that filesize is reasonable given header`
			`+ */`
			`+ {`
			`+ double`
			`+ uncompressed_size;`
			`+`
			`+ uncompressed_size=((double) (iris_info.dimension == 3 ? iris_info.zsize : 1)*`
			`+ image->columnsimage->rowsiris_info.bytes_per_pixel);`
			`+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),`
			`+ "Uncompressed size: %.0f", uncompressed_size);`
			`+ if (iris_info.storage != 0x01)`
			`+ {`
			`+ /* Not compressed */`
			`+ if (uncompressed_size > file_size)`
			`+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,`
			`+ image);`
			`+ }`
			`+ else`
			`+ {`
			`+ /* RLE compressed */`
			`+ if (uncompressed_size > file_size*254.0)`
			`+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,`
			`+ image);`
			`+ }`
			`+ }`
			`+`
			`+ /*`
			`Allocate SGI pixels.`
			`*/`
			`bytes_per_pixel=iris_info.bytes_per_pixel;`