rpms
/
GraphicsMagick
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

- CVE-2009-1882 (#503017)

Browse Source
epel9
Rex Dieter 15 years ago
parent 949479d5ae
commit 1a933201d7
2 changed files with 503 additions and 3 deletions
Show Stats Download Patch File Download Diff File

482
GraphicsMagick-CVE-2009-1882.patch
Unescape View File

@ -0,0 +1,482 @@
--- GraphicsMagick/magick/xwindow.c 2009/09/16 02:13:01 1.230
+++ GraphicsMagick/magick/xwindow.c 2009/10/10 17:55:17 1.232
@@ -43,10 +43,12 @@
#include "magick/describe.h"
#include "magick/log.h"
#include "magick/magick.h"
+#include "magick/monitor.h"
#include "magick/pixel_cache.h"
#include "magick/resize.h"
#include "magick/shear.h"
#include "magick/tempfile.h"
+#include "magick/texture.h"
#include "magick/transform.h"
#include "magick/utility.h"
#include "magick/version.h"
@@ -2937,7 +2939,7 @@ MagickExport void MagickXGetImportInfo(M
% %
% %
% %
-% M a g i c k X G e t P i x e l I n f o %
+% M a g i c k X G e t P i x e l P a c k e t %
% %
% %
% %
@@ -5350,8 +5352,8 @@ MagickExport Cursor MagickXMakeCursor(Di
% The format of the MagickXMakeImage method is:
%
% unsigned int MagickXMakeImage(Display *display,
-% const MagickXResourceInfo *resource_info,MagickXWindowInfo *window,Image *image,
-% unsigned int width,unsigned int height)
+% const MagickXResourceInfo *resource_info,MagickXWindowInfo *window,
+% Image *image,unsigned int width,unsigned int height)
%
% A description of each parameter follows:
%
@@ -5376,9 +5378,49 @@ MagickExport Cursor MagickXMakeCursor(Di
%
%
*/
-MagickExport unsigned int MagickXMakeImage(Display *display,
- const MagickXResourceInfo *resource_info,MagickXWindowInfo *window,Image *image,
- unsigned int width,unsigned int height)
+static const char *
+MagickXImageFormatToString(int xformat)
+{
+ static const char
+ *formats[] =
+ {
+ "XYBitmap",
+ "XYPixmap",
+ "ZPixmap"
+ };
+
+ const char
+ *format = "Unknown";
+
+ if ((size_t) xformat < sizeof(formats)/sizeof(formats[0]))
+ format=formats[xformat];
+
+ return format;
+}
+static const char *
+MagickXByteOrderToString(int xbyte_order)
+{
+ static const char
+ *byte_orders[] =
+ {
+ "LSBFirst",
+ "MSBFirst"
+ };
+
+ const char
+ *byte_order = "Unknown";
+
+ if ((size_t) xbyte_order < sizeof(byte_orders)/sizeof(byte_orders[0]))
+ byte_order=byte_orders[xbyte_order];
+
+ return byte_order;
+}
+MagickExport unsigned int
+MagickXMakeImage(Display *display,
+ const MagickXResourceInfo *resource_info,
+ MagickXWindowInfo *window,
+ Image *image,
+ unsigned int width,unsigned int height)
{
int
depth,
@@ -5410,6 +5452,10 @@ MagickExport unsigned int MagickXMakeIma
window->destroy=False;
if (window->image != (Image *) NULL)
{
+ MonitorHandler
+ handler=(MonitorHandler) NULL;
+
+ handler=SetMonitorHandler((MonitorHandler) NULL);
if (window->crop_geometry)
{
Image
@@ -5459,44 +5505,49 @@ MagickExport unsigned int MagickXMakeIma
window->destroy=MagickTrue;
}
}
-#if 0
- if ((window->immutable == MagickFalse) &&
- (window->image->matte != MagickFalse) &&
- (window->pixel_info->colors == 0))
+ if ((window->image->matte != MagickFalse) &&
+ (window->pixel_info->colors == 0)
+ /* && (window->immutable == MagickFalse) */)
{
Image
*texture;
/*
- Tile background with texture.
+ Tile background with texture according to opacity
*/
- strlcpy(resource_info->image_info->filename,"image:checkerboard",MaxTextExtent);
+ strlcpy(resource_info->image_info->filename,"image:checkerboard",
+ sizeof(resource_info->image_info->filename));
texture=ReadImage(resource_info->image_info,&window->image->exception);
if (texture != (Image *) NULL)
{
Image
*textured_image;
- textured_image=CloneImage(window->image,window->image->columns,
- window->image->rows,MagickTrue,&window->image->exception);
+ textured_image=CloneImage(window->image,0,0,MagickTrue,
+ &window->image->exception);
if (textured_image != (Image *) NULL)
{
-/* strlcpy(window->image->filename,"textured_image.miff", MaxTextExtent); */
-/* WriteImage(resource_info->image_info,window->image); */
- TextureImage(textured_image,texture);
- textured_image->matte=MagickFalse;
- if (window->image != image)
- DestroyImage(window->image);
- window->image=textured_image;
- window->destroy=MagickTrue;
+ if (TextureImage(textured_image,texture) != MagickFail)
+ {
+ if (window->image != image)
+ DestroyImage(window->image);
+ window->image=textured_image;
+ window->destroy=MagickTrue;
+ }
+ else
+ {
+ DestroyImage(textured_image);
+ }
}
DestroyImage(texture);
texture=(Image *) NULL;
}
}
-#endif
width=(unsigned int) window->image->columns;
+ assert(width == window->image->columns);
height=(unsigned int) window->image->rows;
+ assert(height == window->image->rows);
+ (void) SetMonitorHandler(handler);
}
/*
Create X image.
@@ -5504,27 +5555,32 @@ MagickExport unsigned int MagickXMakeIma
ximage=(XImage *) NULL;
format=(depth == 1) ? XYBitmap : ZPixmap;
#if defined(HasSharedMemory)
- window->shared_memory&=XShmQueryExtension(display);
+ window->shared_memory &= XShmQueryExtension(display);
if (window->shared_memory)
{
XShmSegmentInfo
*segment_info;
+ size_t
+ shm_extent;
+
segment_info=(XShmSegmentInfo *) window->segment_info;
segment_info[1].shmid=(-1);
segment_info[1].shmaddr=NULL;
ximage=XShmCreateImage(display,window->visual,depth,format,(char *) NULL,
- &segment_info[1],width,height);
- window->shared_memory&=(ximage != (XImage *) NULL);
+ &segment_info[1],width,height);
+ window->shared_memory &= (ximage != (XImage *) NULL);
+
+ shm_extent=MagickArraySize(ximage->height,ximage->bytes_per_line);
+ window->shared_memory &= (shm_extent != 0);
if (window->shared_memory)
- segment_info[1].shmid=shmget(IPC_PRIVATE,(size_t)
- (ximage->bytes_per_line*ximage->height),IPC_CREAT | 0777);
- window->shared_memory&=(segment_info[1].shmid >= 0);
+ segment_info[1].shmid=shmget(IPC_PRIVATE,shm_extent,IPC_CREAT | 0777);
+ window->shared_memory &= (segment_info[1].shmid >= 0);
if (window->shared_memory)
segment_info[1].shmaddr=(char *) MagickShmAt(segment_info[1].shmid,0,0);
- window->shared_memory&=(segment_info[1].shmaddr != NULL);
+ window->shared_memory &= (segment_info[1].shmaddr != NULL);
if (!window->shared_memory)
{
@@ -5607,12 +5663,12 @@ MagickExport unsigned int MagickXMakeIma
if (IsEventLogging())
{
(void) LogMagickEvent(X11Event,GetMagickModule(),"XImage:");
- (void) LogMagickEvent(X11Event,GetMagickModule()," width, height: %dx%d",
+ (void) LogMagickEvent(X11Event,GetMagickModule()," width x height: %dx%d",
ximage->width,ximage->height);
- (void) LogMagickEvent(X11Event,GetMagickModule()," format: %d",
- ximage->format);
- (void) LogMagickEvent(X11Event,GetMagickModule()," byte order: %d",
- ximage->byte_order);
+ (void) LogMagickEvent(X11Event,GetMagickModule()," format: %s",
+ MagickXImageFormatToString(ximage->format));
+ (void) LogMagickEvent(X11Event,GetMagickModule()," byte order: %s",
+ MagickXByteOrderToString(ximage->byte_order));
(void) LogMagickEvent(X11Event,GetMagickModule(),
" bitmap unit, bit order, pad: %d %d %d",ximage->bitmap_unit,
ximage->bitmap_bit_order,ximage->bitmap_pad);
@@ -5629,11 +5685,13 @@ MagickExport unsigned int MagickXMakeIma
if (!window->shared_memory)
{
if (ximage->format == XYBitmap)
- ximage->data=MagickAllocateArray(char *,
- ximage->height*ximage->depth,ximage->bytes_per_line);
+ ximage->data=
+ MagickAllocateArray(char *,
+ MagickArraySize(ximage->height,ximage->bytes_per_line),
+ ximage->depth);
else
- ximage->data=MagickAllocateArray(char *,
- ximage->height,ximage->bytes_per_line);
+ ximage->data=
+ MagickAllocateArray(char *,ximage->height,ximage->bytes_per_line);
}
if (ximage->data == (char *) NULL)
{
@@ -5709,8 +5767,9 @@ MagickExport unsigned int MagickXMakeIma
/*
Allocate matte image pixel data.
*/
- length=matte_image->bytes_per_line*
- matte_image->height*matte_image->depth;
+ length=MagickArraySize(MagickArraySize(matte_image->bytes_per_line,
+ matte_image->height),
+ matte_image->depth);
matte_image->data=MagickAllocateMemory(char *,length);
if (matte_image->data == (char *) NULL)
{
@@ -7371,9 +7430,9 @@ MagickExport void MagickXMakeMagnifyImag
%
% The format of the MagickXMakePixmap method is:
%
-% void MagickXMakeStandardColormap(Display *display,XVisualInfo *visual_info,
-% MagickXResourceInfo *resource_info,Image *image,XStandardColormap *map_info,
-% MagickXPixelInfo *pixel)
+% unsigned int MagickXMakePixmap(Display *display,
+% const MagickXResourceInfo *resource_info,
+% MagickXWindowInfo *window)
%
% A description of each parameter follows:
%
--- GraphicsMagick/magick/xwindow.c 2009/10/10 17:55:17 1.232
+++ GraphicsMagick/magick/xwindow.c 2009/10/11 00:46:55 1.233
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003, 2004 GraphicsMagick Group
+% Copyright (C) 2003 - 2009 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
%
% This program is covered by multiple licenses, which are described in
@@ -808,7 +808,7 @@ static char **MagickFontToList(char *fon
for (p=font; *p != '\0'; p++)
if ((*p == ':') || (*p == ';') || (*p == ','))
fonts++;
- fontlist=MagickAllocateMemory(char **,(fonts+1)*sizeof(char *));
+ fontlist=MagickAllocateArray(char **,(fonts+1),sizeof(char *));
if (fontlist == (char **) NULL)
{
MagickError3(ResourceLimitError,MemoryAllocationFailed,
@@ -1103,7 +1103,7 @@ MagickExport void MagickXBestPixel(Displ
/*
Read X server colormap.
*/
- colors=MagickAllocateMemory(XColor *,number_colors*sizeof(XColor));
+ colors=MagickAllocateArray(XColor *,number_colors,sizeof(XColor));
if (colors == (XColor *) NULL)
{
MagickError3(ResourceLimitError,MemoryAllocationFailed,
@@ -2133,10 +2133,10 @@ static void MagickXDitherImage(Image *im
for (i=0; i < 2; i++)
for (j=0; j < 16; j++)
{
- red_map[i][j]=MagickAllocateMemory(unsigned char *,256*sizeof(unsigned char));
- green_map[i][j]=MagickAllocateMemory(unsigned char *,
- 256*sizeof(unsigned char));
- blue_map[i][j]=MagickAllocateMemory(unsigned char *,256*sizeof(unsigned char));
+ red_map[i][j]=MagickAllocateArray(unsigned char *,256,sizeof(unsigned char));
+ green_map[i][j]=MagickAllocateArray(unsigned char *,
+ 256,sizeof(unsigned char));
+ blue_map[i][j]=MagickAllocateArray(unsigned char *,256,sizeof(unsigned char));
if ((red_map[i][j] == (unsigned char *) NULL) ||
(green_map[i][j] == (unsigned char *) NULL) ||
(blue_map[i][j] == (unsigned char *) NULL))
@@ -3022,7 +3022,7 @@ MagickExport void MagickXGetPixelPacket(
if (pixel->pixels != (unsigned long *) NULL)
MagickFreeMemory(pixel->pixels);
pixel->pixels=
- MagickAllocateMemory(unsigned long *,packets*sizeof(unsigned long));
+ MagickAllocateArray(unsigned long *,packets,sizeof(unsigned long));
if (pixel->pixels == (unsigned long *) NULL)
MagickFatalError(ResourceLimitFatalError,MemoryAllocationFailed,
MagickMsg(XServerFatalError,UnableToGetPixelInfo));
@@ -4073,8 +4073,8 @@ static Image *MagickXGetWindowImage(Disp
*/
max_windows+=1024;
if (window_info == (WindowInfo *) NULL)
- window_info=MagickAllocateMemory(WindowInfo *,
- max_windows*sizeof(WindowInfo));
+ window_info=MagickAllocateArray(WindowInfo *,
+ max_windows,sizeof(WindowInfo));
else
MagickReallocMemory(WindowInfo *,window_info,max_windows*sizeof(WindowInfo));
}
@@ -4227,7 +4227,7 @@ static Image *MagickXGetWindowImage(Disp
/*
Get the window colormap.
*/
- colors=MagickAllocateMemory(XColor *,number_colors*sizeof(XColor));
+ colors=MagickAllocateArray(XColor *,number_colors,sizeof(XColor));
if (colors == (XColor *) NULL)
{
XDestroyImage(ximage);
@@ -4577,7 +4577,7 @@ MagickExport void MagickXGetWindowInfo(D
*segment_info;
if (window->segment_info == (void *) NULL)
- window->segment_info=MagickAllocateMemory(void *,2*sizeof(XShmSegmentInfo));
+ window->segment_info=MagickAllocateArray(void *,2,sizeof(XShmSegmentInfo));
segment_info=(XShmSegmentInfo *) window->segment_info;
segment_info[0].shmid=(-1);
segment_info[0].shmaddr=NULL;
@@ -7734,8 +7734,8 @@ MagickExport void MagickXMakeStandardCol
Define Standard Colormap for StaticGray or StaticColor visual.
*/
number_colors=image->colors;
- colors=MagickAllocateMemory(XColor *,
- visual_info->colormap_size*sizeof(XColor));
+ colors=MagickAllocateArray(XColor *,
+ visual_info->colormap_size,sizeof(XColor));
if (colors == (XColor *) NULL)
MagickFatalError3(ResourceLimitError,MemoryAllocationFailed,
UnableToCreateColormap);
@@ -7774,8 +7774,8 @@ MagickExport void MagickXMakeStandardCol
Define Standard Colormap for GrayScale or PseudoColor visual.
*/
number_colors=image->colors;
- colors=MagickAllocateMemory(XColor *,
- visual_info->colormap_size*sizeof(XColor));
+ colors=MagickAllocateArray(XColor *,
+ visual_info->colormap_size,sizeof(XColor));
if (colors == (XColor *) NULL)
MagickFatalError3(ResourceLimitFatalError,MemoryAllocationFailed,
UnableToCreateColormap);
@@ -7820,8 +7820,8 @@ MagickExport void MagickXMakeStandardCol
/*
Define Standard colormap for shared GrayScale or PseudoColor visual.
*/
- diversity=MagickAllocateMemory(DiversityPacket *,
- image->colors*sizeof(DiversityPacket));
+ diversity=MagickAllocateArray(DiversityPacket *,
+ image->colors,sizeof(DiversityPacket));
if (diversity == (DiversityPacket *) NULL)
MagickFatalError3(ResourceLimitFatalError,MemoryAllocationFailed,
UnableToCreateColormap);
@@ -7882,8 +7882,9 @@ MagickExport void MagickXMakeStandardCol
/*
Read X server colormap.
*/
- server_colors=MagickAllocateMemory(XColor *,
- visual_info->colormap_size*sizeof(XColor));
+ server_colors=MagickAllocateArray(XColor *,
+ visual_info->colormap_size,
+ sizeof(XColor));
if (server_colors == (XColor *) NULL)
MagickFatalError3(ResourceLimitFatalError,MemoryAllocationFailed,
UnableToCreateColormap);
@@ -8023,7 +8024,7 @@ MagickExport void MagickXMakeStandardCol
/*
Allocate color array.
*/
- colors=MagickAllocateMemory(XColor *,number_colors*sizeof(XColor));
+ colors=MagickAllocateArray(XColor *,number_colors,sizeof(XColor));
if (colors == (XColor *) NULL)
MagickFatalError3(ResourceLimitFatalError,MemoryAllocationFailed,
UnableToCreateColormap);
--- GraphicsMagick/magick/memory.c 2009/10/05 23:57:54 1.54
+++ GraphicsMagick/magick/memory.c 2009/10/09 18:20:22 1.55
@@ -90,6 +90,43 @@ MagickExport void MagickAllocFunctions(M
% %
% %
% %
++ M a g i c k A r r a y Si z e %
+% %
+% %
+% %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% MagickArraySize() returnes the size of an array given two size_t arguments.
+% Zero is returned if the computed result overflows the size_t type.
+%
+% The format of the MagickArraySize method is:
+%
+% size_t MagickArraySize(const size_t count, const size_t size);
+%
+% A description of each parameter follows:
+%
+% o count: The number of elements in the array.
+%
+% o size: The size of one array element.
+%
+*/
+MagickExport size_t MagickArraySize(const size_t count, const size_t size)
+{
+ size_t
+ allocation_size;
+
+ allocation_size = size * count;
+ if ((count != 0) && (size != allocation_size/count))
+ allocation_size = 0;
+
+ return allocation_size;
+}
+
+/*
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% %
+% %
+% %
% M a g i c k M a l l o c %
% %
% %
@@ -155,9 +192,8 @@ MagickExport void *MagickMallocArray(con
*allocation;
allocation = (void *) NULL;
- allocation_size = size * count;
- if ((count != 0) && (size != allocation_size/count))
- allocation_size = 0;
+ allocation_size=MagickArraySize(count,size);
+
if (allocation_size)
allocation = (MallocFunc)(allocation_size);
return allocation;
--- GraphicsMagick/magick/memory.h 2009/06/10 00:38:07 1.16
+++ GraphicsMagick/magick/memory.h 2009/10/09 18:20:22 1.17
@@ -22,7 +22,6 @@ extern MagickExport void
MagickAllocFunctions(MagickFreeFunc free_func,MagickMallocFunc malloc_func,
MagickReallocFunc realloc_func),
*MagickMalloc(const size_t size),
- *MagickMallocArray(const size_t count,const size_t size),
*MagickMallocCleared(const size_t size),
*MagickCloneMemory(void *destination,const void *source,const size_t size),
*MagickRealloc(void *memory,const size_t size),
@@ -30,6 +29,12 @@ extern MagickExport void
#if defined(MAGICK_IMPLEMENTATION)
+extern MagickExport void
+ *MagickMallocArray(const size_t count,const size_t size);
+
+extern MagickExport size_t
+ MagickArraySize(const size_t count,const size_t size);
+
/*
Allocate memory
*/

22
GraphicsMagick.spec
Unescape View File

@ -2,14 +2,13 @@
Summary: An ImageMagick fork, offering faster image generation and better quality
Name: GraphicsMagick
Version: 1.3.7
Release: 3%{?dist}
Release: 4%{?dist}
License: MIT
Group: Applications/Multimedia
Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.lzma
Url: http://www.graphicsmagick.org/
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: automake >= 1.7 autoconf >= 2.58 libtool >= 1.5
BuildRequires: bzip2-devel
BuildRequires: freetype-devel
BuildRequires: jasper-devel
@ -28,6 +27,12 @@ BuildRequires: perl-devel
%endif
BuildRequires: zlib-devel
# http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/magick/xwindow.c.diff?r1=1.230;r2=1.232'
# http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/magick/xwindow.c.diff?r1=1.232;r2=1.233'
# http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/magick/memory.c.diff?r1=1.54;r2=1.55
# http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/magick/memory.h.diff?r1=1.16;r2=1.17'
Patch100: GraphicsMagick-CVE-2009-1882.patch
%description
GraphicsMagick is a comprehensive image processing package which is initially
based on ImageMagick 5.5.2, but which has undergone significant re-work by
@ -96,6 +101,8 @@ however.
%prep
%setup -q
%patch100 -p1 -b .CVE-2009-1882
iconv -f iso-8859-2 -t utf8 < ChangeLog > ChangeLog.utf8
mv -f ChangeLog.utf8 ChangeLog
@ -185,9 +192,16 @@ cat >%{buildroot}%{_includedir}/GraphicsMagick/magick/magick_config.h <<EOF
EOF
#check
## FIXME: seems to need -fno-var-tracking-assignments in a couple of places
## else, takes a *very* long time
#make check
%clean
rm -rf %{buildroot}
%post -p /sbin/ldconfig
%post c++ -p /sbin/ldconfig
@ -196,6 +210,7 @@ rm -rf %{buildroot}
%postun c++ -p /sbin/ldconfig
%files
%defattr(-,root,root,-)
%doc Copyright.txt
@ -242,6 +257,9 @@ rm -rf %{buildroot}
%changelog
* Mon Dec 28 2009 Rex Dieter <rdieter@fedoraproject.org> - 1.3.7-4
- CVE-2009-1882 (#503017)
* Fri Dec 4 2009 Stepan Kasal <skasal@redhat.com> - 1.3.7-3
- rebuild against perl 5.10.1

Write Preview
Loading…
Cancel
Save