CVE-2012-3438 GraphicsMagick: png_IM_malloc() size argument (#844106, #844107)

epel9
Rex Dieter 13 years ago
parent 28a99f50cc
commit 4a7199bded

@ -0,0 +1,65 @@
# HG changeset patch
# User Glenn Randers-Pehrson <glennrp@simple...>
# Date 1343491548 18000
# Node ID d6e469d02cd260b6531e86a8a6c8a5a2b9ff51cb
# Parent fe9e2eb655ce8b85abfd9b88d20a8a1648ad71e7
coders/png.c: Some typecasts were inconsistent with libpng-1.4 and later.
diff -r fe9e2eb655ce -r d6e469d02cd2 coders/png.c
--- a/coders/png.c Thu Jul 26 20:24:26 2012 -0500
+++ b/coders/png.c Sat Jul 28 11:05:48 2012 -0500
@@ -1360,7 +1360,11 @@
}
#ifdef PNG_USER_MEM_SUPPORTED
-static png_voidp png_IM_malloc(png_structp png_ptr,png_uint_32 size)
+#if PNG_LIBPNG_VER >= 14000
+static png_voidp png_IM_malloc(png_structp png_ptr,png_alloc_size_t size)
+#else
+static png_voidp png_IM_malloc(png_structp png_ptr,png_size_t size)
+#endif
{
(void) png_ptr;
return MagickAllocateMemory(png_voidp,(size_t) size);
@@ -6169,12 +6173,22 @@
(void) printf("writing raw profile: type=%.1024s, length=%lu\n",
profile_type, (unsigned long)length);
}
- text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text));
+#if PNG_LIBPNG_VER >= 14000
+ text=(png_textp) png_malloc(ping,(png_alloc_size_t) sizeof(png_text));
+#else
+ text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text));
+#endif
description_length=strlen((const char *) profile_description);
allocated_length=(png_uint_32) (length*2 + (length >> 5) + 20
+ description_length);
- text[0].text=(png_charp) png_malloc(ping,allocated_length);
- text[0].key=(png_charp) png_malloc(ping, (png_uint_32) 80);
+#if PNG_LIBPNG_VER >= 14000
+ text[0].text=(png_charp) png_malloc(ping,
+ (png_alloc_size_t) allocated_length);
+ text[0].key=(png_charp) png_malloc(ping, (png_alloc_size_t) 80);
+#else
+ text[0].text=(png_charp) png_malloc(ping, (png_size_t) allocated_length);
+ text[0].key=(png_charp) png_malloc(ping, (png_size_t) 80);
+#endif
text[0].key[0]='\0';
(void) strcat(text[0].key, "Raw profile type ");
(void) strncat(text[0].key, (const char *) profile_type, 61);
@@ -7620,7 +7634,12 @@
if (*attribute->key == '[')
continue;
- text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text));
+#if PNG_LIBPNG_VER >= 14000
+ text=(png_textp) png_malloc(ping,
+ (png_alloc_size_t) sizeof(png_text));
+#else
+ text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text));
+#endif
text[0].key=attribute->key;
text[0].text=attribute->value;
text[0].text_length=strlen(attribute->value);
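Review bot: In the raw-profile hunk (`@@ -6169,12 +6173,22 @@`) the size is still narrowed by the unchanged `allocated_length=(png_uint_32) (length*2 + (length >> 5) + 20 + description_length);`, so the added `(png_alloc_size_t) allocated_length` cast only widens a value that may already have wrapped at 32 bits. If a profile can be long enough for that sum to exceed 32 bits, png_malloc would be asked for less memory than the code filling `text[0].text` presumably expects. The declarations of `length` and `allocated_length` and the writes into the buffer are outside the hunk, so this needs confirming against the full function. I would keep the arithmetic in the allocator's width by declaring `allocated_length` as `size_t` and writing `allocated_length=(size_t) length*2 + (length >> 5) + 20 + description_length;`. Where `size_t` is 32 bits, an explicit upper bound on `length` before the allocation is still needed.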

@ -8,7 +8,7 @@
Summary: An ImageMagick fork, offering faster image generation and better quality
Name: GraphicsMagick
Version: 1.3.16
Release: 4%{?dist}
Release: 5%{?dist}
License: MIT
Group: Applications/Multimedia
Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz
@ -21,6 +21,11 @@ Patch1: GraphicsMagick-1.3.16-multilib.patch
## upstreamable patches
Patch50: GraphicsMagick-1.3.14-perl_linkage.patch
## upstream patches
# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3438
# http://graphicsmagick.hg.sourceforge.net/hgweb/graphicsmagick/graphicsmagick/rev/d6e469d02cd2
Patch100: GraphicsMagick-CVE-2012-3438.patch
BuildRequires: bzip2-devel
BuildRequires: freetype-devel
BuildRequires: jasper-devel
@ -110,6 +115,7 @@ however.
%patch1 -p1 -b .multilib
%patch50 -p1 -b .perl_linkage
%patch100 -p1 -b .CVE-2012-3438
iconv -f iso-8859-2 -t utf8 < ChangeLog > ChangeLog.utf8
mv -f ChangeLog.utf8 ChangeLog
@ -263,6 +269,9 @@ rm -rf %{buildroot}
%changelog
* Mon Aug 20 2012 Rex Dieter <rdieter@fedoraproject.org> 1.3.16-5
- CVE-2012-3438 GraphicsMagick: png_IM_malloc() size argument (#844106, #844107)
* Mon Aug 20 2012 Rex Dieter <rdieter@fedoraproject.org> 1.3.16-4
- link GraphicsMagick against lcms2 instead of lcms1 (#849778)
