From 5ce4896ed82f84110479d860cea98fdc89cddf72 Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Mon, 11 Dec 2017 09:00:08 -0600 Subject: [PATCH] 1.3.27 --- .gitignore | 3 +- GraphicsMagick-CVE-2017-11102-1.patch | 30 ---- GraphicsMagick-CVE-2017-11102-2.patch | 192 -------------------------- GraphicsMagick-CVE-2017-11139.patch | 23 --- GraphicsMagick-CVE-2017-11140.patch | 80 ----------- GraphicsMagick-CVE-2017-11403.patch | 24 ---- GraphicsMagick-CVE-2017-11636.patch | 155 --------------------- GraphicsMagick-CVE-2017-11637.patch | 54 -------- GraphicsMagick-CVE-2017-11638.patch | 43 ------ GraphicsMagick-CVE-2017-11641.patch | 42 ------ GraphicsMagick-CVE-2017-11643.patch | 187 ------------------------- GraphicsMagick.spec | 30 +--- sources | 2 +- 13 files changed, 8 insertions(+), 857 deletions(-) delete mode 100644 GraphicsMagick-CVE-2017-11102-1.patch delete mode 100644 GraphicsMagick-CVE-2017-11102-2.patch delete mode 100644 GraphicsMagick-CVE-2017-11139.patch delete mode 100644 GraphicsMagick-CVE-2017-11140.patch delete mode 100644 GraphicsMagick-CVE-2017-11403.patch delete mode 100644 GraphicsMagick-CVE-2017-11636.patch delete mode 100644 GraphicsMagick-CVE-2017-11637.patch delete mode 100644 GraphicsMagick-CVE-2017-11638.patch delete mode 100644 GraphicsMagick-CVE-2017-11641.patch delete mode 100644 GraphicsMagick-CVE-2017-11643.patch diff --git a/.gitignore b/.gitignore index 450e94d..2ef3cf2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ -/GraphicsMagick-1.3.25.tar.xz -/GraphicsMagick-1.3.26.tar.xz +/GraphicsMagick-1.3.27.tar.xz diff --git a/GraphicsMagick-CVE-2017-11102-1.patch b/GraphicsMagick-CVE-2017-11102-1.patch deleted file mode 100644 index 6ffc037..0000000 --- a/GraphicsMagick-CVE-2017-11102-1.patch +++ /dev/null @@ -1,30 +0,0 @@ - -# HG changeset patch -# User Glenn Randers-Pehrson -# Date 1499262082 14400 -# Node ID dea93a690fc125f70fb8688a0ff3035b96b0045e -# Parent a42ae8447fe7a457790bf699371a1a6f3c6d4e57 -Stop crash due to zero-length color_image while reading a JNG - -diff -r a42ae8447fe7 -r dea93a690fc1 coders/png.c ---- a/coders/png.c Tue Jul 04 16:33:37 2017 -0500 -+++ b/coders/png.c Wed Jul 05 09:41:22 2017 -0400 -@@ -3314,12 +3314,13 @@ - - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), -- " Copying JDAT chunk data" -- " to color_blob."); -- if (color_image != (Image *)NULL) -+ " Copying %lu bytes of JDAT chunk data" -+ " to color_blob.",length); -+ if (length && color_image != (Image *)NULL) -+ { - (void) WriteBlob(color_image,length,(char *) chunk); -- if (length) - MagickFreeMemory(chunk); -+ } - continue; - } - - diff --git a/GraphicsMagick-CVE-2017-11102-2.patch b/GraphicsMagick-CVE-2017-11102-2.patch deleted file mode 100644 index 9ed271d..0000000 --- a/GraphicsMagick-CVE-2017-11102-2.patch +++ /dev/null @@ -1,192 +0,0 @@ - -# HG changeset patch -# User Glenn Randers-Pehrson -# Date 1499352170 14400 -# Node ID d445af60a8d50c4c6f063c7e65fea255b6db2b33 -# Parent dea93a690fc125f70fb8688a0ff3035b96b0045e -coders/png.c: Consolidate JNG cleanup into a new DestroyJNG() function. - -diff -r dea93a690fc1 -r d445af60a8d5 coders/png.c ---- a/coders/png.c Wed Jul 05 09:41:22 2017 -0400 -+++ b/coders/png.c Thu Jul 06 10:42:50 2017 -0400 -@@ -2924,18 +2924,20 @@ - - #if defined(JNG_SUPPORTED) - -- - void --DestroyJNGInfo(ImageInfo *color_image_info, ImageInfo *alpha_image_info) -+DestroyJNG(unsigned char *chunk,Image *color_image,ImageInfo *color_image_info, -+ Image *alpha_image,ImageInfo *alpha_image_info) - { -- if (color_image_info != (ImageInfo *)NULL) -- { -- DestroyImageInfo(color_image_info); -- } -- if (alpha_image_info != (ImageInfo *)NULL) -- { -- DestroyImageInfo(alpha_image_info); -- } -+ if (chunk) -+ MagickFreeMemory(chunk); -+ if (color_image_info) -+ DestroyImageInfo(color_image_info); -+ if (alpha_image_info) -+ DestroyImageInfo(alpha_image_info); -+ if (color_image) -+ DestroyImage(color_image); -+ if (alpha_image) -+ DestroyImage(alpha_image); - } - /* - %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -@@ -3105,7 +3107,8 @@ - - if (length > PNG_MAX_UINT || count == 0) - { -- DestroyJNGInfo(color_image_info,alpha_image_info); -+ DestroyJNG(NULL,color_image,color_image_info, -+ alpha_image,alpha_image_info); - ThrowReaderException(CorruptImageError,CorruptImage,image); - } - -@@ -3116,13 +3119,15 @@ - chunk=MagickAllocateMemory(unsigned char *,length); - if (chunk == (unsigned char *) NULL) - { -- DestroyJNGInfo(color_image_info,alpha_image_info); -+ DestroyJNG(chunk,color_image,color_image_info, -+ alpha_image,alpha_image_info); - ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, - image); - } - if (ReadBlob(image,length,chunk) < length) - { -- DestroyJNGInfo(color_image_info,alpha_image_info); -+ DestroyJNG(chunk,color_image,color_image_info, -+ alpha_image,alpha_image_info); - ThrowReaderException(CorruptImageError,CorruptImage,image); - } - p=chunk; -@@ -3133,8 +3138,8 @@ - { - if (length != 16) - { -- DestroyJNGInfo(color_image_info,alpha_image_info); -- MagickFreeMemory(chunk); -+ DestroyJNG(chunk,color_image,color_image_info, -+ alpha_image,alpha_image_info); - (void) ThrowException2(&image->exception,CoderWarning, - "Invalid JHDR chunk length",(char *) NULL); - return (MagickFail); -@@ -3196,8 +3201,8 @@ - (void) LogMagickEvent(CoderEvent,GetMagickModule(), - " JNG width or height too large: (%lu x %lu)", - jng_width, jng_height); -- MagickFreeMemory(chunk); -- DestroyJNGInfo(color_image_info,alpha_image_info); -+ DestroyJNG(chunk,color_image,color_image_info, -+ alpha_image,alpha_image_info); - ThrowReaderException(CorruptImageError,ImproperImageHeader,image); - } - -@@ -3224,7 +3229,8 @@ - color_image_info=MagickAllocateMemory(ImageInfo *,sizeof(ImageInfo)); - if (color_image_info == (ImageInfo *) NULL) - { -- DestroyJNGInfo(color_image_info,alpha_image_info); -+ DestroyJNG(chunk,color_image,color_image_info, -+ alpha_image,alpha_image_info); - ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, - image); - } -@@ -3232,7 +3238,8 @@ - color_image=AllocateImage(color_image_info); - if (color_image == (Image *) NULL) - { -- DestroyJNGInfo(color_image_info,alpha_image_info); -+ DestroyJNG(chunk,color_image,color_image_info, -+ alpha_image,alpha_image_info); - ThrowReaderException(ResourceLimitError,MemoryAllocationFailed, - image); - } -@@ -3244,7 +3251,8 @@ - exception); - if (status == MagickFalse) - { -- DestroyJNGInfo(color_image_info,alpha_image_info); -+ DestroyJNG(chunk,color_image,color_image_info, -+ alpha_image,alpha_image_info); - ThrowReaderException(CoderError,UnableToOpenBlob,color_image); - } - -@@ -3254,7 +3262,8 @@ - sizeof(ImageInfo)); - if (alpha_image_info == (ImageInfo *) NULL) - { -- DestroyJNGInfo(color_image_info,alpha_image_info); -+ DestroyJNG(chunk,color_image,color_image_info, -+ alpha_image,alpha_image_info); - ThrowReaderException(ResourceLimitError, - MemoryAllocationFailed, image); - } -@@ -3262,7 +3271,8 @@ - alpha_image=AllocateImage(alpha_image_info); - if (alpha_image == (Image *) NULL) - { -- DestroyJNGInfo(color_image_info,alpha_image_info); -+ DestroyJNG(chunk,color_image,color_image_info, -+ alpha_image,alpha_image_info); - ThrowReaderException(ResourceLimitError, - MemoryAllocationFailed, - alpha_image); -@@ -3275,8 +3285,8 @@ - exception); - if (status == MagickFalse) - { -- DestroyJNGInfo(color_image_info,alpha_image_info); -- DestroyImage(alpha_image); -+ DestroyJNG(chunk,color_image,color_image_info, -+ alpha_image,alpha_image_info); - ThrowReaderException(CoderError,UnableToOpenBlob,image); - } - if (jng_alpha_compression_method == 0) -@@ -3496,7 +3506,7 @@ - } - - -- /* IEND found */ -+ /* IEND found or loop ended */ - - /* - Finish up reading image data: -@@ -3610,10 +3620,8 @@ - break; - } - (void) LiberateUniqueFileResource(alpha_image->filename); -- DestroyImage(alpha_image); -- alpha_image = (Image *)NULL; -- DestroyImageInfo(alpha_image_info); -- alpha_image_info = (ImageInfo *)NULL; -+ DestroyJNG(NULL,color_image,color_image_info, -+ alpha_image,alpha_image_info); - DestroyImage(jng_image); - jng_image = (Image *)NULL; - } -@@ -3636,13 +3644,8 @@ - - /* Clean up in case we didn't earlier */ - -- DestroyJNGInfo(color_image_info,alpha_image_info); -- -- if (alpha_image != (Image *)NULL) -- { -- (void) LiberateUniqueFileResource(alpha_image->filename); -- DestroyImage(alpha_image); -- } -+ DestroyJNG(NULL,color_image,color_image_info, -+ alpha_image,alpha_image_info); - - if (logging) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), - diff --git a/GraphicsMagick-CVE-2017-11139.patch b/GraphicsMagick-CVE-2017-11139.patch deleted file mode 100644 index e7fba03..0000000 --- a/GraphicsMagick-CVE-2017-11139.patch +++ /dev/null @@ -1,23 +0,0 @@ - -# HG changeset patch -# User Bob Friesenhahn -# Date 1499536785 18000 -# Node ID 4d0baa77245b386754cd65bbdb7b0937088cb3de -# Parent b4139088b49afaad8ac76b74f8a10ad5a63d3f3b -JNG: Fix double frees caused by changeset 15060:d445af60a8d5 commited on 2017-07-06 - -diff -r b4139088b49a -r 4d0baa77245b coders/png.c ---- a/coders/png.c Sat Jul 08 09:20:58 2017 -0500 -+++ b/coders/png.c Sat Jul 08 12:59:45 2017 -0500 -@@ -3622,6 +3622,10 @@ - (void) LiberateUniqueFileResource(alpha_image->filename); - DestroyJNG(NULL,color_image,color_image_info, - alpha_image,alpha_image_info); -+ color_image = (Image *)NULL; -+ color_image_info = (ImageInfo *) NULL; -+ alpha_image = (Image *)NULL; -+ alpha_image_info = (ImageInfo *) NULL; - DestroyImage(jng_image); - jng_image = (Image *)NULL; - } - diff --git a/GraphicsMagick-CVE-2017-11140.patch b/GraphicsMagick-CVE-2017-11140.patch deleted file mode 100644 index 74ce17a..0000000 --- a/GraphicsMagick-CVE-2017-11140.patch +++ /dev/null @@ -1,80 +0,0 @@ - -# HG changeset patch -# User Bob Friesenhahn -# Date 1499523658 18000 -# Node ID b4139088b49afaad8ac76b74f8a10ad5a63d3f3b -# Parent c94d4172aca78ff942c0b6bd5537275873acb408 -Defer creating pixel cache until first scanline. Classify some libjpeg warnings as errors. - -diff -r c94d4172aca7 -r b4139088b49a coders/jpeg.c ---- a/coders/jpeg.c Thu Jul 06 18:54:30 2017 -0500 -+++ b/coders/jpeg.c Sat Jul 08 09:20:58 2017 -0500 -@@ -240,10 +240,34 @@ - err->msg_parm.i[4], err->msg_parm.i[5], - err->msg_parm.i[6], err->msg_parm.i[7]); - } -- if ((err->num_warnings == 0) || -- (err->trace_level >= 3)) -- ThrowBinaryException2(CorruptImageWarning,(char *) message, -+ /* -+ Treat some "warnings" as errors -+ */ -+ switch (err->msg_code) -+ { -+ case JWRN_HIT_MARKER: /* Corrupt JPEG data: premature end of data segment */ -+ case JWRN_JPEG_EOF: /* Premature end of JPEG file */ -+ { -+ ThrowBinaryException2(CorruptImageError,(char *) message, -+ image->filename); -+ break; -+ } -+ case JWRN_HUFF_BAD_CODE: /* Corrupt JPEG data: bad Huffman code */ -+ case JWRN_MUST_RESYNC: /* Corrupt JPEG data: found marker 0x%02x instead of RST%d */ -+ case JWRN_NOT_SEQUENTIAL: /* "Invalid SOS parameters for sequential JPEG */ -+ { -+ ThrowBinaryException2(CorruptImageError,(char *) message, - image->filename); -+ break; -+ } -+ default: -+ { -+ if ((err->num_warnings == 0) || -+ (err->trace_level >= 3)) -+ ThrowBinaryException2(CorruptImageWarning,(char *) message, -+ image->filename); -+ } -+ } - err->num_warnings++; - } - else -@@ -1350,6 +1374,16 @@ - register PixelPacket - *q; - -+ /* -+ Read scanlines. Stop at first serious error. -+ */ -+ if ((jpeg_read_scanlines(&jpeg_info,scanline,1) != 1) || -+ (image->exception.severity >= ErrorException)) -+ { -+ status=MagickFail; -+ break; -+ } -+ - q=SetImagePixels(image,0,y,image->columns,1); - if (q == (PixelPacket *) NULL) - { -@@ -1358,12 +1392,6 @@ - } - indexes=AccessMutableIndexes(image); - -- if (jpeg_read_scanlines(&jpeg_info,scanline,1) != 1) -- { -- status=MagickFail; -- break; -- } -- - p=jpeg_pixels; - - if (jpeg_info.output_components == 1) - diff --git a/GraphicsMagick-CVE-2017-11403.patch b/GraphicsMagick-CVE-2017-11403.patch deleted file mode 100644 index 987a4f2..0000000 --- a/GraphicsMagick-CVE-2017-11403.patch +++ /dev/null @@ -1,24 +0,0 @@ - -# HG changeset patch -# User Glenn Randers-Pehrson -# Date 1499704855 14400 -# Node ID d0a76868ca37ae482eb3e8cecbb9150c5348ffe8 -# Parent b24f2a9b0dd70506d429e537ff3e81532b5bfc23 -coders/png.c (ReadMNGImage): Fix out-of-order CloseBlob() - -and DestroyImageList() that caused a use-after-free crash. - -diff -r b24f2a9b0dd7 -r d0a76868ca37 coders/png.c ---- a/coders/png.c Mon Jul 10 11:31:05 2017 -0400 -+++ b/coders/png.c Mon Jul 10 12:40:55 2017 -0400 -@@ -5161,8 +5161,8 @@ - - if (image == (Image *) NULL) - { -+ CloseBlob(previous); - DestroyImageList(previous); -- CloseBlob(previous); - MngInfoFreeStruct(mng_info,&have_mng_structure); - return((Image *) NULL); - } - diff --git a/GraphicsMagick-CVE-2017-11636.patch b/GraphicsMagick-CVE-2017-11636.patch deleted file mode 100644 index cd62c2e..0000000 --- a/GraphicsMagick-CVE-2017-11636.patch +++ /dev/null @@ -1,155 +0,0 @@ - -# HG changeset patch -# User Bob Friesenhahn -# Date 1500755964 18000 -# Node ID 39961adf974c7e284e3f95d2fc1609da4461d3ff -# Parent d00b74315a716a62386de06732afdd2822b9f1fd -RGB: Fixed heap overflow with multiple frames with varying widths. - -diff -r d00b74315a71 -r 39961adf974c coders/rgb.c ---- a/coders/rgb.c Sat Jul 22 15:39:14 2017 -0500 -+++ b/coders/rgb.c Sat Jul 22 15:39:24 2017 -0500 -@@ -1,5 +1,5 @@ - /* --% Copyright (C) 2003 - 2015 GraphicsMagick Group -+% Copyright (C) 2003 - 2017 GraphicsMagick Group - % Copyright (C) 2002 ImageMagick Studio - % Copyright 1991-1999 E. I. du Pont de Nemours and Company - % -@@ -570,19 +570,20 @@ - */ - static unsigned int WriteRGBImage(const ImageInfo *image_info,Image *image) - { -- int -+ long - y; - - register const PixelPacket - *p; - - unsigned char -- *pixels; -+ *pixels = (unsigned char *) NULL; - - unsigned int - status; - - unsigned int -+ depth, - packet_size, - quantum_size, - scene; -@@ -593,27 +594,11 @@ - ExportPixelAreaInfo - export_info; - -- /* -- Allocate memory for pixels. -- */ - assert(image_info != (const ImageInfo *) NULL); - assert(image_info->signature == MagickSignature); - assert(image != (Image *) NULL); - assert(image->signature == MagickSignature); - -- if (image->depth <= 8) -- quantum_size=8; -- else if (image->depth <= 16) -- quantum_size=16; -- else -- quantum_size=32; -- -- packet_size=(quantum_size*3)/8; -- if (LocaleCompare(image_info->magick,"RGBA") == 0) -- packet_size=(quantum_size*4)/8; -- pixels=MagickAllocateArray(unsigned char *,packet_size,image->columns); -- if (pixels == (unsigned char *) NULL) -- ThrowWriterException(ResourceLimitError,MemoryAllocationFailed,image); - if (image_info->interlace != PartitionInterlace) - { - /* -@@ -623,30 +608,70 @@ - if (status == False) - ThrowWriterException(FileOpenError,UnableToOpenFile,image); - } -+ -+ /* -+ Support depth in multiples of 8 bits. -+ */ -+ if (image->depth > 16) -+ depth=32; -+ else if (image->depth > 8) -+ depth=16; -+ else -+ depth=8; -+ -+ if (depth <= 8) -+ quantum_size=8; -+ else if (depth <= 16) -+ quantum_size=16; -+ else -+ quantum_size=32; -+ -+ packet_size=(quantum_size*3)/8; -+ if (LocaleCompare(image_info->magick,"RGBA") == 0) -+ packet_size=(quantum_size*4)/8; -+ - scene=0; -- /* -- Initialize export options. -- */ -- ExportPixelAreaOptionsInit(&export_options); -- if (image->endian != UndefinedEndian) -- export_options.endian=image->endian; -- else if (image_info->endian != UndefinedEndian) -- export_options.endian=image_info->endian; -- if (image->logging) -- (void) LogMagickEvent(CoderEvent,GetMagickModule(), -- "Depth %u bits, Endian %s, Interlace %s", -- quantum_size, -- EndianTypeToString(export_options.endian), -- InterlaceTypeToString(image_info->interlace)); - do - { - /* -+ Allocate memory for pixels. -+ */ -+ MagickReallocMemory(unsigned char *,pixels, -+ MagickArraySize(packet_size,image->columns)); -+ if (pixels == (unsigned char *) NULL) -+ ThrowWriterException(ResourceLimitError,MemoryAllocationFailed,image); -+ -+ /* -+ Initialize export options. -+ */ -+ ExportPixelAreaOptionsInit(&export_options); -+ if (image->endian != UndefinedEndian) -+ export_options.endian=image->endian; -+ else if (image_info->endian != UndefinedEndian) -+ export_options.endian=image_info->endian; -+ -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "%lu: " -+ "Geometry %lux%lu, " -+ "Depth %u bits, " -+ "Endian %s, " -+ "Packet Size %u, " -+ "Row bytes %" MAGICK_SIZE_T_F "u", -+ image->scene, -+ image->columns,image->rows, -+ quantum_size, -+ EndianTypeToString(export_options.endian), -+ packet_size, -+ (MAGICK_SIZE_T) MagickArraySize(packet_size,image->columns)); -+ -+ /* - Convert MIFF to RGB raster pixels. - */ - (void) TransformColorspace(image,RGBColorspace); - if (LocaleCompare(image_info->magick,"RGBA") == 0) - if (!image->matte) - SetImageOpacity(image,OpaqueOpacity); -+ - switch (image_info->interlace) - { - case NoInterlace: - diff --git a/GraphicsMagick-CVE-2017-11637.patch b/GraphicsMagick-CVE-2017-11637.patch deleted file mode 100644 index be74ad8..0000000 --- a/GraphicsMagick-CVE-2017-11637.patch +++ /dev/null @@ -1,54 +0,0 @@ - -# HG changeset patch -# User Bob Friesenhahn -# Date 1500771092 18000 -# Node ID f3ffc5541257cfbbe1dc93e3f0775cc8d2de96fd -# Parent db732abd9318246cca5b07b56b58a22f39d342e0 -PCL: Fix null pointer dereference in writing monochrome images. - -diff -r db732abd9318 -r f3ffc5541257 coders/pcl.c ---- a/coders/pcl.c Sat Jul 22 17:56:27 2017 -0500 -+++ b/coders/pcl.c Sat Jul 22 19:51:32 2017 -0500 -@@ -1010,7 +1010,16 @@ - for (x=0; x < (long) image->columns; x++) - { - byte<<=1; -- if (indexes[x] == blk_ind) byte |= 1; -+ if (image->storage_class == PseudoClass) -+ { -+ if (indexes[x] == blk_ind) -+ byte |= 1; -+ } -+ else -+ { -+ if (p[x].red == 0) -+ byte |= 1; -+ } - bit++; - if (bit == 8) - { -@@ -1028,10 +1037,20 @@ - /* - 8 bit PseudoClass row - */ -- indexes=AccessImmutableIndexes(image); -- for (x=0; x < (long) image->columns; x++) -+ if (image->storage_class == PseudoClass) - { -- *q++=indexes[x]; -+ indexes=AccessImmutableIndexes(image); -+ for (x=0; x < (long) image->columns; x++) -+ { -+ *q++=indexes[x]; -+ } -+ } -+ else -+ { -+ for (x=0; x < (long) image->columns; x++) -+ { -+ *q++=PixelIntensityRec601(&p[x]); -+ } - } - } - else - diff --git a/GraphicsMagick-CVE-2017-11638.patch b/GraphicsMagick-CVE-2017-11638.patch deleted file mode 100644 index 144ed78..0000000 --- a/GraphicsMagick-CVE-2017-11638.patch +++ /dev/null @@ -1,43 +0,0 @@ - -# HG changeset patch -# User Bob Friesenhahn -# Date 1500758975 18000 -# Node ID 29550606d8b9bf74f9aea0637d11d19fe706871b -# Parent 30cd2b31f7e045de4861b102e3f8d83db579bc7a -MAP: Fix null pointer dereference or SEGV if input is not colormapped. - -diff -r 30cd2b31f7e0 -r 29550606d8b9 coders/map.c ---- a/coders/map.c Sat Jul 22 15:40:00 2017 -0500 -+++ b/coders/map.c Sat Jul 22 16:29:35 2017 -0500 -@@ -18,7 +18,7 @@ - % M M A A P % - % % - % % --% Read/Write Image Colormaps As An Image File % -+% Read/Write Image Colormaps And Image File % - % % - % % - % Software Design % -@@ -349,16 +349,17 @@ - /* - Allocate colormap. - */ -- if (!IsPaletteImage(image,&image->exception)) -- (void) SetImageType(image,PaletteType); -+ if (SetImageType(image,PaletteType) == MagickFail) -+ ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image); - packet_size=image->depth > 8 ? 2 : 1; -- pixels=MagickAllocateMemory(unsigned char *,image->columns*packet_size); -+ pixels=MagickAllocateArray(unsigned char *,image->columns,packet_size); - if (pixels == (unsigned char *) NULL) - ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image); - packet_size=image->colors > 256 ? 6 : 3; -- colormap=MagickAllocateMemory(unsigned char *,packet_size*image->colors); -+ colormap=MagickAllocateArray(unsigned char *,packet_size,image->colors); - if (colormap == (unsigned char *) NULL) - ThrowMAPWriterException(ResourceLimitError,MemoryAllocationFailed,image); -+ - /* - Write colormap to file. - */ - diff --git a/GraphicsMagick-CVE-2017-11641.patch b/GraphicsMagick-CVE-2017-11641.patch deleted file mode 100644 index 44f4db5..0000000 --- a/GraphicsMagick-CVE-2017-11641.patch +++ /dev/null @@ -1,42 +0,0 @@ - -# HG changeset patch -# User Bob Friesenhahn -# Date 1500764187 18000 -# Node ID db732abd9318246cca5b07b56b58a22f39d342e0 -# Parent 29550606d8b9bf74f9aea0637d11d19fe706871b -MPC: Fix memory leak while writing Magick Persistent Cache format. - -diff -r 29550606d8b9 -r db732abd9318 magick/pixel_cache.c ---- a/magick/pixel_cache.c Sat Jul 22 16:29:35 2017 -0500 -+++ b/magick/pixel_cache.c Sat Jul 22 17:56:27 2017 -0500 -@@ -3458,7 +3458,10 @@ - cache_info->type=DiskCache; - cache_info->offset=(*offset); - if (!OpenCache(clone_image,IOMode,exception)) -- return(MagickFail); -+ { -+ DestroyImage(clone_image); -+ return(MagickFail); -+ } - y=0; - { - ViewInfo -@@ -3495,11 +3498,13 @@ - CloseCacheView(image_view); - CloseCacheView(clone_view); - } -- cache_info=(CacheInfo*) ReferenceCache(cache_info); -+ if (y < (long) image->rows) -+ { -+ DestroyImage(clone_image); -+ return(MagickFail); -+ } -+ *offset+=cache_info->length+pagesize-(cache_info->length % pagesize); - DestroyImage(clone_image); -- if (y < (long) image->rows) -- return(MagickFail); -- *offset+=cache_info->length+pagesize-(cache_info->length % pagesize); - (void) LogMagickEvent(CacheEvent,GetMagickModule(),"Clone persistent cache"); - return(MagickPass); - } - diff --git a/GraphicsMagick-CVE-2017-11643.patch b/GraphicsMagick-CVE-2017-11643.patch deleted file mode 100644 index 4fdc947..0000000 --- a/GraphicsMagick-CVE-2017-11643.patch +++ /dev/null @@ -1,187 +0,0 @@ - -# HG changeset patch -# User Bob Friesenhahn -# Date 1500755954 18000 -# Node ID d00b74315a716a62386de06732afdd2822b9f1fd -# Parent 4089bde04d744cbe15842284568b2ed086dd3832 -CMYK: Fixed heap overflow with multiple frames with varying widths. - -diff -r 4089bde04d74 -r d00b74315a71 coders/cmyk.c ---- a/coders/cmyk.c Sat Jul 22 13:08:14 2017 -0500 -+++ b/coders/cmyk.c Sat Jul 22 15:39:14 2017 -0500 -@@ -1,5 +1,5 @@ - /* --% Copyright (C) 2003 - 2015 GraphicsMagick Group -+% Copyright (C) 2003 - 2017 GraphicsMagick Group - % Copyright (C) 2002 ImageMagick Studio - % Copyright 1991-1999 E. I. du Pont de Nemours and Company - % -@@ -92,8 +92,8 @@ - y; - - register long -- i, -- x; -+ x, -+ i; - - register PixelPacket - *q; -@@ -608,16 +608,17 @@ - */ - static unsigned int WriteCMYKImage(const ImageInfo *image_info,Image *image) - { -- int -+ long - y; - - register const PixelPacket - *p; - - unsigned char -- *pixels; -+ *pixels = (unsigned char *) NULL; - - unsigned int -+ depth, - packet_size, - quantum_size, - scene, -@@ -629,27 +630,11 @@ - ExportPixelAreaInfo - export_info; - -- if (image->depth <= 8) -- quantum_size=8; -- else if (image->depth <= 16) -- quantum_size=16; -- else -- quantum_size=32; -- -- -- /* -- Allocate memory for pixels. -- */ - assert(image_info != (const ImageInfo *) NULL); - assert(image_info->signature == MagickSignature); - assert(image != (Image *) NULL); - assert(image->signature == MagickSignature); -- packet_size=(quantum_size*4)/8; -- if (LocaleCompare(image_info->magick,"CMYKA") == 0) -- packet_size=(quantum_size*5)/8; -- pixels=MagickAllocateArray(unsigned char *,packet_size,image->columns); -- if (pixels == (unsigned char *) NULL) -- ThrowWriterException(ResourceLimitError,MemoryAllocationFailed,image); -+ - if (image_info->interlace != PartitionInterlace) - { - /* -@@ -659,16 +644,39 @@ - if (status == False) - ThrowWriterException(FileOpenError,UnableToOpenFile,image); - } -+ -+ /* -+ Support depth in multiples of 8 bits. -+ */ -+ if (image->depth > 16) -+ depth=32; -+ else if (image->depth > 8) -+ depth=16; -+ else -+ depth=8; -+ -+ if (depth <= 8) -+ quantum_size=8; -+ else if (depth <= 16) -+ quantum_size=16; -+ else -+ quantum_size=32; -+ -+ packet_size=(quantum_size*4)/8; -+ if (LocaleCompare(image_info->magick,"CMYKA") == 0) -+ packet_size=(quantum_size*5)/8; -+ - scene=0; - do - { - /* -- Convert MIFF to CMYK raster pixels. -+ Allocate memory for pixels. - */ -- (void) TransformColorspace(image,CMYKColorspace); -- if (LocaleCompare(image_info->magick,"CMYKA") == 0) -- if (!image->matte) -- SetImageOpacity(image,OpaqueOpacity); -+ MagickReallocMemory(unsigned char *,pixels, -+ MagickArraySize(packet_size,image->columns)); -+ if (pixels == (unsigned char *) NULL) -+ ThrowWriterException(ResourceLimitError,MemoryAllocationFailed,image); -+ - /* - Initialize export options. - */ -@@ -677,10 +685,28 @@ - export_options.endian=image->endian; - else if (image_info->endian != UndefinedEndian) - export_options.endian=image_info->endian; -- if (image->logging) -- (void) LogMagickEvent(CoderEvent,GetMagickModule(), -- "Image depth %u bits, Endian %s",quantum_size, -- EndianTypeToString(export_options.endian)); -+ -+ (void) LogMagickEvent(CoderEvent,GetMagickModule(), -+ "%lu: " -+ "Geometry %lux%lu, " -+ "Depth %u bits, " -+ "Endian %s, Packet Size %u, " -+ "Row bytes %" MAGICK_SIZE_T_F "u", -+ image->scene, -+ image->columns,image->rows, -+ quantum_size, -+ EndianTypeToString(export_options.endian), -+ packet_size, -+ (MAGICK_SIZE_T) MagickArraySize(packet_size,image->columns)); -+ -+ /* -+ Convert MIFF to CMYK raster pixels. -+ */ -+ (void) TransformColorspace(image,CMYKColorspace); -+ if (LocaleCompare(image_info->magick,"CMYKA") == 0) -+ if (!image->matte) -+ SetImageOpacity(image,OpaqueOpacity); -+ - switch (image_info->interlace) - { - case NoInterlace: -@@ -689,23 +715,17 @@ - /* - No interlacing: CMYKCMYKCMYKCMYKCMYKCMYK... - */ -+ const QuantumType quantum_type = -+ (LocaleCompare(image_info->magick,"CMYKA") == 0) ? CMYKAQuantum : -+ CMYKQuantum; - for (y=0; y < (long) image->rows; y++) - { - p=AcquireImagePixels(image,0,y,image->columns,1,&image->exception); - if (p == (const PixelPacket *) NULL) - break; -- if (LocaleCompare(image_info->magick,"CMYKA") != 0) -- { -- (void) ExportImagePixelArea(image,CMYKQuantum,quantum_size,pixels, -- &export_options,&export_info); -- (void) WriteBlob(image,export_info.bytes_exported,pixels); -- } -- else -- { -- (void) ExportImagePixelArea(image,CMYKAQuantum,quantum_size,pixels, -- &export_options,&export_info); -- (void) WriteBlob(image,export_info.bytes_exported,pixels); -- } -+ (void) ExportImagePixelArea(image,quantum_type,quantum_size,pixels, -+ &export_options,&export_info); -+ (void) WriteBlob(image,export_info.bytes_exported,pixels); - if (image->previous == (Image *) NULL) - if (QuantumTick(y,image->rows)) - if (!MagickMonitorFormatted(y,image->rows,&image->exception, - diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec index 4cb3a06..4aa5316 100644 --- a/GraphicsMagick.spec +++ b/GraphicsMagick.spec @@ -27,8 +27,8 @@ Summary: An ImageMagick fork, offering faster image generation and better quality Name: GraphicsMagick -Version: 1.3.26 -Release: 10%{?dist} +Version: 1.3.27 +Release: 1%{?dist} License: MIT Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz @@ -42,16 +42,6 @@ Patch100: GraphicsMagick-1.3.16-multilib.patch Patch50: GraphicsMagick-1.3.14-perl_linkage.patch ## upstream patches -Patch1: GraphicsMagick-CVE-2017-11403.patch -Patch2: GraphicsMagick-CVE-2017-11102-1.patch -Patch3: GraphicsMagick-CVE-2017-11102-2.patch -Patch4: GraphicsMagick-CVE-2017-11139.patch -Patch5: GraphicsMagick-CVE-2017-11140.patch -Patch6: GraphicsMagick-CVE-2017-11636.patch -Patch7: GraphicsMagick-CVE-2017-11637.patch -Patch8: GraphicsMagick-CVE-2017-11638.patch -Patch9: GraphicsMagick-CVE-2017-11641.patch -Patch10: GraphicsMagick-CVE-2017-11643.patch BuildRequires: bzip2-devel BuildRequires: freetype-devel @@ -86,7 +76,7 @@ BuildRequires: libwebp-devel Obsoletes: GraphicsMagick < 1.3.19-4 # depend on stuff referenced below -# --with-gs-font-dir=%{_datadir}/fonts/default/Type1 +# --with-gs-font-dir=%%{_datadir}/fonts/default/Type1 Requires: urw-fonts %description @@ -165,17 +155,6 @@ however. %prep %setup -q -%patch1 -p1 -b .CVE-2017-11403 -%patch2 -p1 -b .CVE-2017-11102-1 -%patch3 -p1 -b .CVE-2017-11102-2 -%patch4 -p1 -b .CVE-2017-11139 -%patch5 -p1 -b .CVE-2017-11140 -%patch6 -p1 -b .CVE-2017-11636 -%patch7 -p1 -b .CVE-2017-11637 -%patch8 -p1 -b .CVE-2017-11638 -%patch9 -p1 -b .CVE-2017-11641 -%patch10 -p1 -b .CVE-2017-11643 - %patch50 -p1 -b .perl_linkage %patch100 -p1 -b .multilib @@ -330,6 +309,9 @@ exit 1 %changelog +* Mon Dec 11 2017 Rex Dieter - 1.3.27-1 +- 1.3.27 + * Sat Aug 12 2017 Ville Skyttä - 1.3.26-10 - Own doc dir diff --git a/sources b/sources index 3e2832b..131ea6a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (GraphicsMagick-1.3.26.tar.xz) = b33ca0f1c858428693aee27a9089acff9e63d1110f85fa036894cfefe6274e7b2422758ea39852f94fdb4823c9c3f3c44b0d8906627503301f5928096f739f22 +SHA512 (GraphicsMagick-1.3.27.tar.xz) = 27c2fccebe1ae079040986979405f9840ad39f773e2e0399712695146ec1b0f92a53533e6052df124f5db38aacc95bbd4b2e8692e81c92dade4e169ddfcc9b8c