From e17fc1dda9665320aa484b2998d82e5f03b861f8 Mon Sep 17 00:00:00 2001
From: Rex Dieter
Date: Thu, 2 Mar 2017 09:10:45 -0600
Subject: [PATCH] CVE-2016-7800 (#1381148) CVE-2016-7996, CVE-2016-7997 (#1383223) CVE-2016-8682, CVE-2016-8683, CVE-2016-8684 (#1385583)
---
 GraphicsMagick-CVE-2016-7800.patch | 58 +++++++++++++++++++
 GraphicsMagick-CVE-2016-7996.patch | 47 +++++++++++++++
 GraphicsMagick-CVE-2016-7997.patch | 63 ++++++++++++++++++++
 GraphicsMagick-CVE-2016-8682.patch | 24 ++++++++
 GraphicsMagick-CVE-2016-8683.patch | 71 +++++++++++++++++++++++
 GraphicsMagick-CVE-2016-8684.patch | 93 ++++++++++++++++++++++++++++++
 GraphicsMagick.spec | 26 ++++++++-
 7 files changed, 379 insertions(+), 3 deletions(-)
 create mode 100644 GraphicsMagick-CVE-2016-7800.patch
 create mode 100644 GraphicsMagick-CVE-2016-7996.patch
 create mode 100644 GraphicsMagick-CVE-2016-7997.patch
 create mode 100644 GraphicsMagick-CVE-2016-8682.patch
 create mode 100644 GraphicsMagick-CVE-2016-8683.patch
 create mode 100644 GraphicsMagick-CVE-2016-8684.patch
diff --git a/GraphicsMagick-CVE-2016-7800.patch b/GraphicsMagick-CVE-2016-7800.patch
new file mode 100644
index 0000000..f26da32
--- /dev/null
+++ b/GraphicsMagick-CVE-2016-7800.patch
@@ -0,0 +1,58 @@ +# HG changeset patch +# User Bob Friesenhahn +# Date 1475336055 18000 +# Sat Oct 01 10:34:15 2016 -0500 +# Node ID 5c7b6d6094a25e99c57f8b18343914ebfd8213ef +# Parent 623b741873230aaf0aaa767f14f4241f9d56a0f6 +Fix unsigned underflow leading to heap overflow when parsing 8BIM chunk. + +diff --git a/coders/meta.c b/coders/meta.c +--- a/coders/meta.c ++++ b/coders/meta.c +@@ -396,10 +396,17 @@ + { + if (brkused && next > 0) + { ++ size_t ++ codes_len; ++ + char + *s = &token[next-1]; + +- len -= convertHTMLcodes(s, strlen(s)); ++ codes_len = convertHTMLcodes(s, strlen(s)); ++ if (codes_len > len) ++ len = 0; ++ else ++ len -= codes_len; + } + } + +@@ -450,7 +457,7 @@ + next=0; + outputlen += len; + while (len--) +- (void) WriteBlobByte(ofile,token[next++]); /* boom */ ++ (void) WriteBlobByte(ofile,token[next++]); + + if (outputlen & 1) + { +@@ -682,10 +689,17 @@ + { + if (brkused && next > 0) + { ++ size_t ++ codes_len; ++ + char + *s = &token[next-1]; + +- len -= convertHTMLcodes(s, strlen(s)); ++ codes_len = convertHTMLcodes(s, strlen(s)); ++ if (codes_len > len) ++ len = 0; ++ else ++ len -= codes_len; + } + } + diff --git a/GraphicsMagick-CVE-2016-7996.patch b/GraphicsMagick-CVE-2016-7996.patch new file mode 100644 index 0000000..548a13a --- /dev/null +++ b/GraphicsMagick-CVE-2016-7996.patch 
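Review bot: The new clamp `if (codes_len > len) len = 0; else len -= codes_len;` silently drops the remainder of the token when convertHTMLcodes() reports more bytes than are left, so a malformed 8BIM record is written out truncated rather than reported; a comment on the `len = 0` branch such as `/* entity consumed more than the remaining token: treat as exhausted, do not underflow */` would stop the next reader from "fixing" it back. The identical guard is pasted into coders/meta.c at both @@ -396 and @@ -682, which suggests a small static helper so the two copies cannot drift. The enclosing functions begin and end outside these hunks, so the declared type of `len` is not visible; if it is narrower than size_t or signed, the comparison against `codes_len` deserves a check for an implicit conversion.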
@@ -0,0 +1,47 @@ +# HG changeset patch +# User fojtik +# Date 1475404477 -7200 +# Sun Oct 02 12:34:37 2016 +0200 +# Node ID 17e89d5d40c96f7cee22f1c661d47b016ea2579f +# Parent 5c7b6d6094a25e99c57f8b18343914ebfd8213ef +* coders/wpg.c Add sanity check for palette. + +diff --git a/coders/wpg.c b/coders/wpg.c +--- a/coders/wpg.c ++++ b/coders/wpg.c +@@ -1210,7 +1210,7 @@ + + Header.DataOffset=TellBlob(image)+Rec2.RecordLength; + +- if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(), ++ if(logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(), + "Parsing object: %X", Rec2.RecType); + + switch(Rec2.RecType) +@@ -1224,18 +1224,20 @@ + WPG_Palette.StartIndex=ReadBlobLSBShort(image); + WPG_Palette.NumOfEntries=ReadBlobLSBShort(image); + ++ /* Sanity check for amount of palette entries. */ ++ if( (WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) > (Rec2.RecordLength-2-2) / 3) ++ ThrowReaderException(CorruptImageError,InvalidColormapIndex,image); ++ + image->colors=WPG_Palette.NumOfEntries; + if (!AllocateImageColormap(image,image->colors)) + ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); ++ + for (i=WPG_Palette.StartIndex; + i < (int)WPG_Palette.NumOfEntries; i++) + { +- image->colormap[i].red= +- ScaleCharToQuantum(ReadBlobByte(image)); +- image->colormap[i].green= +- ScaleCharToQuantum(ReadBlobByte(image)); +- image->colormap[i].blue= +- ScaleCharToQuantum(ReadBlobByte(image)); ++ image->colormap[i].red=ScaleCharToQuantum(ReadBlobByte(image)); ++ image->colormap[i].green=ScaleCharToQuantum(ReadBlobByte(image)); ++ image->colormap[i].blue=ScaleCharToQuantum(ReadBlobByte(image)); + (void) ReadBlobByte(image); /*Opacity??*/ + } + break; diff --git a/GraphicsMagick-CVE-2016-7997.patch b/GraphicsMagick-CVE-2016-7997.patch new file mode 100644 index 0000000..69c86d8 --- /dev/null +++ b/GraphicsMagick-CVE-2016-7997.patch 
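Review bot: The new sanity check divides the remaining record length by 3, but the loop it guards consumes four bytes per entry (red, green, blue, then the `(void) ReadBlobByte(image); /*Opacity??*/`), so a record sized for exactly 3 bytes per entry passes the check and the loop still reads one byte per entry beyond the record; if the opacity byte is real the divisor should be 4. `Rec2.RecordLength-2-2` is also unguarded for records shorter than 4 bytes — if RecordLength is an unsigned type (its declaration is not in the hunk) the subtraction wraps to a huge value and the check accepts any palette size, so a preceding `if (Rec2.RecordLength < 4) ThrowReaderException(CorruptImageError,ImproperImageHeader,image);` would close that gap. The `if (logging)` → `if(logging)` edit at @@ -1210 is an unrelated whitespace change that makes the security patch noisier than it needs to be.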
@@ -0,0 +1,63 @@ +# HG changeset patch +# User fojtik +# Date 1475430071 -7200 +# Sun Oct 02 19:41:11 2016 +0200 +# Node ID 1cf5808339d9e7e6f10840311e82dc40b0cd8ec6 +# Parent 2db735de2bea758981ea130abffc85aaf7893d73 +* coders/wpg.c Correctly flip image->blob and rotated_image->blob. + +diff --git a/coders/wpg.c b/coders/wpg.c +--- a/coders/wpg.c ++++ b/coders/wpg.c +@@ -935,6 +935,7 @@ + + unsigned char + *BImgBuff; ++ BlobInfo *TmpBlob; + + tCTM CTM; /*current transform matrix*/ + +@@ -1133,8 +1134,9 @@ + rotated_image = FlopImage(image, exception); + if (rotated_image != (Image *) NULL) + { ++ BlobInfo *TmpBlob = rotated_image->blob; + rotated_image->blob = image->blob; +- image->blob = NULL; ++ image->blob = TmpBlob; + (void) RemoveLastImageFromList(&image); + AppendImageToList(&image,rotated_image); + } +@@ -1145,8 +1147,9 @@ + rotated_image = FlipImage(image, exception); + if (rotated_image != (Image *) NULL) + { ++ BlobInfo *TmpBlob = rotated_image->blob; + rotated_image->blob = image->blob; +- image->blob = NULL; ++ image->blob = TmpBlob; + (void) RemoveLastImageFromList(&image); + AppendImageToList(&image,rotated_image); + } +@@ -1160,8 +1163,9 @@ + exception); + if (rotated_image != (Image *) NULL) + { ++ BlobInfo *TmpBlob = rotated_image->blob; + rotated_image->blob = image->blob; +- image->blob = NULL; ++ image->blob = TmpBlob; + (void) RemoveLastImageFromList(&image); + AppendImageToList(&image,rotated_image); + } +@@ -1316,8 +1320,9 @@ + rotated_image = FlopImage(image, exception); + if (rotated_image != (Image *) NULL) + { ++ BlobInfo *TmpBlob = rotated_image->blob; + rotated_image->blob = image->blob; +- image->blob = NULL; ++ image->blob = TmpBlob; + (void) RemoveLastImageFromList(&image); + AppendImageToList(&image,rotated_image); + } diff --git a/GraphicsMagick-CVE-2016-8682.patch b/GraphicsMagick-CVE-2016-8682.patch new file mode 100644 index 0000000..f127470 --- /dev/null +++ b/GraphicsMagick-CVE-2016-8682.patch 
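Review bot: The function-scope `BlobInfo *TmpBlob;` added at @@ -935 is never used — each of the four swap sites at @@ -1133, @@ -1145, @@ -1160 and @@ -1316 declares its own block-scope `BlobInfo *TmpBlob = rotated_image->blob;`, which shadows it, so `-Wshadow` and `-Wunused-variable` will both complain; either drop the outer declaration or make the inner lines plain assignments `TmpBlob = rotated_image->blob;`. The same three-line blob swap is now repeated four times, and a `static` helper taking the two `Image *` pointers would keep the sites from diverging the way the original `image->blob = NULL;` did. The enclosing reader function starts before and ends after these hunks.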
@@ -0,0 +1,24 @@ + +# HG changeset patch +# User Bob Friesenhahn +# Date 1473538865 18000 +# Node ID 0a0dfa81906d1317895de9374ef5132710c3831c +# Parent 3161d55d0c2f73df109a6d184074f39aca78ae8f +SCT: Fix stack-buffer read overflow while reading file header. + +diff -r 3161d55d0c2f -r 0a0dfa81906d coders/sct.c +--- a/coders/sct.c Sat Sep 10 13:17:49 2016 -0500 ++++ b/coders/sct.c Sat Sep 10 15:21:05 2016 -0500 +@@ -188,9 +188,11 @@ + break; + if (ReadBlob(image,14,(char *) buffer) != 14) + break; ++ buffer[14]='\0'; + image->rows=MagickAtoL(buffer) & 0x7FFFFFFF; + if (ReadBlob(image,14,(char *) buffer) != 14) + break; ++ buffer[14]='\0'; + image->columns=MagickAtoL(buffer) & 0x7FFFFFFF; + if (ReadBlob(image,196,(char *) buffer) != 196) + break; + diff --git a/GraphicsMagick-CVE-2016-8683.patch b/GraphicsMagick-CVE-2016-8683.patch new file mode 100644 index 0000000..000f822 --- /dev/null +++ b/GraphicsMagick-CVE-2016-8683.patch 
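Review bot: `buffer[14]='\0';` assumes `buffer` has at least 15 elements, but its declaration is outside the hunk and the only evidence of its size here is the later `ReadBlob(image,196,(char *) buffer)`; a comment at the first terminator, `/* 14-byte header fields are not NUL-terminated on disk; MagickAtoL needs a C string (buffer is >= 196 bytes) */`, would record the invariant the fix relies on. Since the terminator has to follow every fixed-width read that is then parsed as text, any further numeric field added to this header parse must repeat the idiom, which is worth stating in that comment as well. The enclosing function begins and ends outside the hunk.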
@@ -0,0 +1,71 @@ + +# HG changeset patch +# User Bob Friesenhahn +# Date 1473544878 18000 +# Node ID b9edafd479b9d2e0976f184a259747efb198dc46 +# Parent c53725cb5449ac885536a6a98dc911d8b21a3c54 +PCX: Check that filesize is reasonable given header. + +--- a/coders/pcx.c Sat Sep 10 16:48:12 2016 -0500 ++++ b/coders/pcx.c Sat Sep 10 17:01:18 2016 -0500 +@@ -1,5 +1,5 @@ + /* +-% Copyright (C) 2003 - 2015 GraphicsMagick Group ++% Copyright (C) 2003 - 2016 GraphicsMagick Group + % Copyright (C) 2002 ImageMagick Studio + % Copyright 1991-1999 E. I. du Pont de Nemours and Company + % +@@ -251,6 +251,9 @@ + size_t + pcx_packets; + ++ magick_off_t ++ file_size; ++ + /* + Open image file. + */ +@@ -292,6 +295,7 @@ + if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET) + == -1) + ThrowPCXReaderException(CorruptImageError,ImproperImageHeader,image); ++ file_size=GetBlobSize(image); + count=ReadBlob(image,1,(char *) &pcx_info.identifier); + for (id=1; id < 1024; id++) + { +@@ -455,6 +459,34 @@ + if (CheckImagePixelLimits(image, exception) != MagickPass) + ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image); + ++ ++ /* ++ Check that filesize is reasonable given header ++ */ ++ { ++ double ++ uncompressed_size; ++ ++ uncompressed_size=((double) image->rows*pcx_info.bytes_per_line*pcx_info.planes); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ "Uncompressed size: %.0f", uncompressed_size); ++ if (pcx_info.encoding == 0) ++ { ++ /* Not compressed */ ++ if (uncompressed_size > file_size) ++ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile, ++ image); ++ } ++ else ++ { ++ /* RLE compressed */ ++ if (uncompressed_size > file_size*254.0) ++ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile, ++ image); ++ } ++ } ++ ++ + /* + Read image data. + */ + diff --git a/GraphicsMagick-CVE-2016-8684.patch b/GraphicsMagick-CVE-2016-8684.patch new file mode 100644 index 0000000..e327b0b --- /dev/null 
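Review bot: `file_size=GetBlobSize(image)` is compared without first checking that it is meaningful: if GetBlobSize() yields 0 (or a negative value) for a non-seekable blob such as a pipe — not visible here, so worth confirming against blob.c — the new `uncompressed_size > file_size` test rejects every image read through such a blob. Wrapping the block in `if (file_size > 0)` keeps the check for regular files without breaking streamed input. The same pattern is added to coders/sgi.c in the CVE-2016-8684 patch below and needs the same guard. The `file_size*254.0` factor for the RLE case is a generous upper bound rather than the format's actual worst-case expansion, which is fine for a sanity check but deserves a one-line comment saying it is deliberately loose.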
+++ b/GraphicsMagick-CVE-2016-8684.patch 
@@ -0,0 +1,93 @@ + +# HG changeset patch +# User Bob Friesenhahn +# Date 1473544092 18000 +# Node ID c53725cb5449ac885536a6a98dc911d8b21a3c54 +# Parent 0a0dfa81906d1317895de9374ef5132710c3831c +SGI: Check that filesize is reasonable given header. + +diff -r 0a0dfa81906d -r c53725cb5449 coders/sct.c +--- a/coders/sct.c Sat Sep 10 15:21:05 2016 -0500 ++++ b/coders/sct.c Sat Sep 10 16:48:12 2016 -0500 +@@ -1,5 +1,5 @@ + /* +-% Copyright (C) 2003-2015 GraphicsMagick Group ++% Copyright (C) 2003-2016 GraphicsMagick Group + % Copyright (C) 2002 ImageMagick Studio + % Copyright 1991-1999 E. I. du Pont de Nemours and Company + % +diff -r 0a0dfa81906d -r c53725cb5449 coders/sgi.c +--- a/coders/sgi.c Sat Sep 10 15:21:05 2016 -0500 ++++ b/coders/sgi.c Sat Sep 10 16:48:12 2016 -0500 +@@ -299,6 +299,9 @@ + size_t + bytes_per_pixel; + ++ magick_off_t ++ file_size; ++ + /* + Open image file. + */ +@@ -314,6 +317,7 @@ + Read SGI raster header. + */ + iris_info.magic=ReadBlobMSBShort(image); ++ file_size=GetBlobSize(image); + do + { + /* +@@ -342,7 +346,8 @@ + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " Header: Storage=%u, BPC=%u, Dimension=%u, " + "XSize=%u, YSize=%u, ZSize=%u, PixMin=%u, " +- "PixMax=%u, image_name=\"%.79s\", color_map=%u", ++ "PixMax=%u, image_name=\"%.79s\", color_map=%u, " ++ "file_size=%" MAGICK_OFF_F "d", + (unsigned int) iris_info.storage, + (unsigned int) iris_info.bytes_per_pixel, + (unsigned int) iris_info.dimension, +@@ -352,7 +357,8 @@ + iris_info.pix_min, + iris_info.pix_max, + iris_info.image_name, +- iris_info.color_map); ++ iris_info.color_map, ++ file_size); + + /* + Validate image header and set image attributes. +@@ -492,6 +498,33 @@ + ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image); + + /* ++ Check that filesize is reasonable given header ++ */ ++ { ++ double ++ uncompressed_size; ++ ++ uncompressed_size=((double) (iris_info.dimension == 3 ? 
iris_info.zsize : 1)* ++ image->columns*image->rows*iris_info.bytes_per_pixel); ++ (void) LogMagickEvent(CoderEvent,GetMagickModule(), ++ "Uncompressed size: %.0f", uncompressed_size); ++ if (iris_info.storage != 0x01) ++ { ++ /* Not compressed */ ++ if (uncompressed_size > file_size) ++ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile, ++ image); ++ } ++ else ++ { ++ /* RLE compressed */ ++ if (uncompressed_size > file_size*254.0) ++ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile, ++ image); ++ } ++ } ++ ++ /* + Allocate SGI pixels. + */ + bytes_per_pixel=iris_info.bytes_per_pixel; diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec index a76e182..90426a7 100644 --- a/GraphicsMagick.spec +++ b/GraphicsMagick.spec @@ -24,6 +24,7 @@ # trim changelog included in binary rpms %global _changelog_trimtime %(date +%s -d "1 year ago") +## FIXME/TODO: update to new style filtering %{?filter_setup: %filter_provides_in %{_libdir}/GraphicsMagick-%{version} %filter_setup @@ -32,7 +33,7 @@ Summary: An ImageMagick fork, offering faster image generation and better quality Name: GraphicsMagick Version: 1.3.25 -Release: 4%{?dist} +Release: 5%{?dist} License: MIT Group: Applications/Multimedia 
@@ -40,13 +41,20 @@ Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMag Url: http://www.graphicsmagick.org/ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) +## downstream patches # workaround multilib conflicts with GraphicsMagick-config -Patch1: GraphicsMagick-1.3.16-multilib.patch +Patch100: GraphicsMagick-1.3.16-multilib.patch ## upstreamable patches Patch50: GraphicsMagick-1.3.14-perl_linkage.patch ## upstream patches +Patch1: GraphicsMagick-CVE-2016-7800.patch +Patch2: GraphicsMagick-CVE-2016-7996.patch +Patch3: GraphicsMagick-CVE-2016-7997.patch +Patch4: GraphicsMagick-CVE-2016-8682.patch +Patch5: GraphicsMagick-CVE-2016-8683.patch +Patch6: GraphicsMagick-CVE-2016-8684.patch BuildRequires: bzip2-devel BuildRequires: freetype-devel @@ -160,8 +168,15 @@ however. %prep %setup -q -%patch1 -p1 -b .multilib +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 + %patch50 -p1 -b .perl_linkage +%patch100 -p1 -b .multilib for f in ChangeLog.{2006,2008,2009,2012} NEWS.txt ; do iconv -f iso-8859-2 -t utf8 < $f > $f.utf8 @@ -320,6 +335,11 @@ rm -rf %{buildroot} %changelog +* Thu Mar 02 2017 Rex Dieter - 1.3.25-5 +- CVE-2016-7800 (#1381148) +- CVE-2016-7996, CVE-2016-7997 (#1383223) +- CVE-2016-8682, CVE-2016-8683, CVE-2016-8684 (#1385583) + * Fri Feb 10 2017 Fedora Release Engineering - 1.3.25-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
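Review bot: The six new `%patch1`…`%patch6` lines are applied in numeric order with nothing recording that the order matters: Patch2 and Patch3 both modify coders/wpg.c, Patch4 and Patch6 both modify coders/sct.c (the CVE-2016-8684 patch carries that file's copyright hunk), and several of the upstream changesets chain on one another (CVE-2016-8684's parent is the CVE-2016-8682 changeset), so reordering them could make later hunks apply with fuzz or fail. A comment above the list, `# upstream CVE changesets build on each other; keep this order`, would preserve that for the next maintainer. The new `%patch` lines also drop the `-b` backup suffix that the neighbouring `%patch50 -p1 -b .perl_linkage` and `%patch100 -p1 -b .multilib` lines keep — harmless, but worth making consistent one way or the other.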