From b65014a0f8500b0a64072953d3ff725967dfb451 Mon Sep 17 00:00:00 2001 From: Norman Murray Date: Thu, 5 Apr 2007 12:18:29 +0000 Subject: [PATCH] Resolves BZ235075 --- ImageMagick-6.2.8-CVE-2007-1797.patch | 37 +++++++++++++++++++++++++++ ImageMagick.spec | 10 ++++++-- 2 files changed, 45 insertions(+), 2 deletions(-) create mode 100644 ImageMagick-6.2.8-CVE-2007-1797.patch diff --git a/ImageMagick-6.2.8-CVE-2007-1797.patch b/ImageMagick-6.2.8-CVE-2007-1797.patch new file mode 100644 index 0000000..69f7e0b --- /dev/null +++ b/ImageMagick-6.2.8-CVE-2007-1797.patch @@ -0,0 +1,37 @@ +--- ImageMagick/coders/dcm.c.orig 2007-04-03 18:27:57.000000000 +0200 ++++ ImageMagick/coders/dcm.c 2007-04-03 18:31:16.000000000 +0200 +@@ -2902,6 +2902,8 @@ static Image *ReadDCMImage(const ImageIn + { + data=(unsigned char *) + AcquireMagickMemory((size_t) quantum*(length+1)); ++ if (length > ((~0UL)/quantum)) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + if (data == (unsigned char *) NULL) + ThrowReaderException(ResourceLimitError, + "MemoryAllocationFailed"); +--- ImageMagick/coders/xwd.c.orig 2007-04-03 19:21:18.000000000 +0200 ++++ ImageMagick/coders/xwd.c 2007-04-03 19:24:36.000000000 +0200 +@@ -236,7 +236,9 @@ static Image *ReadXWDImage(const ImageIn + if (header.header_size < sz_XWDheader) + ThrowReaderException(CorruptImageError,"CorruptImage"); + length=(size_t) header.header_size-sz_XWDheader; +- comment=(char *) AcquireMagickMemory(length+MaxTextExtent); ++ if (length > ((~0UL)/sizeof(*comment))) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ comment=(char *) AcquireMagickMemory((length+1)*sizeof(*comment)); + if (comment == (char *) NULL) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + count=ReadBlob(image,length,(unsigned char *) comment); +@@ -278,8 +281,10 @@ static Image *ReadXWDImage(const ImageIn + XWDColor + color; + +- colors=(XColor *) +- AcquireMagickMemory((size_t) header.ncolors*sizeof(*colors)); ++ length=(size_t) header.ncolors; ++ if (length > ((~0UL)/sizeof(*colors))) ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ colors=(XColor *) AcquireMagickMemory(length*sizeof(*colors)); + if (colors == (XColor *) NULL) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + for (i=0; i < (long) header.ncolors; i++) diff --git a/ImageMagick.spec b/ImageMagick.spec index 01b4902..b5dcd85 100644 --- a/ImageMagick.spec +++ b/ImageMagick.spec @@ -9,7 +9,7 @@ Version: %{VER}.%{Patchlevel} %else Version: %{VER} %endif -Release: 2%{?dist} +Release: 3%{?dist} License: freeware Group: Applications/Multimedia %if "%{Patchlevel}" != "" @@ -22,6 +22,9 @@ Patch1: ImageMagick-6.2.1-local_doc.patch Patch2: ImageMagick-6.2.8-multilib.patch Patch3: ImageMagick-6.3.2-perl-parallel-build.patch Patch4: ImageMagick-6.3.2-perl-liblink.patch +# 235075 +Patch5: ImageMagick-6.2.8-CVE-2007-1797.patch + Url: http://www.imagemagick.org/ Buildroot: %{_tmppath}/%{name}-%{version}-root @@ -122,7 +125,7 @@ however. %patch2 -p1 -b .multilib %patch3 -p1 -b .perl-build %patch4 -p1 -b .perl-link - +%patch5 -p1 -b .cve-2007-1797 %build %configure --enable-shared \ @@ -258,6 +261,9 @@ rm -rf $RPM_BUILD_ROOT %doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt %changelog +* Thu Apr 5 2007 Norm Murray 6.3.2.9-3.fc7 +- heap overflows (#235075, CVE-2007-1797) + * Fri Mar 30 2007 Norm Murray 6.3.2.9-2.fc7 - perlmagick build fix (#231259)