fix a format string vuln.

epel8
Matthias Clasen 19 years ago
parent d92ed7ef08
commit f981a6cc3d

@ -0,0 +1,202 @@
diff -r 8a3cbd342315 magick/animate.c
--- a/magick/animate.c Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/animate.c Tue Jan 10 16:55:22 2006 +0100
@@ -604,7 +604,7 @@
/*
Form filename for multi-part images.
*/
- (void) FormatMagickString(filename,MaxTextExtent,
+ (void) FormatMagickStringNumeric(filename,MaxTextExtent,
image_info->filename,scene);
if (LocaleCompare(filename,image_info->filename) == 0)
(void) FormatMagickString(filename,MaxTextExtent,"%s[%lu]",
diff -r 8a3cbd342315 magick/blob.c
--- a/magick/blob.c Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/blob.c Tue Jan 10 16:55:22 2006 +0100
@@ -2120,25 +2120,8 @@
/*
Form filename for multi-part images.
*/
- (void) CopyMagickString(filename,image->filename,MaxTextExtent);
- for (p=strchr(filename,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
- {
- char
- *q;
-
- q=p+1;
- if (*q == '0')
- (void) strtol(q,&q,10);
- if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
- {
- char
- format[MaxTextExtent];
-
- (void) CopyMagickString(format,p,MaxTextExtent);
- (void) FormatMagickString(p,MaxTextExtent,format,image->scene);
- break;
- }
- }
+ (void) FormatMagickStringNumeric(filename,MaxTextExtent,image->filename,
+ image->scene);
if (image_info->adjoin == MagickFalse)
if ((image->previous != (Image *) NULL) ||
(GetNextImageInList(image) != (Image *) NULL))
diff -r 8a3cbd342315 magick/display.c
--- a/magick/display.c Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/display.c Tue Jan 10 16:55:22 2006 +0100
@@ -1984,7 +1984,7 @@
/*
Form filename for multi-part images.
*/
- (void) FormatMagickString(filename,MaxTextExtent,
+ (void) FormatMagickStringNumeric(filename,MaxTextExtent,
image_info->filename,scene);
if (LocaleCompare(filename,image_info->filename) == 0)
(void) FormatMagickString(filename,MaxTextExtent,"%s.%lu",
diff -r 8a3cbd342315 magick/image.c
--- a/magick/image.c Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/image.c Tue Jan 10 16:55:22 2006 +0100
@@ -2869,25 +2869,8 @@
/*
Rectify multi-image file support.
*/
- (void) CopyMagickString(filename,image_info->filename,MaxTextExtent);
- for (p=strchr(filename,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
- {
- char
- *q;
-
- q=(char *) p+1;
- if (*q == '0')
- (void) strtol(q,&q,10);
- if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
- {
- char
- format[MaxTextExtent];
-
- (void) CopyMagickString(format,p,MaxTextExtent);
- (void) FormatMagickString(p,MaxTextExtent,format,image_info->scene);
- break;
- }
- }
+ (void) FormatMagickStringNumeric(filename,MaxTextExtent,
+ image_info->filename,image_info->scene);
if ((LocaleCompare(filename,image_info->filename) != 0) &&
(strchr(filename,'%') == (char *) NULL))
image_info->adjoin=MagickFalse;
diff -r 8a3cbd342315 magick/log.c
--- a/magick/log.c Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/log.c Tue Jan 10 16:55:22 2006 +0100
@@ -914,8 +914,8 @@
char
filename[MaxTextExtent];
- (void) FormatMagickString(filename,MaxTextExtent,log_info->filename,
- log_info->generation % log_info->generations);
+ (void) FormatMagickStringNumeric(filename,MaxTextExtent,
+ log_info->filename,log_info->generation % log_info->generations);
log_info->file=fopen(filename,"w");
if (log_info->file == (FILE *) NULL)
{
diff -r 8a3cbd342315 magick/montage.c
--- a/magick/montage.c Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/montage.c Tue Jan 10 16:55:22 2006 +0100
@@ -530,7 +530,7 @@
/*
Form filename for multi-part images.
*/
- (void) FormatMagickString(filename,MaxTextExtent,
+ (void) FormatMagickStringNumeric(filename,MaxTextExtent,
image_info->filename,scene);
if (LocaleCompare(filename,image_info->filename) == 0)
(void) FormatMagickString(filename,MaxTextExtent,"%s.%lu",
diff -r 8a3cbd342315 magick/string.c
--- a/magick/string.c Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/string.c Tue Jan 10 16:55:22 2006 +0100
@@ -953,6 +953,75 @@
return((StringInfo *) NULL);
}
return(string_info);
+}
+
+/*
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% %
+% %
+% %
+% F o r m a t M a g i c k S t r i n g N u m e r i c %
+% %
+% %
+% %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% Method FormatMagickStringNumeric formats output for a single numeric
+% argument. It takes into account that the format string given might be
+% untrusted user input, and returns the length of the formatted string.
+%
+% The format of the FormatMagickStringNumeric method is:
+%
+% long FormatMagickStringNumeric(char *string,const size_t length,
+% const char *format,int value)
+%
+% A description of each parameter follows.
+%
+% o string: FormatMagickStringNumeric() returns the formatted string in this
+% character buffer.
+%
+% o length: The maximum length of the string.
+%
+% o format: A string describing the format to use to write the numeric
+% argument. Only the first numeric format identifier is replaced.
+%
+% o value: Numeric value to substitute into format string.
+%
+%
+*/
+MagickExport long FormatMagickStringNumeric(char *string,const size_t length,const char *format,int value)
+{
+ char
+ *p;
+
+ (void) CopyMagickString(string, format, length);
+
+ for (p=strchr(format,'%'); p != (char *) NULL; p=strchr(p+1,'%'))
+ {
+ char
+ *q;
+
+ q=(char *) p+1;
+ if (*q == '0')
+ (void) strtol(q,&q,10);
+ if ((*q == '%') || (*q == 'd') || (*q == 'o') || (*q == 'x'))
+ {
+ char
+ c;
+
+ q++;
+ c=*q;
+ *q='\0';
+ (void) snprintf(string+(p-format),length-(p-format),p,value);
+ *q=c;
+ (void) ConcatenateMagickString(string,q,length);
+ if (*(q-1) == '%')
+ p++;
+ else
+ break;
+ }
+ }
+ return (long)strlen(string);
}
/*
diff -r 8a3cbd342315 magick/string_.h
--- a/magick/string_.h Tue Jan 10 12:11:55 2006 +0100
+++ b/magick/string_.h Tue Jan 10 16:55:22 2006 +0100
@@ -60,6 +60,7 @@
magick_attribute((format (printf,3,4))),
FormatMagickStringList(char *,const size_t,const char *,va_list)
magick_attribute((format (printf,3,0))),
+ FormatMagickStringNumeric(char *,const size_t,const char *,int),
LocaleCompare(const char *,const char *),
LocaleNCompare(const char *,const char *,const size_t);
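Review bot: In the new FormatMagickStringNumeric (magick/string.c hunk), `snprintf(string+(p-format),length-(p-format),p,value)` uses an offset measured in `format` without comparing it with `length`, so a format longer than the destination with a conversion past `length` makes the size argument wrap and the write land outside `string`. Whether any caller can pass such a format is not visible here, but the header comment says the format may be untrusted, so a guard such as `if ((size_t) (p-format) >= length) break;` before the `snprintf` is warranted. The same offset also drifts once a `%%` has been collapsed to `%`, so a later `%d` is written one byte late and part of the specifier stays in the output; tracking a separate output position would fix that. Separately, `*q='\0'` writes through the `const char *format` argument, which is undefined for a read-only string and briefly alters the caller's buffer; copying the conversion specifier into a small local array avoids it.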

@ -9,7 +9,7 @@ Version: %{VER}.%{Patchlevel}
%else
Version: %{VER}
%endif
Release: 1.1
Release: 2
License: freeware
Group: Applications/Multimedia
%if "%{Patchlevel}" != ""
@ -18,7 +18,8 @@ Source: ftp://ftp.ImageMagick.org/pub/ImageMagick/ImageMagick-%{VER}-%{Patchleve
Source: ftp://ftp.ImageMagick.org/pub/ImageMagick/ImageMagick-%{version}.tar.bz2
%endif
Source1: magick_small.png
Patch4: ImageMagick-6.2.1-local_doc.patch
Patch1: ImageMagick-6.2.1-local_doc.patch
Patch2: ImageMagick-6.2.5-format-string-again.patch
Url: http://www.imagemagick.org/
Buildroot: %{_tmppath}/%{name}-%{version}-root
@ -111,7 +112,8 @@ however.
%prep
%setup -q -n %{name}-%{VER}
%patch4 -p1 -b .local_doc
%patch1 -p1 -b .local_doc
%patch2 -p1 -b .format-string-again
%build
%configure --enable-shared \
@ -222,6 +224,9 @@ rm -rf $RPM_BUILD_ROOT
%doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt
%changelog
* Mon Jan 9 2006 Matthias Clasen <mclasen@redhat.com> 6.2.5.4-2
- fix a format string vulnerability (CVE-2006-0082)
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt
