
imagemagick-6.6.6.10-5.3.mga1.src.rpm

From 6379342fdbcfdf3d162e66b51364513326c09e1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Wed, 11 Apr 2012 11:13:00 +0200
Subject: [PATCH 2/3] Fix security holes JPEG/EXIF/TIFF

An out-of-bounds heap buffer read flaw was found in the way ImageMagick
retrieved Exchangeable image file format (Exif) header tag information
from certain JPEG files.

A remote attacker could provide a JPEG image file, with EXIF header
containing specially-crafted tag values, which once opened in some ImageMagick
tool would lead to the crash of that tool (denial of service).

Fix:
* [CVE-2012-0259] JPEG EXIF tag crash.
* [CVE-2012-0260] Excessive memory use with JPEG restart markers.
* [CVE-2012-1798] Copying of invalid memory when reading TIFF EXIF IFD.

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0259
Applied-Upstream: 6.7.6-3
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667635
---
 coders/jpeg.c     |    8 +++++++-
 coders/tiff.c     |    7 ++++---
 magick/property.c |    4 ++++
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/coders/jpeg.c b/coders/jpeg.c
index d28d458..6a18e46 100644
--- a/coders/jpeg.c
+++ b/coders/jpeg.c
@@ -142,6 +142,9 @@ typedef struct _SourceManager
 static MagickBooleanType
   WriteJPEGImage(const ImageInfo *,Image *);
 #endif
+static void 
+  JPEGErrorHandler(j_common_ptr);
+
 
 /*
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -217,6 +220,8 @@ static MagickBooleanType EmitMessage(j_common_ptr jpeg_info,int level)
   Image
     *image;
 
+  if (jpeg_info->err->num_warnings++ > 1000) /* 1000 = JPEGEcessiveWarnings */
+        JPEGErrorHandler(jpeg_info);
   (jpeg_info->err->format_message)(jpeg_info,message);
   error_manager=(ErrorManager *) jpeg_info->client_data;
   image=error_manager->image;
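Review bot: The increment moved to the top of EmitMessage (`num_warnings++ > 1000`) now counts every message the library emits, not only warnings: the removed increment sat in the `level < 0` warning branch, whereas the new one also fires for the trace messages handled by the `else` branch below, so a valid stream that emits many trace messages can now be aborted as "excessive warnings", and any `num_warnings == 0` first-warning test in the warning branch (just above this hunk, if the stock coder's check is still there) can never succeed again. I would keep the increment in the warning branch where the removed line was and test the limit there, `if (jpeg_info->err->num_warnings++ > 1000) JPEGErrorHandler(jpeg_info);`, with the literal and its misspelt comment `/* 1000 = JPEGEcessiveWarnings */` replaced by a named constant defined before this function. If JPEGErrorHandler can return (its body is outside the hunk; libjpeg error handlers conventionally longjmp), control falls through to format_message below, so either document that it does not return or add an explicit `return MagickFalse;` after the call. EmitMessage continues past both ends of the hunk.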
@@ -226,7 +231,6 @@ static MagickBooleanType EmitMessage(j_common_ptr jpeg_info,int level)
           (jpeg_info->err->trace_level >= 3))
         ThrowBinaryException(CorruptImageWarning,(char *) message,
           image->filename);
-      jpeg_info->err->num_warnings++;
     }
   else
     if (jpeg_info->err->trace_level >= level)
@@ -305,6 +309,8 @@ static void JPEGErrorHandler(j_common_ptr jpeg_info)
 
 static boolean ReadComment(j_decompress_ptr jpeg_info)
 {
+  #define JPEGExcessiveWarnings  1000
+
   char
     *comment;
 
diff --git a/coders/tiff.c b/coders/tiff.c
index 807c127..8d8f2c8 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -589,10 +589,11 @@ static void TIFFGetEXIFProperties(TIFF *tiff,Image *image)
       case TIFF_ASCII:
       {
         char
-          *ascii;
+          *ascii= NULL;
 
-        if (TIFFGetField(tiff,exif_info[i].tag,&ascii) != 0)
-          (void) CopyMagickMemory(value,ascii,MaxTextExtent);
+        if ((TIFFGetField(tiff,exif_info[i].tag,&ascii) != 0) &&
+	    (ascii != (char *) NULL) && (*ascii != '\0'))
+          (void) CopyMagickString(value,ascii,MaxTextExtent);
         break;
       }
       case TIFF_SHORT:
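Review bot: The `*ascii != '\0'` guard means a present but empty ASCII tag leaves `value` holding whatever it held before the switch; unless `value` is reset at the top of each loop iteration (outside this hunk), the previous tag's text would be stored under this tag's property name, so either drop the emptiness test (CopyMagickString copies "" correctly) or confirm the reset exists. TIFFGetField also writes through as many variadic slots as the field definition demands; for a field registered with passcount it stores a count and then the pointer, so `&ascii` alone would be a write past the only argument — worth confirming every TIFF_ASCII entry in exif_info is a plain single-pointer field. The continuation line of the condition is indented with a tab where the file uses spaces. TIFFGetEXIFProperties begins and ends outside this hunk.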
diff --git a/magick/property.c b/magick/property.c
index 6c6d12f..9bde6f3 100644
--- a/magick/property.c
+++ b/magick/property.c
@@ -1307,6 +1307,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
         break;
       components=(ssize_t) ((int) ReadPropertyLong(endian,q+4));
       number_bytes=(size_t) components*tag_bytes[format];
+      if (number_bytes < components)
+        break;  /* prevent overflow */
       if (number_bytes <= 4)
         p=q+8;
       else
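Review bot: The new guard `if (number_bytes < components) break;` does not reject a negative count: `components` is an `ssize_t` built from a 32-bit value and can be negative, and in the comparison it is converted to `size_t`, so -1 becomes SIZE_MAX, `number_bytes` becomes SIZE_MAX for a 1-byte format and the test passes. Add `if (components < 0) break;` before the multiplication and write the existing test with an explicit cast, `if (number_bytes < (size_t) components)`, so the intent survives -Wsign-compare. On the i586 build this package targets a wrapped product can also stay above `components` (0x7FFFFFFF elements of an 8-byte format gives 0xFFFFFFF8), so the robust wrap test is `if (number_bytes/tag_bytes[format] != (size_t) components) break;`, assuming tag_bytes[format] is non-zero for every format that reaches this line. GetEXIFProperty starts and ends outside the hunk.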
@@ -1330,6 +1332,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
             buffer[MaxTextExtent],
             *value;
 
+          value=(char *) NULL;
+          *buffer='\0';
           switch (format)
           {
             case EXIF_FMT_BYTE:
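Review bot: The two added initialisations deserve a one-line comment saying what relies on them, since nothing in the hunk shows the reader; presumably a format with no matching case below leaves `value` NULL and `buffer` empty and the code after the switch keys off that, which is a contract the next maintainer should not have to reconstruct. I would put `/* cases that produce no text leave value NULL and buffer empty; tested after the switch */` above `value=(char *) NULL;`, after confirming against the code following the switch, which is outside this hunk. The switch and GetEXIFProperty both continue past the end of the hunk.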
-- 
1.7.9.1