From 6379342fdbcfdf3d162e66b51364513326c09e1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Wed, 11 Apr 2012 11:13:00 +0200
Subject: [PATCH 2/3] Fix security holes JPEG/EXIF/TIFF

An out-of heap-based buffer read flaw was found in the way ImageMagick, retrieved Exchangeable image file format (Exif) header tag information from certain JPEG files. A remote attacker could provide a JPEG image file, with EXIF header containing specially-crafted tag values, which once opened in some ImageMagick tool would lead to the crash of that tool (denial of service).

Fix:
* [CVE-2012-0259] JPEG EXIF tag crash.
* [CVE-2012-0260] Excessive memory use with JPEG restart markers.
* [CVE-2012-1798] Copying of invalid memory when reading TIFF EXIF IFD.

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0259
Applied-Upstream: 6.7.6-3
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667635
---
 coders/jpeg.c | 8 +++++++-
 coders/tiff.c | 7 ++++---
 magick/property.c | 4 ++++
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/coders/jpeg.c b/coders/jpeg.c
index d28d458..6a18e46 100644
--- a/coders/jpeg.c
+++ b/coders/jpeg.c
@@ -142,6 +142,9 @@ typedef struct _SourceManager
 static MagickBooleanType
 WriteJPEGImage(const ImageInfo *,Image *);
 #endif
 
+static void
+ JPEGErrorHandler(j_common_ptr);
+
 /*
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -217,6 +220,8 @@ static MagickBooleanType EmitMessage(j_common_ptr jpeg_info,int level)
 Image
 *image;
 
+ if (jpeg_info->err->num_warnings++ > 1000) /* 1000 = JPEGEcessiveWarnings */
+ JPEGErrorHandler(jpeg_info);
 (jpeg_info->err->format_message)(jpeg_info,message);
 error_manager=(ErrorManager *) jpeg_info->client_data;
 image=error_manager->image;
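Review bot: The added guard in EmitMessage compares against a bare `1000` whose comment names a misspelled macro, while `JPEGExcessiveWarnings` itself is only defined later, inside ReadComment's body (the hunk at -305,6), where EmitMessage cannot see it. Move `#define JPEGExcessiveWarnings 1000` to file scope above EmitMessage and write `if (jpeg_info->err->num_warnings++ > JPEGExcessiveWarnings)`, which also lets the comment go. Because the increment now runs before the `level` dispatch rather than inside the warning branch it was removed from (hunk at -226,7), trace messages presumably count toward the cap too, and if the condition just above that hunk still tests `num_warnings == 0`, that test can no longer be true on the first corrupt-data warning; worth confirming against the lines outside the hunk. EmitMessage's body continues past the hunk.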
@@ -226,7 +231,6 @@ static MagickBooleanType EmitMessage(j_common_ptr jpeg_info,int level)
 (jpeg_info->err->trace_level >= 3))
 ThrowBinaryException(CorruptImageWarning,(char *) message,
 image->filename);
- jpeg_info->err->num_warnings++;
 }
 else
 if (jpeg_info->err->trace_level >= level)
@@ -305,6 +309,8 @@ static void JPEGErrorHandler(j_common_ptr jpeg_info)
 
 static boolean ReadComment(j_decompress_ptr jpeg_info)
 {
+ #define JPEGExcessiveWarnings 1000
+
 char
 *comment;
 
diff --git a/coders/tiff.c b/coders/tiff.c
index 807c127..8d8f2c8 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -589,10 +589,11 @@ static void TIFFGetEXIFProperties(TIFF *tiff,Image *image)
 case TIFF_ASCII:
 {
 char
- *ascii;
+ *ascii= NULL;
 
- if (TIFFGetField(tiff,exif_info[i].tag,&ascii) != 0)
- (void) CopyMagickMemory(value,ascii,MaxTextExtent);
+ if ((TIFFGetField(tiff,exif_info[i].tag,&ascii) != 0) &&
+ (ascii != (char *) NULL) && (*ascii != '\0'))
+ (void) CopyMagickString(value,ascii,MaxTextExtent);
 break;
 }
 case TIFF_SHORT:
diff --git a/magick/property.c b/magick/property.c
index 6c6d12f..9bde6f3 100644
--- a/magick/property.c
+++ b/magick/property.c
@@ -1307,6 +1307,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
 break;
 components=(ssize_t) ((int) ReadPropertyLong(endian,q+4));
 number_bytes=(size_t) components*tag_bytes[format];
+ if (number_bytes < components)
+ break; /* prevent overflow */
 if (number_bytes <= 4)
 p=q+8;
 else
@@ -1330,6 +1332,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
 buffer[MaxTextExtent],
 *value;
 
+ value=(char *) NULL;
+ *buffer='\0';
 switch (format)
 {
 case EXIF_FMT_BYTE:
-- 
1.7.9.1
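Review bot: `*ascii= NULL;` in the TIFF_ASCII case breaks the spacing and cast conventions used on the neighbouring lines (`(ascii != (char *) NULL)` in the same hunk); `*ascii=(char *) NULL;` would match. The switch from CopyMagickMemory to CopyMagickString is the substantive fix — the old call copied MaxTextExtent bytes out of a string libtiff owns, whatever its actual length — and a comment such as `/* libtiff-owned, NUL-terminated; copy by length, never MaxTextExtent bytes */` would keep it from being reverted. When the field is present but empty, `value` is left untouched, so whatever it held before is kept; that is fine only if it is initialised before the switch, which lies outside the hunk. TIFFGetEXIFProperties starts and ends outside the hunk.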
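Review bot: The new `if (number_bytes < components) break;` does not reject a negative `components` and misses wraps that land above it: `components` is an `ssize_t` built from an `int`, so a negative count converts to a huge `size_t` in both the product and this signed/unsigned comparison, and with a one-byte format `number_bytes` then equals it and passes the test; on a 32-bit `size_t` a large positive count times 8 can wrap to a value still above `components`. A division check is the reliable form: `if ((components < 0) || (number_bytes/tag_bytes[format] != (size_t) components)) break; /* negative count or size_t wrap */`, assuming `tag_bytes[format]` is non-zero after the format validation above the hunk. Whether the later `p`/`number_bytes` consumers carry their own bounds check is outside the hunk, so the guard should be strict here. GetEXIFProperty continues on both sides of the hunk.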