From 21ed68245a7687a87e5c9823c7905ef1db157fdc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Tue, 10 Apr 2012 16:59:48 +0200
Subject: [PATCH] Fix security holes JPEG/EXIF/TIFF

An out-of heap-based buffer read flaw was found in the way ImageMagick, retrieved Exchangeable image file format (Exif) header tag information from certain JPEG files. A remote attacker could provide a JPEG image file, with EXIF header containing specially-crafted tag values, which once opened in some ImageMagick tool would lead to the crash of that tool (denial of service).

Fix:
* [CVE-2012-0259] JPEG EXIF tag crash.
* [CVE-2012-0260] Excessive memory use with JPEG restart markers.
* [CVE-2012-1798] Copying of invalid memory when reading TIFF EXIF IFD.

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0259
Applied-Upstream: 6.7.6-3
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667635
---
 coders/jpeg.c | 8 +++++++-
 coders/tiff.c | 2 +-
 magick/property.c | 4 ++++
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/coders/jpeg.c b/coders/jpeg.c
index 75d2e71..2fdc763 100644
--- a/coders/jpeg.c
+++ b/coders/jpeg.c
@@ -149,6 +149,9 @@ typedef struct _SourceManager
 static MagickBooleanType WriteJPEGImage(const ImageInfo *,Image *);
 #endif
+static void
+ JPEGErrorHandler(j_common_ptr);
+
 /*
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -274,6 +277,8 @@ static MagickBooleanType IsITUFaxImage(const Image *image)
 static void JPEGErrorHandler(j_common_ptr jpeg_info)
 {
+ #define JPEGExcessiveWarnings 1000
+
 char
 message[JMSG_LENGTH_MAX];
@@ -318,12 +323,13 @@ static MagickBooleanType JPEGWarningHandler(j_common_ptr jpeg_info,int level)
 /*
 Process warning message.
 */
+ if (jpeg_info->err->num_warnings++ > JPEGExcessiveWarnings)
+ JPEGErrorHandler(jpeg_info);
 (jpeg_info->err->format_message)(jpeg_info,message);
 if ((jpeg_info->err->num_warnings == 0) ||
 (jpeg_info->err->trace_level >= 3))
 ThrowBinaryException(CorruptImageWarning,(char *) message,
 image->filename);
- jpeg_info->err->num_warnings++;
 }
 else
 if ((image->debug != MagickFalse) &&
diff --git a/coders/tiff.c b/coders/tiff.c
index 7dc8df4..c750f84 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -644,7 +644,7 @@ static void TIFFGetEXIFProperties(TIFF *tiff,Image *image)
 ascii=(char *) NULL;
 if ((TIFFGetField(tiff,exif_info[i].tag,&ascii,&sans,&sans) != 0) &&
 (ascii != (char *) NULL) && (*ascii != '\0'))
- (void) CopyMagickMemory(value,ascii,MaxTextExtent);
+ (void) CopyMagickString(value,ascii,MaxTextExtent);
 break;
 }
 case TIFF_SHORT:
diff --git a/magick/property.c b/magick/property.c
index cef4891..78debb0 100644
--- a/magick/property.c
+++ b/magick/property.c
@@ -1284,6 +1284,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
 break;
 components=(ssize_t) ((int) ReadPropertyLong(endian,q+4));
 number_bytes=(size_t) components*tag_bytes[format];
+ if (number_bytes < components)
+ break; /* prevent overflow */
 if (number_bytes <= 4)
 p=q+8;
 else
@@ -1307,6 +1309,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
 buffer[MaxTextExtent],
 *value;
+ value=(char *) NULL;
+ *buffer='\0';
 switch (format)
 {
 case EXIF_FMT_BYTE:
-- 
1.7.10
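Review bot: The `jpeg_info->err->num_warnings == 0` test on the context line after the new check is now dead: the added `num_warnings++` runs before it, so the counter is at least 1 when the test is evaluated, and the first warning — which the old order (increment on the removed line, after the test) did report — now surfaces only when trace_level >= 3. If the first-warning report is still wanted, change that context line to `if ((jpeg_info->err->num_warnings == 1) ||`. JPEGExcessiveWarnings, the threshold compared against here, is a `#define` placed inside the body of JPEGErrorHandler in the earlier hunk; a file-scope `enum { JPEGExcessiveWarnings = 1000 };` next to the file's other constants would be the conventional home for a value shared by two functions. JPEGWarningHandler's body begins and ends outside this hunk.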
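Review bot: The replaced call on the `+` line carries no comment saying why a string copy is required, so a later reader sees only a rename; a one-liner would pin the reason: `/* stop at the NUL in ascii; CopyMagickMemory copied MaxTextExtent bytes regardless of the string's length */`. CopyMagickString's return value is cast away, so an ASCII tag longer than the buffer is truncated silently, which is probably acceptable for a property value but deserves a word in the same comment. TIFFGetEXIFProperties starts and ends outside this hunk, so whether other cases of the same switch still copy a fixed length cannot be seen from here.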
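Review bot: The new `number_bytes < components` test is not a reliable overflow check for `components*tag_bytes[format]`, and it compares a size_t against an ssize_t: a wrapped product can still be larger than components (with a 32-bit size_t, components 0x30000000 and tag_bytes 8 give 0x80000000, which passes the test), and a negative components, possible since it is produced by an int cast on the line above, is promoted to a huge unsigned value in the comparison. Checking before the multiplication covers both cases: `if ((components < 0) || (tag_bytes[format] == 0) || ((size_t) components > SIZE_MAX/tag_bytes[format])) break;  /* prevent overflow */` placed ahead of the `number_bytes=` line (SIZE_MAX comes from <stdint.h>; the `tag_bytes[format] == 0` guard matters only if the table has a zero entry, which this hunk does not show). GetEXIFProperty continues on both sides of the hunk.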
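Review bot: The two added initializations say nothing about what they protect, so the next reader cannot tell that `value` or `buffer` could previously be read unset; the declaration they follow begins on the lines above the hunk and the `switch` that presumably leaves one of them untouched for some formats ends outside it. A why-comment on the first added line would carry that: `/* not every format case below sets value/buffer; the code after the switch must see NULL / "" rather than stack garbage */`. As a point of style, `value=(char *) NULL;` could be an initializer on the `*value` declaration line instead, while `*buffer='\0'` is the right shape for the array since a full `= ""` initializer would zero all MaxTextExtent bytes each time this runs.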