
imagemagick-6.7.5.10-2.mga2.src.rpm

From 21ed68245a7687a87e5c9823c7905ef1db157fdc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Tue, 10 Apr 2012 16:59:48 +0200
Subject: [PATCH] Fix security holes JPEG/EXIF/TIFF

An out-of-bounds heap buffer read flaw was found in the way ImageMagick
retrieved Exchangeable image file format (Exif) header tag information
from certain JPEG files.

A remote attacker could provide a JPEG image file, with EXIF header
containing specially-crafted tag values, which once opened in some ImageMagick
tool would lead to the crash of that tool (denial of service).

Fix:
* [CVE-2012-0259] JPEG EXIF tag crash.
* [CVE-2012-0260] Excessive memory use with JPEG restart markers.
* [CVE-2012-1798] Copying of invalid memory when reading TIFF EXIF IFD.

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0259
Applied-Upstream: 6.7.6-3
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667635
---
 coders/jpeg.c     |    8 +++++++-
 coders/tiff.c     |    2 +-
 magick/property.c |    4 ++++
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/coders/jpeg.c b/coders/jpeg.c
index 75d2e71..2fdc763 100644
--- a/coders/jpeg.c
+++ b/coders/jpeg.c
@@ -149,6 +149,9 @@ typedef struct _SourceManager
 static MagickBooleanType
   WriteJPEGImage(const ImageInfo *,Image *);
 #endif
+static void 
+  JPEGErrorHandler(j_common_ptr);
+
 
 /*
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -274,6 +277,8 @@ static MagickBooleanType IsITUFaxImage(const Image *image)
 
 static void JPEGErrorHandler(j_common_ptr jpeg_info)
 {
+  #define JPEGExcessiveWarnings  1000
+
   char
     message[JMSG_LENGTH_MAX];
 
@@ -318,12 +323,13 @@ static MagickBooleanType JPEGWarningHandler(j_common_ptr jpeg_info,int level)
       /*
         Process warning message.
       */
+      if (jpeg_info->err->num_warnings++ > JPEGExcessiveWarnings)
+        JPEGErrorHandler(jpeg_info);
       (jpeg_info->err->format_message)(jpeg_info,message);
       if ((jpeg_info->err->num_warnings == 0) ||
           (jpeg_info->err->trace_level >= 3))
         ThrowBinaryException(CorruptImageWarning,(char *) message,
           image->filename);
-      jpeg_info->err->num_warnings++;
     }
   else
     if ((image->debug != MagickFalse) &&
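Review bot: Moving the `num_warnings++` ahead of the check makes the `jpeg_info->err->num_warnings == 0` test on the next lines dead, because the counter is already at least 1 when it is evaluated, so the first warning is no longer surfaced via ThrowBinaryException unless trace_level >= 3; the original code counted after the test, so warning number one was always reported. Keep the cap but compare against the post-increment value, `if ((jpeg_info->err->num_warnings == 1) ||`. If JPEGErrorHandler returns rather than unwinding (its body is outside this hunk), execution also falls through into format_message after the cap is hit, so a `return MagickFalse;` after the call would make the intent explicit. The `JPEGExcessiveWarnings` macro used here is defined inside JPEGErrorHandler's body in the previous hunk; since a `#define` is file-scope anyway, placing it at file scope next to the new prototype would make this cross-function dependency visible. JPEGWarningHandler continues past the end of this hunk.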
diff --git a/coders/tiff.c b/coders/tiff.c
index 7dc8df4..c750f84 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -644,7 +644,7 @@ static void TIFFGetEXIFProperties(TIFF *tiff,Image *image)
         ascii=(char *) NULL;
         if ((TIFFGetField(tiff,exif_info[i].tag,&ascii,&sans,&sans) != 0) &&
             (ascii != (char *) NULL) && (*ascii != '\0'))
-          (void) CopyMagickMemory(value,ascii,MaxTextExtent);
+          (void) CopyMagickString(value,ascii,MaxTextExtent);
         break;
       }
       case TIFF_SHORT:
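Review bot: The switch from CopyMagickMemory to CopyMagickString is the right fix, but nothing in the hunk records why a fixed-size copy was wrong, and the next maintainer may be tempted to "optimise" it back; a comment above the call would pin it: `/* ascii is a NUL-terminated string owned by libtiff and may be shorter than MaxTextExtent; a bounded string copy must be used so the copy never reads past its end */`. The `(void)` discard also means silent truncation to MaxTextExtent-1 characters, which is acceptable for a property value but worth stating in the same comment. TIFFGetEXIFProperties starts and ends outside this hunk.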
diff --git a/magick/property.c b/magick/property.c
index cef4891..78debb0 100644
--- a/magick/property.c
+++ b/magick/property.c
@@ -1284,6 +1284,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
         break;
       components=(ssize_t) ((int) ReadPropertyLong(endian,q+4));
       number_bytes=(size_t) components*tag_bytes[format];
+      if (number_bytes < components)
+        break;  /* prevent overflow */
       if (number_bytes <= 4)
         p=q+8;
       else
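Review bot: The new guard `if (number_bytes < components)` does not reject a negative `components`: the value comes from an `(int)` cast on the line above, so an attacker-controlled count can be negative, and in the comparison the `ssize_t` is converted to `size_t`, which for `tag_bytes[format] == 1` yields `number_bytes == (size_t) components` and the guard does not fire while `number_bytes` is enormous. Add an explicit sign check before the multiplication, `if (components < 0) break;`, and cast the comparison to avoid the sign-mismatch warning, `if (number_bytes < (size_t) components)`. Whether the remaining EXIF length is checked against `number_bytes` further down cannot be seen from this hunk, so the comment `/* prevent overflow */` should not be read as a bounds check on the payload. GetEXIFProperty starts and ends outside this hunk.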
@@ -1307,6 +1309,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
             buffer[MaxTextExtent],
             *value;
 
+          value=(char *) NULL;
+          *buffer='\0';
           switch (format)
           {
             case EXIF_FMT_BYTE:
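Review bot: The two new initialisations carry no explanation, and since the switch they precede runs past the end of this hunk a reader cannot see which `format` values leave `value` or `buffer` unset; a one-line comment would make the intent clear: `/* default to "no value" so code after the switch never reads an unset pointer or an unterminated buffer for formats the switch does not fill in */`. If the switch has a `default:` that also sets these, the comment should say the initialisation is belt-and-braces. GetEXIFProperty starts and ends outside this hunk.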
-- 
1.7.10