Fix for CVE-2007-1797 (possible heap overflows in ImageMagick
DCM and XWD coders) backported from SVN. -- lkundrak@redhat.com
Applies against:
FC6 (6.2.8.0-3.fc6.1)
FC5 (6.2.5.4-4.2.1.fc5.7)
RHEL5 (6.2.8.0-3.el5.4)
RHEL4 (6.0.7.1-17)
--- coders/dcm.c.orig 2007-04-03 18:27:57.000000000 +0200
+++ coders/dcm.c 2007-04-03 18:31:16.000000000 +0200
@@ -2902,6 +2902,8 @@ static Image *ReadDCMImage(const ImageIn
{
data=(unsigned char *)
AcquireMagickMemory((size_t) quantum*(length+1));
+ if (length > ((~0UL)/quantum))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if (data == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,
"MemoryAllocationFailed");
--- coders/xwd.c.orig 2007-04-03 19:21:18.000000000 +0200
+++ coders/xwd.c 2007-04-03 19:24:36.000000000 +0200
@@ -236,6 +236,9 @@ static Image *ReadXWDImage(const ImageIn
ThrowReaderException(CorruptImageError,"CorruptImage");
length=(size_t) header.header_size-sz_XWDheader;
comment=(char *) AcquireMagickMemory(length+MaxTextExtent);
+ if (length > ((~0UL)/sizeof(*comment)))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ comment=(char *) AcquireMagickMemory((length+1)*sizeof(*comment));
if (comment == (char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
count=ReadBlob(image,length,(unsigned char *) comment);
@@ -278,8 +281,10 @@ static Image *ReadXWDImage(const ImageIn
XWDColor
color;
- colors=(XColor *)
- AcquireMagickMemory((size_t) header.ncolors*sizeof(*colors));
+ length=(size_t) header.ncolors;
+ if (length > ((~0UL)/sizeof(*colors)))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ colors=(XColor *) AcquireMagickMemory(length*sizeof(*colors));
if (colors == (XColor *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i < (long) header.ncolors; i++)
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
74bdc23aeb29a62bae00d025b2b6f2cf
>
files
>
7
