Re: Bug#773834: Preparing a release for stable and lts
Dear Holger,
On Tue, May 12, 2015 at 9:48 PM, Vincent Fourmond <fourmond@debian.org> wrote:
>> once you have build it, you should *test* that package. once that has been
>> done, we can think about uploading ;-)
>
> Argh, unfortunately, I'm nowhere near that yet. Looks like some of
> the patches are harder to backport than anticipated, as it FTBS for
> now...
>
> In any case, the build comprises a heavy test suite that should
> catch most of the problems, but probably not the security-related
> ones.
Attached is a diff from squeeze5 to the proposed squeeze6. It builds
fine now (including upstream test suite), but at the moment, I am
unable to check whether the security bugs supposedly fixed in the
release are fixed, if only because there are no publicly available
badly form input that would trigger the bug. I'll try to see what I
can do about that.
You'll find that some of the patches currently in LTS have been
renamed and slightly tweaked, but nothing has changed besides patch
name and meta-data:
-0006-CVE-2014-1947-Fix-buffer-overflow-when-handling-PSD-images.patch
-0007-Prevent-buffer-overflow-in-messaging-system.patch
-0008-CVE-2014-8716-crafted-jpeg-file-could-lead-to-DOS.patch
+0006-CVE-2014-1947-Fix-buffer-overrun.patch
+0007-Prevent-buffer-overflow-in-messaging-system-CVE-2014.patch
+0008-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch
The rest is just huge, because there are a lot of fixes...
Cheers,
Vincent
diff -Nru imagemagick-6.6.0.4/debian/changelog imagemagick-6.6.0.4/debian/changelog
--- imagemagick-6.6.0.4/debian/changelog 2014-11-22 19:23:49.000000000 +0100
+++ imagemagick-6.6.0.4/debian/changelog 2014-11-23 14:35:11.000000000 +0100
@@ -1,6 +1,23 @@
+imagemagick (8:6.6.0.4-3+squeeze6) squeeze-lts; urgency=high
+
+ * Acknowledge NMUs (Closes: #768494).
+ * Fixed three security bugs (Closes: #767240):
+ - a buffer overflow in PCX reader (CVE-2014-8355).
+ - a buffer overflow in dcm reader (CVE-2014-8562).
+ - out-of-bounds memory access in resize
+ code (CVE-2014-8354).
+ * Bug fix: "CVE-2012-3437", ImageMagick: Magick_png_malloc() size
+ argument thanks to Moritz Muehlenhoff (Closes: #683285).
+ * Fix three security bug (Closes: #692367):
+ - Fix a memory leak: after setjmp used variable need to be volatile.
+ Fix jpeg and png coder.
+ - Fix a memory leak in magick++, do not leak an exception object.
+
+ -- Bastien Roucariès <roucaries.bastien+debian@gmail.com> Sun, 23 Nov 2014 12:13:17 +0100
+
imagemagick (8:6.6.0.4-3+squeeze5) squeeze-lts; urgency=high
- * Non-maintainer upload by the Squeeze LTS Team.
+ * Non-maintainer upload by the Squeeze LTS Team.
* Add 0008-CVE-2014-8716-crafted-jpeg-file-could-lead-to-DOS.patch
to fix CVE-2014-8716 (Closes: #768494)
diff -Nru imagemagick-6.6.0.4/debian/patches/0001-Description-Do-not-read-configure-files-in-the-curre.patch imagemagick-6.6.0.4/debian/patches/0001-Description-Do-not-read-configure-files-in-the-curre.patch
--- imagemagick-6.6.0.4/debian/patches/0001-Description-Do-not-read-configure-files-in-the-curre.patch 2014-04-04 17:02:24.000000000 +0200
+++ imagemagick-6.6.0.4/debian/patches/0001-Description-Do-not-read-configure-files-in-the-curre.patch 2015-05-16 02:00:33.000000000 +0200
@@ -2,15 +2,13 @@
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Wed, 25 Apr 2012 14:47:16 +0200
Subject: [PATCH] Description: Do not read configure files in the current
- directory for the "installed" version of ImageMagick.
- Patch pulled from upstream svn
- https://www.imagemagick.org/subversion/ImageMagick/trunk
- revision 3022. Author: Cristy <quetzlzacatenango@image...>
- Bug-Debian: http://bugs.debian.org/601824 Origin: upstream
- Last-Update: 2010-11-06
+ directory for the "installed" version of ImageMagick. Patch pulled from
+ upstream svn https://www.imagemagick.org/subversion/ImageMagick/trunk
+ revision 3022. Author: Cristy <quetzlzacatenango@image...> Bug-Debian:
+ http://bugs.debian.org/601824 Origin: upstream Last-Update: 2010-11-06
---
- magick/configure.c | 8 ++++----
+ magick/configure.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/magick/configure.c b/magick/configure.c
@@ -40,5 +38,5 @@
}
�
--
-1.7.10
+2.1.4
diff -Nru imagemagick-6.6.0.4/debian/patches/0002-ImageMagick-Invalid-Validation-and-Denial-of-Service.patch imagemagick-6.6.0.4/debian/patches/0002-ImageMagick-Invalid-Validation-and-Denial-of-Service.patch
--- imagemagick-6.6.0.4/debian/patches/0002-ImageMagick-Invalid-Validation-and-Denial-of-Service.patch 2014-04-04 17:02:24.000000000 +0200
+++ imagemagick-6.6.0.4/debian/patches/0002-ImageMagick-Invalid-Validation-and-Denial-of-Service.patch 2015-05-16 02:00:33.000000000 +0200
@@ -17,7 +17,7 @@
Forwarded: http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20286
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659339
---
- magick/property.c | 116 ++++++++++++++++++++++++++++++++---------------------
+ magick/property.c | 116 +++++++++++++++++++++++++++++++++---------------------
1 file changed, 71 insertions(+), 45 deletions(-)
diff --git a/magick/property.c b/magick/property.c
@@ -392,5 +392,5 @@
}
}
--
-1.7.10
+2.1.4
diff -Nru imagemagick-6.6.0.4/debian/patches/0003-Fix-CVE-2012-1185-CVE-2012-1186-assignment-notificat.patch imagemagick-6.6.0.4/debian/patches/0003-Fix-CVE-2012-1185-CVE-2012-1186-assignment-notificat.patch
--- imagemagick-6.6.0.4/debian/patches/0003-Fix-CVE-2012-1185-CVE-2012-1186-assignment-notificat.patch 2014-04-04 17:02:24.000000000 +0200
+++ imagemagick-6.6.0.4/debian/patches/0003-Fix-CVE-2012-1185-CVE-2012-1186-assignment-notificat.patch 2015-05-16 02:00:33.000000000 +0200
@@ -19,8 +19,8 @@
Applied-Upstream: 6.7.5-9
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665007
---
- magick/profile.c | 15 +++++++++++++--
- magick/property.c | 2 ++
+ magick/profile.c | 15 +++++++++++++--
+ magick/property.c | 2 ++
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/magick/profile.c b/magick/profile.c
@@ -95,5 +95,5 @@
continue;
p=(unsigned char *) (exif+offset);
--
-1.7.10
+2.1.4
diff -Nru imagemagick-6.6.0.4/debian/patches/0004-Fix-security-holes-JPEG-EXIF-TIFF.patch imagemagick-6.6.0.4/debian/patches/0004-Fix-security-holes-JPEG-EXIF-TIFF.patch
--- imagemagick-6.6.0.4/debian/patches/0004-Fix-security-holes-JPEG-EXIF-TIFF.patch 2014-04-04 17:02:24.000000000 +0200
+++ imagemagick-6.6.0.4/debian/patches/0004-Fix-security-holes-JPEG-EXIF-TIFF.patch 2015-05-16 02:00:33.000000000 +0200
@@ -20,9 +20,9 @@
Applied-Upstream: 6.7.6-3
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667635
---
- coders/jpeg.c | 8 +++++++-
- coders/tiff.c | 7 ++++---
- magick/property.c | 4 ++++
+ coders/jpeg.c | 8 +++++++-
+ coders/tiff.c | 7 ++++---
+ magick/property.c | 4 ++++
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/coders/jpeg.c b/coders/jpeg.c
@@ -104,5 +104,5 @@
{
case EXIF_FMT_BYTE:
--
-1.7.10
+2.1.4
diff -Nru imagemagick-6.6.0.4/debian/patches/0005-Fix-security-bug-for-special-crafted-EXIF-properties.patch imagemagick-6.6.0.4/debian/patches/0005-Fix-security-bug-for-special-crafted-EXIF-properties.patch
--- imagemagick-6.6.0.4/debian/patches/0005-Fix-security-bug-for-special-crafted-EXIF-properties.patch 2014-04-04 17:02:24.000000000 +0200
+++ imagemagick-6.6.0.4/debian/patches/0005-Fix-security-bug-for-special-crafted-EXIF-properties.patch 2015-05-16 02:00:33.000000000 +0200
@@ -28,8 +28,8 @@
Applied-Upstream: 6.7.6-4
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667635
---
- magick/profile.c | 7 +++++--
- magick/property.c | 4 ++--
+ magick/profile.c | 7 +++++--
+ magick/property.c | 4 ++--
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/magick/profile.c b/magick/profile.c
@@ -82,5 +82,5 @@
if (number_bytes < components)
break; /* prevent overflow */
--
-1.7.10
+2.1.4
diff -Nru imagemagick-6.6.0.4/debian/patches/0006-CVE-2014-1947-Fix-buffer-overflow-when-handling-PSD-images.patch imagemagick-6.6.0.4/debian/patches/0006-CVE-2014-1947-Fix-buffer-overflow-when-handling-PSD-images.patch
--- imagemagick-6.6.0.4/debian/patches/0006-CVE-2014-1947-Fix-buffer-overflow-when-handling-PSD-images.patch 2014-04-04 17:02:24.000000000 +0200
+++ imagemagick-6.6.0.4/debian/patches/0006-CVE-2014-1947-Fix-buffer-overflow-when-handling-PSD-images.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,33 +0,0 @@
-Description: CVE-2014-1947: Fix buffer overrun
-Origin: backport, http://trac.imagemagick.org/changeset/13736
-Bug-Debian: http://bugs.debian.org/740250
-Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1064098
-Forwarded: not-needed
-Author: Salvatore Bonaccorso <carnil@debian.org>
-Last-Update: 2014-03-15
-
---- a/coders/psd.c
-+++ b/coders/psd.c
-@@ -2005,8 +2005,8 @@
- num_channels,
- packet_size;
-
-- unsigned char
-- layer_name[4];
-+ char
-+ layer_name[MaxTextExtent];
-
- unsigned long
- channel_size,
-@@ -2239,9 +2239,9 @@
- (void) WriteBlob(image, 3, &layer_name[1]);
- */
- } else {
-- (void) FormatMagickString((char *) layer_name,MaxTextExtent,"L%02ld",
-+ (void) FormatMagickString(layer_name,MaxTextExtent,"L%02ld",
- layer_count++ );
-- WritePascalString( image, (char*)layer_name, 4 );
-+ WritePascalString( image, layer_name, 4 );
- }
- tmp_image = GetNextImageInList(tmp_image);
- };
diff -Nru imagemagick-6.6.0.4/debian/patches/0006-CVE-2014-1947-Fix-buffer-overrun.patch imagemagick-6.6.0.4/debian/patches/0006-CVE-2014-1947-Fix-buffer-overrun.patch
--- imagemagick-6.6.0.4/debian/patches/0006-CVE-2014-1947-Fix-buffer-overrun.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0006-CVE-2014-1947-Fix-buffer-overrun.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,44 @@
+From be9543deae7bcdad5fa34532cffc0858a1b7514f Mon Sep 17 00:00:00 2001
+From: Salvatore Bonaccorso <carnil@debian.org>
+Date: Sun, 23 Nov 2014 13:55:19 +0100
+Subject: [PATCH] CVE-2014-1947: Fix buffer overrun
+
+Origin: backport, http://trac.imagemagick.org/changeset/13736
+Bug-Debian: http://bugs.debian.org/740250
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1064098
+Forwarded: not-needed
+Last-Update: 2014-03-15
+---
+ coders/psd.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/coders/psd.c b/coders/psd.c
+index 46b4578..a2ff5d9 100644
+--- a/coders/psd.c
++++ b/coders/psd.c
+@@ -2005,8 +2005,8 @@ static MagickBooleanType WritePSDImage(const ImageInfo *image_info,Image *image)
+ num_channels,
+ packet_size;
+
+- unsigned char
+- layer_name[4];
++ char
++ layer_name[MaxTextExtent];
+
+ unsigned long
+ channel_size,
+@@ -2239,9 +2239,9 @@ compute_layer_info:
+ (void) WriteBlob(image, 3, &layer_name[1]);
+ */
+ } else {
+- (void) FormatMagickString((char *) layer_name,MaxTextExtent,"L%02ld",
++ (void) FormatMagickString(layer_name,MaxTextExtent,"L%02ld",
+ layer_count++ );
+- WritePascalString( image, (char*)layer_name, 4 );
++ WritePascalString( image, layer_name, 4 );
+ }
+ tmp_image = GetNextImageInList(tmp_image);
+ };
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0007-Prevent-buffer-overflow-in-messaging-system-CVE-2014.patch imagemagick-6.6.0.4/debian/patches/0007-Prevent-buffer-overflow-in-messaging-system-CVE-2014.patch
--- imagemagick-6.6.0.4/debian/patches/0007-Prevent-buffer-overflow-in-messaging-system-CVE-2014.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0007-Prevent-buffer-overflow-in-messaging-system-CVE-2014.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,49 @@
+From 7f07d9a269c3c875dc0587614441b2d40a96bf78 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sun, 16 Feb 2014 21:48:05 +0000
+Subject: [PATCH] Prevent buffer overflow in messaging system (CVE: 2014-1947)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1067276
+Bug-debian: http://bugs.debian.org/740250
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@14900 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+Signed-off-by: Bastien ROUCARIÈS <roucaries.bastien@gmail.com>
+---
+ magick/locale.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/magick/locale.c b/magick/locale.c
+index 799e412..670f28b 100644
+--- a/magick/locale.c
++++ b/magick/locale.c
+@@ -738,6 +738,13 @@ static void LocaleFatalErrorHandler(
+ exit(1);
+ }
+
++static inline size_t MagickMin(const unsigned int x,
++ const unsigned int y)
++{
++ if (x < y)
++ return(x);
++ return(y);
++}
+
+ static MagickBooleanType LoadLocaleList(const char *xml,const char *filename,
+ const char *locale,const unsigned long depth,ExceptionInfo *exception)
+@@ -917,8 +924,9 @@ static MagickBooleanType LoadLocaleList(const char *xml,const char *filename,
+ q--;
+ while ((isspace((int) ((unsigned char) *q)) != 0) && (q > p))
+ q--;
+- (void) CopyMagickString(message,p,(size_t) (q-p+2));
+- locale_info=(LocaleInfo *) AcquireAlignedMemory(1,sizeof(*locale_info));
++ (void) CopyMagickString(message,p,MagickMin(q-p+2,sizeof(message)-
++ strlen(message)));
++ locale_info=(LocaleInfo *) AcquireMagickMemory(sizeof(*locale_info));
+ if (locale_info == (LocaleInfo *) NULL)
+ ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed");
+ (void) ResetMagickMemory(locale_info,0,sizeof(*locale_info));
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0007-Prevent-buffer-overflow-in-messaging-system.patch imagemagick-6.6.0.4/debian/patches/0007-Prevent-buffer-overflow-in-messaging-system.patch
--- imagemagick-6.6.0.4/debian/patches/0007-Prevent-buffer-overflow-in-messaging-system.patch 2014-04-04 17:02:24.000000000 +0200
+++ imagemagick-6.6.0.4/debian/patches/0007-Prevent-buffer-overflow-in-messaging-system.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,35 +0,0 @@
-Subject: [PATCH] Prevent buffer overflow in messaging system
-
-NOTE: Upstream commit references this as CVE-2014-1947. But CVE-2014-1947 is
-the CVE assigned for the issue fixed by
-http://trac.imagemagick.org/changeset/13736
----
- magick/locale.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
---- a/magick/locale.c
-+++ b/magick/locale.c
-@@ -738,6 +738,13 @@
- exit(1);
- }
-
-+static inline size_t MagickMin(const unsigned int x,
-+ const unsigned int y)
-+{
-+ if (x < y)
-+ return(x);
-+ return(y);
-+}
-
- static MagickBooleanType LoadLocaleList(const char *xml,const char *filename,
- const char *locale,const unsigned long depth,ExceptionInfo *exception)
-@@ -917,7 +924,8 @@
- q--;
- while ((isspace((int) ((unsigned char) *q)) != 0) && (q > p))
- q--;
-- (void) CopyMagickString(message,p,(size_t) (q-p+2));
-+ (void) CopyMagickString(message,p,MagickMin(q-p+2,sizeof(message)-
-+ strlen(message)));
- locale_info=(LocaleInfo *) AcquireAlignedMemory(1,sizeof(*locale_info));
- if (locale_info == (LocaleInfo *) NULL)
- ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed");
diff -Nru imagemagick-6.6.0.4/debian/patches/0008-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch imagemagick-6.6.0.4/debian/patches/0008-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch
--- imagemagick-6.6.0.4/debian/patches/0008-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0008-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,33 @@
+From 5161a2fbc2fa164299d7199af6065da4059517ab Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
+Date: Fri, 7 Nov 2014 21:05:07 +0100
+Subject: [PATCH] Avoid crash and DOS with special crafted jpeg file
+
+Some special crafted JPEG file could lead to dos due to missing check in
+embeded EXIF properties (EXIF directory offsets must be greater than 0).
+
+Fix CVE-2014-8716.
+
+Forwarded: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26456
+Bug-debian: http://bugs.debian.org/768494
+Applied-Upstream: 6.9.9.10
+---
+ magick/property.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/magick/property.c b/magick/property.c
+index cd3d153..07fbcd0 100644
+--- a/magick/property.c
++++ b/magick/property.c
+@@ -1320,6 +1320,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
+ The directory entry contains an offset.
+ */
+ offset=(ssize_t) ReadPropertyLong(endian,q+8);
++ if ((offset < 0) || (size_t) offset >= length)
++ continue;
+ if ((offset+number_bytes) < offset)
+ continue; /* prevent overflow */
+ if ((size_t) (offset+number_bytes) > length)
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0008-CVE-2014-8716-crafted-jpeg-file-could-lead-to-DOS.patch imagemagick-6.6.0.4/debian/patches/0008-CVE-2014-8716-crafted-jpeg-file-could-lead-to-DOS.patch
--- imagemagick-6.6.0.4/debian/patches/0008-CVE-2014-8716-crafted-jpeg-file-could-lead-to-DOS.patch 2014-11-22 19:26:03.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0008-CVE-2014-8716-crafted-jpeg-file-could-lead-to-DOS.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,27 +0,0 @@
-From b61b7f4f0e705b6a9a9ba8b8af898a406b0fc87e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
-Date: Fri, 7 Nov 2014 21:05:07 +0100
-Subject: [PATCH] Avoid crash and DOS with special crafted jpeg file
-
-Some special crafted JPEG file could lead to dos due to missing check in
-embeded EXIF properties (EXIF directory offsets must be greater than 0).
-
-Fix CVE-2014-8716.
-
-Forwarded: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26456
-Bug-debian: http://bugs.debian.org/768494
-Applied-Upstream: 6.9.9.10
-
-Index: imagemagick-6.6.0.4/magick/property.c
-===================================================================
---- imagemagick-6.6.0.4.orig/magick/property.c 2014-11-22 19:11:28.000000000 +0100
-+++ imagemagick-6.6.0.4/magick/property.c 2014-11-22 19:21:12.000000000 +0100
-@@ -1320,6 +1320,8 @@
- The directory entry contains an offset.
- */
- offset=(ssize_t) ReadPropertyLong(endian,q+8);
-+ if ((offset < 0) || (size_t) offset >= length)
-+ continue;
- if ((offset+number_bytes) < offset)
- continue; /* prevent overflow */
- if ((size_t) (offset+number_bytes) > length)
diff -Nru imagemagick-6.6.0.4/debian/patches/0009-Fix-CVE-2012-3437-ImageMagick-Magick_png_malloc-size.patch imagemagick-6.6.0.4/debian/patches/0009-Fix-CVE-2012-3437-ImageMagick-Magick_png_malloc-size.patch
--- imagemagick-6.6.0.4/debian/patches/0009-Fix-CVE-2012-3437-ImageMagick-Magick_png_malloc-size.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0009-Fix-CVE-2012-3437-ImageMagick-Magick_png_malloc-size.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,133 @@
+From aa4a952080e25117c59b70b71c67d7d59bbae234 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
+Date: Thu, 2 Aug 2012 20:19:25 +0200
+Subject: [PATCH] Fix CVE-2012-3437 ImageMagick: Magick_png_malloc() size
+ argument
+
+Tom Lane (tgl@redhat.com) found an issue in ImageMagick. Basically
+CVE-2011-3026 deals with libpng memory allocation, limitations have been
+added so that a bad PNG can't cause the system to allocate a lot of
+memory causing a denial of service. However on further investigation of
+ImageMagick Tom Lane found that PNG malloc function (Magick_png_malloc)
+in turn calls AcquireMagickMemory with an improper size argument:
+
+static png_voidp Magick_png_malloc(png_structp png_ptr,png_uint_32 size)
+{
+ (void) png_ptr;
+ return((png_voidp) AcquireMagickMemory((size_t) size));
+}
+
+This is incorrect, the size argument should be declared png_alloc_size_t
+according to 1.5, or png_size_t according to 1.2.
+
+"As this function stands, it invisibly does the wrong thing for any request
+over 4GB. On big-endian architectures it very possibly will do the wrong
+thing even for requests less than that. So the reason why the hard-wired 4GB
+limit prevents a core dump is that it masks the ABI mismatch here."
+
+So basically we have memory allocations problems that can probably lead to a
+denial of service.
+
+Backported from 81157cd61667708831e489dd90aa64847c94735a
+
+Origin: upstream, http://trac.imagemagick.org/changeset/8733
+Author: John Cristy
+Bug-Debian: http://bugs.debian.org/683285
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=844101
+Applied-Upstream: commit: r8733
+Last-Update: 2012-07-30
+---
+ coders/png.c | 44 ++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 36 insertions(+), 8 deletions(-)
+
+diff --git a/coders/png.c b/coders/png.c
+index bbf9f19..556c673 100644
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -41,6 +41,9 @@
+ /*
+ Include declarations.
+ */
++
++#include <stdint.h>
++
+ #include "magick/studio.h"
+ #include "magick/attribute.h"
+ #include "magick/blob.h"
+@@ -1474,7 +1477,11 @@ static void PNGWarningHandler(png_struct *ping,png_const_charp message)
+ }
+
+ #ifdef PNG_USER_MEM_SUPPORTED
+-static png_voidp png_IM_malloc(png_structp png_ptr,png_uint_32 size)
++#if PNG_LIBPNG_VER >= 14000
++static png_voidp png_IM_malloc(png_structp png_ptr,png_alloc_size_t size)
++#else
++static png_voidp png_IM_malloc(png_structp png_ptr,png_size_t size)
++#endif
+ {
+ #if (PNG_LIBPNG_VER < 10011)
+ png_voidp
+@@ -6128,11 +6135,19 @@ static void
+ png_set_compression_buffer_size(png_structp png_ptr, png_uint_32 size)
+ {
+ if (png_ptr->zbuf)
+- png_free(png_ptr, png_ptr->zbuf); png_ptr->zbuf=NULL;
++ png_free(png_ptr, png_ptr->zbuf);
++ png_ptr->zbuf=NULL;
++ if((uintmax_t) size > (uintmax_t) PNG_SIZE_MAX)
++ goto error_size;
+ png_ptr->zbuf_size=(png_size_t) size;
+- png_ptr->zbuf=(png_bytep) png_malloc(png_ptr, size);
++ png_ptr->zbuf=(png_bytep) png_malloc(png_ptr, (png_size_t) size);
+ if (png_ptr->zbuf == 0)
+- png_error(png_ptr,"Unable to allocate zbuf");
++ goto error_malloc;
++ return;
++ error_size:
++ png_ptr->zbuf_size = 0;
++ error_malloc:
++ png_error(png_ptr,"Unable to allocate zbuf");
+ }
+ #endif
+
+@@ -6182,12 +6197,21 @@ png_write_raw_profile(const ImageInfo *image_info,png_struct *ping,
+ (char *) profile_type, length);
+ }
+ #if (PNG_LIBPNG_VER > 10005)
+- text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text));
++#if PNG_LIBPNG_VER >= 14000
++ text=(png_textp) png_malloc(ping,(png_alloc_size_t) sizeof(png_text));
++#else
++ text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text));
++#endif
+ description_length=(png_uint_32) strlen((const char *) profile_description);
+ allocated_length=(png_uint_32) (length*2 + (length >> 5) + 20
+ + description_length);
+- text[0].text=(png_charp) png_malloc(ping,allocated_length);
+- text[0].key=(png_charp) png_malloc(ping, (png_uint_32) 80);
++#if PNG_LIBPNG_VER >= 14000
++ text[0].text=(png_charp) png_malloc(ping,(png_alloc_size_t)allocated_length);
++ text[0].key=(png_charp) png_malloc(ping, (png_alloc_size_t) 80);
++#else
++ text[0].text=(png_charp) png_malloc(ping,(png_size_t)allocated_length);
++ text[0].key=(png_charp) png_malloc(ping, (png_size_t)80);
++#endif
+ text[0].key[0]='\0';
+ (void) ConcatenateMagickString(text[0].key,
+ "Raw profile type ",MaxTextExtent);
+@@ -7712,7 +7736,11 @@ static MagickBooleanType WriteOnePNGImage(MngInfo *mng_info,
+ if (value != (const char *) NULL)
+ {
+ #if (PNG_LIBPNG_VER > 10005)
+- text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text));
++#if PNG_LIBPNG_VER >= 14000
++ text=(png_textp) png_malloc(ping,(png_alloc_size_t) sizeof(png_text));
++#else
++ text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text));
++#endif
+ text[0].key=(char *) property;
+ text[0].text=(char *) value;
+ text[0].text_length=strlen(value);
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0010-Memory-leak-after-setjmp-used-variable-need-to-be-vo.patch imagemagick-6.6.0.4/debian/patches/0010-Memory-leak-after-setjmp-used-variable-need-to-be-vo.patch
--- imagemagick-6.6.0.4/debian/patches/0010-Memory-leak-after-setjmp-used-variable-need-to-be-vo.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0010-Memory-leak-after-setjmp-used-variable-need-to-be-vo.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,118 @@
+From a3a9172555a3f8a6c4e66fc5f425c01c2edb33b7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
+Date: Mon, 15 Oct 2012 14:11:02 +0200
+Subject: [PATCH] Memory leak: after setjmp used variable need to be volatile
+
+According to POSIX setjmp manpage:
+ All accessible objects have values as of the time longjmp() was called,
+ except that the values of objects of automatic storage duration which are
+ local to the function containing the invocation of the corresponding
+ setjmp() which do not have volatile-qualified type and
+ which are changed between the setjmp() invocation and longjmp() call are indeterminate.
+
+Previous code was not safe according to this specification and could lead to memory
+leak.
+
+If the setjmp handler is called after reading a corrupted png, ping_pixels may
+be null and thus lead to a memory leak.
+
+Mark this kind of variable as volatile.
+
+git-svn-id: https://www.imagemagick.org/subversion/ImageMagick/trunk@9558 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+
+Cherry picked rom svn revision 9558
+
+Origin: upstream, http://trac.imagemagick.org/changeset/9558
+Bug: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=22024
+---
+ coders/jpeg.c | 16 ++++++++--------
+ coders/png.c | 4 ++--
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/coders/jpeg.c b/coders/jpeg.c
+index 1803e92..34928b3 100644
+--- a/coders/jpeg.c
++++ b/coders/jpeg.c
+@@ -883,7 +883,7 @@ static Image *ReadJPEGImage(const ImageInfo *image_info,
+ y;
+
+ JSAMPLE
+- *jpeg_pixels;
++ *volatile jpeg_pixels;
+
+ JSAMPROW
+ scanline[1];
+@@ -1149,8 +1149,8 @@ static Image *ReadJPEGImage(const ImageInfo *image_info,
+ */
+ if (setjmp(error_manager.error_recovery) != 0)
+ {
+- if (jpeg_pixels != (unsigned char *) NULL)
+- jpeg_pixels=(unsigned char *) RelinquishMagickMemory(jpeg_pixels);
++ if (jpeg_pixels != (JSAMPLE *) NULL)
++ jpeg_pixels=(JSAMPLE *) RelinquishMagickMemory(jpeg_pixels);
+ jpeg_destroy_decompress(&jpeg_info);
+ (void) CloseBlob(image);
+ number_pixels=(MagickSizeType) image->columns*image->rows;
+@@ -1289,7 +1289,7 @@ static Image *ReadJPEGImage(const ImageInfo *image_info,
+ */
+ (void) jpeg_finish_decompress(&jpeg_info);
+ jpeg_destroy_decompress(&jpeg_info);
+- jpeg_pixels=(unsigned char *) RelinquishMagickMemory(jpeg_pixels);
++ jpeg_pixels=(JSAMPLE *) RelinquishMagickMemory(jpeg_pixels);
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
+@@ -1676,7 +1676,7 @@ static MagickBooleanType WriteJPEGImage(const ImageInfo *image_info,
+ error_manager;
+
+ JSAMPLE
+- *jpeg_pixels;
++ *volatile jpeg_pixels;
+
+ JSAMPROW
+ scanline[1];
+@@ -2157,8 +2157,8 @@ static MagickBooleanType WriteJPEGImage(const ImageInfo *image_info,
+ if (setjmp(error_manager.error_recovery) != 0)
+ {
+ jpeg_destroy_compress(&jpeg_info);
+- if (jpeg_pixels != (unsigned char *) NULL)
+- jpeg_pixels=(unsigned char *) RelinquishMagickMemory(jpeg_pixels);
++ if (jpeg_pixels != (JSAMPLE *) NULL)
++ jpeg_pixels=(JSAMPLE *) RelinquishMagickMemory(jpeg_pixels);
+ (void) CloseBlob(image);
+ return(MagickFalse);
+ }
+@@ -2340,7 +2340,7 @@ static MagickBooleanType WriteJPEGImage(const ImageInfo *image_info,
+ Relinquish resources.
+ */
+ jpeg_destroy_compress(&jpeg_info);
+- jpeg_pixels=(unsigned char *) RelinquishMagickMemory(jpeg_pixels);
++ jpeg_pixels=(JSAMPLE *) RelinquishMagickMemory(jpeg_pixels);
+ (void) CloseBlob(image);
+ return(MagickTrue);
+ }
+diff --git a/coders/png.c b/coders/png.c
+index 556c673..dd2f3e4 100644
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -1706,7 +1706,7 @@ static Image *ReadOnePNGImage(MngInfo *mng_info,
+ *quantum_info;
+
+ unsigned char
+- *png_pixels;
++ * volatile png_pixels;
+
+ long
+ y;
+@@ -6339,7 +6339,7 @@ static MagickBooleanType WriteOnePNGImage(MngInfo *mng_info,
+ x;
+
+ unsigned char
+- *png_pixels;
++ *volatile png_pixels;
+
+ unsigned int
+ logging,
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0011-Magick-fix-a-memory-leak.patch imagemagick-6.6.0.4/debian/patches/0011-Magick-fix-a-memory-leak.patch
--- imagemagick-6.6.0.4/debian/patches/0011-Magick-fix-a-memory-leak.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0011-Magick-fix-a-memory-leak.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,42 @@
+From d9ba07b1af228aecaa2289657543fa1961f7f6ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
+Date: Wed, 24 Oct 2012 12:07:59 +0200
+Subject: [PATCH] Magick++ fix a memory leak
+
+Original code leak memory in case of corrupted image. When image->exception is thrown, the following DestroyExceptionInfo will not be executed, thus lead to a leak.
+
+Fix it by adding (void) DestroyExceptionInfo( &exceptionInfo ) before throwing.
+
+Origin: upstream, http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=21948
+Bug: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=21948
+Author: John Cristy <quetzlzacatenango@imagemagick.org>
+Applied-Upstream: 6.8.0.1
+---
+ Magick++/lib/Image.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/Magick++/lib/Image.cpp b/Magick++/lib/Image.cpp
+index 4677bb2..a898abe 100644
+--- a/Magick++/lib/Image.cpp
++++ b/Magick++/lib/Image.cpp
+@@ -1595,11 +1595,14 @@ void Magick::Image::read ( const std::string &imageSpec_ )
+ DestroyImageList( next );
+
+ }
+- replaceImage( image );
+- throwException( exceptionInfo );
+ if ( image )
+- throwException( image->exception );
++ {
++ (void) DestroyExceptionInfo( &exceptionInfo );
++ throwException( image->exception );
++ }
++ throwException( exceptionInfo );
+ (void) DestroyExceptionInfo( &exceptionInfo );
++ replaceImage( image );
+ }
+
+ // Read image of specified size into current object
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0012-Fix-last-value-in-dicom_info-and-added-missing-NULL-.patch imagemagick-6.6.0.4/debian/patches/0012-Fix-last-value-in-dicom_info-and-added-missing-NULL-.patch
--- imagemagick-6.6.0.4/debian/patches/0012-Fix-last-value-in-dicom_info-and-added-missing-NULL-.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0012-Fix-last-value-in-dicom_info-and-added-missing-NULL-.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,64 @@
+From 5c704a1944cb0ce9d8ef563d6c0b37ebf02fab0b Mon Sep 17 00:00:00 2001
+From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sat, 25 Oct 2014 12:30:45 +0000
+Subject: [PATCH] Fix last value in dicom_info and added missing != NULL check.
+
+Fix a buffer overflow in dcm reader by checking the dcm file.
+This problem was discovered by fuzzing some dcm file.
+
+This is fix for the dcm format for TEMP-0000000-77B6EF aka CVE-2014-8562.
+
+forwarded: yes
+Bug-debian: http://bugs.debian.org/767240
+Applied-Upstream: 6.8.9.9
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@16794 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+---
+ coders/dcm.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/coders/dcm.c b/coders/dcm.c
+index 450cdbe..5c1cde7 100644
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -2608,7 +2608,7 @@ static const DicomInfo
+ { 0xfffe, 0xe000, "!!", "Item" },
+ { 0xfffe, 0xe00d, "!!", "Item Delimitation Item" },
+ { 0xfffe, 0xe0dd, "!!", "Sequence Delimitation Item" },
+- { 0xffff, 0xffff, "xs", "" }
++ { 0xffff, 0xffff, "xs", (char *) NULL }
+ };
+ �
+ /*
+@@ -3342,17 +3342,20 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if ((group == (long) dicom_info[i].group) &&
+ (element == (long) dicom_info[i].element))
+ break;
+- attribute=AcquireString("dcm:");
+- (void) ConcatenateString(&attribute,dicom_info[i].description);
+- for (i=0; i < (long) MagickMax(length,4); i++)
+- if (isprint((int) data[i]) == MagickFalse)
+- break;
+- if ((i == (long) length) || (length > 4))
++ if (dicom_info[i].description != (char *) NULL)
+ {
+- (void) SubstituteString(&attribute," ","");
+- (void) SetImageProperty(image,attribute,(char *) data);
++ attribute=AcquireString("dcm:");
++ (void) ConcatenateString(&attribute,dicom_info[i].description);
++ for (i=0; i < (ssize_t) MagickMax(length,4); i++)
++ if (isprint((int) data[i]) == MagickFalse)
++ break;
++ if ((i == (ssize_t) length) || (length > 4))
++ {
++ (void) SubstituteString(&attribute," ","");
++ (void) SetImageProperty(image,attribute,(char *) data);
++ }
++ attribute=DestroyString(attribute);
+ }
+- attribute=DestroyString(attribute);
+ data=(unsigned char *) RelinquishMagickMemory(data);
+ }
+ if (image_info->verbose != MagickFalse)
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0013-Fixed-buffer-overflow-in-PCX-reader.patch imagemagick-6.6.0.4/debian/patches/0013-Fixed-buffer-overflow-in-PCX-reader.patch
--- imagemagick-6.6.0.4/debian/patches/0013-Fixed-buffer-overflow-in-PCX-reader.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0013-Fixed-buffer-overflow-in-PCX-reader.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,130 @@
+From 9650b08507b883f76258f5a8bac886ada65dd622 Mon Sep 17 00:00:00 2001
+From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Thu, 23 Oct 2014 21:54:08 +0000
+Subject: [PATCH] Fixed buffer overflow in PCX reader.
+
+Fix a buffer overflow in pcx reader by checking the pcx file.
+This problem was discovered by fuzzing some pcx file.
+
+This is fix for the pcx format for TEMP-0000000-77B6EF aka CVE-2014-8355
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@16774 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+forwarded: yes
+Bug-debian: http://bugs.debian.org/767240
+Applied-Upstream: 6.8.9.9
+---
+ coders/pcx.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/coders/pcx.c b/coders/pcx.c
+index 88a26bb..75c4c54 100644
+--- a/coders/pcx.c
++++ b/coders/pcx.c
+@@ -219,6 +219,13 @@ static inline size_t MagickMin(const size_t x,const size_t y)
+
+ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
++#define ThrowPCXException(severity,tag) \
++ { \
++ scanline=(unsigned char *) RelinquishMagickMemory(scanline); \
++ pcx_pixels=(unsigned char *) RelinquishMagickMemory(pcx_pixels); \
++ ThrowReaderException(severity,tag); \
++ }
++
+ Image
+ *image;
+
+@@ -261,7 +268,7 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+
+ unsigned char
+ packet,
+- *pcx_colormap,
++ pcx_colormap[768],
+ *pcx_pixels,
+ *scanline;
+
+@@ -317,7 +324,6 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (offset < 0)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
+- pcx_colormap=(unsigned char *) NULL;
+ count=ReadBlob(image,1,&pcx_info.identifier);
+ for (id=1; id < 1024; id++)
+ {
+@@ -350,10 +356,6 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ image->x_resolution=(double) pcx_info.horizontal_resolution;
+ image->y_resolution=(double) pcx_info.vertical_resolution;
+ image->colors=16;
+- pcx_colormap=(unsigned char *) AcquireQuantumMemory(256UL,
+- 3*sizeof(*pcx_colormap));
+- if (pcx_colormap == (unsigned char *) NULL)
+- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ count=ReadBlob(image,3*image->colors,pcx_colormap);
+ pcx_info.reserved=(unsigned char) ReadBlobByte(image);
+ pcx_info.planes=(unsigned char) ReadBlobByte(image);
+@@ -385,6 +387,9 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ */
+ pcx_packets=(unsigned long) image->rows*pcx_info.bytes_per_line*
+ pcx_info.planes;
++ if ((size_t) (pcx_info.bits_per_pixel*pcx_info.planes*image->columns) >
++ (pcx_packets*8U))
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ pcx_pixels=(unsigned char *) AcquireQuantumMemory(pcx_packets,
+ sizeof(*pcx_pixels));
+ scanline=(unsigned char *) AcquireQuantumMemory(MagickMax(image->columns,
+@@ -401,7 +406,7 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ packet=(unsigned char) ReadBlobByte(image);
+ if (EOFBlob(image) != MagickFalse)
+- break;
++ ThrowPCXException(CorruptImageError,"UnexpectedEndOfFile");
+ *p++=packet;
+ pcx_packets--;
+ }
+@@ -410,7 +415,7 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ packet=(unsigned char) ReadBlobByte(image);
+ if (EOFBlob(image) != MagickFalse)
+- break;
++ ThrowPCXException(CorruptImageError,"UnexpectedEndOfFile");
+ if ((packet & 0xc0) != 0xc0)
+ {
+ *p++=packet;
+@@ -420,7 +425,7 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ count=(ssize_t) (packet & 0x3f);
+ packet=(unsigned char) ReadBlobByte(image);
+ if (EOFBlob(image) != MagickFalse)
+- break;
++ ThrowPCXException(CorruptImageError,"UnexpectedEndOfFile");
+ for ( ; count != 0; count--)
+ {
+ *p++=packet;
+@@ -439,7 +444,7 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ Initialize image colormap.
+ */
+ if (image->colors > 256)
+- ThrowReaderException(CorruptImageError,"ColormapExceeds256Colors");
++ ThrowPCXException(CorruptImageError,"ColormapExceeds256Colors");
+ if ((pcx_info.bits_per_pixel*pcx_info.planes) == 1)
+ {
+ /*
+@@ -468,7 +473,6 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ image->colormap[i].blue=ScaleCharToQuantum(*p++);
+ }
+ }
+- pcx_colormap=(unsigned char *) RelinquishMagickMemory(pcx_colormap);
+ }
+ /*
+ Convert PCX raster image to pixel packets.
+@@ -624,8 +628,6 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (image->storage_class == PseudoClass)
+ (void) SyncImage(image);
+ scanline=(unsigned char *) RelinquishMagickMemory(scanline);
+- if (pcx_colormap != (unsigned char *) NULL)
+- pcx_colormap=(unsigned char *) RelinquishMagickMemory(pcx_colormap);
+ pcx_pixels=(unsigned char *) RelinquishMagickMemory(pcx_pixels);
+ if (EOFBlob(image) != MagickFalse)
+ {
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0014-Don-t-clone-a-0x0-image.patch imagemagick-6.6.0.4/debian/patches/0014-Don-t-clone-a-0x0-image.patch
--- imagemagick-6.6.0.4/debian/patches/0014-Don-t-clone-a-0x0-image.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0014-Don-t-clone-a-0x0-image.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,64 @@
+From e94938873522cbb3d3240123616414ebf48e57c5 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Tue, 21 Oct 2014 13:58:29 +0000
+Subject: [PATCH] Don't clone a 0x0 image
+
+Passing 0x0 image to imagemagick will lead to divide by zero and other kind of error.
+Usually entry point of imagemagick does not allow this kind of error.
+
+However cloning 0x0 image was allowed and thus could trigger this kind of error.
+This bug may be remotly exploitable and could lead to controlable buffer overflow.
+
+Moreover fix the same kind of error in resize.
+
+This is fix for TEMP-0000000-1800A5 aka CVE-2014-8354
+
+forwarded: yes
+Bug-debian: http://bugs.debian.org/767240
+Applied-Upstream: 6.8.9.9
+---
+ magick/image.c | 5 +++++
+ magick/resize.c | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/magick/image.c b/magick/image.c
+index 8759d63..787030b 100644
+--- a/magick/image.c
++++ b/magick/image.c
+@@ -821,6 +821,11 @@ MagickExport Image *CloneImage(const Image *image,const unsigned long columns,
+ (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);
+ assert(exception != (ExceptionInfo *) NULL);
+ assert(exception->signature == MagickSignature);
++ if ((image->columns == 0) || (image->rows == 0))
++ {
++ ThrowBinaryException(ImageError,"NegativeOrZeroImageSize",image->filename);
++ return((Image *) NULL);
++ }
+ clone_image=(Image *) AcquireAlignedMemory(1,sizeof(*clone_image));
+ if (clone_image == (Image *) NULL)
+ ThrowImageException(ResourceLimitError,"MemoryAllocationFailed");
+diff --git a/magick/resize.c b/magick/resize.c
+index 96168ef..9ef64b8 100644
+--- a/magick/resize.c
++++ b/magick/resize.c
+@@ -1822,6 +1822,8 @@ static MagickBooleanType HorizontalFilter(const ResizeFilter *resize_filter,
+ ((MagickRealType) (start+n)-center+0.5));
+ density+=contribution[n].weight;
+ }
++ if (n == 0)
++ continue;
+ if ((density != 0.0) && (density != 1.0))
+ {
+ register long
+@@ -2064,6 +2066,8 @@ static MagickBooleanType VerticalFilter(const ResizeFilter *resize_filter,
+ ((MagickRealType) (start+n)-center+0.5));
+ density+=contribution[n].weight;
+ }
++ if (n == 0)
++ continue;
+ if ((density != 0.0) && (density != 1.0))
+ {
+ register long
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0015-Quit-earlier-in-case-of-corrupted-pnm-image.patch imagemagick-6.6.0.4/debian/patches/0015-Quit-earlier-in-case-of-corrupted-pnm-image.patch
--- imagemagick-6.6.0.4/debian/patches/0015-Quit-earlier-in-case-of-corrupted-pnm-image.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0015-Quit-earlier-in-case-of-corrupted-pnm-image.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,31 @@
+From ccecf6f47a8cbea6716662b5e88443bc2ab2b974 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Tue, 28 Oct 2014 13:11:48 +0000
+Subject: [PATCH] Quit earlier in case of corrupted pnm image
+
+Do not try to read a corrupted pnm file. Bail early.
+
+Fix a segv and thus a DOS
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@16867 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/16867
+---
+ coders/pnm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/pnm.c b/coders/pnm.c
+index 0898415..cd83c2f 100644
+--- a/coders/pnm.c
++++ b/coders/pnm.c
+@@ -410,7 +410,7 @@ static Image *ReadPNMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ }
+ if ((image->columns == 0) || (image->rows == 0))
+ ThrowReaderException(CorruptImageError,"NegativeOrZeroImageSize");
+- if (max_value >= 65536)
++ if ((max_value == 0) || (max_value >= 65536))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ for (depth=1; GetQuantumRange(depth) < max_value; depth++) ;
+ image->depth=depth;
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0016-Prepare-next-patch-by-using-inline-function-instead-.patch imagemagick-6.6.0.4/debian/patches/0016-Prepare-next-patch-by-using-inline-function-instead-.patch
--- imagemagick-6.6.0.4/debian/patches/0016-Prepare-next-patch-by-using-inline-function-instead-.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0016-Prepare-next-patch-by-using-inline-function-instead-.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,123 @@
+From 2ecd156d4c0c835078448d31a7756e5a6c60d3ea Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Mon, 12 May 2014 00:15:53 +0000
+Subject: [PATCH] Prepare next patch by using inline function instead of macro
+
+This patch fix a crash in case of malformed pict file and prepare next patch.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@15704 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/15704
+---
+ coders/pict.c | 47 +++++++++++++++++++++++++++++------------------
+ 1 file changed, 29 insertions(+), 18 deletions(-)
+
+diff --git a/coders/pict.c b/coders/pict.c
+index 60dda99..f7038ee 100644
+--- a/coders/pict.c
++++ b/coders/pict.c
+@@ -92,17 +92,6 @@
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); \
+ }
+
+-#define ReadRectangle(image,rectangle) \
+-{ \
+- rectangle.top=(short) ReadBlobMSBShort(image); \
+- rectangle.left=(short) ReadBlobMSBShort(image); \
+- rectangle.bottom=(short) ReadBlobMSBShort(image); \
+- rectangle.right=(short) ReadBlobMSBShort(image); \
+- if ((rectangle.left > rectangle.right) || \
+- (rectangle.top > rectangle.bottom)) \
+- ThrowReaderException(CorruptImageError,"ImproperImageHeader"); \
+-}
+-
+ typedef struct _PICTCode
+ {
+ const char
+@@ -788,6 +777,18 @@ static inline unsigned long MagickMax(const unsigned long x,
+ return(y);
+ }
+
++static MagickBooleanType ReadRectangle(Image *image,PICTRectangle *rectangle)
++{
++ rectangle->top=(short) ReadBlobMSBShort(image);
++ rectangle->left=(short) ReadBlobMSBShort(image);
++ rectangle->bottom=(short) ReadBlobMSBShort(image);
++ rectangle->right=(short) ReadBlobMSBShort(image);
++ if ((rectangle->left > rectangle->right) ||
++ (rectangle->top > rectangle->bottom))
++ return(MagickFalse);
++ return(MagickTrue);
++}
++
+ static Image *ReadPICTImage(const ImageInfo *image_info,
+ ExceptionInfo *exception)
+ {
+@@ -868,7 +869,8 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
+ for (i=0; i < 512; i++)
+ (void) ReadBlobByte(image); /* skip header */
+ (void) ReadBlobMSBShort(image); /* skip picture size */
+- ReadRectangle(image,frame);
++ if (ReadRectangle(image,&frame) == MagickFalse)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ while ((c=ReadBlobByte(image)) == 0) ;
+ if (c != 0x11)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+@@ -932,7 +934,8 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
+ (void) ReadBlobByte(image);
+ break;
+ }
+- ReadRectangle(image,frame);
++ if (ReadRectangle(image,&frame) == MagickFalse)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if (((frame.left & 0x8000) != 0) || ((frame.top & 0x8000) != 0))
+ break;
+ image->columns=1UL*(frame.right-frame.left);
+@@ -966,7 +969,8 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
+ if (pattern != 1)
+ ThrowReaderException(CorruptImageError,"UnknownPatternType");
+ length=ReadBlobMSBShort(image);
+- ReadRectangle(image,frame);
++ if (ReadRectangle(image,&frame) == MagickFalse)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ ReadPixmap(pixmap);
+ image->depth=1UL*pixmap.component_size;
+ image->x_resolution=1.0*pixmap.horizontal_resolution;
+@@ -1068,7 +1072,8 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
+ (void) ReadBlobMSBShort(image);
+ (void) ReadBlobMSBShort(image);
+ }
+- ReadRectangle(image,frame);
++ if (ReadRectangle(image,&frame) == MagickFalse)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ /*
+ Initialize tile image.
+ */
+@@ -1136,8 +1141,10 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
+ }
+ }
+ }
+- ReadRectangle(image,source);
+- ReadRectangle(image,destination);
++ if (ReadRectangle(image,&source) == MagickFalse)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ if (ReadRectangle(image,&destination) == MagickFalse)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ (void) ReadBlobMSBShort(image);
+ if ((code == 0x91) || (code == 0x99) || (code == 0x9b))
+ {
+@@ -1365,7 +1372,11 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
+ length=ReadBlobMSBLong(image);
+ for (i=0; i < 6; i++)
+ (void) ReadBlobMSBLong(image);
+- ReadRectangle(image,frame);
++ if (ReadRectangle(image,&frame) == MagickFalse)
++ {
++ (void) fclose(file);
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ }
+ for (i=0; i < 122; i++)
+ (void) ReadBlobByte(image);
+ for (i=0; i < (long) (length-154); i++)
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0017-Do-not-crash-in-case-of-corrupted-pict-image.patch imagemagick-6.6.0.4/debian/patches/0017-Do-not-crash-in-case-of-corrupted-pict-image.patch
--- imagemagick-6.6.0.4/debian/patches/0017-Do-not-crash-in-case-of-corrupted-pict-image.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0017-Do-not-crash-in-case-of-corrupted-pict-image.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,27 @@
+From e6f80026e5638eb4815ca848086c6b4da748611f Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sun, 18 May 2014 12:46:09 +0000
+Subject: [PATCH] Do not crash in case of corrupted pict image
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@15769 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/15769
+---
+ coders/pict.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/pict.c b/coders/pict.c
+index f7038ee..f1985e0 100644
+--- a/coders/pict.c
++++ b/coders/pict.c
+@@ -910,6 +910,8 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
+ code=ReadBlobByte(image);
+ if (version == 2)
+ code=(int) ReadBlobMSBShort(image);
++ if (code < 0)
++ break;
+ if (code > 0xa1)
+ {
+ if (image->debug != MagickFalse)
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0018-Added-missing-calls-to-RelinquishUniqueFileResource.patch imagemagick-6.6.0.4/debian/patches/0018-Added-missing-calls-to-RelinquishUniqueFileResource.patch
--- imagemagick-6.6.0.4/debian/patches/0018-Added-missing-calls-to-RelinquishUniqueFileResource.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0018-Added-missing-calls-to-RelinquishUniqueFileResource.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,171 @@
+From a99cadfda0665f3586a1f873172dec80e67b32df Mon Sep 17 00:00:00 2001
+From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Thu, 6 Nov 2014 21:09:54 +0000
+Subject: [PATCH] Added missing calls to RelinquishUniqueFileResource.
+
+Avoid to leak fd in case of error.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@16971 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/16971
+---
+ coders/dcm.c | 22 +++++++++++++---------
+ coders/dot.c | 5 ++++-
+ coders/exr.c | 10 +++++++++-
+ coders/pict.c | 4 ++++
+ coders/pwp.c | 6 +++++-
+ 5 files changed, 35 insertions(+), 12 deletions(-)
+
+diff --git a/coders/dcm.c b/coders/dcm.c
+index 5c1cde7..d826a96 100644
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -3469,28 +3469,32 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ unsigned int
+ tag;
+
++ tag=(ReadBlobLSBShort(image) << 16) | ReadBlobLSBShort(image);
++ length=(size_t) ReadBlobLSBLong(image);
++ if (tag == 0xFFFEE0DD)
++ break; /* sequence delimiter tag */
++ if (tag != 0xFFFEE000)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ file=(FILE *) NULL;
+ unique_file=AcquireUniqueFileResource(filename);
+ if (unique_file != -1)
+ file=fdopen(unique_file,"wb");
+- if ((unique_file == -1) || (file == (FILE *) NULL))
++ if (file == (FILE *) NULL)
+ {
++ (void) RelinquishUniqueFileResource(filename);
+ ThrowFileException(exception,FileOpenError,
+ "UnableToCreateTemporaryFile",filename);
+ break;
+ }
+- tag=(ReadBlobLSBShort(image) << 16) | ReadBlobLSBShort(image);
+- length=(size_t) ReadBlobLSBLong(image);
+- if (tag == 0xFFFEE0DD)
+- break; /* sequence delimiter tag */
+- if (tag != 0xFFFEE000)
+- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ for ( ; length != 0; length--)
+ {
+ c=ReadBlobByte(image);
+ if (c == EOF)
+- ThrowFileException(exception,CorruptImageError,
+- "UnexpectedEndOfFile",image->filename);
++ {
++ ThrowFileException(exception,CorruptImageError,
++ "UnexpectedEndOfFile",image->filename);
++ break;
++ }
+ (void) fputc(c,file);
+ }
+ (void) fclose(file);
+diff --git a/coders/dot.c b/coders/dot.c
+index c92d7c1..844ffc8 100644
+--- a/coders/dot.c
++++ b/coders/dot.c
+@@ -136,7 +136,10 @@ static Image *ReadDOTImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ read_info->filename,image_info->filename);
+ graph=agread(GetBlobFileHandle(image));
+ if (graph == (graph_t *) NULL)
+- return ((Image *) NULL);
++ {
++ (void) RelinquishUniqueFileResource(read_info->filename);
++ return ((Image *) NULL);
++ }
+ option=GetImageOption(image_info,"dot:layout-engine");
+ if (option == (const char *) NULL)
+ gvLayout(graphic_context,graph,(char *) "dot");
+diff --git a/coders/exr.c b/coders/exr.c
+index 0726020..f9b6470 100644
+--- a/coders/exr.c
++++ b/coders/exr.c
+@@ -191,6 +191,8 @@ static Image *ReadEXRImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ ThrowFileException(exception,BlobError,"UnableToOpenBlob",
+ ImfErrorMessage());
++ if (LocaleCompare(image_info->filename,read_info->filename) != 0)
++ (void) RelinquishUniqueFileResource(read_info->filename);
+ read_info=DestroyImageInfo(read_info);
+ return((Image *) NULL);
+ }
+@@ -212,6 +214,9 @@ static Image *ReadEXRImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (scanline == (ImfRgba *) NULL)
+ {
+ (void) ImfCloseInputFile(file);
++ if (LocaleCompare(image_info->filename,read_info->filename) != 0)
++ (void) RelinquishUniqueFileResource(read_info->filename);
++ read_info=DestroyImageInfo(read_info);
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
+ for (y=0; y < (long) image->rows; y++)
+@@ -413,15 +418,18 @@ static MagickBooleanType WriteEXRImage(const ImageInfo *image_info,Image *image)
+ ImfDeleteHeader(hdr_info);
+ if (file == (ImfOutputFile *) NULL)
+ {
++ (void) RelinquishUniqueFileResource(write_info->filename);
++ write_info=DestroyImageInfo(write_info);
+ ThrowFileException(&image->exception,BlobError,"UnableToOpenBlob",
+ ImfErrorMessage());
+- write_info=DestroyImageInfo(write_info);
+ return(MagickFalse);
+ }
+ scanline=(ImfRgba *) AcquireQuantumMemory(image->columns,sizeof(*scanline));
+ if (scanline == (ImfRgba *) NULL)
+ {
+ (void) ImfCloseOutputFile(file);
++ (void) RelinquishUniqueFileResource(write_info->filename);
++ write_info=DestroyImageInfo(write_info);
+ ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
+ }
+ for (y=0; y < (long) image->rows; y++)
+diff --git a/coders/pict.c b/coders/pict.c
+index f1985e0..fa47b06 100644
+--- a/coders/pict.c
++++ b/coders/pict.c
+@@ -1364,6 +1364,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
+ file=fdopen(unique_file,"wb");
+ if ((unique_file == -1) || (file == (FILE *) NULL))
+ {
++ if (file != (FILE *) NULL)
++ (void) fclose(file);
++ (void) RelinquishUniqueFileResource(read_info->filename);
+ (void) CopyMagickString(image->filename,read_info->filename,
+ MaxTextExtent);
+ ThrowFileException(exception,FileOpenError,
+@@ -1377,6 +1380,7 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
+ if (ReadRectangle(image,&frame) == MagickFalse)
+ {
+ (void) fclose(file);
++ (void) RelinquishUniqueFileResource(read_info->filename);
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
+ for (i=0; i < 122; i++)
+diff --git a/coders/pwp.c b/coders/pwp.c
+index 0fe9d3e..fd21b45 100644
+--- a/coders/pwp.c
++++ b/coders/pwp.c
+@@ -193,7 +193,10 @@ static Image *ReadPWPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (c == EOF)
+ break;
+ if (LocaleNCompare((char *) (magick+12),"SFW94A",6) != 0)
+- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ {
++ (void) RelinquishUniqueFileResource(read_info->filename);
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ }
+ /*
+ Dump SFW image to a temporary file.
+ */
+@@ -202,6 +205,7 @@ static Image *ReadPWPImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ file=fdopen(unique_file,"wb");
+ if ((unique_file == -1) || (file == (FILE *) NULL))
+ {
++ (void) RelinquishUniqueFileResource(read_info->filename);
+ ThrowFileException(exception,FileOpenError,"UnableToWriteFile",
+ image->filename);
+ image=DestroyImageList(image);
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0019-Fix-a-double-free-in-pdb-coder.patch imagemagick-6.6.0.4/debian/patches/0019-Fix-a-double-free-in-pdb-coder.patch
--- imagemagick-6.6.0.4/debian/patches/0019-Fix-a-double-free-in-pdb-coder.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0019-Fix-a-double-free-in-pdb-coder.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,97 @@
+From f95f67226e86c19c8ac740fd8064fa3468efc061 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Thu, 20 Nov 2014 23:41:24 +0000
+Subject: [PATCH] Fix a double free in pdb coder
+
+Fix a double free and thus a DOS in pdb coder
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17080 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17080
+---
+ coders/pdb.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/coders/pdb.c b/coders/pdb.c
+index b02a28a..1ef9d6b 100644
+--- a/coders/pdb.c
++++ b/coders/pdb.c
+@@ -34,13 +34,13 @@
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ %
+ %
+- 20071202 TS * rewrote RLE decoder - old version could cause buffer overflows
+- * failure of RLE decoding now thows error RLEDecoderError
+- * fixed bug in RLE decoding - now all rows are decoded, not just
+- the first one
+- * fixed bug in reader - record offsets now handled correctly
+- * fixed bug in reader - only bits 0..2 indicate compression type
+- * in writer: now using image color count instead of depth
++% 20071202 TS * rewrote RLE decoder - old version could cause buffer overflows
++% * failure of RLE decoding now thows error RLEDecoderError
++% * fixed bug in RLE decoding - now all rows are decoded, not just
++% the first one
++% * fixed bug in reader - record offsets now handled correctly
++% * fixed bug in reader - only bits 0..2 indicate compression type
++% * in writer: now using image color count instead of depth
+ */
+ �
+ /*
+@@ -261,7 +261,7 @@ static MagickBooleanType IsPDB(const unsigned char *magick,const size_t length)
+ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ unsigned char
+- attributes, /* TS */
++ attributes,
+ tag[3];
+
+ Image
+@@ -371,7 +371,7 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ */
+ count=ReadBlob(image,32,(unsigned char *) pdb_image.name);
+ pdb_image.version=ReadBlobByte(image);
+- pdb_image.type=ReadBlobByte(image);
++ pdb_image.type=(unsigned char) ReadBlobByte(image);
+ pdb_image.reserved_1=ReadBlobMSBLong(image);
+ pdb_image.note=ReadBlobMSBLong(image);
+ pdb_image.x_last=(short) ReadBlobMSBShort(image);
+@@ -528,7 +528,7 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (EOFBlob(image) != MagickFalse)
+ ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile",
+ image->filename);
+- if (pdb_info.number_records > 1) /* TS */
++ if (pdb_info.number_records > 1)
+ {
+ char
+ *comment;
+@@ -748,9 +748,8 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
+ } else if (image -> colors <= 8) {
+ bits_per_pixel = 3;
+ } else {
+- bits_per_pixel = 4;
++ bits_per_pixel=4;
+ }
+-
+ (void) ResetMagickMemory(pdb_info.name,0,32);
+ (void) CopyMagickString(pdb_info.name,image_info->filename,32);
+ pdb_info.attributes=0;
+@@ -800,7 +799,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
+ if (image->columns % 16)
+ pdb_image.width=(short) (16*(image->columns/16+1));
+ pdb_image.height=(short) image->rows;
+- packets=(bits_per_pixel*image->columns/8)*image->rows;
++ packets=(bits_per_pixel*image->columns/8+4)*image->rows;
+ runlength=(unsigned char *) AcquireQuantumMemory(2UL*packets,
+ sizeof(*runlength));
+ if (runlength == (unsigned char *) NULL)
+@@ -833,7 +832,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
+ break;
+ (void) ExportQuantumPixels(image,(const CacheView *) NULL,quantum_info,
+ GrayQuantum,scanline,&image->exception);
+- for (x=0; x < pdb_image.width; x++)
++ for (x=0; x < (ssize_t) pdb_image.width; x++)
+ {
+ if (x < (long) image->columns)
+ buffer[literal+repeat]|=(0xff-scanline[x*packet_size]) >>
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0020-Fix-handling-of-corrupted-dpc-and-xwd-image.patch imagemagick-6.6.0.4/debian/patches/0020-Fix-handling-of-corrupted-dpc-and-xwd-image.patch
--- imagemagick-6.6.0.4/debian/patches/0020-Fix-handling-of-corrupted-dpc-and-xwd-image.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0020-Fix-handling-of-corrupted-dpc-and-xwd-image.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,63 @@
+From c0fd0d83164e4b1cda1aa330f19d5e0c77f6d27b Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sun, 23 Nov 2014 16:36:18 +0000
+Subject: [PATCH] Fix handling of corrupted dpc and xwd image
+
+Avoid a segv thus a DOS.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17092 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17092
+---
+ coders/dpx.c | 2 ++
+ coders/xwd.c | 11 ++++++++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/coders/dpx.c b/coders/dpx.c
+index 8d22f63..90a1cba 100644
+--- a/coders/dpx.c
++++ b/coders/dpx.c
+@@ -694,6 +694,8 @@ static Image *ReadDPXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ case 7: image->orientation=RightBottomOrientation; break;
+ }
+ dpx.image.number_elements=ReadBlobShort(image);
++ if (dpx.image.number_elements > 8)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ offset+=2;
+ dpx.image.pixels_per_line=ReadBlobLong(image);
+ offset+=4;
+diff --git a/coders/xwd.c b/coders/xwd.c
+index cc93064..968ba5c 100644
+--- a/coders/xwd.c
++++ b/coders/xwd.c
+@@ -276,6 +276,8 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if ((ximage->depth < 0) || (ximage->width < 0) || (ximage->height < 0) ||
+ (ximage->bitmap_pad < 0) || (ximage->bytes_per_line < 0))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ if ((ximage->width > 65535) || (ximage->height > 65535))
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if ((ximage->bits_per_pixel > 32) || (ximage->bitmap_unit > 32))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ x_status=XInitImage(ximage);
+@@ -431,13 +433,16 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ pixel=XGetPixel(ximage,(int) x,(int) y);
+ color=(pixel >> red_shift) & red_mask;
+- color=(color*65535UL)/red_mask;
++ if (red_mask != 0)
++ color=(color*65535UL)/red_mask;
+ q->red=ScaleShortToQuantum((unsigned short) color);
+ color=(pixel >> green_shift) & green_mask;
+- color=(color*65535UL)/green_mask;
++ if (green_mask != 0)
++ color=(color*65535UL)/green_mask;
+ q->green=ScaleShortToQuantum((unsigned short) color);
+ color=(pixel >> blue_shift) & blue_mask;
+- color=(color*65535UL)/blue_mask;
++ if (blue_mask != 0)
++ color=(color*65535UL)/blue_mask;
+ q->blue=ScaleShortToQuantum((unsigned short) color);
+ q++;
+ }
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0021-Bail-out-early-in-case-of-malformed-dpx-file.patch imagemagick-6.6.0.4/debian/patches/0021-Bail-out-early-in-case-of-malformed-dpx-file.patch
--- imagemagick-6.6.0.4/debian/patches/0021-Bail-out-early-in-case-of-malformed-dpx-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0021-Bail-out-early-in-case-of-malformed-dpx-file.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,59 @@
+From 2710b53adc9805486e167689b1d9683d5bb41398 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Fri, 28 Nov 2014 14:26:06 +0000
+Subject: [PATCH] Bail out early in case of malformed dpx file
+
+Avoid a SEGV.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17112 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17112
+---
+ coders/dpx.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/coders/dpx.c b/coders/dpx.c
+index 90a1cba..9c08683 100644
+--- a/coders/dpx.c
++++ b/coders/dpx.c
+@@ -64,6 +64,11 @@
+ #include "magick/string-private.h"
+ �
+ /*
++ Define declaration.
++*/
++#define MaxNumberImageElements 8
++�
++/*
+ Typedef declaration.
+ */
+ typedef enum
+@@ -210,7 +215,7 @@ typedef struct _DPXImageInfo
+ lines_per_element;
+
+ DPXImageElement
+- image_element[8];
++ image_element[MaxNumberImageElements];
+
+ unsigned char
+ reserve[52];
+@@ -677,6 +682,8 @@ static Image *ReadDPXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ Read DPX image header.
+ */
+ dpx.image.orientation=ReadBlobShort(image);
++ if (dpx.image.orientation > 7)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ offset+=2;
+ if (dpx.image.orientation != (unsigned short) (~0U))
+ (void) FormatImageProperty(image,"dpx:image.orientation","%d",
+@@ -694,7 +701,7 @@ static Image *ReadDPXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ case 7: image->orientation=RightBottomOrientation; break;
+ }
+ dpx.image.number_elements=ReadBlobShort(image);
+- if (dpx.image.number_elements > 8)
++ if (dpx.image.number_elements > MaxNumberImageElements)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ offset+=2;
+ dpx.image.pixels_per_line=ReadBlobLong(image);
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0022-Avoid-SEGV-in-malformed-xwd-file.patch imagemagick-6.6.0.4/debian/patches/0022-Avoid-SEGV-in-malformed-xwd-file.patch
--- imagemagick-6.6.0.4/debian/patches/0022-Avoid-SEGV-in-malformed-xwd-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0022-Avoid-SEGV-in-malformed-xwd-file.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,170 @@
+From 94818b756b9f4672c15b6abd0a0bc452f60cdbcc Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Fri, 28 Nov 2014 15:01:26 +0000
+Subject: [PATCH] Avoid SEGV in malformed xwd file
+
+Check the malformed xwd file.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17114 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17114
+---
+ coders/xwd.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 70 insertions(+), 17 deletions(-)
+
+diff --git a/coders/xwd.c b/coders/xwd.c
+index 968ba5c..f5831e8 100644
+--- a/coders/xwd.c
++++ b/coders/xwd.c
+@@ -224,11 +224,8 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ Read in header information.
+ */
+ count=ReadBlob(image,sz_XWDheader,(unsigned char *) &header);
+- if (count == 0)
++ if (count != sz_XWDheader)
+ ThrowReaderException(CorruptImageError,"UnableToReadImageHeader");
+- image->columns=header.pixmap_width;
+- image->rows=header.pixmap_height;
+- image->depth=8;
+ /*
+ Ensure the header byte-order is most-significant byte first.
+ */
+@@ -242,6 +239,25 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ ThrowReaderException(CorruptImageError,"FileFormatVersionMismatch");
+ if (header.header_size < sz_XWDheader)
+ ThrowReaderException(CorruptImageError,"CorruptImage");
++ switch (header.visual_class) {
++ case StaticGray:
++ case GrayScale:
++ case StaticColor:
++ case PseudoColor:
++ case TrueColor:
++ case DirectColor:
++ break;
++ default:
++ ThrowReaderException(CorruptImageError,"CorruptImage");
++ }
++ switch (header.pixmap_format) {
++ case XYBitmap:
++ case XYPixmap:
++ case ZPixmap:
++ break;
++ default:
++ ThrowReaderException(CorruptImageError,"CorruptImage");
++ }
+ length=(size_t) header.header_size-sz_XWDheader;
+ comment=(char *) AcquireQuantumMemory(length+1,sizeof(*comment));
+ if (comment == (char *) NULL)
+@@ -273,16 +289,30 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ ximage->red_mask=header.red_mask;
+ ximage->green_mask=header.green_mask;
+ ximage->blue_mask=header.blue_mask;
+- if ((ximage->depth < 0) || (ximage->width < 0) || (ximage->height < 0) ||
+- (ximage->bitmap_pad < 0) || (ximage->bytes_per_line < 0))
+- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ if ((ximage->width < 0) || (ximage->height < 0) || (ximage->depth < 0) ||
++ (ximage->format < 0) || (ximage->byte_order < 0) ||
++ (ximage->bitmap_bit_order < 0) || (ximage->bitmap_pad < 0) ||
++ (ximage->bytes_per_line < 0))
++ {
++ ximage=(XImage *) RelinquishMagickMemory(ximage);
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ }
+ if ((ximage->width > 65535) || (ximage->height > 65535))
+- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ {
++ ximage=(XImage *) RelinquishMagickMemory(ximage);
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ }
+ if ((ximage->bits_per_pixel > 32) || (ximage->bitmap_unit > 32))
+- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ {
++ ximage=(XImage *) RelinquishMagickMemory(ximage);
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ }
+ x_status=XInitImage(ximage);
+ if (x_status == 0)
+- ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
++ {
++ ximage=(XImage *) RelinquishMagickMemory(ximage);
++ ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
++ }
+ /*
+ Read colormap.
+ */
+@@ -296,12 +326,18 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ length=(size_t) header.ncolors;
+ colors=(XColor *) AcquireQuantumMemory(length,sizeof(*colors));
+ if (colors == (XColor *) NULL)
+- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ {
++ ximage=(XImage *) RelinquishMagickMemory(ximage);
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ }
+ for (i=0; i < (long) header.ncolors; i++)
+ {
+ count=ReadBlob(image,sz_XWDColor,(unsigned char *) &color);
+ if (count == 0)
+- ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
++ {
++ ximage=(XImage *) RelinquishMagickMemory(ximage);
++ ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
++ }
+ colors[i].pixel=color.pixel;
+ colors[i].red=color.red;
+ colors[i].green=color.green;
+@@ -328,7 +364,10 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ */
+ length=(size_t) ximage->bytes_per_line*ximage->height;
+ if (CheckOverflowException(length,ximage->bytes_per_line,ximage->height))
+- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ {
++ ximage=(XImage *) RelinquishMagickMemory(ximage);
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ }
+ if (ximage->format != ZPixmap)
+ {
+ size_t
+@@ -337,14 +376,24 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ extent=length;
+ length*=ximage->depth;
+ if (CheckOverflowException(length,extent,ximage->depth))
+- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ {
++ ximage=(XImage *) RelinquishMagickMemory(ximage);
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ }
+ }
+ ximage->data=(char *) AcquireQuantumMemory(length,sizeof(*ximage->data));
+ if (ximage->data == (char *) NULL)
+- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ {
++ ximage=(XImage *) RelinquishMagickMemory(ximage);
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ }
+ count=ReadBlob(image,length,(unsigned char *) ximage->data);
+ if (count == 0)
+- ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
++ {
++ ximage->data=DestroyString(ximage->data);
++ ximage=(XImage *) RelinquishMagickMemory(ximage);
++ ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
++ }
+ /*
+ Convert image to MIFF format.
+ */
+@@ -460,7 +509,11 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ Convert X image to PseudoClass packets.
+ */
+ if (AcquireImageColormap(image,image->colors) == MagickFalse)
+- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ {
++ ximage->data=DestroyString(ximage->data);
++ ximage=(XImage *) RelinquishMagickMemory(ximage);
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ }
+ for (i=0; i < (long) image->colors; i++)
+ {
+ image->colormap[i].red=ScaleShortToQuantum(colors[i].red);
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0023-Avoid-a-NULL-dereference-in-ps-handling.patch imagemagick-6.6.0.4/debian/patches/0023-Avoid-a-NULL-dereference-in-ps-handling.patch
--- imagemagick-6.6.0.4/debian/patches/0023-Avoid-a-NULL-dereference-in-ps-handling.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0023-Avoid-a-NULL-dereference-in-ps-handling.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,40 @@
+From da74f731c2b666d87f5fc0f99d74853d23d617c7 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Fri, 28 Nov 2014 17:13:45 +0000
+Subject: [PATCH] Avoid a NULL dereference in ps handling
+
+GetStringInfoDatum(NULL) will likely crash. Avoid it.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17117 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17117
+---
+ coders/ps.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/coders/ps.c b/coders/ps.c
+index cc6c747..30fc3bb 100644
+--- a/coders/ps.c
++++ b/coders/ps.c
+@@ -555,11 +555,14 @@ static Image *ReadPSImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ continue;
+ length=extent;
+ profile=AcquireStringInfo(length);
+- p=GetStringInfoDatum(profile);
+- for (i=0; i < (long) length; i++)
+- *p++=(unsigned char) ProfileInteger(image,hex_digits);
+- (void) SetImageProfile(image,"8bim",profile);
+- profile=DestroyStringInfo(profile);
++ if (profile != (StringInfo *) NULL)
++ {
++ p=GetStringInfoDatum(profile);
++ for (i=0; i < (long) length; i++)
++ *p++=(unsigned char) ProfileInteger(image,hex_digits);
++ (void) SetImageProfile(image,"8bim",profile);
++ profile=DestroyStringInfo(profile);
++ }
+ continue;
+ }
+ if (LocaleNCompare(BeginXMPPacket,command,strlen(BeginXMPPacket)) == 0)
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0024-Avoid-out-of-bound-access-in-xwd-file-handling.patch imagemagick-6.6.0.4/debian/patches/0024-Avoid-out-of-bound-access-in-xwd-file-handling.patch
--- imagemagick-6.6.0.4/debian/patches/0024-Avoid-out-of-bound-access-in-xwd-file-handling.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0024-Avoid-out-of-bound-access-in-xwd-file-handling.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,36 @@
+From 59218b9086f5736cbfa66fb4afb2ae4b4f92c292 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Fri, 28 Nov 2014 17:21:53 +0000
+Subject: [PATCH] Avoid out of bound access in xwd file handling
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17119 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17119
+---
+ coders/xwd.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/coders/xwd.c b/coders/xwd.c
+index f5831e8..097e979 100644
+--- a/coders/xwd.c
++++ b/coders/xwd.c
+@@ -459,11 +459,14 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ pixel=XGetPixel(ximage,(int) x,(int) y);
+ index=(IndexPacket) ((pixel >> red_shift) & red_mask);
+- q->red=ScaleShortToQuantum(colors[(long) index].red);
++ if (index < header.ncolors)
++ q->red=ScaleShortToQuantum(colors[(long) index].red);
+ index=(IndexPacket) ((pixel >> green_shift) & green_mask);
+- q->green=ScaleShortToQuantum(colors[(long) index].green);
++ if (index < header.ncolors)
++ q->green=ScaleShortToQuantum(colors[(long) index].green);
+ index=(IndexPacket) ((pixel >> blue_shift) & blue_mask);
+- q->blue=ScaleShortToQuantum(colors[(long) index].blue);
++ if (index < header.ncolors)
++ q->blue=ScaleShortToQuantum(colors[(long) index].blue);
+ q++;
+ }
+ if (SyncAuthenticPixels(image,exception) == MagickFalse)
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0025-Fix-a-SEGV-with-corrupted-viff-image.patch imagemagick-6.6.0.4/debian/patches/0025-Fix-a-SEGV-with-corrupted-viff-image.patch
--- imagemagick-6.6.0.4/debian/patches/0025-Fix-a-SEGV-with-corrupted-viff-image.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0025-Fix-a-SEGV-with-corrupted-viff-image.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,89 @@
+From 77a6c395e24d1a6670b0002a1c8dab272237eeae Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Fri, 28 Nov 2014 14:15:53 +0000
+Subject: [PATCH] Fix a SEGV with corrupted viff image
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17110 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17110
+---
+ coders/viff.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/coders/viff.c b/coders/viff.c
+index a0db6d9..c797928 100644
+--- a/coders/viff.c
++++ b/coders/viff.c
+@@ -241,7 +241,6 @@ static Image *ReadVIFFImage(const ImageInfo *image_info,
+ count;
+
+ unsigned char
+- buffer[7],
+ *viff_pixels;
+
+ unsigned long
+@@ -284,11 +283,12 @@ static Image *ReadVIFFImage(const ImageInfo *image_info,
+ /*
+ Initialize VIFF image.
+ */
+- count=ReadBlob(image,7,buffer);
+- viff_info.file_type=buffer[0];
+- viff_info.release=buffer[1];
+- viff_info.version=buffer[2];
+- viff_info.machine_dependency=buffer[3];
++ (void) ReadBlob(image,sizeof(viff_info.file_type),&viff_info.file_type);
++ (void) ReadBlob(image,sizeof(viff_info.release),&viff_info.release);
++ (void) ReadBlob(image,sizeof(viff_info.version),&viff_info.version);
++ (void) ReadBlob(image,sizeof(viff_info.machine_dependency),
++ &viff_info.machine_dependency);
++ (void) ReadBlob(image,sizeof(viff_info.reserve),viff_info.reserve);
+ count=ReadBlob(image,512,(unsigned char *) viff_info.comment);
+ viff_info.comment[511]='\0';
+ if (strlen(viff_info.comment) > 4)
+@@ -940,7 +940,6 @@ static MagickBooleanType WriteVIFFImage(const ImageInfo *image_info,
+ *q;
+
+ unsigned char
+- buffer[8],
+ *viff_pixels;
+
+ ViffInfo
+@@ -1002,7 +1001,7 @@ static MagickBooleanType WriteVIFFImage(const ImageInfo *image_info,
+ /*
+ Full color VIFF raster.
+ */
+- viff_info.number_data_bands=image->matte ? 4UL : 3UL;
++ viff_info.number_data_bands=image->matte ? 4U : 3U;
+ viff_info.color_space_model=VFF_CM_genericRGB;
+ viff_info.data_storage_type=VFF_TYP_1_BYTE;
+ packets=viff_info.number_data_bands*number_pixels;
+@@ -1036,15 +1035,18 @@ static MagickBooleanType WriteVIFFImage(const ImageInfo *image_info,
+ /*
+ Write VIFF image header (pad to 1024 bytes).
+ */
+- buffer[0]=(unsigned char) viff_info.identifier;
+- buffer[1]=(unsigned char) viff_info.file_type;
+- buffer[2]=(unsigned char) viff_info.release;
+- buffer[3]=(unsigned char) viff_info.version;
+- buffer[4]=(unsigned char) viff_info.machine_dependency;
+- buffer[5]=(unsigned char) viff_info.reserve[0];
+- buffer[6]=(unsigned char) viff_info.reserve[1];
+- buffer[7]=(unsigned char) viff_info.reserve[2];
+- (void) WriteBlob(image,8,buffer);
++ (void) WriteBlob(image,sizeof(viff_info.identifier),(unsigned char *)
++ &viff_info.identifier);
++ (void) WriteBlob(image,sizeof(viff_info.file_type),(unsigned char *)
++ &viff_info.file_type);
++ (void) WriteBlob(image,sizeof(viff_info.release),(unsigned char *)
++ &viff_info.release);
++ (void) WriteBlob(image,sizeof(viff_info.version),(unsigned char *)
++ &viff_info.version);
++ (void) WriteBlob(image,sizeof(viff_info.machine_dependency),
++ (unsigned char *) &viff_info.machine_dependency);
++ (void) WriteBlob(image,sizeof(viff_info.reserve),(unsigned char *)
++ viff_info.reserve);
+ (void) WriteBlob(image,512,(unsigned char *) viff_info.comment);
+ (void) WriteBlobMSBLong(image,viff_info.rows);
+ (void) WriteBlobMSBLong(image,viff_info.columns);
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0026-Fix-a-null-pointer-dereference-in-wpg-file-handling.patch imagemagick-6.6.0.4/debian/patches/0026-Fix-a-null-pointer-dereference-in-wpg-file-handling.patch
--- imagemagick-6.6.0.4/debian/patches/0026-Fix-a-null-pointer-dereference-in-wpg-file-handling.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0026-Fix-a-null-pointer-dereference-in-wpg-file-handling.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,151 @@
+From e8e2c2945ca74c51827196d4d647d9baca2cf89c Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Fri, 28 Nov 2014 23:49:14 +0000
+Subject: [PATCH] Fix a null pointer dereference in wpg file handling
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17126 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17126
+---
+ coders/wpg.c | 92 ++++++++++++++++++++++++++++++++++++++----------------------
+ 1 file changed, 58 insertions(+), 34 deletions(-)
+
+diff --git a/coders/wpg.c b/coders/wpg.c
+index f98ddb0..cf09a44 100644
+--- a/coders/wpg.c
++++ b/coders/wpg.c
+@@ -899,8 +899,7 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+ } WPGPSl1Record;
+
+ Image
+- *image,
+- *rotated_image;
++ *image;
+
+ unsigned int
+ status;
+@@ -1126,31 +1125,47 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+ /* flop command */
+ if(BitmapHeader2.RotAngle & 0x8000)
+ {
+- rotated_image = FlopImage(image, exception);
+- rotated_image->blob = image->blob;
+- DuplicateBlob(rotated_image,image);
+- (void) RemoveLastImageFromList(&image);
+- AppendImageToList(&image,rotated_image);
++ Image
++ *flop_image;
++
++ flop_image = FlopImage(image, exception);
++ if (flop_image != (Image *) NULL) {
++ flop_image->blob = image->blob;
++ DuplicateBlob(flop_image,image);
++ (void) RemoveLastImageFromList(&image);
++ AppendImageToList(&image,flop_image);
++ }
+ }
+ /* flip command */
+ if(BitmapHeader2.RotAngle & 0x2000)
+ {
+- rotated_image = FlipImage(image, exception);
+- rotated_image->blob = image->blob;
+- DuplicateBlob(rotated_image,image);
+- (void) RemoveLastImageFromList(&image);
+- AppendImageToList(&image,rotated_image);
++ Image
++ *flip_image;
++
++ flip_image = FlipImage(image, exception);
++ if (flip_image != (Image *) NULL) {
++ flip_image->blob = image->blob;
++ DuplicateBlob(flip_image,image);
++ (void) RemoveLastImageFromList(&image);
++ AppendImageToList(&image,flip_image);
++ }
+ }
+
+ /* rotate command */
+ if(BitmapHeader2.RotAngle & 0x0FFF)
+ {
+- rotated_image = RotateImage(image, (BitmapHeader2.RotAngle & 0x0FFF), exception);
+- rotated_image->blob = image->blob;
+- DuplicateBlob(rotated_image,image);
+- (void) RemoveLastImageFromList(&image);
+- AppendImageToList(&image,rotated_image);
+- }
++ Image
++ *rotate_image;
++
++ rotate_image=RotateImage(image,(BitmapHeader2.RotAngle &
++ 0x0FFF), exception);
++ if (rotate_image != (Image *) NULL) {
++ rotate_image->blob = image->blob;
++ DuplicateBlob(rotate_image,image);
++ (void) RemoveLastImageFromList(&image);
++ AppendImageToList(&image,rotate_image);
++ }
++ }
+ }
+
+ /* Allocate next image structure. */
+@@ -1298,33 +1313,42 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+ }
+
+ if(CTM[0][0]<0 && !image_info->ping)
+- { /*?? RotAngle=360-RotAngle;*/
+- rotated_image = FlopImage(image, exception);
+- rotated_image->blob = image->blob;
+- DuplicateBlob(rotated_image,image);
+- (void) RemoveLastImageFromList(&image);
+- AppendImageToList(&image,rotated_image);
+- /* Try to change CTM according to Flip - I am not sure, must be checked.
++ { /*?? RotAngle=360-RotAngle;*/
++ Image
++ *flop_image;
++
++ flop_image = FlopImage(image, exception);
++ if (flop_image != (Image *) NULL) {
++ flop_image->blob = image->blob;
++ DuplicateBlob(flop_image,image);
++ (void) RemoveLastImageFromList(&image);
++ AppendImageToList(&image,flop_image);
++ }
++ /* Try to change CTM according to Flip - I am not sure, must be checked.
+ Tx(0,0)=-1; Tx(1,0)=0; Tx(2,0)=0;
+ Tx(0,1)= 0; Tx(1,1)=1; Tx(2,1)=0;
+ Tx(0,2)=(WPG._2Rect.X_ur+WPG._2Rect.X_ll);
+ Tx(1,2)=0; Tx(2,2)=1; */
+ }
+ if(CTM[1][1]<0 && !image_info->ping)
+- { /*?? RotAngle=360-RotAngle;*/
+- rotated_image = FlipImage(image, exception);
+- rotated_image->blob = image->blob;
+- DuplicateBlob(rotated_image,image);
+- (void) RemoveLastImageFromList(&image);
+- AppendImageToList(&image,rotated_image);
++ { /*?? RotAngle=360-RotAngle;*/
++ Image
++ *flip_image;
++
++ flip_image = FlipImage(image, exception);
++ if (flip_image != (Image *) NULL) {
++ flip_image->blob = image->blob;
++ DuplicateBlob(flip_image,image);
++ (void) RemoveLastImageFromList(&image);
++ AppendImageToList(&image,flip_image);
++ }
+ /* Try to change CTM according to Flip - I am not sure, must be checked.
+ float_matrix Tx(3,3);
+ Tx(0,0)= 1; Tx(1,0)= 0; Tx(2,0)=0;
+ Tx(0,1)= 0; Tx(1,1)=-1; Tx(2,1)=0;
+ Tx(0,2)= 0; Tx(1,2)=(WPG._2Rect.Y_ur+WPG._2Rect.Y_ll);
+- Tx(2,2)=1; */
+- }
+-
++ Tx(2,2)=1; */
++ }
+
+ /* Allocate next image structure. */
+ AcquireNextImage(image_info,image);
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0027-Do-not-continue-on-corrupted-wpg-file.patch imagemagick-6.6.0.4/debian/patches/0027-Do-not-continue-on-corrupted-wpg-file.patch
--- imagemagick-6.6.0.4/debian/patches/0027-Do-not-continue-on-corrupted-wpg-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0027-Do-not-continue-on-corrupted-wpg-file.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,145 @@
+From 758abf4a59cdc9b5f9e735a5f4b866b05403b67b Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sat, 29 Nov 2014 00:47:19 +0000
+Subject: [PATCH] Do not continue on corrupted wpg file
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17127 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17127
+---
+ coders/wpg.c | 29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/coders/wpg.c b/coders/wpg.c
+index cf09a44..37cb2a1 100644
+--- a/coders/wpg.c
++++ b/coders/wpg.c
+@@ -858,7 +858,7 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+ typedef struct
+ {
+ unsigned int Width;
+- unsigned int Heigth;
++ unsigned int Height;
+ unsigned int Depth;
+ unsigned int HorzRes;
+ unsigned int VertRes;
+@@ -867,7 +867,7 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+ typedef struct
+ {
+ unsigned int Width;
+- unsigned int Heigth;
++ unsigned int Height;
+ unsigned char Depth;
+ unsigned char Compression;
+ } WPG2BitmapType1;
+@@ -880,7 +880,7 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+ unsigned int UpRightX;
+ unsigned int UpRightY;
+ unsigned int Width;
+- unsigned int Heigth;
++ unsigned int Height;
+ unsigned int Depth;
+ unsigned int HorzRes;
+ unsigned int VertRes;
+@@ -1000,7 +1000,9 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+ {
+ case 0x0B: /* bitmap type 1 */
+ BitmapHeader1.Width=ReadBlobLSBShort(image);
+- BitmapHeader1.Heigth=ReadBlobLSBShort(image);
++ BitmapHeader1.Height=ReadBlobLSBShort(image);
++ if ((BitmapHeader1.Width == 0) || (BitmapHeader1.Height == 0))
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ BitmapHeader1.Depth=ReadBlobLSBShort(image);
+ BitmapHeader1.HorzRes=ReadBlobLSBShort(image);
+ BitmapHeader1.VertRes=ReadBlobLSBShort(image);
+@@ -1012,7 +1014,7 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+ image->y_resolution=BitmapHeader1.VertRes/470.0;
+ }
+ image->columns=BitmapHeader1.Width;
+- image->rows=BitmapHeader1.Heigth;
++ image->rows=BitmapHeader1.Height;
+ bpp=BitmapHeader1.Depth;
+
+ goto UnpackRaster;
+@@ -1050,7 +1052,9 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+ BitmapHeader2.UpRightX=ReadBlobLSBShort(image);
+ BitmapHeader2.UpRightY=ReadBlobLSBShort(image);
+ BitmapHeader2.Width=ReadBlobLSBShort(image);
+- BitmapHeader2.Heigth=ReadBlobLSBShort(image);
++ BitmapHeader2.Height=ReadBlobLSBShort(image);
++ if ((BitmapHeader2.Width == 0) || (BitmapHeader2.Height == 0))
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ BitmapHeader2.Depth=ReadBlobLSBShort(image);
+ BitmapHeader2.HorzRes=ReadBlobLSBShort(image);
+ BitmapHeader2.VertRes=ReadBlobLSBShort(image);
+@@ -1068,7 +1072,7 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+ image->y_resolution=BitmapHeader2.VertRes/470.0;
+ }
+ image->columns=BitmapHeader2.Width;
+- image->rows=BitmapHeader2.Heigth;
++ image->rows=BitmapHeader2.Height;
+ bpp=BitmapHeader2.Depth;
+
+ UnpackRaster:
+@@ -1130,7 +1134,6 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+
+ flop_image = FlopImage(image, exception);
+ if (flop_image != (Image *) NULL) {
+- flop_image->blob = image->blob;
+ DuplicateBlob(flop_image,image);
+ (void) RemoveLastImageFromList(&image);
+ AppendImageToList(&image,flop_image);
+@@ -1144,7 +1147,6 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+
+ flip_image = FlipImage(image, exception);
+ if (flip_image != (Image *) NULL) {
+- flip_image->blob = image->blob;
+ DuplicateBlob(flip_image,image);
+ (void) RemoveLastImageFromList(&image);
+ AppendImageToList(&image,flip_image);
+@@ -1160,7 +1162,6 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+ rotate_image=RotateImage(image,(BitmapHeader2.RotAngle &
+ 0x0FFF), exception);
+ if (rotate_image != (Image *) NULL) {
+- rotate_image->blob = image->blob;
+ DuplicateBlob(rotate_image,image);
+ (void) RemoveLastImageFromList(&image);
+ AppendImageToList(&image,rotate_image);
+@@ -1239,7 +1240,9 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+ break;
+ case 0x0E:
+ Bitmap2Header1.Width=ReadBlobLSBShort(image);
+- Bitmap2Header1.Heigth=ReadBlobLSBShort(image);
++ Bitmap2Header1.Height=ReadBlobLSBShort(image);
++ if ((Bitmap2Header1.Width == 0) || (Bitmap2Header1.Height == 0))
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ Bitmap2Header1.Depth=ReadBlobByte(image);
+ Bitmap2Header1.Compression=ReadBlobByte(image);
+
+@@ -1266,7 +1269,7 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+ continue; /*Ignore raster with unknown depth*/
+ }
+ image->columns=Bitmap2Header1.Width;
+- image->rows=Bitmap2Header1.Heigth;
++ image->rows=Bitmap2Header1.Height;
+
+ if ((image->colors == 0) && (bpp != 24))
+ {
+@@ -1319,7 +1322,6 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+
+ flop_image = FlopImage(image, exception);
+ if (flop_image != (Image *) NULL) {
+- flop_image->blob = image->blob;
+ DuplicateBlob(flop_image,image);
+ (void) RemoveLastImageFromList(&image);
+ AppendImageToList(&image,flop_image);
+@@ -1337,7 +1339,6 @@ static Image *ReadWPGImage(const ImageInfo *image_info,
+
+ flip_image = FlipImage(image, exception);
+ if (flip_image != (Image *) NULL) {
+- flip_image->blob = image->blob;
+ DuplicateBlob(flip_image,image);
+ (void) RemoveLastImageFromList(&image);
+ AppendImageToList(&image,flip_image);
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0028-Avoid-a-out-of-bound-acess-in-viff-image.patch imagemagick-6.6.0.4/debian/patches/0028-Avoid-a-out-of-bound-acess-in-viff-image.patch
--- imagemagick-6.6.0.4/debian/patches/0028-Avoid-a-out-of-bound-acess-in-viff-image.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0028-Avoid-a-out-of-bound-acess-in-viff-image.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,74 @@
+From 135cefc6b386a746c3063aa8369592e5161fb086 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sat, 29 Nov 2014 15:28:37 +0000
+Subject: [PATCH] Avoid a out of bound acess in viff image
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17131 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17131
+---
+ coders/viff.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/coders/viff.c b/coders/viff.c
+index c797928..cf53e9e 100644
+--- a/coders/viff.c
++++ b/coders/viff.c
+@@ -45,6 +45,9 @@
+ #include "magick/cache.h"
+ #include "magick/color.h"
+ #include "magick/color-private.h"
++
++#include "magick/colormap.h"
++#include "magick/colormap-private.h"
+ #include "magick/colorspace.h"
+ #include "magick/exception.h"
+ #include "magick/exception-private.h"
+@@ -464,18 +467,18 @@ static Image *ReadVIFFImage(const ImageInfo *image_info,
+ if (i < (long) image->colors)
+ {
+ image->colormap[i].red=ScaleCharToQuantum((unsigned char) value);
+- image->colormap[i].green=
+- ScaleCharToQuantum((unsigned char) value);
++ image->colormap[i].green=ScaleCharToQuantum((unsigned char)
++ value);
+ image->colormap[i].blue=ScaleCharToQuantum((unsigned char) value);
+ }
+ else
+- if (i < (long) (2*image->colors))
+- image->colormap[i % image->colors].green=
+- ScaleCharToQuantum((unsigned char) value);
++ if (i < (ssize_t) (2*image->colors))
++ image->colormap[i % image->colors].green=ScaleCharToQuantum(
++ (unsigned char) value);
+ else
+- if (i < (long) (3*image->colors))
+- image->colormap[i % image->colors].blue=
+- ScaleCharToQuantum((unsigned char) value);
++ if (i < (ssize_t) (3*image->colors))
++ image->colormap[i % image->colors].blue=ScaleCharToQuantum(
++ (unsigned char) value);
+ }
+ viff_colormap=(unsigned char *) RelinquishMagickMemory(viff_colormap);
+ break;
+@@ -693,11 +696,14 @@ static Image *ReadVIFFImage(const ImageInfo *image_info,
+ q->blue=ScaleCharToQuantum(*(p+2*number_pixels));
+ if (image->colors != 0)
+ {
+- q->red=image->colormap[(long) q->red].red;
+- q->green=image->colormap[(long) q->green].green;
+- q->blue=image->colormap[(long) q->blue].blue;
++ q->red=image->colormap[
++ ConstrainColormapIndex(image,q->red)].red;
++ q->green=image->colormap[
++ ConstrainColormapIndex(image,q->green)].green;
++ q->blue=image->colormap[
++ ConstrainColormapIndex(image,q->blue)].blue;
+ }
+- q->opacity=(Quantum) (image->matte ? QuantumRange-
++ q->opacity=(Quantum) (image->matte ? QuantumRange-
+ ScaleCharToQuantum(*(p+number_pixels*3)) : OpaqueOpacity);
+ p++;
+ q++;
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0029-Avoid-a-heap-buffer-overflow-in-pdb-file-handling.patch imagemagick-6.6.0.4/debian/patches/0029-Avoid-a-heap-buffer-overflow-in-pdb-file-handling.patch
--- imagemagick-6.6.0.4/debian/patches/0029-Avoid-a-heap-buffer-overflow-in-pdb-file-handling.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0029-Avoid-a-heap-buffer-overflow-in-pdb-file-handling.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,51 @@
+From c0909ea745d7bf296bf6d3ffa12e1b9b0bcac577 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sat, 29 Nov 2014 17:16:15 +0000
+Subject: [PATCH] Avoid a heap buffer overflow in pdb file handling
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17132 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17132
+---
+ coders/pdb.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/coders/pdb.c b/coders/pdb.c
+index 1ef9d6b..19e63bb 100644
+--- a/coders/pdb.c
++++ b/coders/pdb.c
+@@ -396,13 +396,12 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
+- packets=bits_per_pixel*image->columns/8;
++ packets=(bits_per_pixel*image->columns+7)/8;
+ pixels=(unsigned char *) AcquireQuantumMemory(packets+256UL,image->rows*
+ sizeof(*pixels));
+ if (pixels == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+-
+- switch (pdb_image.version & 7) /* TS */
++ switch (pdb_image.version & 0x07)
+ {
+ case 0:
+ {
+@@ -523,7 +522,6 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ default:
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
+-
+ pixels=(unsigned char *) RelinquishMagickMemory(pixels);
+ if (EOFBlob(image) != MagickFalse)
+ ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile",
+@@ -799,7 +797,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
+ if (image->columns % 16)
+ pdb_image.width=(short) (16*(image->columns/16+1));
+ pdb_image.height=(short) image->rows;
+- packets=(bits_per_pixel*image->columns/8+4)*image->rows;
++ packets=((bits_per_pixel*image->columns+7)/8)*image->rows;
+ runlength=(unsigned char *) AcquireQuantumMemory(2UL*packets,
+ sizeof(*runlength));
+ if (runlength == (unsigned char *) NULL)
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0030-Avoid-an-out-of-bound-acess-on-malformed-sun-file.patch imagemagick-6.6.0.4/debian/patches/0030-Avoid-an-out-of-bound-acess-on-malformed-sun-file.patch
--- imagemagick-6.6.0.4/debian/patches/0030-Avoid-an-out-of-bound-acess-on-malformed-sun-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0030-Avoid-an-out-of-bound-acess-on-malformed-sun-file.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,93 @@
+From 6940c6c265e0f359e2a961ad3bc4fbb6084fabea Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sun, 30 Nov 2014 15:59:47 +0000
+Subject: [PATCH] Avoid an out of bound acess on malformed sun file
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17137 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17137
+---
+ coders/sun.c | 28 ++++++++++++++++++++++------
+ 1 file changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/coders/sun.c b/coders/sun.c
+index 086141d..8be4af8 100644
+--- a/coders/sun.c
++++ b/coders/sun.c
+@@ -307,10 +307,18 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ sun_info.type=ReadBlobMSBLong(image);
+ sun_info.maptype=ReadBlobMSBLong(image);
+ sun_info.maplength=ReadBlobMSBLong(image);
+- image->columns=sun_info.width;
+- image->rows=sun_info.height;
++ if ((sun_info.type != RT_STANDARD) && (sun_info.type != RT_ENCODED) &&
++ (sun_info.type != RT_FORMAT_RGB))
++ ThrowReaderException(CoderError,"ImproperImageHeader");
++ if ((sun_info.maptype == RMT_NONE) && (sun_info.maplength != 0))
++ ThrowReaderException(CoderError,"ImproperImageHeader");
+ if ((sun_info.depth == 0) || (sun_info.depth > 32))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ if ((sun_info.maptype != RMT_NONE) && (sun_info.maptype != RMT_EQUAL_RGB) &&
++ (sun_info.maptype != RMT_RAW))
++ ThrowReaderException(CoderError,"ColormapTypeNotSupported");
++ image->columns=sun_info.width;
++ image->rows=sun_info.height;
+ image->depth=sun_info.depth <= 8 ? sun_info.depth :
+ MAGICKCORE_QUANTUM_DEPTH;
+ if (sun_info.depth < 24)
+@@ -351,12 +359,18 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (sun_colormap == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ count=ReadBlob(image,image->colors,sun_colormap);
++ if (count != (ssize_t) image->colors)
++ ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
+ for (i=0; i < (long) image->colors; i++)
+ image->colormap[i].red=ScaleCharToQuantum(sun_colormap[i]);
+ count=ReadBlob(image,image->colors,sun_colormap);
++ if (count != (ssize_t) image->colors)
++ ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
+ for (i=0; i < (long) image->colors; i++)
+ image->colormap[i].green=ScaleCharToQuantum(sun_colormap[i]);
+ count=ReadBlob(image,image->colors,sun_colormap);
++ if (count != (ssize_t) image->colors)
++ ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
+ for (i=0; i < (long) image->colors; i++)
+ image->colormap[i].blue=ScaleCharToQuantum(sun_colormap[i]);
+ sun_colormap=(unsigned char *) RelinquishMagickMemory(sun_colormap);
+@@ -375,11 +389,13 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (sun_colormap == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ count=ReadBlob(image,sun_info.maplength,sun_colormap);
++ if (count != (ssize_t) sun_info.maplength)
++ ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
+ sun_colormap=(unsigned char *) RelinquishMagickMemory(sun_colormap);
+ break;
+ }
+ default:
+- ThrowReaderException(CoderError,"ColormapTypeNotSupported");
++ break;
+ }
+ image->matte=sun_info.depth == 32 ? MagickTrue : MagickFalse;
+ image->columns=sun_info.width;
+@@ -401,7 +417,7 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (sun_data == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ count=(ssize_t) ReadBlob(image,sun_info.length,sun_data);
+- if ((count == 0) && (sun_info.type != RT_ENCODED))
++ if (count != (ssize_t) sun_info.length)
+ ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+ sun_pixels=sun_data;
+ bytes_per_line=0;
+@@ -427,8 +443,8 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ bytes_per_line*sizeof(*sun_pixels));
+ if (sun_pixels == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+- (void) DecodeImage(sun_data,sun_info.length,sun_pixels,
+- bytes_per_line*height);
++ (void) DecodeImage(sun_data,sun_info.length,sun_pixels,bytes_per_line*
++ height);
+ sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+ }
+ /*
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0031-Prepare-security-fix.patch imagemagick-6.6.0.4/debian/patches/0031-Prepare-security-fix.patch
--- imagemagick-6.6.0.4/debian/patches/0031-Prepare-security-fix.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0031-Prepare-security-fix.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,169 @@
+From aa7d807fbd2a376c006888288183e843aee306c6 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Fri, 24 May 2013 15:52:52 +0000
+Subject: [PATCH] Prepare security fix
+
+This is a least concern bug from a security point of view. It avoid to loop over comment in pnm file.
+
+However next patch need it in order to apply and it is safer to get it.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@12347 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/12347
+---
+ coders/pnm.c | 97 ++++++++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 55 insertions(+), 42 deletions(-)
+
+diff --git a/coders/pnm.c b/coders/pnm.c
+index cd83c2f..2289cdc 100644
+--- a/coders/pnm.c
++++ b/coders/pnm.c
+@@ -146,67 +146,70 @@ static inline long ConstrainPixel(Image *image,const long offset,
+ return(offset);
+ }
+
+-static unsigned long PNMInteger(Image *image,const unsigned int base)
+-{
+- char
+- *comment;
+
++static void PNMComment(Image *image)
++{
+ int
+ c;
+
++ char
++ *comment;
++
+ register char
+ *p;
+
+ size_t
+ extent;
+
+- unsigned long
++ /*
++ Read comment.
++ */
++ comment=AcquireString(GetImageProperty(image,"comment"));
++ extent=strlen(comment);
++ p=comment+strlen(comment);
++ for (c='#'; (c != EOF) && (c != (int) '\n'); p++)
++ {
++ if ((size_t) (p-comment+1) >= extent)
++ {
++ extent<<=1;
++ comment=(char *) ResizeQuantumMemory(comment,extent+MaxTextExtent,
++ sizeof(*comment));
++ if (comment == (char *) NULL)
++ break;
++ p=comment+strlen(comment);
++ }
++ c=ReadBlobByte(image);
++ if (c != EOF)
++ {
++ *p=(char) c;
++ *(p+1)='\0';
++ }
++ }
++ if (comment == (char *) NULL)
++ return;
++ (void) SetImageProperty(image,"comment",comment);
++ comment=DestroyString(comment);
++}
++
++static size_t PNMInteger(Image *image,const unsigned int base)
++{
++ int
++ c;
++
++ size_t
+ value;
+
+ /*
+ Skip any leading whitespace.
+ */
+- extent=MaxTextExtent;
+- comment=(char *) NULL;
+- p=comment;
+ do
+ {
+ c=ReadBlobByte(image);
+ if (c == EOF)
+ return(0);
+ if (c == (int) '#')
+- {
+- /*
+- Read comment.
+- */
+- if (comment == (char *) NULL)
+- comment=AcquireString((char *) NULL);
+- p=comment+strlen(comment);
+- for ( ; (c != EOF) && (c != (int) '\n'); p++)
+- {
+- if ((size_t) (p-comment+1) >= extent)
+- {
+- extent<<=1;
+- comment=(char *) ResizeQuantumMemory(comment,extent+MaxTextExtent,
+- sizeof(*comment));
+- if (comment == (char *) NULL)
+- break;
+- p=comment+strlen(comment);
+- }
+- c=ReadBlobByte(image);
+- *p=(char) c;
+- *(p+1)='\0';
+- }
+- if (comment == (char *) NULL)
+- return(0);
+- continue;
+- }
++ PNMComment(image);
+ } while (isdigit(c) == MagickFalse);
+- if (comment != (char *) NULL)
+- {
+- (void) SetImageProperty(image,"comment",comment);
+- comment=DestroyString(comment);
+- }
+ if (base == 2)
+ return((unsigned long) (c-(int) '0'));
+ /*
+@@ -342,6 +345,16 @@ static Image *ReadPNMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ while (isspace((int) ((unsigned char) c)) != 0)
+ c=ReadBlobByte(image);
++ if (c == '#')
++ {
++ /*
++ Comment.
++ */
++ PNMComment(image);
++ c=ReadBlobByte(image);
++ while (isspace((int) ((unsigned char) c)) != 0)
++ c=ReadBlobByte(image);
++ }
+ p=keyword;
+ do
+ {
+@@ -1195,6 +1208,8 @@ static Image *ReadPNMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ /*
+ Convert PFM raster image to pixel packets.
+ */
++ if (format == 'f')
++ (void) SetImageColorspace(image,GRAYColorspace);
+ quantum_type=format == 'f' ? GrayQuantum : RGBQuantum;
+ image->endian=quantum_scale < 0.0 ? LSBEndian : MSBEndian;
+ image->depth=32;
+@@ -1584,9 +1599,7 @@ static MagickBooleanType WritePNMImage(const ImageInfo *image_info,Image *image)
+ for (p=value; *p != '\0'; p++)
+ {
+ (void) WriteBlobByte(image,(unsigned char) *p);
+- if ((*p == '\r') && (*(p+1) != '\0'))
+- (void) WriteBlobByte(image,'#');
+- if ((*p == '\n') && (*(p+1) != '\0'))
++ if ((*p == '\n') || (*p == '\r'))
+ (void) WriteBlobByte(image,'#');
+ }
+ (void) WriteBlobByte(image,'\n');
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0032-Avoid-heap-overflow-in-palm-pnm-and-xpm-files.patch imagemagick-6.6.0.4/debian/patches/0032-Avoid-heap-overflow-in-palm-pnm-and-xpm-files.patch
--- imagemagick-6.6.0.4/debian/patches/0032-Avoid-heap-overflow-in-palm-pnm-and-xpm-files.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0032-Avoid-heap-overflow-in-palm-pnm-and-xpm-files.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,223 @@
+From 6c18fa71bc004235219f6f8d6ef28f0abf924546 Mon Sep 17 00:00:00 2001
+From: Vincent <vincent.fourmond@9online.fr>
+Date: Sat, 16 May 2015 01:37:59 +0200
+Subject: [PATCH] Avoid heap overflow in palm, pnm and xpm files
+
+Commit backported from christy's commit
+---
+ coders/palm.c | 48 ++++++++++++++++++++++++------------------------
+ coders/pnm.c | 2 +-
+ coders/xpm.c | 49 +++++++++++++++++++++++++++----------------------
+ 3 files changed, 52 insertions(+), 47 deletions(-)
+
+diff --git a/coders/palm.c b/coders/palm.c
+index b77af07..f006bd6 100644
+--- a/coders/palm.c
++++ b/coders/palm.c
+@@ -186,7 +186,7 @@ static MagickBooleanType
+ % o pixel: a pointer to the PixelPacket to be matched.
+ %
+ */
+-static int FindColor(PixelPacket *pixel)
++static ssize_t FindColor(PixelPacket *pixel)
+ {
+ register long
+ i;
+@@ -369,26 +369,26 @@ static Image *ReadPALMImage(const ImageInfo *image_info,
+ for (i=0; i < (long) count; i++)
+ {
+ ReadBlobByte(image);
+- index=ConstrainColormapIndex(image,255-i);
+- image->colormap[(int) index].red=
+- ScaleCharToQuantum((unsigned char) ReadBlobByte(image));
+- image->colormap[(int) index].green=
+- ScaleCharToQuantum((unsigned char) ReadBlobByte(image));
+- image->colormap[(int) index].blue=
+- ScaleCharToQuantum((unsigned char) ReadBlobByte(image));
++ index=ConstrainColormapIndex(image,(size_t) (255-i));
++ image->colormap[(int) index].red=ScaleCharToQuantum(
++ (unsigned char) ReadBlobByte(image));
++ image->colormap[(int) index].green=ScaleCharToQuantum(
++ (unsigned char) ReadBlobByte(image));
++ image->colormap[(int) index].blue=ScaleCharToQuantum(
++ (unsigned char) ReadBlobByte(image));
+ }
+ }
+ else
+ {
+ for (i=0; i < (long) (1L << bits_per_pixel); i++)
+ {
+- index=ConstrainColormapIndex(image,255-i);
+- image->colormap[(int) index].red=
+- ScaleCharToQuantum(PalmPalette[i][0]);
+- image->colormap[(int) index].green=
+- ScaleCharToQuantum(PalmPalette[i][1]);
+- image->colormap[(int) index].blue=
+- ScaleCharToQuantum(PalmPalette[i][2]);
++ index=ConstrainColormapIndex(image,(size_t) (255-i));
++ image->colormap[(int) index].red=ScaleCharToQuantum(
++ PalmPalette[i][0]);
++ image->colormap[(int) index].green=ScaleCharToQuantum(
++ PalmPalette[i][1]);
++ image->colormap[(int) index].blue=ScaleCharToQuantum(
++ PalmPalette[i][2]);
+ }
+ }
+ }
+@@ -400,14 +400,14 @@ static Image *ReadPALMImage(const ImageInfo *image_info,
+ image->storage_class=PseudoClass;
+ image->depth=8;
+ }
+- one_row=(unsigned char *) AcquireQuantumMemory(bytes_per_row,
+- sizeof(*one_row));
++ one_row=(unsigned char *) AcquireQuantumMemory(MagickMax(bytes_per_row,
++ 2*image->columns),sizeof(*one_row));
+ if (one_row == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ lastrow=(unsigned char *) NULL;
+ if (compressionType == PALM_COMPRESSION_SCANLINE) {
+- lastrow=(unsigned char *) AcquireQuantumMemory(bytes_per_row,
+- sizeof(*lastrow));
++ lastrow=(unsigned char *) AcquireQuantumMemory(MagickMax(bytes_per_row,
++ 2*image->columns),sizeof(*lastrow));
+ if (lastrow == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
+@@ -443,7 +443,7 @@ static Image *ReadPALMImage(const ImageInfo *image_info,
+ for (i=0; i < (long) bytes_per_row; i+=8)
+ {
+ count=(ssize_t) ReadBlobByte(image);
+- byte=1UL*MagickMin((ssize_t) bytes_per_row-i,8);
++ byte=(size_t) MagickMin((ssize_t) bytes_per_row-i,8);
+ for (bit=0; bit < byte; bit++)
+ {
+ if ((y == 0) || (count & (1 << (7 - bit))))
+@@ -645,7 +645,7 @@ ModuleExport void UnregisterPALMImage(void)
+ static MagickBooleanType WritePALMImage(const ImageInfo *image_info,
+ Image *image)
+ {
+- int
++ unsigned long
+ y;
+
+ ExceptionInfo
+@@ -832,7 +832,7 @@ static MagickBooleanType WritePALMImage(const ImageInfo *image_info,
+ sizeof(*one_row));
+ if (one_row == (unsigned char *) NULL)
+ ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
+- for (y=0; y < (int) image->rows; y++)
++ for (y=0; y < (ssize_t) image->rows; y++)
+ {
+ ptr=one_row;
+ (void) ResetMagickMemory(ptr,0,bytes_per_row);
+@@ -842,7 +842,7 @@ static MagickBooleanType WritePALMImage(const ImageInfo *image_info,
+ indexes=GetAuthenticIndexQueue(image);
+ if (bits_per_pixel == 16)
+ {
+- for (x=0; x < (int) image->columns; x++)
++ for (x=0; x < (ssize_t) image->columns; x++)
+ {
+ color16=(unsigned short) ((((31*(unsigned long) GetRedPixelComponent(p))/
+ (unsigned long) QuantumRange) << 11) |
+@@ -865,7 +865,7 @@ static MagickBooleanType WritePALMImage(const ImageInfo *image_info,
+ {
+ byte=0x00;
+ bit=(unsigned char) (8-bits_per_pixel);
+- for (x=0; x < (int) image->columns; x++)
++ for (x=0; x < (ssize_t) image->columns; x++)
+ {
+ if (bits_per_pixel >= 8)
+ color=(unsigned char) indexes[x];
+diff --git a/coders/pnm.c b/coders/pnm.c
+index 2289cdc..76f94e9 100644
+--- a/coders/pnm.c
++++ b/coders/pnm.c
+@@ -165,7 +165,7 @@ static void PNMComment(Image *image)
+ Read comment.
+ */
+ comment=AcquireString(GetImageProperty(image,"comment"));
+- extent=strlen(comment);
++ extent=MaxTextExtent;
+ p=comment+strlen(comment);
+ for (c='#'; (c != EOF) && (c != (int) '\n'); p++)
+ {
+diff --git a/coders/xpm.c b/coders/xpm.c
+index 97ee9c8..7b1af9a 100644
+--- a/coders/xpm.c
++++ b/coders/xpm.c
+@@ -148,12 +148,16 @@ static int CompareXPMColor(const void *target,const void *source)
+ return(strcmp(p,q));
+ }
+
+-static char *CopyXPMColor(char *destination,const char *source,size_t length)
++static size_t CopyXPMColor(char *destination,const char *source,size_t length)
+ {
+- while (length-- && (*source != '\0'))
+- *destination++=(*source++);
++ register const char
++ *p;
++
++ p=source;
++ while (length-- && (*p != '\0'))
++ *destination++=(*p++);
+ *destination='\0';
+- return(destination-length);
++ return((size_t) (p-source));
+ }
+
+ static char *NextXPMLine(char *p)
+@@ -281,24 +285,26 @@ static Image *ReadXPMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ */
+ length=MaxTextExtent;
+ xpm_buffer=(char *) AcquireQuantumMemory((size_t) length,sizeof(*xpm_buffer));
++ if (xpm_buffer == (char *) NULL)
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ *xpm_buffer='\0';
+ p=xpm_buffer;
+- if (xpm_buffer != (char *) NULL)
+- while (ReadBlobString(image,p) != (char *) NULL)
+- {
+- if ((*p == '#') && ((p == xpm_buffer) || (*(p-1) == '\n')))
+- continue;
+- if ((*p == '}') && (*(p+1) == ';'))
+- break;
+- p+=strlen(p);
+- if ((size_t) (p-xpm_buffer+MaxTextExtent) < length)
+- continue;
+- length<<=1;
+- xpm_buffer=(char *) ResizeQuantumMemory(xpm_buffer,length+MaxTextExtent,
+- sizeof(*xpm_buffer));
+- if (xpm_buffer == (char *) NULL)
+- break;
+- p=xpm_buffer+strlen(xpm_buffer);
+- }
++ while (ReadBlobString(image,p) != (char *) NULL)
++ {
++ if ((*p == '#') && ((p == xpm_buffer) || (*(p-1) == '\n')))
++ continue;
++ if ((*p == '}') && (*(p+1) == ';'))
++ break;
++ p+=strlen(p);
++ if ((size_t) (p-xpm_buffer+MaxTextExtent) < length)
++ continue;
++ length<<=1;
++ xpm_buffer=(char *) ResizeQuantumMemory(xpm_buffer,length+MaxTextExtent,
++ sizeof(*xpm_buffer));
++ if (xpm_buffer == (char *) NULL)
++ break;
++ p=xpm_buffer+strlen(xpm_buffer);
++ }
+ if (xpm_buffer == (char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ /*
+@@ -406,7 +412,6 @@ static Image *ReadXPMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ indexes[x]=(IndexPacket) j;
+ *r=image->colormap[j];
+ r++;
+- p+=width;
+ }
+ if (SyncAuthenticPixels(image,exception) == MagickFalse)
+ break;
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0033-Fix-heap-overflow-in-quantum.c-palm-image-handling-a.patch imagemagick-6.6.0.4/debian/patches/0033-Fix-heap-overflow-in-quantum.c-palm-image-handling-a.patch
--- imagemagick-6.6.0.4/debian/patches/0033-Fix-heap-overflow-in-quantum.c-palm-image-handling-a.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0033-Fix-heap-overflow-in-quantum.c-palm-image-handling-a.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,74 @@
+From 857ee656d167d8f8b7934e520f07f9ace9e34517 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Mon, 1 Dec 2014 01:13:14 +0000
+Subject: [PATCH] Fix heap overflow in quantum.c, palm image handling and psd
+ image handling.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17142 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+Origin: http://trac.imagemagick.org/changeset/17142
+---
+ coders/palm.c | 2 +-
+ coders/psd.c | 2 +-
+ magick/quantum.c | 13 ++++++++-----
+ 3 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/coders/palm.c b/coders/palm.c
+index f006bd6..9d5f7a5 100644
+--- a/coders/palm.c
++++ b/coders/palm.c
+@@ -333,7 +333,7 @@ static Image *ReadPALMImage(const ImageInfo *image_info,
+ bytes_per_row=ReadBlobMSBShort(image);
+ flags=ReadBlobMSBShort(image);
+ bits_per_pixel=(unsigned long) ReadBlobByte(image);
+- if (bits_per_pixel > 16)
++ if ((bits_per_pixel == 0) || (bits_per_pixel > 16))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ version=(unsigned long) ReadBlobByte(image);
+ nextDepthOffset=(unsigned long) ReadBlobMSBShort(image);
+diff --git a/coders/psd.c b/coders/psd.c
+index a2ff5d9..fe9678b 100644
+--- a/coders/psd.c
++++ b/coders/psd.c
+@@ -783,7 +783,7 @@ static Image *ReadPSDImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (image->debug != MagickFalse)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " reading image resource blocks - %ld bytes",(long) length);
+- blocks=(unsigned char *) AcquireQuantumMemory(length,sizeof(*blocks));
++ blocks=(unsigned char *) AcquireQuantumMemory(length+16,sizeof(*blocks));
+ if (blocks == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ count=ReadBlob(image,length,blocks);
+diff --git a/magick/quantum.c b/magick/quantum.c
+index 746e6a6..a282a0e 100644
+--- a/magick/quantum.c
++++ b/magick/quantum.c
+@@ -540,8 +540,9 @@ MagickExport void SetQuantumAlphaType(QuantumInfo *quantum_info,
+ MagickExport MagickBooleanType SetQuantumDepth(const Image *image,
+ QuantumInfo *quantum_info,const unsigned long depth)
+ {
+- MagickBooleanType
+- status;
++ size_t
++ extent,
++ quantum;
+
+ /*
+ Allocate the quantum pixel buffer.
+@@ -565,9 +566,11 @@ MagickExport MagickBooleanType SetQuantumDepth(const Image *image,
+ }
+ if (quantum_info->pixels != (unsigned char **) NULL)
+ DestroyQuantumPixels(quantum_info);
+- status=AcquireQuantumPixels(quantum_info,(quantum_info->pad+5)*image->columns*
+- ((quantum_info->depth+7)/8));
+- return(status);
++ quantum=(quantum_info->pad+6)*(quantum_info->depth+7)/8;
++ extent=image->columns*quantum;
++ if (quantum != (extent/image->columns))
++ return(MagickFalse);
++ return(AcquireQuantumPixels(quantum_info,extent));
+ }
+ �
+ /*
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0034-Do-not-try-to-read-corrupted-sun-image.patch imagemagick-6.6.0.4/debian/patches/0034-Do-not-try-to-read-corrupted-sun-image.patch
--- imagemagick-6.6.0.4/debian/patches/0034-Do-not-try-to-read-corrupted-sun-image.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0034-Do-not-try-to-read-corrupted-sun-image.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,69 @@
+From 7ac687af4fce2b194a101697a31907669b6631ca Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Mon, 1 Dec 2014 23:10:02 +0000
+Subject: [PATCH] Do not try to read corrupted sun image
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17146 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17146
+---
+ coders/sun.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/coders/sun.c b/coders/sun.c
+index 8be4af8..02712d7 100644
+--- a/coders/sun.c
++++ b/coders/sun.c
+@@ -256,6 +256,7 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ *p;
+
+ size_t
++ bytes_per_line,
+ length;
+
+ ssize_t
+@@ -268,9 +269,6 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ *sun_data,
+ *sun_pixels;
+
+- unsigned int
+- bytes_per_line;
+-
+ /*
+ Open image file.
+ */
+@@ -485,11 +483,13 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ else
+ if (image->storage_class == PseudoClass)
+ {
++ if (bytes_per_line == 0)
++ bytes_per_line=image->columns;
+ length=image->rows*(image->columns+image->columns % 2);
+ if (((sun_info.type == RT_ENCODED) &&
+ (length > (bytes_per_line*image->rows))) ||
+ ((sun_info.type != RT_ENCODED) && (length > sun_info.length)))
+- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+ for (y=0; y < (long) image->rows; y++)
+ {
+ q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
+@@ -518,12 +518,14 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ bytes_per_pixel=3;
+ if (image->matte != MagickFalse)
+ bytes_per_pixel++;
+- length=image->rows*((bytes_per_line*image->columns)+
+- image->columns % 2);
++ if (bytes_per_line == 0)
++ bytes_per_line=bytes_per_pixel*image->columns;
++ length=image->rows*((bytes_per_line*image->columns)+image->columns %
++ 2);
+ if (((sun_info.type == RT_ENCODED) &&
+ (length > (bytes_per_line*image->rows))) ||
+ ((sun_info.type != RT_ENCODED) && (length > sun_info.length)))
+- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+ for (y=0; y < (long) image->rows; y++)
+ {
+ q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0035-Fix-corrupted-too-many-colors-psd-file.patch imagemagick-6.6.0.4/debian/patches/0035-Fix-corrupted-too-many-colors-psd-file.patch
--- imagemagick-6.6.0.4/debian/patches/0035-Fix-corrupted-too-many-colors-psd-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0035-Fix-corrupted-too-many-colors-psd-file.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,36 @@
+From 47df4740eb51a7a84347def02b91f4f3dfb21234 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Tue, 2 Dec 2014 23:44:17 +0000
+Subject: [PATCH] Fix corrupted (too many colors) psd file
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17151 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17151
+---
+ coders/psd.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/coders/psd.c b/coders/psd.c
+index fe9678b..530cdb5 100644
+--- a/coders/psd.c
++++ b/coders/psd.c
+@@ -754,10 +754,16 @@ static Image *ReadPSDImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ }
+ else
+ {
++ size_t
++ number_colors;
++
+ /*
+ Read PSD raster colormap.
+ */
+- if (AcquireImageColormap(image,(unsigned long) (length/3)) == MagickFalse)
++ number_colors=length/3;
++ if (number_colors > 65536)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ if (AcquireImageColormap(image,number_colors) == MagickFalse)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ for (i=0; i < (long) image->colors; i++)
+ image->colormap[i].red=ScaleCharToQuantum((unsigned char)
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0036-Fix-out-of-bound-access-in-sun-image-handling.patch imagemagick-6.6.0.4/debian/patches/0036-Fix-out-of-bound-access-in-sun-image-handling.patch
--- imagemagick-6.6.0.4/debian/patches/0036-Fix-out-of-bound-access-in-sun-image-handling.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0036-Fix-out-of-bound-access-in-sun-image-handling.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,29 @@
+From 28b18aa7ff93cecbe7617797ad0713e570a2c81f Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Thu, 4 Dec 2014 00:19:57 +0000
+Subject: [PATCH] Fix out of bound access in sun image handling
+
+It the merge of rev 17153 and rev 17155
+
+Origin: http://trac.imagemagick.org/changeset/17153 and http://trac.imagemagick.org/changeset/17155
+---
+ coders/sun.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/coders/sun.c b/coders/sun.c
+index 02712d7..ac8aba5 100644
+--- a/coders/sun.c
++++ b/coders/sun.c
+@@ -520,8 +520,7 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ bytes_per_pixel++;
+ if (bytes_per_line == 0)
+ bytes_per_line=bytes_per_pixel*image->columns;
+- length=image->rows*((bytes_per_line*image->columns)+image->columns %
+- 2);
++ length=image->rows*(bytes_per_line+image->columns % 2);
+ if (((sun_info.type == RT_ENCODED) &&
+ (length > (bytes_per_line*image->rows))) ||
+ ((sun_info.type != RT_ENCODED) && (length > sun_info.length)))
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0037-Fix-handling-of-corrupted-sun-and-wpg-file.patch imagemagick-6.6.0.4/debian/patches/0037-Fix-handling-of-corrupted-sun-and-wpg-file.patch
--- imagemagick-6.6.0.4/debian/patches/0037-Fix-handling-of-corrupted-sun-and-wpg-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0037-Fix-handling-of-corrupted-sun-and-wpg-file.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,41 @@
+From b6a2b1e6c2c3b387eefa24ccf7c9469b51080d17 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sun, 7 Dec 2014 12:52:08 +0000
+Subject: [PATCH] Fix handling of corrupted sun and wpg file
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17165 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17165
+---
+ coders/sun.c | 2 ++
+ coders/wpg.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/coders/sun.c b/coders/sun.c
+index ac8aba5..98631c9 100644
+--- a/coders/sun.c
++++ b/coders/sun.c
+@@ -305,6 +305,8 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ sun_info.type=ReadBlobMSBLong(image);
+ sun_info.maptype=ReadBlobMSBLong(image);
+ sun_info.maplength=ReadBlobMSBLong(image);
++ if ((sun_info.height != 0) && (sun_info.width != extent/sun_info.height))
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if ((sun_info.type != RT_STANDARD) && (sun_info.type != RT_ENCODED) &&
+ (sun_info.type != RT_FORMAT_RGB))
+ ThrowReaderException(CoderError,"ImproperImageHeader");
+diff --git a/coders/wpg.c b/coders/wpg.c
+index 37cb2a1..8c1b900 100644
+--- a/coders/wpg.c
++++ b/coders/wpg.c
+@@ -458,7 +458,7 @@ static int UnpackWPGRaster(Image *image,int bpp)
+
+ ldblk=(long) ((bpp*image->columns+7)/8);
+ BImgBuff=(unsigned char *) AcquireQuantumMemory((size_t) ldblk,
+- sizeof(*BImgBuff));
++ 4*sizeof(*BImgBuff));
+ if(BImgBuff==NULL) return(-2);
+
+ while(y<(long) image->rows)
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0038-Fix-heap-overflow-in-pcx-file-psd-pict-and-wpf-files.patch imagemagick-6.6.0.4/debian/patches/0038-Fix-heap-overflow-in-pcx-file-psd-pict-and-wpf-files.patch
--- imagemagick-6.6.0.4/debian/patches/0038-Fix-heap-overflow-in-pcx-file-psd-pict-and-wpf-files.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0038-Fix-heap-overflow-in-pcx-file-psd-pict-and-wpf-files.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,102 @@
+From 7ada2be8c8653ddbd27928b77f0ba86424a10e3b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
+Date: Tue, 23 Dec 2014 14:53:08 +0100
+Subject: [PATCH] Fix heap overflow in pcx file, psd, pict and wpf files and
+ DOS in xpm file
+
+The rest of the upstream patch is only whitespace change. Do not commit it.
+
+Psd change file is ignored due to huge rewrite
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17166 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17166
+---
+ coders/pcx.c | 8 +++++++-
+ coders/pict.c | 3 ++-
+ coders/sun.c | 2 ++
+ coders/wpg.c | 2 +-
+ coders/xpm.c | 2 ++
+ 5 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/coders/pcx.c b/coders/pcx.c
+index 75c4c54..a64ae04 100644
+--- a/coders/pcx.c
++++ b/coders/pcx.c
+@@ -396,7 +396,13 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ pcx_info.bytes_per_line),MagickMax(8,pcx_info.planes)*sizeof(*scanline));
+ if ((pcx_pixels == (unsigned char *) NULL) ||
+ (scanline == (unsigned char *) NULL))
+- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ {
++ if (scanline != (unsigned char *) NULL)
++ scanline=(unsigned char *) RelinquishMagickMemory(scanline);
++ if (pcx_pixels != (unsigned char *) NULL)
++ pcx_pixels=(unsigned char *) RelinquishMagickMemory(pcx_pixels);
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ }
+ /*
+ Uncompress image data.
+ */
+diff --git a/coders/pict.c b/coders/pict.c
+index fa47b06..bf270fd 100644
+--- a/coders/pict.c
++++ b/coders/pict.c
+@@ -474,7 +474,8 @@ static unsigned char *DecodeImage(Image *blob,Image *image,
+ return((unsigned char *) NULL);
+ *extent=row_bytes*image->rows*sizeof(*pixels);
+ (void) ResetMagickMemory(pixels,0,*extent);
+- scanline=(unsigned char *) AcquireQuantumMemory(row_bytes,sizeof(*scanline));
++ scanline=(unsigned char *) AcquireQuantumMemory(row_bytes,2*
++ sizeof(*scanline));
+ if (scanline == (unsigned char *) NULL)
+ return((unsigned char *) NULL);
+ if (bytes_per_line < 8)
+diff --git a/coders/sun.c b/coders/sun.c
+index 98631c9..42028c5 100644
+--- a/coders/sun.c
++++ b/coders/sun.c
+@@ -257,6 +257,7 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
+
+ size_t
+ bytes_per_line,
++ extent,
+ length;
+
+ ssize_t
+@@ -305,6 +306,7 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ sun_info.type=ReadBlobMSBLong(image);
+ sun_info.maptype=ReadBlobMSBLong(image);
+ sun_info.maplength=ReadBlobMSBLong(image);
++ extent=sun_info.height*sun_info.width;
+ if ((sun_info.height != 0) && (sun_info.width != extent/sun_info.height))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if ((sun_info.type != RT_STANDARD) && (sun_info.type != RT_ENCODED) &&
+diff --git a/coders/wpg.c b/coders/wpg.c
+index 8c1b900..842be6d 100644
+--- a/coders/wpg.c
++++ b/coders/wpg.c
+@@ -458,7 +458,7 @@ static int UnpackWPGRaster(Image *image,int bpp)
+
+ ldblk=(long) ((bpp*image->columns+7)/8);
+ BImgBuff=(unsigned char *) AcquireQuantumMemory((size_t) ldblk,
+- 4*sizeof(*BImgBuff));
++ 8*sizeof(*BImgBuff));
+ if(BImgBuff==NULL) return(-2);
+
+ while(y<(long) image->rows)
+diff --git a/coders/xpm.c b/coders/xpm.c
+index 7b1af9a..b412b46 100644
+--- a/coders/xpm.c
++++ b/coders/xpm.c
+@@ -369,6 +369,8 @@ static Image *ReadXPMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ while ((isspace((int) ((unsigned char) *q)) == 0) && (*q != '\0'))
+ q++;
++ if ((next-q) < 0)
++ break;
+ if (next != (char *) NULL)
+ (void) CopyXPMColor(target,q,MagickMin((size_t) (next-q),
+ MaxTextExtent));
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0039-Additional-PNM-sanity-checks.patch imagemagick-6.6.0.4/debian/patches/0039-Additional-PNM-sanity-checks.patch
--- imagemagick-6.6.0.4/debian/patches/0039-Additional-PNM-sanity-checks.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0039-Additional-PNM-sanity-checks.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,46 @@
+From 0cc236c1d843253e8e6c884fb6df5b8d17fbf377 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sat, 13 Dec 2014 22:14:04 +0000
+Subject: [PATCH] Additional PNM sanity checks
+
+bug: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26682
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17200 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17200 and http://trac.imagemagick.org/changeset/17202 and http://trac.imagemagick.org/changeset/17237
+---
+ coders/pnm.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/coders/pnm.c b/coders/pnm.c
+index 76f94e9..2989393 100644
+--- a/coders/pnm.c
++++ b/coders/pnm.c
+@@ -191,12 +191,12 @@ static void PNMComment(Image *image)
+ comment=DestroyString(comment);
+ }
+
+-static size_t PNMInteger(Image *image,const unsigned int base)
++static unsigned int PNMInteger(Image *image,const unsigned int base)
+ {
+ int
+ c;
+
+- size_t
++ unsigned int
+ value;
+
+ /*
+@@ -218,7 +218,11 @@ static size_t PNMInteger(Image *image,const unsigned int base)
+ value=0;
+ do
+ {
++ if (value > (unsigned int) (INT_MAX/10))
++ break;
+ value*=10;
++ if (value > (INT_MAX-c))
++ break;
+ value+=c-(int) '0';
+ c=ReadBlobByte(image);
+ if (c == EOF)
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0040-Robustify-xmp-and-pnm-reader.patch imagemagick-6.6.0.4/debian/patches/0040-Robustify-xmp-and-pnm-reader.patch
--- imagemagick-6.6.0.4/debian/patches/0040-Robustify-xmp-and-pnm-reader.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0040-Robustify-xmp-and-pnm-reader.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,116 @@
+From 8824afbbee638a87d9d05d50b6d4597a46f53fce Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Mon, 15 Dec 2014 01:32:48 +0000
+Subject: [PATCH] Robustify xmp and pnm reader
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17240 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17245 and http://trac.imagemagick.org/changeset/17240 and http://trac.imagemagick.org/changeset/17248
+---
+ coders/pnm.c | 8 +++-----
+ coders/xbm.c | 48 +++++++++++++++++++++++++++---------------------
+ 2 files changed, 30 insertions(+), 26 deletions(-)
+
+diff --git a/coders/pnm.c b/coders/pnm.c
+index 2989393..e5922a2 100644
+--- a/coders/pnm.c
++++ b/coders/pnm.c
+@@ -209,7 +209,7 @@ static unsigned int PNMInteger(Image *image,const unsigned int base)
+ return(0);
+ if (c == (int) '#')
+ PNMComment(image);
+- } while (isdigit(c) == MagickFalse);
++ } while (isdigit(c) == 0);
+ if (base == 2)
+ return((unsigned long) (c-(int) '0'));
+ /*
+@@ -221,13 +221,11 @@ static unsigned int PNMInteger(Image *image,const unsigned int base)
+ if (value > (unsigned int) (INT_MAX/10))
+ break;
+ value*=10;
+- if (value > (INT_MAX-c))
++ if (value > (INT_MAX-(c-(int) '0')))
+ break;
+ value+=c-(int) '0';
+ c=ReadBlobByte(image);
+- if (c == EOF)
+- return(value);
+- } while (isdigit(c) != MagickFalse);
++ } while (isdigit(c) != 0);
+ return(value);
+ }
+
+diff --git a/coders/xbm.c b/coders/xbm.c
+index 999fa9a..692eb2c 100644
+--- a/coders/xbm.c
++++ b/coders/xbm.c
+@@ -127,33 +127,38 @@ static MagickBooleanType IsXBM(const unsigned char *magick,const size_t length)
+ %
+ */
+
+-static int XBMInteger(Image *image,short int *hex_digits)
+-{
++static unsigned int XBMInteger(Image *image,short int *hex_digits)
++{
+ int
+- c,
+- flag,
++ c;
++
++ unsigned int
+ value;
+-
+- value=0;
+- flag=0;
+- for ( ; ; )
+- {
++
++ /*
++ Skip any leading whitespace.
++ */
++ do
++ {
+ c=ReadBlobByte(image);
+ if (c == EOF)
+- {
+- value=(-1);
+- break;
+- }
++ return(0);
++ } while (hex_digits[c] < 0);
++ /*
++ Evaluate number.
++ */
++ value=0;
++ do
++ {
++ if (value > (unsigned int) (INT_MAX/10))
++ break;
++ value*=16;
+ c&=0xff;
+- if (isxdigit(c) != MagickFalse)
+- {
+- value=(int) ((unsigned long) value << 4)+hex_digits[c];
+- flag++;
+- continue;
+- }
+- if ((hex_digits[c]) < 0 && (flag != 0))
++ if (value > (INT_MAX-hex_digits[c]))
+ break;
+- }
++ value+=hex_digits[c];
++ c=ReadBlobByte(image);
++ } while (hex_digits[c] >= 0);
+ return(value);
+ }
+
+@@ -188,6 +193,7 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ short int
+ hex_digits[256];
+
++
+ size_t
+ length;
+
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0041-Detect-allocation-error-earlier.patch imagemagick-6.6.0.4/debian/patches/0041-Detect-allocation-error-earlier.patch
--- imagemagick-6.6.0.4/debian/patches/0041-Detect-allocation-error-earlier.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0041-Detect-allocation-error-earlier.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,30 @@
+From 3010cb2ecb66d3d97c75e2b3bd814f02afa787f8 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Mon, 15 Dec 2014 02:50:44 +0000
+Subject: [PATCH] Detect allocation error earlier
+
+Avoid a segv due to NULL pointer dereference
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17243 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17243
+---
+ magick/cache.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/magick/cache.c b/magick/cache.c
+index 98fb393..111dd1b 100644
+--- a/magick/cache.c
++++ b/magick/cache.c
+@@ -4064,7 +4064,8 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode,
+ packet_size+=sizeof(IndexPacket);
+ length=number_pixels*packet_size;
+ columns=(unsigned long) (length/cache_info->rows/packet_size);
+- if (cache_info->columns != columns)
++ if ((cache_info->columns != columns) || ((ssize_t) cache_info->columns < 0) ||
++ ((ssize_t) cache_info->rows < 0))
+ ThrowBinaryException(ResourceLimitError,"PixelCacheAllocationFailed",
+ image->filename);
+ cache_info->length=length;
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0042-Avoid-a-crash-in-coders-rle.c.patch imagemagick-6.6.0.4/debian/patches/0042-Avoid-a-crash-in-coders-rle.c.patch
--- imagemagick-6.6.0.4/debian/patches/0042-Avoid-a-crash-in-coders-rle.c.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0042-Avoid-a-crash-in-coders-rle.c.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,83 @@
+From 22289bcac76a7f77015cd72ad2d3df9693ff77c2 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Mon, 15 Dec 2014 11:30:43 +0000
+Subject: [PATCH] Avoid a crash in coders/rle.c
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17255 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17255
+---
+ coders/rle.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/coders/rle.c b/coders/rle.c
+index 23c1c6a..767d61c 100644
+--- a/coders/rle.c
++++ b/coders/rle.c
+@@ -40,10 +40,12 @@
+ Include declarations.
+ */
+ #include "magick/studio.h"
+-#include "magick/property.h"
+ #include "magick/blob.h"
+ #include "magick/blob-private.h"
+ #include "magick/cache.h"
++
++#include "magick/colormap.h"
++#include "magick/colormap-private.h"
+ #include "magick/exception.h"
+ #include "magick/exception-private.h"
+ #include "magick/image.h"
+@@ -54,6 +56,8 @@
+ #include "magick/monitor.h"
+ #include "magick/monitor-private.h"
+ #include "magick/quantum-private.h"
++#include "magick/pixel.h"
++#include "magick/property.h"
+ #include "magick/static.h"
+ #include "magick/string_.h"
+ #include "magick/module.h"
+@@ -120,6 +124,14 @@ static MagickBooleanType IsRLE(const unsigned char *magick,const size_t length)
+ %
+ %
+ */
++
++static inline size_t MagickMax(const size_t x,const size_t y)
++{
++ if (x > y)
++ return(x);
++ return(y);
++}
++
+ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ #define SkipLinesOp 0x01
+@@ -293,7 +305,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if ((number_pixels*number_planes) != (size_t) (number_pixels*number_planes))
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ rle_pixels=(unsigned char *) AcquireQuantumMemory(image->columns,
+- image->rows*number_planes*sizeof(*rle_pixels));
++ image->rows*MagickMax(number_planes,4)*sizeof(*rle_pixels));
+ if (rle_pixels == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ if ((flags & 0x01) && !(flags & 0x02))
+@@ -523,10 +535,13 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ break;
+ for (x=0; x < (long) image->columns; x++)
+ {
+- q->red=image->colormap[*p++].red;
+- q->green=image->colormap[*p++].green;
+- q->blue=image->colormap[*p++].blue;
+- q->opacity=(Quantum) (QuantumRange-ScaleCharToQuantum(*p++));
++ q->red=image->colormap[(ssize_t)
++ ConstrainColormapIndex(image,*p++)].red;
++ q->green=image->colormap[(ssize_t)
++ ConstrainColormapIndex(image,*p++)].green;
++ q->blue=image->colormap[(ssize_t)
++ ConstrainColormapIndex(image,*p++)].blue;
++ q->opacity=(Quantum) (QuantumRange-ScaleCharToQuantum(*p++));
+ q++;
+ }
+ if (SyncAuthenticPixels(image,exception) == MagickFalse)
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0043-Avoid-an-overflow-in-ConstrainColormapIndex.patch imagemagick-6.6.0.4/debian/patches/0043-Avoid-an-overflow-in-ConstrainColormapIndex.patch
--- imagemagick-6.6.0.4/debian/patches/0043-Avoid-an-overflow-in-ConstrainColormapIndex.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0043-Avoid-an-overflow-in-ConstrainColormapIndex.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,28 @@
+From 51e99b3a8acfc555bf627af9ab1bd3f261cd17a3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
+Date: Tue, 23 Dec 2014 15:39:55 +0100
+Subject: [PATCH] Avoid an overflow in ConstrainColormapIndex
+
+ConstrainColormapIndex is used like array[ConstrainColormapIndex]. Test if cast to ssize_t render it negative and thus crash later
+
+Origin: http://trac.imagemagick.org/changeset/17291
+---
+ magick/colormap-private.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/magick/colormap-private.h b/magick/colormap-private.h
+index 7a77961..9a8539d 100644
+--- a/magick/colormap-private.h
++++ b/magick/colormap-private.h
+@@ -29,7 +29,7 @@ extern "C" {
+ static inline IndexPacket ConstrainColormapIndex(Image *image,
+ const unsigned long index)
+ {
+- if (index < image->colors)
++ if ((index < image->colors) && ((ssize_t) index >= 0))
+ return((IndexPacket) index);
+ (void) ThrowMagickException(&image->exception,GetMagickModule(),
+ CorruptImageError,"InvalidColormapIndex","`%s'",image->filename);
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0044-Avoid-an-out-of-bound-access-in-palm-file.patch imagemagick-6.6.0.4/debian/patches/0044-Avoid-an-out-of-bound-access-in-palm-file.patch
--- imagemagick-6.6.0.4/debian/patches/0044-Avoid-an-out-of-bound-access-in-palm-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0044-Avoid-an-out-of-bound-access-in-palm-file.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,29 @@
+From b00c4d46fb59bfc807df5e58c0a33f9d3812be05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
+Date: Tue, 23 Dec 2014 15:41:32 +0100
+Subject: [PATCH] Avoid an out of bound access in palm file
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17291 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+Origin: http://trac.imagemagick.org/changeset/17291
+---
+ coders/palm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/coders/palm.c b/coders/palm.c
+index 9d5f7a5..d080c5a 100644
+--- a/coders/palm.c
++++ b/coders/palm.c
+@@ -505,8 +505,9 @@ static Image *ReadPALMImage(const ImageInfo *image_info,
+ }
+ if (flags & PALM_HAS_TRANSPARENCY_FLAG)
+ {
++ IndexPacket index=ConstrainColormapIndex(image,(mask-transparentIndex));
+ if (bits_per_pixel != 16)
+- SetMagickPixelPacket(image,image->colormap+(mask-transparentIndex),
++ SetMagickPixelPacket(image,image->colormap+index,
+ (const IndexPacket *) NULL,&transpix);
+ (void) TransparentPaintImage(image,&transpix,(Quantum)
+ TransparentOpacity,MagickFalse);
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0045-Fix-another-crash-in-pnm-and-xpm-parser.patch imagemagick-6.6.0.4/debian/patches/0045-Fix-another-crash-in-pnm-and-xpm-parser.patch
--- imagemagick-6.6.0.4/debian/patches/0045-Fix-another-crash-in-pnm-and-xpm-parser.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0045-Fix-another-crash-in-pnm-and-xpm-parser.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,42 @@
+From cd3fbe4fc3ab0231049cfe84f3842cd242b59833 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Tue, 16 Dec 2014 19:43:22 +0000
+Subject: [PATCH] Fix another crash in pnm and xpm parser
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17297 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+Origin: http://trac.imagemagick.org/changeset/17297
+---
+ coders/pnm.c | 2 +-
+ coders/xpm.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/coders/pnm.c b/coders/pnm.c
+index e5922a2..23033d3 100644
+--- a/coders/pnm.c
++++ b/coders/pnm.c
+@@ -165,8 +165,8 @@ static void PNMComment(Image *image)
+ Read comment.
+ */
+ comment=AcquireString(GetImageProperty(image,"comment"));
+- extent=MaxTextExtent;
+ p=comment+strlen(comment);
++ extent=strlen(comment)+MaxTextExtent;
+ for (c='#'; (c != EOF) && (c != (int) '\n'); p++)
+ {
+ if ((size_t) (p-comment+1) >= extent)
+diff --git a/coders/xpm.c b/coders/xpm.c
+index b412b46..07a3ded 100644
+--- a/coders/xpm.c
++++ b/coders/xpm.c
+@@ -154,7 +154,7 @@ static size_t CopyXPMColor(char *destination,const char *source,size_t length)
+ *p;
+
+ p=source;
+- while (length-- && (*p != '\0'))
++ while (--length && (*p != '\0'))
+ *destination++=(*p++);
+ *destination='\0';
+ return((size_t) (p-source));
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0046-Fix-another-out-of-bound-problem-in-rle-file.patch imagemagick-6.6.0.4/debian/patches/0046-Fix-another-out-of-bound-problem-in-rle-file.patch
--- imagemagick-6.6.0.4/debian/patches/0046-Fix-another-out-of-bound-problem-in-rle-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0046-Fix-another-out-of-bound-problem-in-rle-file.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,48 @@
+From 3997bca2e5f812b9e6d7d9c2264e5bc7fc3b2734 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Fri, 19 Dec 2014 00:26:33 +0000
+Subject: [PATCH] Fix another out of bound problem in rle file
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17336 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17336
+---
+ coders/rle.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/coders/rle.c b/coders/rle.c
+index 767d61c..fdc58c9 100644
+--- a/coders/rle.c
++++ b/coders/rle.c
+@@ -413,6 +413,9 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ } while (((opcode & 0x3f) != EOFOp) && (opcode != EOF));
+ if (number_colormaps != 0)
+ {
++ IndexPacket
++ index;
++
+ MagickStatusType
+ mask;
+
+@@ -424,7 +427,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ if (number_colormaps == 1)
+ for (i=0; i < (long) number_pixels; i++)
+ {
+- *p=colormap[*p & mask];
++ index=ConstrainColormapIndex(image,*p & mask);
++ *p=colormap[index];
+ p++;
+ }
+ else
+@@ -432,7 +436,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ for (i=0; i < (long) number_pixels; i++)
+ for (x=0; x < (long) number_planes; x++)
+ {
+- *p=colormap[x*map_length+(*p & mask)];
++ index=ConstrainColormapIndex(image,x*map_length+(*p & mask));
++ *p=colormap[index];
+ p++;
+ }
+ }
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0047-Fix-crash-due-to-corrupted-dib-file.patch imagemagick-6.6.0.4/debian/patches/0047-Fix-crash-due-to-corrupted-dib-file.patch
--- imagemagick-6.6.0.4/debian/patches/0047-Fix-crash-due-to-corrupted-dib-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0047-Fix-crash-due-to-corrupted-dib-file.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,74 @@
+From c4153f18bfdc1f7e88c1da8d6e495a55c8771a03 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Fri, 19 Dec 2014 12:12:18 +0000
+Subject: [PATCH] Fix crash due to corrupted dib file
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17343 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17343
+---
+ coders/dib.c | 41 +++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 39 insertions(+), 2 deletions(-)
+
+diff --git a/coders/dib.c b/coders/dib.c
+index afe6634..eb367cd 100644
+--- a/coders/dib.c
++++ b/coders/dib.c
+@@ -155,6 +155,10 @@ static MagickBooleanType DecodeImage(Image *image,
+ #define BI_RLE8 1
+ #define BI_RLE4 2
+ #define BI_BITFIELDS 3
++#undef BI_JPEG
++#define BI_JPEG 4
++#undef BI_PNG
++#define BI_PNG 5
+ #endif
+
+ int
+@@ -537,9 +541,42 @@ static Image *ReadDIBImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ dib_info.green_mask=ReadBlobLSBLong(image);
+ dib_info.blue_mask=ReadBlobLSBLong(image);
+ }
++ if (dib_info.width <= 0)
++ ThrowReaderException(CorruptImageError,"NegativeOrZeroImageSize");
++ if (dib_info.height == 0)
++ ThrowReaderException(CorruptImageError,"NegativeOrZeroImageSize");
++ if (dib_info.planes != 1)
++ ThrowReaderException(CorruptImageError,"StaticPlanesValueNotEqualToOne");
++ if ((dib_info.bits_per_pixel != 1) && (dib_info.bits_per_pixel != 4) &&
++ (dib_info.bits_per_pixel != 8) && (dib_info.bits_per_pixel != 16) &&
++ (dib_info.bits_per_pixel != 24) && (dib_info.bits_per_pixel != 32))
++ ThrowReaderException(CorruptImageError,"UnrecognizedBitsPerPixel");
++ if (dib_info.bits_per_pixel < 16 &&
++ dib_info.number_colors > (1U << dib_info.bits_per_pixel))
++ ThrowReaderException(CorruptImageError,"UnrecognizedNumberOfColors");
++ if ((dib_info.compression == 1) && (dib_info.bits_per_pixel != 8))
++ ThrowReaderException(CorruptImageError,"UnrecognizedBitsPerPixel");
++ if ((dib_info.compression == 2) && (dib_info.bits_per_pixel != 4))
++ ThrowReaderException(CorruptImageError,"UnrecognizedBitsPerPixel");
++ if ((dib_info.compression == 3) && (dib_info.bits_per_pixel < 16))
++ ThrowReaderException(CorruptImageError,"UnrecognizedBitsPerPixel");
++ switch (dib_info.compression)
++ {
++ case BI_RGB:
++ case BI_RLE8:
++ case BI_RLE4:
++ case BI_BITFIELDS:
++ break;
++ case BI_JPEG:
++ ThrowReaderException(CoderError,"JPEGCompressNotSupported");
++ case BI_PNG:
++ ThrowReaderException(CoderError,"PNGCompressNotSupported");
++ default:
++ ThrowReaderException(CorruptImageError,"UnrecognizedImageCompression");
++ }
++ image->columns=(size_t) MagickAbsoluteValue(dib_info.width);
++ image->rows=(size_t) MagickAbsoluteValue(dib_info.height);
+ image->matte=dib_info.bits_per_pixel == 32 ? MagickTrue : MagickFalse;
+- image->columns=(unsigned long) MagickAbsoluteValue(dib_info.width);
+- image->rows=(unsigned long) MagickAbsoluteValue(dib_info.height);
+ image->depth=8;
+ if ((dib_info.number_colors != 0) || (dib_info.bits_per_pixel < 16))
+ {
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0048-Added-checks-to-prevent-overflow-in-rle-file.patch imagemagick-6.6.0.4/debian/patches/0048-Added-checks-to-prevent-overflow-in-rle-file.patch
--- imagemagick-6.6.0.4/debian/patches/0048-Added-checks-to-prevent-overflow-in-rle-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0048-Added-checks-to-prevent-overflow-in-rle-file.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,86 @@
+From 9409c2a9e99fcc97be22f54b23e7547a10cf02be Mon Sep 17 00:00:00 2001
+From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sat, 20 Dec 2014 13:40:37 +0000
+Subject: [PATCH] Added checks to prevent overflow in rle file
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17348 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17348
+---
+ coders/rle.c | 37 ++++++++++++++++++++++++++++---------
+ 1 file changed, 28 insertions(+), 9 deletions(-)
+
+diff --git a/coders/rle.c b/coders/rle.c
+index fdc58c9..7998b46 100644
+--- a/coders/rle.c
++++ b/coders/rle.c
+@@ -190,7 +190,10 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ bits_per_pixel,
+ map_length,
+ number_colormaps,
+- number_planes;
++ number_planes,
++ one,
++ offset,
++ pixel_info_length;;
+
+ /*
+ Open image file.
+@@ -304,8 +307,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ number_pixels=(MagickSizeType) image->columns*image->rows;
+ if ((number_pixels*number_planes) != (size_t) (number_pixels*number_planes))
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+- rle_pixels=(unsigned char *) AcquireQuantumMemory(image->columns,
+- image->rows*MagickMax(number_planes,4)*sizeof(*rle_pixels));
++ pixel_info_length=image->columns*image->rows*MagickMax(number_planes,4);
++ rle_pixels=(unsigned char *) AcquireQuantumMemory(pixel_info_length,sizeof(*rle_pixels));
+ if (rle_pixels == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ if ((flags & 0x01) && !(flags & 0x02))
+@@ -372,12 +375,20 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ operand=ReadBlobByte(image);
+ if (opcode & 0x40)
+ operand=(int) ReadBlobLSBShort(image);
+- p=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+
+- x*number_planes+plane;
++ offset=((image->rows-y-1)*image->columns*number_planes)+x*
++ number_planes+plane;
+ operand++;
++ if (offset+((size_t) operand*number_planes) > pixel_info_length)
++ {
++ if (number_colormaps != 0)
++ colormap=(unsigned char *) RelinquishMagickMemory(colormap);
++ rle_pixels=(unsigned char *) RelinquishMagickMemory(rle_pixels);
++ ThrowReaderException(CorruptImageError,"UnableToReadImageData");
++ }
++ p=rle_pixels+offset;
+ for (i=0; i < (long) operand; i++)
+ {
+- pixel=(unsigned char) ReadBlobByte(image);
++ pixel=(unsigned char) ReadBlobByte(image);
+ if ((y < (long) image->rows) && ((x+i) < (long) image->columns))
+ *p=pixel;
+ p+=number_planes;
+@@ -395,9 +406,17 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ pixel=(unsigned char) ReadBlobByte(image);
+ (void) ReadBlobByte(image);
+ operand++;
+- p=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+
+- x*number_planes+plane;
+- for (i=0; i < (long) operand; i++)
++ offset=((image->rows-y-1)*image->columns*number_planes)+x*
++ number_planes+plane;
++ p=rle_pixels+offset;
++ if (offset+((size_t) operand*number_planes) > pixel_info_length)
++ {
++ if (number_colormaps != 0)
++ colormap=(unsigned char *) RelinquishMagickMemory(colormap);
++ rle_pixels=(unsigned char *) RelinquishMagickMemory(rle_pixels);
++ ThrowReaderException(CorruptImageError,"UnableToReadImageData");
++ }
++ for (i=0; i < (ssize_t) operand; i++)
+ {
+ if ((y < (long) image->rows) && ((x+i) < (long) image->columns))
+ *p=pixel;
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0049-Impose-a-limit-of-10-million-columns-or-rows-in-an-i.patch imagemagick-6.6.0.4/debian/patches/0049-Impose-a-limit-of-10-million-columns-or-rows-in-an-i.patch
--- imagemagick-6.6.0.4/debian/patches/0049-Impose-a-limit-of-10-million-columns-or-rows-in-an-i.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0049-Impose-a-limit-of-10-million-columns-or-rows-in-an-i.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,36 @@
+From 7a68c93ec6efc9a54efadfaa7284d48877de2b55 Mon Sep 17 00:00:00 2001
+From: glennrp <glennrp@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sun, 21 Dec 2014 17:18:01 +0000
+Subject: [PATCH] Impose a limit of 10 million columns or rows in an input PNG.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17368 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17368
+---
+ coders/png.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/coders/png.c b/coders/png.c
+index dd2f3e4..ba0b621 100644
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -1815,6 +1815,17 @@ static Image *ReadOnePNGImage(MngInfo *mng_info,
+ }
+ return(GetFirstImageInList(image));
+ }
++
++ /* { For navigation to end of SETJMP-protected block. Within this
++ * block, use png_error() instead of Throwing an Exception, to ensure
++ * that libpng is able to clean up, and that the semaphore is unlocked.
++ */
++
++#ifdef PNG_SET_USER_LIMITS_SUPPORTED
++ /* Reject images with more than 10 million rows or columns */
++ png_set_user_limits(ping, 10000000L, 10000000L);
++#endif /* PNG_SET_USER_LIMITS_SUPPORTED */
++
+ /*
+ Prepare PNG for reading.
+ */
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0050-Be-a-little-bit-fuzzy-in-test-suite.patch imagemagick-6.6.0.4/debian/patches/0050-Be-a-little-bit-fuzzy-in-test-suite.patch
--- imagemagick-6.6.0.4/debian/patches/0050-Be-a-little-bit-fuzzy-in-test-suite.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0050-Be-a-little-bit-fuzzy-in-test-suite.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,37 @@
+From 9b799e047cbb5f99c9cd6ca5432c14ea96708c9a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
+Date: Thu, 25 Dec 2014 20:20:56 +0100
+Subject: [PATCH] Be a little bit fuzzy in test suite
+
+Avoid a test failure due to 1e-6 dispersion.
+
+Forwarded: no
+---
+ tests/validate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/validate.c b/tests/validate.c
+index d2d9ce6..1392502 100644
+--- a/tests/validate.c
++++ b/tests/validate.c
+@@ -588,7 +588,7 @@ static unsigned long ValidateImageFormatsInMemory(ImageInfo *image_info,
+ #endif
+ if (reference_image->colorspace != RGBColorspace)
+ fuzz+=0.3;
+- fuzz+=MagickEpsilon;
++ fuzz+=1e-5;
+ difference_image=CompareImageChannels(reference_image,reconstruct_image,
+ AllChannels,MeanSquaredErrorMetric,&distortion,exception);
+ reconstruct_image=DestroyImage(reconstruct_image);
+@@ -795,7 +795,7 @@ static unsigned long ValidateImageFormatsOnDisk(ImageInfo *image_info,
+ #endif
+ if (reference_image->colorspace != RGBColorspace)
+ fuzz+=0.3;
+- fuzz+=MagickEpsilon;
++ fuzz+=1e-5;
+ difference_image=CompareImageChannels(reference_image,reconstruct_image,
+ AllChannels,MeanSquaredErrorMetric,&distortion,exception);
+ reconstruct_image=DestroyImage(reconstruct_image);
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0051-Avoid-heap-overflow-in-rle-file.patch imagemagick-6.6.0.4/debian/patches/0051-Avoid-heap-overflow-in-rle-file.patch
--- imagemagick-6.6.0.4/debian/patches/0051-Avoid-heap-overflow-in-rle-file.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0051-Avoid-heap-overflow-in-rle-file.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,27 @@
+From 83811c02f0d3e979176b91fa2e74cdd337e3b7e8 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sun, 21 Dec 2014 21:04:29 +0000
+Subject: [PATCH] Avoid heap overflow in rle file
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17372 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17372
+---
+ coders/rle.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/rle.c b/coders/rle.c
+index 7998b46..d8f0dd4 100644
+--- a/coders/rle.c
++++ b/coders/rle.c
+@@ -263,7 +263,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ Read image colormaps.
+ */
+ colormap=(unsigned char *) AcquireQuantumMemory(number_colormaps,
+- map_length*sizeof(*colormap));
++ 3*map_length*sizeof(*colormap));
+ if (colormap == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ p=colormap;
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0052-Don-t-try-to-handle-a-previous-image-in-the-JNG-deco.patch imagemagick-6.6.0.4/debian/patches/0052-Don-t-try-to-handle-a-previous-image-in-the-JNG-deco.patch
--- imagemagick-6.6.0.4/debian/patches/0052-Don-t-try-to-handle-a-previous-image-in-the-JNG-deco.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0052-Don-t-try-to-handle-a-previous-image-in-the-JNG-deco.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,45 @@
+From e88bfc96dd4aae61fba91cb1f4189bdaf97c925a Mon Sep 17 00:00:00 2001
+From: glennrp <glennrp@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Thu, 20 Nov 2014 18:27:10 +0000
+Subject: [PATCH] Don't try to handle a "previous" image in the JNG decoder.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17078 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+http://trac.imagemagick.org/changeset/17078
+---
+ coders/png.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/coders/png.c b/coders/png.c
+index ba0b621..6c72cd1 100644
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -3697,8 +3697,7 @@ static Image *ReadOneJNGImage(MngInfo *mng_info,
+ static Image *ReadJNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ Image
+- *image,
+- *previous;
++ *image;
+
+ MagickBooleanType
+ status;
+@@ -3752,16 +3751,10 @@ static Image *ReadJNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ have_mng_structure=MagickTrue;
+
+ mng_info->image=image;
+- previous=image;
+ image=ReadOneJNGImage(mng_info,image_info,exception);
+ MngInfoFreeStruct(mng_info,&have_mng_structure);
+ if (image == (Image *) NULL)
+ {
+- if (IsImageObject(previous) != MagickFalse)
+- {
+- (void) CloseBlob(previous);
+- (void) DestroyImageList(previous);
+- }
+ if (logging != MagickFalse)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "exit ReadJNGImage() with error");
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0053-Avoid-heap-overflow.patch imagemagick-6.6.0.4/debian/patches/0053-Avoid-heap-overflow.patch
--- imagemagick-6.6.0.4/debian/patches/0053-Avoid-heap-overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0053-Avoid-heap-overflow.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,72 @@
+From e02ef0c28e495c3c38109c46de28229b51ce67d6 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sun, 14 Dec 2014 17:43:28 +0000
+Subject: [PATCH] Avoid heap overflow
+
+Avoid to allocate too much memory
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17210 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17210
+---
+ coders/fits.c | 2 +-
+ coders/pnm.c | 10 ++++++----
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/coders/fits.c b/coders/fits.c
+index 8f7829a..00d8283 100644
+--- a/coders/fits.c
++++ b/coders/fits.c
+@@ -648,7 +648,7 @@ static MagickBooleanType WriteFITSImage(const ImageInfo *image_info,
+ Initialize image header.
+ */
+ image->depth=GetImageQuantumDepth(image,MagickFalse);
+- quantum_info=AcquireQuantumInfo((const ImageInfo *) NULL,image);
++ quantum_info=AcquireQuantumInfo(image_info,image);
+ if (quantum_info == (QuantumInfo *) NULL)
+ ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
+ offset=0;
+diff --git a/coders/pnm.c b/coders/pnm.c
+index 23033d3..8021475 100644
+--- a/coders/pnm.c
++++ b/coders/pnm.c
+@@ -1850,7 +1850,7 @@ static MagickBooleanType WritePNMImage(const ImageInfo *image_info,Image *image)
+ Convert image to a PBM image.
+ */
+ image->depth=1;
+- quantum_info=AcquireQuantumInfo((const ImageInfo *) NULL,image);
++ quantum_info=AcquireQuantumInfo(image_info,image);
+ if (quantum_info == (QuantumInfo *) NULL)
+ ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
+ quantum_info->min_is_white=MagickTrue;
+@@ -1891,7 +1891,7 @@ static MagickBooleanType WritePNMImage(const ImageInfo *image_info,Image *image)
+ (void) FormatMagickString(buffer,MaxTextExtent,"%lu\n",(unsigned long)
+ GetQuantumRange(image->depth));
+ (void) WriteBlobString(image,buffer);
+- quantum_info=AcquireQuantumInfo((const ImageInfo *) NULL,image);
++ quantum_info=AcquireQuantumInfo(image_info,image);
+ if (quantum_info == (QuantumInfo *) NULL)
+ ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
+ quantum_info->min_is_white=MagickTrue;
+@@ -1973,7 +1973,7 @@ static MagickBooleanType WritePNMImage(const ImageInfo *image_info,Image *image)
+ (void) FormatMagickString(buffer,MaxTextExtent,"%lu\n",(unsigned long)
+ GetQuantumRange(image->depth));
+ (void) WriteBlobString(image,buffer);
+- quantum_info=AcquireQuantumInfo((const ImageInfo *) NULL,image);
++ quantum_info=AcquireQuantumInfo(image_info,image);
+ if (quantum_info == (QuantumInfo *) NULL)
+ ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
+ pixels=GetQuantumPixels(quantum_info);
+@@ -2055,7 +2055,9 @@ static MagickBooleanType WritePNMImage(const ImageInfo *image_info,Image *image)
+ */
+ if (image->depth > 16)
+ image->depth=16;
+- quantum_info=AcquireQuantumInfo((const ImageInfo *) NULL,image);
++ quantum_info=AcquireQuantumInfo((const ImageInfo *) image_info,image);
++ if (quantum_info == (QuantumInfo *) NULL)
++ ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
+ pixels=GetQuantumPixels(quantum_info);
+ range=GetQuantumRange(image->depth);
+ for (y=0; y < (long) image->rows; y++)
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0054-Create-IsValidColormapIndex-function.patch imagemagick-6.6.0.4/debian/patches/0054-Create-IsValidColormapIndex-function.patch
--- imagemagick-6.6.0.4/debian/patches/0054-Create-IsValidColormapIndex-function.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0054-Create-IsValidColormapIndex-function.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,41 @@
+From 2c9ae3e9b18301cb5006beadd6535eed8207433c Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sun, 21 Dec 2014 23:32:33 +0000
+Subject: [PATCH] Create IsValidColormapIndex function
+
+This function will be used to avoid a memory leak in rle.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17379 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17379 and http://trac.imagemagick.org/changeset/17382
+---
+ magick/colormap-private.h | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/magick/colormap-private.h b/magick/colormap-private.h
+index 9a8539d..d7def77 100644
+--- a/magick/colormap-private.h
++++ b/magick/colormap-private.h
+@@ -36,6 +36,20 @@ static inline IndexPacket ConstrainColormapIndex(Image *image,
+ return((IndexPacket) 0);
+ }
+
++static inline MagickBooleanType IsValidColormapIndex(Image *image,
++ const ssize_t index,IndexPacket *target,ExceptionInfo *exception)
++{
++ if ((index < 0) || (index >= (ssize_t) image->colors))
++ {
++ (void) ThrowMagickException(exception,GetMagickModule(),CorruptImageError,
++ "InvalidColormapIndex","`%s'",image->filename);
++ *target=(IndexPacket) 0;
++ return(MagickFalse);
++ }
++ *target=(IndexPacket) index;
++ return(MagickTrue);
++}
++
+ #if defined(__cplusplus) || defined(c_plusplus)
+ }
+ #endif
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0055-Replaced-calls-to-ConstrainColormapIndex-with-IsVali.patch imagemagick-6.6.0.4/debian/patches/0055-Replaced-calls-to-ConstrainColormapIndex-with-IsVali.patch
--- imagemagick-6.6.0.4/debian/patches/0055-Replaced-calls-to-ConstrainColormapIndex-with-IsVali.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0055-Replaced-calls-to-ConstrainColormapIndex-with-IsVali.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,103 @@
+From 93676c92dad16d47101dc4aa7645cc1d00009d8f Mon Sep 17 00:00:00 2001
+From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Mon, 22 Dec 2014 01:26:10 +0000
+Subject: [PATCH] Replaced calls to ConstrainColormapIndex with
+ IsValidColormapIndex.
+
+Avoid a memory leak.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17385 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17385
+---
+ coders/rle.c | 32 +++++++++++++++++++++++++++-----
+ 1 file changed, 27 insertions(+), 5 deletions(-)
+
+diff --git a/coders/rle.c b/coders/rle.c
+index d8f0dd4..dc795ae 100644
+--- a/coders/rle.c
++++ b/coders/rle.c
+@@ -147,6 +147,9 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ Image
+ *image;
+
++ IndexPacket
++ index;
++
+ int
+ opcode,
+ operand,
+@@ -432,9 +435,6 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ } while (((opcode & 0x3f) != EOFOp) && (opcode != EOF));
+ if (number_colormaps != 0)
+ {
+- IndexPacket
+- index;
+-
+ MagickStatusType
+ mask;
+
+@@ -443,10 +443,13 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ */
+ mask=(MagickStatusType) (map_length-1);
+ p=rle_pixels;
++ x=(ssize_t) number_planes;
+ if (number_colormaps == 1)
+ for (i=0; i < (long) number_pixels; i++)
+ {
+- index=ConstrainColormapIndex(image,*p & mask);
++ if (IsValidColormapIndex(image,*p & mask,&index,exception) ==
++ MagickFalse)
++ break;
+ *p=colormap[index];
+ p++;
+ }
+@@ -455,10 +458,18 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ for (i=0; i < (long) number_pixels; i++)
+ for (x=0; x < (long) number_planes; x++)
+ {
+- index=ConstrainColormapIndex(image,x*map_length+(*p & mask));
++ if (IsValidColormapIndex(image,(size_t) (x*map_length+
++ (*p & mask)),&index,exception) == MagickFalse)
++ break;
+ *p=colormap[index];
+ p++;
+ }
++ if ((i < (ssize_t) number_pixels) || (x < (ssize_t) number_planes))
++ {
++ colormap=(unsigned char *) RelinquishMagickMemory(colormap);
++ rle_pixels=(unsigned char *) RelinquishMagickMemory(rle_pixels);
++ ThrowReaderException(CorruptImageError,"UnableToReadImageData");
++ }
+ }
+ /*
+ Initialize image structure.
+@@ -559,15 +570,26 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ break;
+ for (x=0; x < (long) image->columns; x++)
+ {
++ if (IsValidColormapIndex(image,*p++,&index,exception) ==
++ MagickFalse)
++ break;
+ q->red=image->colormap[(ssize_t)
+ ConstrainColormapIndex(image,*p++)].red;
++ if (IsValidColormapIndex(image,*p++,&index,exception) ==
++ MagickFalse)
++ break;
+ q->green=image->colormap[(ssize_t)
+ ConstrainColormapIndex(image,*p++)].green;
++ if (IsValidColormapIndex(image,*p++,&index,exception) ==
++ MagickFalse)
++ break;
+ q->blue=image->colormap[(ssize_t)
+ ConstrainColormapIndex(image,*p++)].blue;
+ q->opacity=(Quantum) (QuantumRange-ScaleCharToQuantum(*p++));
+ q++;
+ }
++ if (x < (ssize_t) image->columns)
++ break;
+ if (SyncAuthenticPixels(image,exception) == MagickFalse)
+ break;
+ if (image->previous == (Image *) NULL)
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0056-During-identification-of-image-do-not-fill-memory.patch imagemagick-6.6.0.4/debian/patches/0056-During-identification-of-image-do-not-fill-memory.patch
--- imagemagick-6.6.0.4/debian/patches/0056-During-identification-of-image-do-not-fill-memory.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0056-During-identification-of-image-do-not-fill-memory.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,37 @@
+From ae1a58d6503db1d0e050ad87475f5839d042c251 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Tue, 23 Dec 2014 01:25:22 +0000
+Subject: [PATCH] During identification of image do not fill memory
+
+This create a security risk (DOS) by filling all memory during identification of image.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17413 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17413
+---
+ coders/tiff.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 8d8f2c8..37051f2 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1029,6 +1029,16 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+ case COMPRESSION_ADOBE_DEFLATE: image->compression=ZipCompression; break;
+ default: image->compression=RLECompression; break;
+ }
++ if (image_info->ping == MagickFalse)
++ TIFFGetProfiles(tiff,image);
++ TIFFGetProperties(tiff,image);
++ option=GetImageOption(image_info,"tiff:exif-properties");
++ if ((option == (const char *) NULL) ||
++ (IsMagickTrue(option) != MagickFalse))
++ TIFFGetEXIFProperties(tiff,image);
++ /*
++ Allocate memory for the image and pixel buffer.
++ */
+ quantum_info=AcquireQuantumInfo(image_info,image);
+ if (quantum_info == (QuantumInfo *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0057-Fix-correctly-the-xpm-crash-problem.patch imagemagick-6.6.0.4/debian/patches/0057-Fix-correctly-the-xpm-crash-problem.patch
--- imagemagick-6.6.0.4/debian/patches/0057-Fix-correctly-the-xpm-crash-problem.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0057-Fix-correctly-the-xpm-crash-problem.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,62 @@
+From 6237f184423b1829df8d41a75d45b609db9c00bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
+Date: Mon, 29 Dec 2014 10:51:48 +0100
+Subject: [PATCH] Fix correctly the xpm crash problem
+
+The xpm crash was fixed but the xpm result was not correct (xpm file was destroyed).
+
+Fix correctly.
+
+Bug-Debian: https://bugs.debian.org/773980
+Origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773980#47 and http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26787&p=118367#p118368
+---
+ coders/xpm.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/coders/xpm.c b/coders/xpm.c
+index 07a3ded..914599b 100644
+--- a/coders/xpm.c
++++ b/coders/xpm.c
+@@ -154,9 +154,10 @@ static size_t CopyXPMColor(char *destination,const char *source,size_t length)
+ *p;
+
+ p=source;
+- while (--length && (*p != '\0'))
++ while (length-- && (*p != '\0'))
+ *destination++=(*p++);
+- *destination='\0';
++ if (length != 0)
++ *destination='\0';
+ return((size_t) (p-source));
+ }
+
+@@ -358,7 +359,7 @@ static Image *ReadXPMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ {
+ p=next;
+ next=NextXPMLine(p);
+- (void) CopyXPMColor(key,p,MagickMin((size_t) width,MaxTextExtent));
++ (void) CopyXPMColor(key,p,MagickMin((size_t) width,MaxTextExtent-1));
+ status=AddValueToSplayTree(xpm_colors,ConstantString(key),(void *) j);
+ /*
+ Parse color.
+@@ -373,7 +374,7 @@ static Image *ReadXPMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ break;
+ if (next != (char *) NULL)
+ (void) CopyXPMColor(target,q,MagickMin((size_t) (next-q),
+- MaxTextExtent));
++ MaxTextExtent-1));
+ else
+ (void) CopyMagickString(target,q,MaxTextExtent);
+ q=ParseXPMColor(target);
+@@ -408,7 +409,7 @@ static Image *ReadXPMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ indexes=GetAuthenticIndexQueue(image);
+ for (x=0; x < (long) image->columns; x++)
+ {
+- (void) CopyXPMColor(key,p,(size_t) width);
++ (void) CopyXPMColor(key,p,MagickMin(width,MaxTextExtent-1));
+ j=(long) GetValueFromSplayTree(xpm_colors,key);
+ if (image->storage_class == PseudoClass)
+ indexes[x]=(IndexPacket) j;
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/0058-Avoid-a-memory-leak-in-quantum-management.patch imagemagick-6.6.0.4/debian/patches/0058-Avoid-a-memory-leak-in-quantum-management.patch
--- imagemagick-6.6.0.4/debian/patches/0058-Avoid-a-memory-leak-in-quantum-management.patch 1970-01-01 01:00:00.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/0058-Avoid-a-memory-leak-in-quantum-management.patch 2015-05-16 02:00:33.000000000 +0200
@@ -0,0 +1,51 @@
+From a44b400f34260627ca73e3463f1cdd6dd22e4821 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
+Date: Tue, 30 Dec 2014 20:05:25 +0100
+Subject: [PATCH] Avoid a memory leak in quantum management
+
+Note that upstream magick/colormap-private.h patch is buggy and already applied in the patch queue.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17207 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17207 and http://trac.imagemagick.org/changeset/17228
+---
+ magick/quantum.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/magick/quantum.c b/magick/quantum.c
+index a282a0e..d3bab0e 100644
+--- a/magick/quantum.c
++++ b/magick/quantum.c
+@@ -46,6 +46,7 @@
+ #include "magick/exception.h"
+ #include "magick/exception-private.h"
+ #include "magick/cache.h"
++#include "magick/cache-private.h"
+ #include "magick/constitute.h"
+ #include "magick/delegate.h"
+ #include "magick/geometry.h"
+@@ -144,7 +145,7 @@ MagickExport QuantumInfo *AcquireQuantumInfo(const ImageInfo *image_info,
+ % %
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ %
+-% AcquireQuantumPixels() allocates the unsigned char structure.
++% AcquireQuantumPixels() allocates the pixel staging area.
+ %
+ % The format of the AcquireQuantumPixels method is:
+ %
+@@ -179,7 +180,12 @@ static MagickBooleanType AcquireQuantumPixels(QuantumInfo *quantum_info,
+ quantum_info->pixels[i]=(unsigned char *) AcquireQuantumMemory(extent+1,
+ sizeof(**quantum_info->pixels));
+ if (quantum_info->pixels[i] == (unsigned char *) NULL)
+- return(MagickFalse);
++ {
++ while (--i >= 0)
++ quantum_info->pixels[i]=(unsigned char *) RelinquishMagickMemory(
++ quantum_info->pixels[i]);
++ return(MagickFalse);
++ }
+ (void) ResetMagickMemory(quantum_info->pixels[i],0,(extent+1)*
+ sizeof(**quantum_info->pixels));
+ quantum_info->pixels[i][extent]=QuantumSignature;
+--
+2.1.4
+
diff -Nru imagemagick-6.6.0.4/debian/patches/series imagemagick-6.6.0.4/debian/patches/series
--- imagemagick-6.6.0.4/debian/patches/series 2014-11-22 19:16:12.000000000 +0100
+++ imagemagick-6.6.0.4/debian/patches/series 2015-05-16 02:00:33.000000000 +0200
@@ -4,6 +4,56 @@
0003-Fix-CVE-2012-1185-CVE-2012-1186-assignment-notificat.patch
0004-Fix-security-holes-JPEG-EXIF-TIFF.patch
0005-Fix-security-bug-for-special-crafted-EXIF-properties.patch
-0006-CVE-2014-1947-Fix-buffer-overflow-when-handling-PSD-images.patch
-0007-Prevent-buffer-overflow-in-messaging-system.patch
-0008-CVE-2014-8716-crafted-jpeg-file-could-lead-to-DOS.patch
+0006-CVE-2014-1947-Fix-buffer-overrun.patch
+0007-Prevent-buffer-overflow-in-messaging-system-CVE-2014.patch
+0008-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch
+0009-Fix-CVE-2012-3437-ImageMagick-Magick_png_malloc-size.patch
+0010-Memory-leak-after-setjmp-used-variable-need-to-be-vo.patch
+0011-Magick-fix-a-memory-leak.patch
+0012-Fix-last-value-in-dicom_info-and-added-missing-NULL-.patch
+0013-Fixed-buffer-overflow-in-PCX-reader.patch
+0014-Don-t-clone-a-0x0-image.patch
+0015-Quit-earlier-in-case-of-corrupted-pnm-image.patch
+0016-Prepare-next-patch-by-using-inline-function-instead-.patch
+0017-Do-not-crash-in-case-of-corrupted-pict-image.patch
+0018-Added-missing-calls-to-RelinquishUniqueFileResource.patch
+0019-Fix-a-double-free-in-pdb-coder.patch
+0020-Fix-handling-of-corrupted-dpc-and-xwd-image.patch
+0021-Bail-out-early-in-case-of-malformed-dpx-file.patch
+0022-Avoid-SEGV-in-malformed-xwd-file.patch
+0023-Avoid-a-NULL-dereference-in-ps-handling.patch
+0024-Avoid-out-of-bound-access-in-xwd-file-handling.patch
+0025-Fix-a-SEGV-with-corrupted-viff-image.patch
+0026-Fix-a-null-pointer-dereference-in-wpg-file-handling.patch
+0027-Do-not-continue-on-corrupted-wpg-file.patch
+0028-Avoid-a-out-of-bound-acess-in-viff-image.patch
+0029-Avoid-a-heap-buffer-overflow-in-pdb-file-handling.patch
+0030-Avoid-an-out-of-bound-acess-on-malformed-sun-file.patch
+0031-Prepare-security-fix.patch
+0032-Avoid-heap-overflow-in-palm-pnm-and-xpm-files.patch
+0033-Fix-heap-overflow-in-quantum.c-palm-image-handling-a.patch
+0034-Do-not-try-to-read-corrupted-sun-image.patch
+0035-Fix-corrupted-too-many-colors-psd-file.patch
+0036-Fix-out-of-bound-access-in-sun-image-handling.patch
+0037-Fix-handling-of-corrupted-sun-and-wpg-file.patch
+0038-Fix-heap-overflow-in-pcx-file-psd-pict-and-wpf-files.patch
+0039-Additional-PNM-sanity-checks.patch
+0040-Robustify-xmp-and-pnm-reader.patch
+0041-Detect-allocation-error-earlier.patch
+0042-Avoid-a-crash-in-coders-rle.c.patch
+0043-Avoid-an-overflow-in-ConstrainColormapIndex.patch
+0044-Avoid-an-out-of-bound-access-in-palm-file.patch
+0045-Fix-another-crash-in-pnm-and-xpm-parser.patch
+0046-Fix-another-out-of-bound-problem-in-rle-file.patch
+0047-Fix-crash-due-to-corrupted-dib-file.patch
+0048-Added-checks-to-prevent-overflow-in-rle-file.patch
+0049-Impose-a-limit-of-10-million-columns-or-rows-in-an-i.patch
+0050-Be-a-little-bit-fuzzy-in-test-suite.patch
+0051-Avoid-heap-overflow-in-rle-file.patch
+0052-Don-t-try-to-handle-a-previous-image-in-the-JNG-deco.patch
+0053-Avoid-heap-overflow.patch
+0054-Create-IsValidColormapIndex-function.patch
+0055-Replaced-calls-to-ConstrainColormapIndex-with-IsVali.patch
+0056-During-identification-of-image-do-not-fill-memory.patch
+0057-Fix-correctly-the-xpm-crash-problem.patch
+0058-Avoid-a-memory-leak-in-quantum-management.patch
Reply to: