Re: imagemagick

To: Brian May <bam@debian.org>
Cc: team@security.debian.org, debian-lts@lists.debian.org
Subject: Re: imagemagick
From: Luciano Bello <luciano@debian.org>
Date: Wed, 09 Mar 2016 22:49:55 +0100
Message-id: <[🔎] 1811533.gTroOtjBmr@box>
In-reply-to: <[🔎] 871t7lsmss.fsf@prune.linuxpenguins.xyz>
References: <[🔎] 87egbodva5.fsf@prune.linuxpenguins.xyz> <[🔎] 1809943.TWGfu1MPuV@box> <[🔎] 871t7lsmss.fsf@prune.linuxpenguins.xyz>

On Tuesday 08 March 2016 13.53.07 Brian May wrote:
> ...
> > Do you think is also possible to include the issues from
> > TEMP-0811308-B63DA1?
> 
> All but one of the patches fails to apply. Suspect this will be
> non-trivial to fix. It is possible that this means the vulnerability
> doesn't exist.
> 
> 
> Should I apply the
> 0071-Prevent-null-pointer-access-in-magick-constitute.c.patch patch?

I think is a good idea to add it. 

> It looks like it should be possible to massage
> 0072-Fixed-out-of-bounds-error-in-SpliceImage.patch into place too, as
> only the first hunk fails, and it just adds a new function.

I merge by hand the patches on top of the current jessie version. But this 
needs testing. Could you please apply them and test them all together with the 
other patches?

> [brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] 1 % patch -p1
> --dry-run <
> ../imagemagick-6.8.9.9/debian/patches/0069-Fixed-memory-leak-when-reading-i
> ncorrect-PSD-files.patch checking file coders/psd.c
> ...
> > Hunk #1 FAILED at 1521.
> 1 out of 1 hunk FAILED

check out the attached 0069... 

> [brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] 1 % patch -p1
> --dry-run <
> ../imagemagick-6.8.9.9/debian/patches/0070-Fix-PixelColor-off-by-one-on-i38
> 6.patch checking file coders/jpeg.c

Check the attached 0070..

> [brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] 1 % patch -p1
> --dry-run <
> ../imagemagick-6.8.9.9/debian/patches/0071-Prevent-null-pointer-access-in-m
> agick-constitute.c.patch checking file magick/constitute.c

0071... for completeness. 

> [brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] % patch -p1
> --dry-run <
> ../imagemagick-6.8.9.9/debian/patches/0072-Fixed-out-of-bounds-error-in-Spl
> iceImage.patch checking file magick/transform.c

the attached 0072... should work now.

> [brian:~/tree … eze-lts/imagemagick/imagemagick-6.7.7.10] 1 % patch -p1
> --dry-run <
> ../imagemagick-6.8.9.9/debian/patches/0073-Fixed-memory-leaks.patch

Check the attached 0073...

Hope this helps, luciano

--- a/magick/transform.c
+++ b/magick/transform.c
@@ -1733,6 +1733,7 @@ MagickExport Image *SpliceImage(const Im
     splice_geometry;
 
   ssize_t
+    columns,
     y;
 
   /*
@@ -1817,6 +1818,7 @@ MagickExport Image *SpliceImage(const Im
   */
   status=MagickTrue;
   progress=0;
+  columns=MagickMin(splice_geometry.x,(ssize_t) splice_image->columns);
   image_view=AcquireVirtualCacheView(image,exception);
   splice_view=AcquireAuthenticCacheView(splice_image,exception);
 #if defined(MAGICKCORE_OPENMP_SUPPORT)
@@ -1840,7 +1842,8 @@ MagickExport Image *SpliceImage(const Im
 
     if (status == MagickFalse)
       continue;
-    p=GetCacheViewVirtualPixels(image_view,0,y,image->columns,1,exception);
+    p=GetCacheViewVirtualPixels(image_view,0,y,splice_image->columns,1,
+      exception);
     q=QueueCacheViewAuthenticPixels(splice_view,0,y,splice_image->columns,1,
       exception);
     if ((p == (const PixelPacket *) NULL) || (q == (PixelPacket *) NULL))
@@ -1850,7 +1853,7 @@ MagickExport Image *SpliceImage(const Im
       }
     indexes=GetCacheViewAuthenticIndexQueue(image_view);
     splice_indexes=GetCacheViewAuthenticIndexQueue(splice_view);
-    for (x=0; x < splice_geometry.x; x++)
+    for (x=0; x < columns; x++)
     {
       SetPixelRed(q,GetPixelRed(p));
       SetPixelGreen(q,GetPixelGreen(p));
@@ -1918,10 +1921,10 @@ MagickExport Image *SpliceImage(const Im
 
     if (status == MagickFalse)
       continue;
-    p=GetCacheViewVirtualPixels(image_view,0,y-(ssize_t) splice_geometry.height,
-      image->columns,1,exception);
-    if ((y < 0) || (y >= (ssize_t) splice_image->rows))
+    if ((y < 0) || (y >= (ssize_t)splice_image->rows))
       continue;
+    p=GetCacheViewVirtualPixels(image_view,0,y-(ssize_t) splice_geometry.height,
+      splice_image->columns,1,exception);
     q=QueueCacheViewAuthenticPixels(splice_view,0,y,splice_image->columns,1,
       exception);
     if ((p == (const PixelPacket *) NULL) || (q == (PixelPacket *) NULL))
@@ -1931,7 +1934,7 @@ MagickExport Image *SpliceImage(const Im
       }
     indexes=GetCacheViewAuthenticIndexQueue(image_view);
     splice_indexes=GetCacheViewAuthenticIndexQueue(splice_view);
-    for (x=0; x < splice_geometry.x; x++)
+    for (x=0; x < columns; x++)
     {
       SetPixelRed(q,GetPixelRed(p));
       SetPixelGreen(q,GetPixelGreen(p));

--- a/coders/psd.c
+++ b/coders/psd.c
@@ -1521,8 +1521,10 @@ static MagickStatusType ReadPSDLayers(Im
             image->next=layer_info[0].image;
             layer_info[0].image->previous=image;
           }
+        layer_info=(LayerInfo *) RelinquishMagickMemory(layer_info);
       }
-      layer_info=(LayerInfo *) RelinquishMagickMemory(layer_info);
+      else
+        layer_info=DestroyLayerInfo(layer_info,number_layers);
     }
 
   return(status);

--- a/magick/cache.c
+++ b/magick/cache.c
@@ -3420,6 +3420,11 @@ static inline MagickOffsetType WritePixe
   const CacheInfo *restrict cache_info,const MagickOffsetType offset,
   const MagickSizeType length,const unsigned char *restrict buffer)
 {
+#if !defined(MAGICKCORE_HAVE_PWRITE)
+  MagickOffsetType
+    current_offset;
+#endif
+
   register MagickOffsetType
     i;
 
@@ -3427,6 +3432,9 @@ static inline MagickOffsetType WritePixe
     count;
 
 #if !defined(MAGICKCORE_HAVE_PWRITE)
+  current_offset=(MagickOffsetType) lseek(cache_info->file,0,SEEK_CUR);
+  if (current_offset < 0)
+    return((MagickOffsetType) -1);
   if (lseek(cache_info->file,offset,SEEK_SET) < 0)
     return((MagickOffsetType) -1);
 #endif
@@ -3447,6 +3455,10 @@ static inline MagickOffsetType WritePixe
           break;
       }
   }
+#if !defined(MAGICKCORE_HAVE_PWRITE)
+  if (lseek(cache_info->file,current_offset,SEEK_SET) < 0)
+    return((MagickOffsetType) -1);
+#endif
   return(i);
 }
 
@@ -4173,6 +4185,11 @@ static inline MagickOffsetType ReadPixel
   const CacheInfo *restrict cache_info,const MagickOffsetType offset,
   const MagickSizeType length,unsigned char *restrict buffer)
 {
+#if !defined(MAGICKCORE_HAVE_PREAD)
+  MagickOffsetType
+    current_offset;
+#endif
+
   register MagickOffsetType
     i;
 
@@ -4180,6 +4197,9 @@ static inline MagickOffsetType ReadPixel
     count;
 
 #if !defined(MAGICKCORE_HAVE_PREAD)
+  current_offset=(MagickOffsetType) lseek(cache_info->file,0,SEEK_CUR);
+  if (current_offset < 0)
+    return((MagickOffsetType) -1);
   if (lseek(cache_info->file,offset,SEEK_SET) < 0)
     return((MagickOffsetType) -1);
 #endif
@@ -4200,6 +4220,10 @@ static inline MagickOffsetType ReadPixel
           break;
       }
   }
+#if !defined(MAGICKCORE_HAVE_PREAD)
+  if (lseek(cache_info->file,current_offset,SEEK_SET) < 0)
+    return((MagickOffsetType) -1);
+#endif
   return(i);
 }
 
@@ -4394,6 +4418,8 @@ static MagickBooleanType ReadPixelCacheP
     return(MagickTrue);
   offset=(MagickOffsetType) nexus_info->region.y*cache_info->columns+
     nexus_info->region.x;
+  if ((offset/cache_info->columns) != (MagickOffsetType) nexus_info->region.y)
+     return(MagickFalse);
   length=(MagickSizeType) nexus_info->region.width*sizeof(PixelPacket);
   rows=nexus_info->region.height;
   extent=length*rows;
--- a/magick/color.c
+++ b/magick/color.c
@@ -2729,20 +2729,22 @@ MagickExport MagickBooleanType QueryMagi
       else
         {
           if ((flags & PercentValue) != 0)
-            scale=(MagickRealType) (QuantumRange/100.0);
+            scale=(double) (QuantumRange/100.0);
           if ((flags & RhoValue) != 0)
-            color->red=(MagickRealType) ClampToQuantum(scale*geometry_info.rho);
+            color->red=(MagickRealType) ClampToQuantum((MagickRealType)
+              floor(scale*geometry_info.rho));
           if ((flags & SigmaValue) != 0)
-            color->green=(MagickRealType) ClampToQuantum(scale*
-              geometry_info.sigma);
+            color->green=(MagickRealType) ClampToQuantum((MagickRealType)
+              floor(scale*geometry_info.sigma));
           if ((flags & XiValue) != 0)
-            color->blue=(MagickRealType) ClampToQuantum(scale*geometry_info.xi);
+            color->blue=(MagickRealType) ClampToQuantum((MagickRealType)
+              floor(scale*geometry_info.xi));
           color->opacity=(MagickRealType) OpaqueOpacity;
           if ((flags & PsiValue) != 0)
             {
               if (color->colorspace == CMYKColorspace)
-                color->index=(MagickRealType) ClampToQuantum(scale*
-                  geometry_info.psi);
+                color->index=(MagickRealType) ClampToQuantum((MagickRealType)
+                  floor(scale*geometry_info.psi));
               else
                 if (color->matte != MagickFalse)
                   color->opacity=(MagickRealType) ClampToQuantum(
@@ -2755,11 +2757,11 @@ MagickExport MagickBooleanType QueryMagi
           if (color->colorspace == LabColorspace)
             {
               if ((flags & SigmaValue) != 0)
-                color->green=(MagickRealType) ClampToQuantum(scale*
-                  geometry_info.sigma+(QuantumRange+1)/2.0);
+                color->green=(MagickRealType) ClampToQuantum((MagickRealType)
+                  floor(scale*geometry_info.sigma+(QuantumRange+1)/2.0));
               if ((flags & XiValue) != 0)
-                color->blue=(MagickRealType) ClampToQuantum(scale*
-                  geometry_info.xi+(QuantumRange+1)/2.0);
+                color->blue=(MagickRealType) ClampToQuantum((MagickRealType)
+                  floor(scale*geometry_info.xi+(QuantumRange+1)/2.0));
             }
           if (LocaleCompare(colorspace,"gray") == 0)
             {
--- a/magick/identify.c
+++ b/magick/identify.c
@@ -455,11 +455,13 @@ static ssize_t PrintChannelStatistics(FI
 
   if (channel == AlphaChannel)
     {
-      n=FormatLocaleFile(file,StatisticsFormat,name,ClampToQuantum(scale*
-        (QuantumRange-channel_statistics[channel].maxima)),
-        (QuantumRange-channel_statistics[channel].maxima)/(double) QuantumRange,
-        ClampToQuantum(scale*(QuantumRange-channel_statistics[channel].minima)),
-        (QuantumRange-channel_statistics[channel].minima)/(double) QuantumRange,
+      n=FormatLocaleFile(file,StatisticsFormat,name,ClampToQuantum(
+        (MagickRealType) floor(scale*(QuantumRange-
+        channel_statistics[channel].maxima))),(QuantumRange-
+        channel_statistics[channel].maxima)/(double) QuantumRange,
+        ClampToQuantum((MagickRealType) floor(scale*(QuantumRange-
+        channel_statistics[channel].minima))),(QuantumRange-
+        channel_statistics[channel].minima)/(double) QuantumRange,
         scale*(QuantumRange-channel_statistics[channel].mean),(QuantumRange-
         channel_statistics[channel].mean)/(double) QuantumRange,scale*
         channel_statistics[channel].standard_deviation,
@@ -468,13 +470,13 @@ static ssize_t PrintChannelStatistics(FI
         channel_statistics[channel].skewness);
       return(n);
     }
-  n=FormatLocaleFile(file,StatisticsFormat,name,ClampToQuantum(scale*
-    channel_statistics[channel].minima),channel_statistics[channel].minima/
-    (double) QuantumRange,ClampToQuantum(scale*
-    channel_statistics[channel].maxima),channel_statistics[channel].maxima/
-    (double) QuantumRange,scale*channel_statistics[channel].mean,
-    channel_statistics[channel].mean/(double) QuantumRange,scale*
-    channel_statistics[channel].standard_deviation,
+  n=FormatLocaleFile(file,StatisticsFormat,name,ClampToQuantum((MagickRealType)
+    floor(scale*channel_statistics[channel].minima)),
+    channel_statistics[channel].minima/(double) QuantumRange,ClampToQuantum(
+    (MagickRealType) (scale*channel_statistics[channel].maxima)),
+    channel_statistics[channel].maxima/(double) QuantumRange,scale*
+    channel_statistics[channel].mean,channel_statistics[channel].mean/(double)
+    QuantumRange,scale*channel_statistics[channel].standard_deviation,
     channel_statistics[channel].standard_deviation/(double) QuantumRange,
     channel_statistics[channel].kurtosis,channel_statistics[channel].skewness);
   return(n);

--- a/magick/constitute.c
+++ b/magick/constitute.c
@@ -1299,7 +1299,14 @@ MagickExport MagickBooleanType WriteImag
   sans_exception=DestroyExceptionInfo(sans_exception);
   p=images;
   for ( ; GetNextImageInList(p) != (Image *) NULL; p=GetNextImageInList(p))
-    if (p->scene >= GetNextImageInList(p)->scene)
+  {
+    register Image
+      *next;
+    
+    next=GetNextImageInList(p);
+    if (next == (Image *) NULL)
+      break;
+    if (p->scene >= next->scene)
       {
         register ssize_t
           i;
@@ -1312,6 +1319,7 @@ MagickExport MagickBooleanType WriteImag
           p->scene=(size_t) i++;
         break;
       }
+  }
   /*
     Write images.
   */

--- a/magick/nt-base.c
+++ b/magick/nt-base.c
@@ -1107,6 +1107,7 @@ static int NTGhostscriptGetString(const
             directory,DirectorySeparator);
           if (IsPathAccessible(buffer) != MagickFalse)
             {
+              directory=DestroyString(directory);
               (void) CopyMagickString(value,buffer,length);
               if (is_64_bit != NULL)
                 *is_64_bit=FALSE;
@@ -1116,6 +1117,7 @@ static int NTGhostscriptGetString(const
             directory,DirectorySeparator);
           if (IsPathAccessible(buffer) != MagickFalse)
             {
+              directory=DestroyString(directory);
               (void) CopyMagickString(value,buffer,length);
               if (is_64_bit != NULL)
                 *is_64_bit=TRUE;
--- a/magick/utility.c
+++ b/magick/utility.c
@@ -1817,6 +1817,7 @@ MagickPrivate MagickBooleanType ShredFil
       /*
         Don't shred the file, just remove it.
       */
+      passes=DestroyString(passes);
       status=remove_utf8(path);
       if (status == -1)
         return(MagickFalse);
@@ -1828,6 +1829,7 @@ MagickPrivate MagickBooleanType ShredFil
       /*
         Don't shred the file, just remove it.
       */
+      passes=DestroyString(passes);
       status=remove_utf8(path);
       return(MagickFalse);
     }
@@ -1877,7 +1879,8 @@ MagickPrivate MagickBooleanType ShredFil
   }
   status=close(file);
   status=remove_utf8(path);
-  if (status == -1)
-    return(MagickFalse);
-  return(i < (ssize_t) StringToInteger(passes) ? MagickFalse : MagickTrue);
+  if (status != -1)
+    status=StringToInteger(passes);
+  passes=DestroyString(passes);
+  return((status == -1 || i < (ssize_t) status) ? MagickFalse : MagickTrue);
 }

Reply to:

Follow-Ups:
- Re: imagemagick
  - From: Brian May <bam@debian.org>

References:
- imagemagick
  - From: Brian May <brian@linuxpenguins.xyz>
- Re: imagemagick
  - From: Luciano Bello <luciano@debian.org>
- Re: imagemagick
  - From: Brian May <bam@debian.org>

Prev by Date: Re: imagemagick
Next by Date: Re: imagemagick
Previous by thread: Re: imagemagick
Next by thread: Re: imagemagick
Index(es):
- Date
- Thread