
Re: imagemagick



Brian May <bam@debian.org> writes:

> However, it looks like version -5.1 (see below) has some non-security
> related changes that might not be appropriate for Jessie, so not yet
> decided. I will investigate further and report here.

Here is my attempt at a Jessie security update. It takes all security
fixes straight from the Sid version. It seems to build fine on i386, and
I will test amd64 shortly.


diff -Nru imagemagick-6.8.9.9/debian/changelog imagemagick-6.8.9.9/debian/changelog
--- imagemagick-6.8.9.9/debian/changelog	2014-12-29 21:53:11.000000000 +1100
+++ imagemagick-6.8.9.9/debian/changelog	2016-03-10 12:19:45.000000000 +1100
@@ -1,3 +1,36 @@
+imagemagick (8:6.8.9.9-5+deb8u1) jessie-security; urgency=high
+
+  * Port all security patches from 8:6.8.9.9-7.
+  * Fix various minor security issues 
+    - Fix an integer overflow that can lead to a buffer overrun
+      in the icon parsing code (LP: #1459747, closes: #806441)
+    - Fix an integer overflow that can lead to a double free in
+      pict parsing (LP: #1448803, closes: #806441).
+    - Memory Leak while handle psd file (closes: #811308)
+      http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28791
+    - IM 6.9.2 crash with some PNG (closes: #811308, LP: #1492881)
+      http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466
+    - Null pointer access in magick/constitute.c (closes: #811308)
+      https://github.com/ImageMagick/ImageMagick/pull/34
+    - PixelColor off by one on i386 (closes: #811308)
+      https://github.com/ImageMagick/ImageMagick/issues/54
+    - Fixed other memory leaks (closes: #811308)
+  * Fix build on mips by printing progress (Closes: #770009).
+  * Fix a few security bugs: (closes: #799524)
+    - A DOS on specially crafted MIFF file (TEMP-0000000-FDAC72).
+    - A DOS on specially crafted Vicar file (TEMP-0000000-EEF23C).
+    - A DOS on specially crafted HDR file (TEMP-0000000-7C079F).
+    - A DOS on specially crafted PDB file (TEMP-0000000-2FC21E).
+    - Avoid a null pointer dereference in JNG decoder.
+    - Avoid a DOS for RLE file.
+    - Avoid double free on TGA file.
+    - Avoid a bufer overflow by using field limit in sprintf.
+    - Avoid a stack overflow in fx handling.
+  * Replace density of 1 for JPEG by unknown working around
+    a TeX bug (Closes: #763799).
+
+ -- Brian May <bam@debian.org>  Thu, 10 Mar 2016 12:12:49 +1100
+
 imagemagick (8:6.8.9.9-5) unstable; urgency=high
 
   * Fix incorrect fix for xpm security problem.
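Review bot: the entry "Avoid a bufer overflow by using field limit in sprintf" has a typo ("bufer") and names the wrong function, since patch 0065 in this debdiff is titled "Add field width to sscanf() to prevent buffer overflow". Two further items are not security fixes ("Fix build on mips by printing progress" and "Replace density of 1 for JPEG by unknown"), which does not match "Port all security patches" for a jessie-security upload; drop them or justify them in the entry. There is also trailing whitespace after "Fix various minor security issues".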
diff -Nru imagemagick-6.8.9.9/debian/patches/0057-Fix-a-miff-security-bug.patch imagemagick-6.8.9.9/debian/patches/0057-Fix-a-miff-security-bug.patch
--- imagemagick-6.8.9.9/debian/patches/0057-Fix-a-miff-security-bug.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0057-Fix-a-miff-security-bug.patch	2016-03-10 12:11:20.000000000 +1100
@@ -0,0 +1,69 @@
+From 75657e1145de7d6904fd67f4f235bbeec652ad3b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
+Date: Fri, 31 Jul 2015 19:08:37 +0200
+Subject: [PATCH] Fix a miff security bug
+
+Specially crafted MIFF file could lead to DOS by using excessive CPU.
+
+Fix TEMP-0000000-FDAC72
+
+origin: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26931
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17854 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+---
+ coders/miff.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/coders/miff.c b/coders/miff.c
+index a55879a..958ab46 100644
+--- a/coders/miff.c
++++ b/coders/miff.c
+@@ -1405,6 +1405,9 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+           bzip_info.avail_out=(unsigned int) (packet_size*image->columns);
+           do
+           {
++            int
++              code;
++
+             if (bzip_info.avail_in == 0)
+               {
+                 bzip_info.next_in=(char *) compress_pixels;
+@@ -1414,7 +1417,13 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+                 bzip_info.avail_in=(unsigned int) ReadBlob(image,length,
+                   (unsigned char *) bzip_info.next_in);
+               }
+-            if (BZ2_bzDecompress(&bzip_info) == BZ_STREAM_END)
++            code=BZ2_bzDecompress(&bzip_info);
++            if (code < 0)
++              {
++                status=MagickFalse;
++                break;
++              }
++            if (code == BZ_STREAM_END)
+               break;
+           } while (bzip_info.avail_out != 0);
+           (void) ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
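Review bot: in the bzip loop the value returned by ReadBlob() is still stored in bzip_info.avail_in without an end-of-file check, so on a truncated file the loop only ends if BZ2_bzDecompress() reports a negative code when it has no input left. Please confirm that it does, or break out explicitly when ReadBlob() returns nothing, since the commit message is about excessive CPU use.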
+@@ -1461,6 +1470,9 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+           zip_info.avail_out=(uInt) (packet_size*image->columns);
+           do
+           {
++            int
++              code;
++
+             if (zip_info.avail_in == 0)
+               {
+                 zip_info.next_in=compress_pixels;
+@@ -1470,7 +1482,13 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+                 zip_info.avail_in=(unsigned int) ReadBlob(image,length,
+                   zip_info.next_in);
+               }
+-            if (inflate(&zip_info,Z_SYNC_FLUSH) == Z_STREAM_END)
++            code=inflate(&zip_info,Z_SYNC_FLUSH);
++            if (code < 0)
++              {
++                status=MagickFalse;
++                break;
++              }
++            if (code == Z_STREAM_END)
+               break;
+           } while (zip_info.avail_out != 0);
+           (void) ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
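Review bot: the new code < 0 branch sets status=MagickFalse and then breaks, but that break only leaves the do/while, so the ImportQuantumPixels() call on the next context line still runs on a partly filled pixel buffer. Check status right after the loop, or confirm the enclosing row loop does, before importing. The same applies to the bzip branch above.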
diff -Nru imagemagick-6.8.9.9/debian/patches/0058-Fix-a-DOS-in-viccar-file-handling.patch imagemagick-6.8.9.9/debian/patches/0058-Fix-a-DOS-in-viccar-file-handling.patch
--- imagemagick-6.8.9.9/debian/patches/0058-Fix-a-DOS-in-viccar-file-handling.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0058-Fix-a-DOS-in-viccar-file-handling.patch	2016-03-10 12:11:28.000000000 +1100
@@ -0,0 +1,26 @@
+From aa2bed6c629866065a6e4ad47563e6152cc4bd41 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sun, 25 Jan 2015 17:31:57 +0000
+Subject: [PATCH] Fix a DOS in viccar file handling
+
+The current code does not check for EOF condition leading to infinite loop
+
+origin: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26933
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17856 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+---
+ coders/vicar.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/vicar.c b/coders/vicar.c
+index 78b4732..9a148a0 100644
+--- a/coders/vicar.c
++++ b/coders/vicar.c
+@@ -275,6 +275,8 @@ static Image *ReadVICARImage(const ImageInfo *image_info,
+   while (count < (ssize_t) length)
+   {
+     c=ReadBlobByte(image);
++    if (c == EOF)
++      break;
+     count++;
+   }
+   if ((image->columns == 0) || (image->rows == 0))
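Review bot: the added if (c == EOF) break; stops the spin, but it leaves count below length and falls through to the columns/rows check as if the header padding had been skipped completely. Consider raising a CorruptImageError for unexpected end of file at that point so a truncated VICAR header is rejected rather than parsed further.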
diff -Nru imagemagick-6.8.9.9/debian/patches/0059-Fix-a-DOS-in-HDR-file.patch imagemagick-6.8.9.9/debian/patches/0059-Fix-a-DOS-in-HDR-file.patch
--- imagemagick-6.8.9.9/debian/patches/0059-Fix-a-DOS-in-HDR-file.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0059-Fix-a-DOS-in-HDR-file.patch	2016-03-10 12:11:33.000000000 +1100
@@ -0,0 +1,74 @@
+From 36132fa46fc18445f48a36be50473921d1aa7f93 Mon Sep 17 00:00:00 2001
+From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sun, 25 Jan 2015 07:32:56 +0000
+Subject: [PATCH] Fix a DOS in HDR file
+
+Fixed infinite loop and added checks for the sscanf result.
+
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17846 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+origin: http://trac.imagemagick.org/changeset/17846
+---
+ coders/hdr.c | 36 ++++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+diff --git a/coders/hdr.c b/coders/hdr.c
+index 393dc89..5c3414f 100644
+--- a/coders/hdr.c
++++ b/coders/hdr.c
+@@ -274,7 +274,7 @@ static Image *ReadHDRImage(const ImageInfo *image_info,ExceptionInfo *exception)
+           if (value_expected == MagickFalse)
+             continue;
+           p=value;
+-          while ((c != '\n') && (c != '\0'))
++          while ((c != '\n') && (c != '\0') && (c != EOF))
+           {
+             if ((size_t) (p-value) < (MaxTextExtent-1))
+               *p++=c;
+@@ -319,18 +319,20 @@ static Image *ReadHDRImage(const ImageInfo *image_info,ExceptionInfo *exception)
+                     chromaticity[6],
+                     white_point[2];
+ 
+-                  (void) sscanf(value,"%g %g %g %g %g %g %g %g",
+-                    &chromaticity[0],&chromaticity[1],&chromaticity[2],
+-                    &chromaticity[3],&chromaticity[4],&chromaticity[5],
+-                    &white_point[0],&white_point[1]);
+-                  image->chromaticity.red_primary.x=chromaticity[0];
+-                  image->chromaticity.red_primary.y=chromaticity[1];
+-                  image->chromaticity.green_primary.x=chromaticity[2];
+-                  image->chromaticity.green_primary.y=chromaticity[3];
+-                  image->chromaticity.blue_primary.x=chromaticity[4];
+-                  image->chromaticity.blue_primary.y=chromaticity[5];
+-                  image->chromaticity.white_point.x=white_point[0],
+-                  image->chromaticity.white_point.y=white_point[1];
++                  if (sscanf(value,"%g %g %g %g %g %g %g %g",&chromaticity[0],
++                      &chromaticity[1],&chromaticity[2],&chromaticity[3],
++                      &chromaticity[4],&chromaticity[5],&white_point[0],
++                      &white_point[1]) == 8)
++                    {
++                      image->chromaticity.red_primary.x=chromaticity[0];
++                      image->chromaticity.red_primary.y=chromaticity[1];
++                      image->chromaticity.green_primary.x=chromaticity[2];
++                      image->chromaticity.green_primary.y=chromaticity[3];
++                      image->chromaticity.blue_primary.x=chromaticity[4];
++                      image->chromaticity.blue_primary.y=chromaticity[5];
++                      image->chromaticity.white_point.x=white_point[0],
++                      image->chromaticity.white_point.y=white_point[1];
++                    }
+                   break;
+                 }
+               (void) FormatLocaleString(tag,MaxTextExtent,"hdr:%s",keyword);
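Review bot: the re-indented assignment image->chromaticity.white_point.x=white_point[0], still ends with a comma instead of a semicolon. It works as a comma expression, but since the line is being rewritten anyway, make it a semicolon.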
+@@ -346,9 +348,11 @@ static Image *ReadHDRImage(const ImageInfo *image_info,ExceptionInfo *exception)
+                     height,
+                     width;
+ 
+-                  (void) sscanf(value,"%d +X %d",&height,&width);
+-                  image->columns=(size_t) width;
+-                  image->rows=(size_t) height;
++                  if (sscanf(value,"%d +X %d",&height,&width) == 2)
++                    {
++                      image->columns=(size_t) width;
++                      image->rows=(size_t) height;
++                    }
+                   break;
+                 }
+               (void) FormatLocaleString(tag,MaxTextExtent,"hdr:%s",keyword);
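Review bot: in the "%d +X %d" block the == 2 check covers a failed parse, but height and width are signed int values cast straight to size_t, so a negative number in the file becomes a very large image->rows or image->columns. Reject values that are zero or negative inside the new block. When the parse fails the assignment is now skipped silently, so also confirm that the reader rejects an image whose dimensions were never set.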
diff -Nru imagemagick-6.8.9.9/debian/patches/0060-Fix-a-DOS-in-PDB-file-handling.patch imagemagick-6.8.9.9/debian/patches/0060-Fix-a-DOS-in-PDB-file-handling.patch
--- imagemagick-6.8.9.9/debian/patches/0060-Fix-a-DOS-in-PDB-file-handling.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0060-Fix-a-DOS-in-PDB-file-handling.patch	2016-03-10 12:11:41.000000000 +1100
@@ -0,0 +1,36 @@
+From 13fe49da6e584b8ae8a06095b2d1db0af5a81b13 Mon Sep 17 00:00:00 2001
+From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
+Date: Sun, 25 Jan 2015 17:29:48 +0000
+Subject: [PATCH] Fix a DOS in PDB file handling
+
+Avoid an infinite loop by checking EOF.
+
+http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26932
+
+origin: http://trac.imagemagick.org/changeset/17855
+git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17855 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
+---
+ coders/pdb.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/coders/pdb.c b/coders/pdb.c
+index af6bfec..914d4c3 100644
+--- a/coders/pdb.c
++++ b/coders/pdb.c
+@@ -370,7 +370,15 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
+         ThrowReaderException(CorruptImageError,"CorruptImage");
+     }
+   num_pad_bytes = (size_t) (img_offset - TellBlob( image ));
+-  while (num_pad_bytes--) ReadBlobByte( image );
++  while (num_pad_bytes-- != 0)
++  {
++    int
++      c;
++
++    c=ReadBlobByte(image);
++    if (c == EOF)
++      break;
++  }
+   /*
+     Read image header.
+   */
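Review bot: num_pad_bytes is computed as (size_t) (img_offset - TellBlob( image )) on the context line above the loop, so an img_offset that lies before the current position wraps to a huge count and the loop then reads byte by byte until EOF. Validate that img_offset is not behind TellBlob() and throw CorruptImage, and treat EOF inside the padding loop as a corrupt file rather than carrying on to "Read image header".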
diff -Nru imagemagick-6.8.9.9/debian/patches/0061-Avoid-using-NULL-alpha_image-in-the-JNG-decoder.patch imagemagick-6.8.9.9/debian/patches/0061-Avoid-using-NULL-alpha_image-in-the-JNG-decoder.patch
--- imagemagick-6.8.9.9/debian/patches/0061-Avoid-using-NULL-alpha_image-in-the-JNG-decoder.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0061-Avoid-using-NULL-alpha_image-in-the-JNG-decoder.patch	2016-03-10 12:11:41.000000000 +1100
@@ -0,0 +1,67 @@
+From c987f85c86ac553d832b08e3f21dfbb166c4ee7d Mon Sep 17 00:00:00 2001
+From: glennrp <glennrp@git.imagemagick.org>
+Date: Thu, 9 Apr 2015 16:51:44 +0000
+Subject: [PATCH] Avoid using NULL alpha_image in the JNG decoder.
+
+Avoid a NULL pointer dereference
+
+Applied-upstream:  6.9.1.2
+---
+ coders/png.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/coders/png.c b/coders/png.c
+index ed6d613..c8c4568 100644
+--- a/coders/png.c
++++ b/coders/png.c
+@@ -4367,7 +4367,7 @@ static Image *ReadOneJNGImage(MngInfo *mng_info,
+ 
+         /* Copy IDAT header and chunk data to alpha_image->blob */
+ 
+-        if (image_info->ping == MagickFalse)
++        if (alpha_image != NULL && image_info->ping == MagickFalse)
+           {
+             if (logging != MagickFalse)
+               (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+@@ -4392,7 +4392,7 @@ static Image *ReadOneJNGImage(MngInfo *mng_info,
+       {
+         /* Copy chunk data to alpha_image->blob */
+ 
+-        if (image_info->ping == MagickFalse)
++        if (alpha_image != NULL && image_info->ping == MagickFalse)
+           {
+             if (logging != MagickFalse)
+               (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+@@ -4826,8 +4826,7 @@ static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
+     page_geometry[MaxTextExtent];
+ 
+   Image
+-    *image,
+-    *previous;
++    *image;
+ 
+   MagickBooleanType
+     logging,
+@@ -6291,7 +6290,6 @@ static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
+           ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+       }
+ 
+-    previous=image;
+     mng_info->image=image;
+     mng_info->mng_type=mng_type;
+     mng_info->object_id=object_id;
+@@ -6306,11 +6304,9 @@ static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ 
+     if (image == (Image *) NULL)
+       {
+-        if (IsImageObject(previous) != MagickFalse)
+-          {
+-            (void) DestroyImageList(previous);
+-            (void) CloseBlob(previous);
+-          }
++        if (logging != MagickFalse)
++          (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++            "exit ReadJNGImage() with error");
+ 
+         MngInfoFreeStruct(mng_info,&have_mng_structure);
+         return((Image *) NULL);
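Review bot: the last hunk removes the DestroyImageList(previous)/CloseBlob(previous) cleanup on the image == NULL path, which the commit message ("Avoid a NULL pointer dereference") does not explain. State in the patch header whether the callee now releases the image on failure, otherwise this path looks like a leak. The replacement log line says "exit ReadJNGImage() with error" although the hunk header places it in ReadMNGImage().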
diff -Nru imagemagick-6.8.9.9/debian/patches/0062-Jpeg-images-no-longer-have-pixels-per-inch-as-a-defa.patch imagemagick-6.8.9.9/debian/patches/0062-Jpeg-images-no-longer-have-pixels-per-inch-as-a-defa.patch
--- imagemagick-6.8.9.9/debian/patches/0062-Jpeg-images-no-longer-have-pixels-per-inch-as-a-defa.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0062-Jpeg-images-no-longer-have-pixels-per-inch-as-a-defa.patch	2016-03-10 12:11:41.000000000 +1100
@@ -0,0 +1,32 @@
+From 1697553b33407927669f173dfd8c815cf0f113e1 Mon Sep 17 00:00:00 2001
+From: dirk <dirk@git.imagemagick.org>
+Date: Mon, 11 May 2015 11:02:38 +0000
+Subject: [PATCH] Jpeg images no longer have pixels per inch as a default value
+ for density units when the density is not set.
+
+Debian-bug: https://bugs.debian.org/763799
+Applied-upstream: 6.9.1.3
+---
+ coders/jpeg.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/coders/jpeg.c b/coders/jpeg.c
+index 2263eaf..d1310f6 100644
+--- a/coders/jpeg.c
++++ b/coders/jpeg.c
+@@ -2155,7 +2155,6 @@ static MagickBooleanType WriteJPEGImage(const ImageInfo *image_info,
+     jpeg_info.data_precision=8;
+   else
+     jpeg_info.data_precision=BITS_IN_JSAMPLE;
+-  jpeg_info.density_unit=1;
+   if (image->debug != MagickFalse)
+     (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+       "Image resolution: %.20g,%.20g",floor(image->x_resolution+0.5),
+@@ -2171,7 +2170,6 @@ static MagickBooleanType WriteJPEGImage(const ImageInfo *image_info,
+       /*
+         Set image resolution units.
+       */
+-      jpeg_info.density_unit=(UINT8) 0;
+       if (image->units == PixelsPerInchResolution)
+         jpeg_info.density_unit=(UINT8) 1;
+       if (image->units == PixelsPerCentimeterResolution)
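Review bot: this is a behaviour change rather than a security fix, so it needs a justification for jessie-security beyond the Debian-bug reference. With both jpeg_info.density_unit=1 and the (UINT8) 0 reset removed, the field is only written in the two if branches left as context; note in the patch header where the value for images with undefined units now comes from.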
diff -Nru imagemagick-6.8.9.9/debian/patches/0063-Add-an-additional-check-for-end-of-file-for-the-RLE-.patch imagemagick-6.8.9.9/debian/patches/0063-Add-an-additional-check-for-end-of-file-for-the-RLE-.patch
--- imagemagick-6.8.9.9/debian/patches/0063-Add-an-additional-check-for-end-of-file-for-the-RLE-.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0063-Add-an-additional-check-for-end-of-file-for-the-RLE-.patch	2016-03-10 12:11:41.000000000 +1100
@@ -0,0 +1,48 @@
+From 0c7c348630121b7ed156bc6542e4f165bbe1a0be Mon Sep 17 00:00:00 2001
+From: cristy <urban-warrior@git.imagemagick.org>
+Date: Thu, 18 Jun 2015 23:36:26 +0000
+Subject: [PATCH] Add an additional check for end-of-file for the RLE coder
+
+Bug: http://www.imagemagick.org/discourse-server/viewforum.php?f=3
+Applied-upstream: 6.9.1.6
+---
+ coders/rle.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/coders/rle.c b/coders/rle.c
+index 74f4968..84b0ccc 100644
+--- a/coders/rle.c
++++ b/coders/rle.c
+@@ -227,8 +227,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+     /*
+       Read image header.
+     */
+-    (void) ReadBlobLSBShort(image);
+-    (void) ReadBlobLSBShort(image);
++    image->page.x=ReadBlobLSBShort(image);
++    image->page.y=ReadBlobLSBShort(image);
+     image->columns=ReadBlobLSBShort(image);
+     image->rows=ReadBlobLSBShort(image);
+     flags=(MagickStatusType) ReadBlobByte(image);
+@@ -237,7 +237,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+     bits_per_pixel=1UL*ReadBlobByte(image);
+     number_colormaps=1UL*ReadBlobByte(image);
+     map_length=(unsigned char) ReadBlobByte(image);
+-    if (map_length >= 64)
++    if (map_length >= 32)
+       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+     one=1;
+     map_length=one << map_length;
+@@ -264,6 +264,12 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+       }
+     if ((number_planes & 0x01) == 0)
+       (void) ReadBlobByte(image);
++    if (EOFBlob(image) != MagickFalse)
++      {
++        ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile",
++          image->filename);
++        break;
++      }
+     colormap=(unsigned char *) NULL;
+     if (number_colormaps != 0)
+       {
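Review bot: only the EOFBlob() check matches the subject line; the header hunks also start storing image->page.x and image->page.y and tighten the map_length limit from 64 to 32, and neither change is mentioned in the patch description. Document why 32 is the right bound for one << map_length, and note that the Bug: URL points at the forum index (viewforum.php?f=3) rather than at a specific report.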
diff -Nru imagemagick-6.8.9.9/debian/patches/0064-Fix-a-double-free-in-tga-file.patch imagemagick-6.8.9.9/debian/patches/0064-Fix-a-double-free-in-tga-file.patch
--- imagemagick-6.8.9.9/debian/patches/0064-Fix-a-double-free-in-tga-file.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0064-Fix-a-double-free-in-tga-file.patch	2016-03-10 12:11:41.000000000 +1100
@@ -0,0 +1,23 @@
+From fb898d9633396f8e39a97e318ae5cf63de422477 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Mon, 31 Aug 2015 16:19:40 -0400
+Subject: [PATCH] Fix a double free in tga file
+
+Bug-ubuntu: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1490362
+---
+ coders/tga.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/tga.c b/coders/tga.c
+index a527f32..5eec5fe 100644
+--- a/coders/tga.c
++++ b/coders/tga.c
+@@ -314,6 +314,8 @@ static Image *ReadTGAImage(const ImageInfo *image_info,
+       /*
+         Read TGA raster colormap.
+       */
++      if (image->colors < tga_info.colormap_index)
++        image->colors=tga_info.colormap_index;
+       if (AcquireImageColormap(image,image->colors) == MagickFalse)
+         ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+       for (i=0; i < (ssize_t) image->colors; i++)
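Review bot: image->colors is raised to tga_info.colormap_index, a value read from the file, immediately before AcquireImageColormap() with no upper bound visible in the hunk. Add a sanity limit or confirm one is applied earlier, and extend the patch description to say how the smaller colormap led to the double free, since the subject and the two added lines do not make the link obvious.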
diff -Nru imagemagick-6.8.9.9/debian/patches/0065-Add-field-width-to-sscanf-to-prevent-buffer-overflow.patch imagemagick-6.8.9.9/debian/patches/0065-Add-field-width-to-sscanf-to-prevent-buffer-overflow.patch
--- imagemagick-6.8.9.9/debian/patches/0065-Add-field-width-to-sscanf-to-prevent-buffer-overflow.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0065-Add-field-width-to-sscanf-to-prevent-buffer-overflow.patch	2016-03-10 12:11:41.000000000 +1100
@@ -0,0 +1,76 @@
+From 15e201fdc2a42c826480b888014794d372d2f1f7 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 5 Sep 2015 08:12:48 -0400
+Subject: [PATCH] Add field width to sscanf() to prevent buffer overflow
+
+Applied-upstream: 6.9.2.1
+---
+ coders/gradient.c |  2 +-
+ coders/xbm.c      | 10 +++++-----
+ magick/property.c |  4 ++--
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/coders/gradient.c b/coders/gradient.c
+index c41b71c..84d93bc 100644
+--- a/coders/gradient.c
++++ b/coders/gradient.c
+@@ -95,7 +95,7 @@ static Image *ReadGRADIENTImage(const ImageInfo *image_info,
+   ExceptionInfo *exception)
+ {
+   char
+-    colorname[MaxTextExtent];
++    colorname[MaxTextExtent+4];
+ 
+   Image
+     *image;
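Review bot: colorname grows to MaxTextExtent+4 but no sscanf() call in coders/gradient.c is changed by this patch, so the reason for the 4 extra bytes is not visible. Add a comment or a line in the description naming the write that needs the extra room.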
+diff --git a/coders/xbm.c b/coders/xbm.c
+index d8045fc..7ce7b6a 100644
+--- a/coders/xbm.c
++++ b/coders/xbm.c
+@@ -234,12 +234,12 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+   width=0;
+   height=0;
+   while (ReadBlobString(image,buffer) != (char *) NULL)
+-    if (sscanf(buffer,"#define %s %u",name,&width) == 2)
++    if (sscanf(buffer,"#define %32s %u",name,&width) == 2)
+       if ((strlen(name) >= 6) &&
+           (LocaleCompare(name+strlen(name)-6,"_width") == 0))
+         break;
+   while (ReadBlobString(image,buffer) != (char *) NULL)
+-    if (sscanf(buffer,"#define %s %u",name,&height) == 2)
++    if (sscanf(buffer,"#define %32s %u",name,&height) == 2)
+       if ((strlen(name) >= 7) &&
+           (LocaleCompare(name+strlen(name)-7,"_height") == 0))
+         break;
+@@ -254,13 +254,13 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
+   version=11;
+   while (ReadBlobString(image,buffer) != (char *) NULL)
+   {
+-    if (sscanf(buffer,"static short %s = {",name) == 1)
++    if (sscanf(buffer,"static short %32s = {",name) == 1)
+       version=10;
+     else
+-      if (sscanf(buffer,"static unsigned char %s = {",name) == 1)
++      if (sscanf(buffer,"static unsigned char %32s = {",name) == 1)
+         version=11;
+       else
+-        if (sscanf(buffer,"static char %s = {",name) == 1)
++        if (sscanf(buffer,"static char %32s = {",name) == 1)
+           version=11;
+         else
+           continue;
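Review bot: %32s stores up to 32 characters plus the terminating NUL, so name must be at least 33 bytes, and its declaration is outside these hunks. Confirm the size, and prefer deriving the width from the buffer size over repeating the literal 32 in five format strings.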
+diff --git a/magick/property.c b/magick/property.c
+index c9c81d4..545cb6f 100644
+--- a/magick/property.c
++++ b/magick/property.c
+@@ -580,8 +580,8 @@ static MagickBooleanType Get8BIMProperty(const Image *image,const char *key)
+   profile=GetImageProfile(image,"8bim");
+   if (profile == (StringInfo *) NULL)
+     return(MagickFalse);
+-  count=(ssize_t) sscanf(key,"8BIM:%ld,%ld:%[^\n]\n%[^\n]",&start,&stop,name,
+-    format);
++  count=(ssize_t) sscanf(key,"8BIM:%ld,%ld:%1024[^\n]\n%1024[^\n]",&start,&stop,
++    name,format);
+   if ((count != 2) && (count != 3) && (count != 4))
+     return(MagickFalse);
+   if (count < 4)
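Review bot: %1024[^\n] writes up to 1025 bytes including the NUL into each of name and format, whose declarations are not in the hunk; confirm both are at least that large. The width is a second hard-coded literal next to the 32 used in coders/xbm.c, so a comment tying it to the buffer size would help.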
diff -Nru imagemagick-6.8.9.9/debian/patches/0066-Limit-fx-recursive-to-avoid-stack-overflow.patch imagemagick-6.8.9.9/debian/patches/0066-Limit-fx-recursive-to-avoid-stack-overflow.patch
--- imagemagick-6.8.9.9/debian/patches/0066-Limit-fx-recursive-to-avoid-stack-overflow.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0066-Limit-fx-recursive-to-avoid-stack-overflow.patch	2016-03-10 12:11:41.000000000 +1100
@@ -0,0 +1,803 @@
+From f8f5654938b2f90c6a3955ff79cc495e5ff44047 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 15 Aug 2015 12:44:09 -0400
+Subject: [PATCH] Limit -fx recursive to avoid stack overflow
+
+Applied-upstream: 6.9.2.1
+---
+ magick/color.c |   4 -
+ magick/fx.c    | 309 +++++++++++++++++++++++++++++++++------------------------
+ 2 files changed, 178 insertions(+), 135 deletions(-)
+
+diff --git a/magick/color.c b/magick/color.c
+index aa89f59..db9d039 100644
+--- a/magick/color.c
++++ b/magick/color.c
+@@ -2778,10 +2778,6 @@ MagickExport MagickBooleanType QueryMagickColorCompliance(const char *name,
+               PixelPacket
+                 pixel;
+ 
+-              scale=1.0/360.0;
+-              if ((flags & PercentValue) != 0)
+-                scale=1.0/100.0;
+-              geometry_info.rho*=360.0*scale;
+               scale=1.0/255.0;
+               if ((flags & PercentValue) != 0)
+                 scale=1.0/100.0;
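Review bot: this hunk removes the hue scaling (geometry_info.rho*=360.0*scale) from QueryMagickColorCompliance(), which has nothing to do with limiting -fx recursion and changes colour parsing. Split it out or drop it from the security update, or explain in the patch description why it belongs here.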
+diff --git a/magick/fx.c b/magick/fx.c
+index 2e9299c..89847a2 100644
+--- a/magick/fx.c
++++ b/magick/fx.c
+@@ -1256,7 +1256,7 @@ static double FxChannelStatistics(FxInfo *fx_info,const Image *image,
+ 
+ static double
+   FxEvaluateSubexpression(FxInfo *,const ChannelType,const ssize_t,
+-    const ssize_t,const char *,double *,ExceptionInfo *);
++    const ssize_t,const char *,size_t *,double *,ExceptionInfo *);
+ 
+ static MagickOffsetType FxGCD(MagickOffsetType alpha,MagickOffsetType beta)
+ {
+@@ -1325,10 +1325,12 @@ static double FxGetSymbol(FxInfo *fx_info,const ChannelType channel,
+     length;
+ 
+   size_t
++    depth,
+     level;
+ 
+   p=expression;
+   i=GetImageIndexInList(fx_info->images);
++  depth=0;
+   level=0;
+   point.x=(double) x;
+   point.y=(double) y;
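Review bot: depth is a new local that FxGetSymbol() sets to 0 and then passes as &depth to FxEvaluateSubexpression() in the hunks that follow, so subexpressions evaluated from here start counting from zero instead of inheriting the caller's depth. If FxGetSymbol() can be reached from FxEvaluateSubexpression(), the limit is enforced per call rather than per expression; pass the caller's counter through instead.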
+@@ -1367,7 +1369,7 @@ static double FxGetSymbol(FxInfo *fx_info,const ChannelType channel,
+               }
+               *q='\0';
+               alpha=FxEvaluateSubexpression(fx_info,channel,x,y,subexpression,
+-                &beta,exception);
++                &depth,&beta,exception);
+               i=(ssize_t) (alpha+0.5);
+               p++;
+             }
+@@ -1396,7 +1398,7 @@ static double FxGetSymbol(FxInfo *fx_info,const ChannelType channel,
+               }
+               *q='\0';
+               alpha=FxEvaluateSubexpression(fx_info,channel,x,y,subexpression,
+-                &beta,exception);
++                &depth,&beta,exception);
+               point.x=alpha;
+               point.y=beta;
+               p++;
+@@ -1421,7 +1423,7 @@ static double FxGetSymbol(FxInfo *fx_info,const ChannelType channel,
+                 }
+                 *q='\0';
+                 alpha=FxEvaluateSubexpression(fx_info,channel,x,y,subexpression,
+-                  &beta,exception);
++                  &depth,&beta,exception);
+                 point.x+=alpha;
+                 point.y+=beta;
+                 p++;
+@@ -2118,9 +2120,11 @@ static const char *FxOperatorPrecedence(const char *expression,
+ }
+ 
+ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+-  const ssize_t x,const ssize_t y,const char *expression,double *beta,
+-  ExceptionInfo *exception)
++  const ssize_t x,const ssize_t y,const char *expression,size_t *depth,
++  double *beta,ExceptionInfo *exception)
+ {
++#define FxMaxParenthesisDepth  58
++
+   char
+     *q,
+     subexpression[MaxTextExtent];
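Review bot: FxMaxParenthesisDepth is defined inside the function body with the unexplained value 58. Move the #define to the top of the file with a comment saying how 58 was chosen, so that a later backport can judge whether it still holds.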
+@@ -2145,36 +2149,40 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+     {
+       (void) CopyMagickString(subexpression,expression,(size_t)
+         (p-expression+1));
+-      alpha=FxEvaluateSubexpression(fx_info,channel,x,y,subexpression,beta,
+-        exception);
++      alpha=FxEvaluateSubexpression(fx_info,channel,x,y,subexpression,depth,
++        beta,exception);
+       switch ((unsigned char) *p)
+       {
+         case '~':
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           *beta=(double) (~(size_t) *beta);
+           return(*beta);
+         }
+         case '!':
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           return(*beta == 0.0 ? 1.0 : 0.0);
+         }
+         case '^':
+         {
+           *beta=pow((double) alpha,(double) FxEvaluateSubexpression(fx_info,
+-            channel,x,y,++p,beta,exception));
++            channel,x,y,++p,depth,beta,exception));
+           return(*beta);
+         }
+         case '*':
+         case ExponentialNotation:
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           return(alpha*(*beta));
+         }
+         case '/':
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           if (*beta == 0.0)
+             {
+               (void) ThrowMagickException(exception,GetMagickModule(),
+@@ -2185,7 +2193,8 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+         }
+         case '%':
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           *beta=fabs(floor(((double) *beta)+0.5));
+           if (*beta == 0.0)
+             {
+@@ -2197,78 +2206,104 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+         }
+         case '+':
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           return(alpha+(*beta));
+         }
+         case '-':
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           return(alpha-(*beta));
+         }
+         case LeftShiftOperator:
+         {
+-          gamma=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          gamma=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           *beta=(double) ((size_t) (alpha+0.5) << (size_t) (gamma+0.5));
+           return(*beta);
+         }
+         case RightShiftOperator:
+         {
+-          gamma=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          gamma=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           *beta=(double) ((size_t) (alpha+0.5) >> (size_t) (gamma+0.5));
+           return(*beta);
+         }
+         case '<':
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           return(alpha < *beta ? 1.0 : 0.0);
+         }
+         case LessThanEqualOperator:
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           return(alpha <= *beta ? 1.0 : 0.0);
+         }
+         case '>':
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           return(alpha > *beta ? 1.0 : 0.0);
+         }
+         case GreaterThanEqualOperator:
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           return(alpha >= *beta ? 1.0 : 0.0);
+         }
+         case EqualOperator:
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           return(fabs(alpha-(*beta)) < MagickEpsilon ? 1.0 : 0.0);
+         }
+         case NotEqualOperator:
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           return(fabs(alpha-(*beta)) >= MagickEpsilon ? 1.0 : 0.0);
+         }
+         case '&':
+         {
+-          gamma=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          gamma=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           *beta=(double) ((size_t) (alpha+0.5) & (size_t) (gamma+0.5));
+           return(*beta);
+         }
+         case '|':
+         {
+-          gamma=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          gamma=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           *beta=(double) ((size_t) (alpha+0.5) | (size_t) (gamma+0.5));
+           return(*beta);
+         }
+         case LogicalAndOperator:
+         {
+-          gamma=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
+-          *beta=(alpha > 0.0) && (gamma > 0.0) ? 1.0 : 0.0;
++          p++;
++          if (alpha <= 0.0)
++            { 
++              *beta=0.0;
++              return(*beta);
++            }
++          gamma=FxEvaluateSubexpression(fx_info,channel,x,y,p,depth,beta,
++            exception);
++          *beta=(gamma > 0.0) ? 1.0 : 0.0;
+           return(*beta);
+         }
+         case LogicalOrOperator:
+         {
+-          gamma=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
+-          *beta=(alpha > 0.0) || (gamma > 0.0) ? 1.0 : 0.0;
++          p++;
++          if (alpha > 0.0) 
++            {
++             *beta=1.0;  
++             return(*beta);  
++            }
++          gamma=FxEvaluateSubexpression(fx_info,channel,x,y,p,depth,beta,
++            exception);
++          *beta=(gamma > 0.0) ? 1.0 : 0.0;
+           return(*beta);
+         }
+         case '?':
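Review bot: In the LogicalAndOperator and LogicalOrOperator cases the right-hand operand is no longer evaluated once the left-hand side decides the result. That is a behaviour change, not just the depth argument being threaded through: an assignment in the skipped operand (the '=' case further down stores into fx_info->symbols) no longer takes place. Please state this in the patch header so it is not read as a mechanical signature update. Style: the added lines `{ `, `*beta=1.0;  ` and `return(*beta);  ` carry trailing whitespace, and the body of the LogicalOr early-return block is indented one column short of the LogicalAnd one.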
+@@ -2286,9 +2321,11 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+               return(0.0);
+             }
+           if (fabs((double) alpha) >= MagickEpsilon)
+-            gamma=FxEvaluateSubexpression(fx_info,channel,x,y,p,beta,exception);
++            gamma=FxEvaluateSubexpression(fx_info,channel,x,y,p,depth,beta,
++              exception);
+           else
+-            gamma=FxEvaluateSubexpression(fx_info,channel,x,y,q,beta,exception);
++            gamma=FxEvaluateSubexpression(fx_info,channel,x,y,q,depth,beta,
++              exception);
+           return(gamma);
+         }
+         case '=':
+@@ -2306,7 +2343,8 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+               return(0.0);
+             }
+           ClearMagickException(exception);
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           (void) FormatLocaleString(numeric,MaxTextExtent,"%g",(double)
+             *beta);
+           (void) DeleteNodeFromSplayTree(fx_info->symbols,subexpression);
+@@ -2316,17 +2354,19 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+         }
+         case ',':
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           return(alpha);
+         }
+         case ';':
+         {
+-          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,beta,exception);
++          *beta=FxEvaluateSubexpression(fx_info,channel,x,y,++p,depth,beta,
++            exception);
+           return(*beta);
+         }
+         default:
+         {
+-          gamma=alpha*FxEvaluateSubexpression(fx_info,channel,x,y,p,beta,
++          gamma=alpha*FxEvaluateSubexpression(fx_info,channel,x,y,p,depth,beta,
+             exception);
+           return(gamma);
+         }
+@@ -2334,29 +2374,34 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+     }
+   if (strchr("(",(int) *expression) != (char *) NULL)
+     {
++      (*depth)++;
++      if (*depth >= FxMaxParenthesisDepth)
++        (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
++          "ParenthesisNestedTooDeeply","`%s'",expression);
+       (void) CopyMagickString(subexpression,expression+1,MaxTextExtent);
+       subexpression[strlen(subexpression)-1]='\0';
+-      gamma=FxEvaluateSubexpression(fx_info,channel,x,y,subexpression,beta,
+-        exception);
++      gamma=FxEvaluateSubexpression(fx_info,channel,x,y,subexpression,depth,
++        beta,exception);
++      (*depth)--;
+       return(gamma);
+     }
+   switch (*expression)
+   {
+     case '+':
+     {
+-      gamma=FxEvaluateSubexpression(fx_info,channel,x,y,expression+1,beta,
++      gamma=FxEvaluateSubexpression(fx_info,channel,x,y,expression+1,depth,beta,
+         exception);
+       return(1.0*gamma);
+     }
+     case '-':
+     {
+-      gamma=FxEvaluateSubexpression(fx_info,channel,x,y,expression+1,beta,
++      gamma=FxEvaluateSubexpression(fx_info,channel,x,y,expression+1,depth,beta,
+         exception);
+       return(-1.0*gamma);
+     }
+     case '~':
+     {
+-      gamma=FxEvaluateSubexpression(fx_info,channel,x,y,expression+1,beta,
++      gamma=FxEvaluateSubexpression(fx_info,channel,x,y,expression+1,depth,beta,
+         exception);
+       return((double) (~(size_t) (gamma+0.5)));
+     }
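Review bot: The new check `if (*depth >= FxMaxParenthesisDepth)` records ParenthesisNestedTooDeeply but does not return, so the CopyMagickString and the recursive FxEvaluateSubexpression call right below it still run and the recursion is not cut off at the limit. Suggest leaving the function after the throw, for example decrementing *depth and then `return(0.0);` as the other error paths in this function do.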
+@@ -2365,29 +2410,29 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+     {
+       if (LocaleNCompare(expression,"abs",3) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           return(fabs((double) alpha));
+         }
+ #if defined(MAGICKCORE_HAVE_ACOSH)
+       if (LocaleNCompare(expression,"acosh",5) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,depth,
++            beta,exception);
+           return(acosh((double) alpha));
+         }
+ #endif
+       if (LocaleNCompare(expression,"acos",4) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,depth,
++            beta,exception);
+           return(acos((double) alpha));
+         }
+ #if defined(MAGICKCORE_HAVE_J1)
+       if (LocaleNCompare(expression,"airy",4) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,depth,
++            beta,exception);
+           if (alpha == 0.0)
+             return(1.0);
+           gamma=2.0*j1((double) (MagickPI*alpha))/(MagickPI*alpha);
+@@ -2397,41 +2442,41 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+ #if defined(MAGICKCORE_HAVE_ASINH)
+       if (LocaleNCompare(expression,"asinh",5) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,depth,
++            beta,exception);
+           return(asinh((double) alpha));
+         }
+ #endif
+       if (LocaleNCompare(expression,"asin",4) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,depth,
++            beta,exception);
+           return(asin((double) alpha));
+         }
+       if (LocaleNCompare(expression,"alt",3) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           return(((ssize_t) alpha) & 0x01 ? -1.0 : 1.0);
+         }
+       if (LocaleNCompare(expression,"atan2",5) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,depth,
++            beta,exception);
+           return(atan2((double) alpha,(double) *beta));
+         }
+ #if defined(MAGICKCORE_HAVE_ATANH)
+       if (LocaleNCompare(expression,"atanh",5) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,depth,
++            beta,exception);
+           return(atanh((double) alpha));
+         }
+ #endif
+       if (LocaleNCompare(expression,"atan",4) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,depth,
++            beta,exception);
+           return(atan((double) alpha));
+         }
+       if (LocaleCompare(expression,"a") == 0)
+@@ -2450,20 +2495,19 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+     {
+       if (LocaleNCompare(expression,"ceil",4) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,depth,
++            beta,exception);
+           return(ceil((double) alpha));
+         }
+       if (LocaleNCompare(expression,"cosh",4) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,depth,             beta,exception);
+           return(cosh((double) alpha));
+         }
+       if (LocaleNCompare(expression,"cos",3) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           return(cos((double) alpha));
+         }
+       if (LocaleCompare(expression,"c") == 0)
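Review bot: In the cosh case the added call has its continuation folded onto the same line (`depth,             beta,exception);`), which runs past 80 columns and differs from the sibling cases. Wrap after `depth,` as the ceil and cos cases of this hunk do.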
+@@ -2478,8 +2522,8 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+           const char
+             *type;
+ 
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,depth,
++            beta,exception);
+           if (fx_info->images->colorspace == CMYKColorspace)
+             switch (channel)
+             {
+@@ -2511,8 +2555,8 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+         }
+       if (LocaleNCompare(expression,"drc",3) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           return((alpha/(*beta*(alpha-1.0)+1.0)));
+         }
+       break;
+@@ -2524,8 +2568,8 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+         return(MagickEpsilon);
+       if (LocaleNCompare(expression,"exp",3) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           return(exp((double) alpha));
+         }
+       if (LocaleCompare(expression,"e") == 0)
+@@ -2537,8 +2581,8 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+     {
+       if (LocaleNCompare(expression,"floor",5) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,depth,
++            beta,exception);
+           return(floor((double) alpha));
+         }
+       break;
+@@ -2548,8 +2592,8 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+     {
+       if (LocaleNCompare(expression,"gauss",5) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,depth,
++            beta,exception);
+           gamma=exp((double) (-alpha*alpha/2.0))/sqrt(2.0*MagickPI);
+           return(gamma);
+         }
+@@ -2558,8 +2602,8 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+           MagickOffsetType
+             gcd;
+ 
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           gcd=FxGCD((MagickOffsetType) (alpha+0.5),(MagickOffsetType)
+             (*beta+0.5));
+           return((double) gcd);
+@@ -2577,8 +2621,8 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+         return(FxGetSymbol(fx_info,channel,x,y,expression,exception));
+       if (LocaleNCompare(expression,"hypot",5) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,depth,
++            beta,exception);
+           return(hypot((double) alpha,(double) *beta));
+         }
+       break;
+@@ -2597,15 +2641,15 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+         return(FxGetSymbol(fx_info,channel,x,y,expression,exception));
+       if (LocaleNCompare(expression,"int",3) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           return(floor(alpha));
+         }
+ #if defined(MAGICKCORE_HAVE_ISNAN)
+       if (LocaleNCompare(expression,"isnan",5) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,depth,
++	    beta,exception);
+           return((double) !!isnan((double) alpha));
+         }
+ #endif
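Review bot: The continuation line of the isnan call (`beta,exception);`) is indented with a tab where the surrounding lines use spaces. Replace the tab with spaces so it lines up with the int case above it.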
+@@ -2621,24 +2665,23 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+ #if defined(MAGICKCORE_HAVE_J0)
+       if (LocaleNCompare(expression,"j0",2) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+2,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+2,depth,
++            beta,exception);
+           return(j0((double) alpha));
+         }
+ #endif
+ #if defined(MAGICKCORE_HAVE_J1)
+       if (LocaleNCompare(expression,"j1",2) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+2,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+2,depth,             beta,exception);
+           return(j1((double) alpha));
+         }
+ #endif
+ #if defined(MAGICKCORE_HAVE_J1)
+       if (LocaleNCompare(expression,"jinc",4) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,depth,
++            beta,exception);
+           if (alpha == 0.0)
+             return(1.0);
+           gamma=(2.0*j1((double) (MagickPI*alpha))/(MagickPI*alpha));
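Review bot: The j1 case puts the call and its continuation on a single line with a run of spaces before `beta,exception);`. Break the line after `depth,` like the j0 and jinc cases in this hunk.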
+@@ -2652,20 +2695,20 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+     {
+       if (LocaleNCompare(expression,"ln",2) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+2,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+2,depth,
++            beta,exception);
+           return(log((double) alpha));
+         }
+       if (LocaleNCompare(expression,"logtwo",6) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+6,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+6,depth,
++            beta,exception);
+           return(log10((double) alpha))/log10(2.0);
+         }
+       if (LocaleNCompare(expression,"log",3) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           return(log10((double) alpha));
+         }
+       if (LocaleCompare(expression,"lightness") == 0)
+@@ -2681,22 +2724,22 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+         break;
+       if (LocaleNCompare(expression,"max",3) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           return(alpha > *beta ? alpha : *beta);
+         }
+       if (LocaleNCompare(expression,"minima",6) == 0)
+         break;
+       if (LocaleNCompare(expression,"min",3) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           return(alpha < *beta ? alpha : *beta);
+         }
+       if (LocaleNCompare(expression,"mod",3) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           gamma=alpha-floor((double) (alpha/(*beta)))*(*beta);
+           return(gamma);
+         }
+@@ -2709,8 +2752,8 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+     {
+       if (LocaleNCompare(expression,"not",3) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           return((double) (alpha < MagickEpsilon));
+         }
+       if (LocaleCompare(expression,"n") == 0)
+@@ -2735,8 +2778,8 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+         return(MagickPI);
+       if (LocaleNCompare(expression,"pow",3) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           return(pow((double) alpha,(double) *beta));
+         }
+       if (LocaleCompare(expression,"p") == 0)
+@@ -2759,8 +2802,8 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+         return(GetPseudoRandomValue(fx_info->random_info));
+       if (LocaleNCompare(expression,"round",5) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,depth,
++            beta,exception);
+           return(floor((double) alpha+0.5));
+         }
+       if (LocaleCompare(expression,"r") == 0)
+@@ -2774,14 +2817,14 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+         return(FxGetSymbol(fx_info,channel,x,y,expression,exception));
+       if (LocaleNCompare(expression,"sign",4) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,depth,
++            beta,exception);
+           return(alpha < 0.0 ? -1.0 : 1.0);
+         }
+       if (LocaleNCompare(expression,"sinc",4) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,depth,
++            beta,exception);
+           if (alpha == 0)
+             return(1.0);
+           gamma=(sin((double) (MagickPI*alpha))/(MagickPI*alpha));
+@@ -2789,26 +2832,26 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+         }
+       if (LocaleNCompare(expression,"sinh",4) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,depth,
++            beta,exception);
+           return(sinh((double) alpha));
+         }
+       if (LocaleNCompare(expression,"sin",3) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           return(sin((double) alpha));
+         }
+       if (LocaleNCompare(expression,"sqrt",4) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,depth,
++            beta,exception);
+           return(sqrt((double) alpha));
+         }
+       if (LocaleNCompare(expression,"squish",6) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+6,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+6,depth,
++            beta,exception);
+           return((1.0/(1.0+exp((double) (-alpha)))));
+         }
+       if (LocaleCompare(expression,"s") == 0)
+@@ -2820,22 +2863,22 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+     {
+       if (LocaleNCompare(expression,"tanh",4) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+4,depth,
++            beta,exception);
+           return(tanh((double) alpha));
+         }
+       if (LocaleNCompare(expression,"tan",3) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+3,depth,
++            beta,exception);
+           return(tan((double) alpha));
+         }
+       if (LocaleCompare(expression,"Transparent") == 0)
+         return(0.0);
+       if (LocaleNCompare(expression,"trunc",5) == 0)
+         {
+-          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,beta,
+-            exception);
++          alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,depth,
++            beta,exception);
+           if (alpha >= 0.0)
+             return(floor((double) alpha));
+           return(ceil((double) alpha));
+@@ -2865,8 +2908,8 @@ static double FxEvaluateSubexpression(FxInfo *fx_info,const ChannelType channel,
+         {
+           do
+           {
+-            alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,beta,
+-              exception);
++            alpha=FxEvaluateSubexpression(fx_info,channel,x,y,expression+5,
++              depth,beta,exception);
+           } while (fabs((double) alpha) >= MagickEpsilon);
+           return(*beta);
+         }
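Review bot: depth is passed into the call inside the do/while, but the loop itself has no iteration cap: it repeats until fabs(alpha) drops below MagickEpsilon, and the parenthesis counter is incremented and decremented symmetrically, so it does not grow across passes. If this patch is meant to bound evaluation cost for untrusted expressions, the loop needs its own limit, or the patch header should say that it is out of scope.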
+@@ -2931,9 +2974,13 @@ MagickExport MagickBooleanType FxEvaluateChannelExpression(FxInfo *fx_info,
+   double
+     beta;
+ 
++  size_t
++    depth;
++
+   beta=0.0;
+-  *alpha=FxEvaluateSubexpression(fx_info,channel,x,y,fx_info->expression,&beta,
+-    exception);
++  depth=0;
++  *alpha=FxEvaluateSubexpression(fx_info,channel,x,y,fx_info->expression,&depth,
++    &beta,exception);
+   return(exception->severity == OptionError ? MagickFalse : MagickTrue);
+ }
+ 
diff -Nru imagemagick-6.8.9.9/debian/patches/0067-Added-extra-checks-to-avoid-out-of-bounds-error-when.patch imagemagick-6.8.9.9/debian/patches/0067-Added-extra-checks-to-avoid-out-of-bounds-error-when.patch
--- imagemagick-6.8.9.9/debian/patches/0067-Added-extra-checks-to-avoid-out-of-bounds-error-when.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0067-Added-extra-checks-to-avoid-out-of-bounds-error-when.patch	2016-03-10 12:11:41.000000000 +1100
@@ -0,0 +1,42 @@
+From 8c953645e59e07bdebb2fe5469dd9756f0a515a6 Mon Sep 17 00:00:00 2001
+From: dirk <dirk@git.imagemagick.org>
+Date: Thu, 17 Sep 2015 13:10:15 +0200
+Subject: [PATCH] Added extra checks to avoid out of bounds error when parsing
+ the 8bim profile. (Github: #31)
+
+Bug: https://github.com/ImageMagick/ImageMagick/issues/31
+Fixed-upstream: 6.9.2-2
+---
+ magick/profile.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/magick/profile.c b/magick/profile.c
+index e8ee899..44b45b3 100644
+--- a/magick/profile.c
++++ b/magick/profile.c
+@@ -1573,7 +1573,8 @@ static void GetProfilesFromResourceBlock(Image *image,
+       break;
+     p=ReadResourceLong(p,&value);
+     count=(ssize_t) value;
+-    if ((p > (datum+length-count)) || (count > (ssize_t) length))
++    if ((p > (datum+length-count)) || (count > (ssize_t) length) ||
++        (count < 0))
+       break;
+     switch (id)
+     {
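Review bot: In the widened condition, `(count < 0)` is tested last, after `datum+length-count` has already been computed with the unvalidated count; for a negative count that expression points past `datum+length`. Suggest putting the sign check first, `if ((count < 0) || (count > (ssize_t) length) || (p > (datum+length-count)))`, so the pointer comparison only runs on a count already known to lie between 0 and length.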
+@@ -1913,13 +1914,13 @@ static MagickBooleanType Sync8BimProfile(Image *image,StringInfo *profile)
+       return(MagickFalse);
+     id=ReadProfileMSBShort(&p,&length);
+     count=(ssize_t) ReadProfileByte(&p,&length);
+-    if (count > length)
++    if ((count > (ssize_t) length) || (count < 0))
+       return(MagickFalse);
+     p+=count;
+     if ((*p & 0x01) == 0)
+       (void) ReadProfileByte(&p,&length);
+     count=(ssize_t) ReadProfileMSBLong(&p,&length);
+-    if (count > length)
++    if ((count > (ssize_t) length) || (count < 0))
+       return(MagickFalse);
+     if ((id == 0x3ED) && (count == 16))
+       {
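Review bot: Both checks still accept count equal to length. If length is the number of bytes left at p (the &length arguments to ReadProfileByte and ReadProfileMSBLong suggest it is), then after `p+=count;` the context line `if ((*p & 0x01) == 0)` reads one byte past the profile. Consider rejecting count >= length in the first check, or testing the remaining size before dereferencing p. The hunk also shows p advanced by count with no matching adjustment of length; please confirm that the second comparison is made against the remaining size.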
diff -Nru imagemagick-6.8.9.9/debian/patches/0068-Fixed-size-of-memory-allocation-to-avoid-segfault-Gi.patch imagemagick-6.8.9.9/debian/patches/0068-Fixed-size-of-memory-allocation-to-avoid-segfault-Gi.patch
--- imagemagick-6.8.9.9/debian/patches/0068-Fixed-size-of-memory-allocation-to-avoid-segfault-Gi.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0068-Fixed-size-of-memory-allocation-to-avoid-segfault-Gi.patch	2016-03-10 12:11:41.000000000 +1100
@@ -0,0 +1,37 @@
+From 235cd684fd1283d5db85376c8a7f41622391e0ce Mon Sep 17 00:00:00 2001
+From: dirk <dirk@git.imagemagick.org>
+Date: Thu, 17 Sep 2015 22:35:27 +0200
+Subject: [PATCH] Fixed size of memory allocation to avoid segfault (Github:
+ #32).
+
+Bug: https://github.com/ImageMagick/ImageMagick/issues/32
+Fixed-upstream: 6.9.2-2
+---
+ coders/rle.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/coders/rle.c b/coders/rle.c
+index 84b0ccc..5808d5b 100644
+--- a/coders/rle.c
++++ b/coders/rle.c
+@@ -212,10 +212,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+   image=AcquireImage(image_info);
+   status=OpenBlob(image_info,image,ReadBinaryBlobMode,exception);
+   if (status == MagickFalse)
+-    {
+-      image=DestroyImageList(image);
+-      return((Image *) NULL);
+-    }
++    return(DestroyImageList(image));
+   /*
+     Determine if this a RLE file.
+   */
+@@ -321,7 +318,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
+     number_pixels=(MagickSizeType) image->columns*image->rows;
+     if ((number_pixels*number_planes) != (size_t) (number_pixels*number_planes))
+       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+-    pixel_info_length=image->columns*image->rows*MagickMax(number_planes,4);
++    pixel_info_length=image->columns*image->rows*number_planes;
+     pixel_info=AcquireVirtualMemory(pixel_info_length,sizeof(*pixels));
+     if (pixel_info == (MemoryInfo *) NULL)
+       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
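Review bot: `pixel_info_length=image->columns*image->rows*number_planes;` recomputes the product separately from the `number_pixels*number_planes` value that the overflow check two lines above validated, and does so in the types of image->columns and image->rows rather than in MagickSizeType. Suggest assigning from the checked expression so the test and the allocation size cannot diverge. The patch header should also say why dropping MagickMax(number_planes,4) is safe, since the change makes the buffer smaller whenever number_planes is below 4 and the lines that later index it are not part of this hunk.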
diff -Nru imagemagick-6.8.9.9/debian/patches/0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch imagemagick-6.8.9.9/debian/patches/0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch
--- imagemagick-6.8.9.9/debian/patches/0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch	2016-03-10 12:11:41.000000000 +1100
@@ -0,0 +1,26 @@
+From cd8f0c3d9d7f4a1a51a42d746179f40f71a76da9 Mon Sep 17 00:00:00 2001
+From: dirk <dirk@git.imagemagick.org>
+Date: Wed, 16 Dec 2015 21:37:00 +0100
+Subject: [PATCH] Fixed memory leak when reading incorrect PSD files
+
+Fixed-upstream: 6.9.2.10
+---
+ coders/psd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/coders/psd.c b/coders/psd.c
+index e0dc766..f6eedb7 100644
+--- a/coders/psd.c
++++ b/coders/psd.c
+@@ -1521,8 +1521,10 @@ static MagickStatusType ReadPSDLayers(Image *image,const ImageInfo *image_info,
+             image->next=layer_info[0].image;
+             layer_info[0].image->previous=image;
+           }
++        layer_info=(LayerInfo *) RelinquishMagickMemory(layer_info);
+       }
+-      layer_info=(LayerInfo *) RelinquishMagickMemory(layer_info);
++      else
++        layer_info=DestroyLayerInfo(layer_info,number_layers);
+     }
+ 
+   return(status);
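Review bot: the added else branch calls DestroyLayerInfo(layer_info,number_layers)
on the failure path, which is only safe if all number_layers entries are
initialised (image pointers valid or NULL) at the point where the status went
bad. The lines shown here do not establish that, so it is worth checking how
layer_info is zeroed after allocation. The unbraced else after a braced block
would also read better with braces of its own.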
diff -Nru imagemagick-6.8.9.9/debian/patches/0070-Fix-PixelColor-off-by-one-on-i386.patch imagemagick-6.8.9.9/debian/patches/0070-Fix-PixelColor-off-by-one-on-i386.patch
--- imagemagick-6.8.9.9/debian/patches/0070-Fix-PixelColor-off-by-one-on-i386.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0070-Fix-PixelColor-off-by-one-on-i386.patch	2016-03-10 12:11:43.000000000 +1100
@@ -0,0 +1,314 @@
+From f40ae7899afa53437ea99f7be105e549e85b0c47 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 8 Nov 2015 13:16:51 -0500
+Subject: [PATCH] Fix PixelColor off by one on i386
+
+Bug: https://github.com/ImageMagick/ImageMagick/issues/54
+---
+ coders/jpeg.c     | 20 ++++++++++----------
+ magick/cache.c    | 48 +++++++++++++++++++++++++++++++++++++++---------
+ magick/color.c    | 22 ++++++++++++----------
+ magick/identify.c | 26 ++++++++++++++------------
+ 4 files changed, 75 insertions(+), 41 deletions(-)
+
+diff --git a/coders/jpeg.c b/coders/jpeg.c
+index d1310f6..2c963bb 100644
+--- a/coders/jpeg.c
++++ b/coders/jpeg.c
+@@ -1668,7 +1668,7 @@ static QuantizationTable *GetQuantizationTable(const char *filename,
+   if (description == (XMLTreeInfo *) NULL)
+     {
+       (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+-        "XmlMissingElement", "<description>, slot \"%s\"",slot);
++        "XmlMissingElement","<description>, slot \"%s\"",slot);
+       quantization_tables=DestroyXMLTree(quantization_tables);
+       xml=DestroyString(xml);
+       return(table);
+@@ -1677,7 +1677,7 @@ static QuantizationTable *GetQuantizationTable(const char *filename,
+   if (levels == (XMLTreeInfo *) NULL)
+     {
+       (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+-        "XmlMissingElement", "<levels>, slot \"%s\"", slot);
++        "XmlMissingElement","<levels>, slot \"%s\"",slot);
+       quantization_tables=DestroyXMLTree(quantization_tables);
+       xml=DestroyString(xml);
+       return(table);
+@@ -1699,7 +1699,7 @@ static QuantizationTable *GetQuantizationTable(const char *filename,
+   if (attribute == (char *) NULL)
+     {
+       (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+-        "XmlMissingAttribute", "<levels width>, slot \"%s\"",slot);
++        "XmlMissingAttribute","<levels width>, slot \"%s\"",slot);
+       quantization_tables=DestroyXMLTree(quantization_tables);
+       table=DestroyQuantizationTable(table);
+       xml=DestroyString(xml);
+@@ -1709,7 +1709,7 @@ static QuantizationTable *GetQuantizationTable(const char *filename,
+   if (table->width == 0)
+     {
+       (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+-       "XmlInvalidAttribute", "<levels width>, table \"%s\"",slot);
++       "XmlInvalidAttribute","<levels width>, table \"%s\"",slot);
+       quantization_tables=DestroyXMLTree(quantization_tables);
+       table=DestroyQuantizationTable(table);
+       xml=DestroyString(xml);
+@@ -1719,7 +1719,7 @@ static QuantizationTable *GetQuantizationTable(const char *filename,
+   if (attribute == (char *) NULL)
+     {
+       (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+-        "XmlMissingAttribute", "<levels height>, table \"%s\"",slot);
++        "XmlMissingAttribute","<levels height>, table \"%s\"",slot);
+       quantization_tables=DestroyXMLTree(quantization_tables);
+       table=DestroyQuantizationTable(table);
+       xml=DestroyString(xml);
+@@ -1729,7 +1729,7 @@ static QuantizationTable *GetQuantizationTable(const char *filename,
+   if (table->height == 0)
+     {
+       (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+-        "XmlInvalidAttribute", "<levels height>, table \"%s\"",slot);
++        "XmlInvalidAttribute","<levels height>, table \"%s\"",slot);
+       quantization_tables=DestroyXMLTree(quantization_tables);
+       table=DestroyQuantizationTable(table);
+       xml=DestroyString(xml);
+@@ -1739,7 +1739,7 @@ static QuantizationTable *GetQuantizationTable(const char *filename,
+   if (attribute == (char *) NULL)
+     {
+       (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+-        "XmlMissingAttribute", "<levels divisor>, table \"%s\"",slot);
++        "XmlMissingAttribute","<levels divisor>, table \"%s\"",slot);
+       quantization_tables=DestroyXMLTree(quantization_tables);
+       table=DestroyQuantizationTable(table);
+       xml=DestroyString(xml);
+@@ -1749,7 +1749,7 @@ static QuantizationTable *GetQuantizationTable(const char *filename,
+   if (table->divisor == 0.0)
+     {
+       (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+-        "XmlInvalidAttribute", "<levels divisor>, table \"%s\"",slot);
++        "XmlInvalidAttribute","<levels divisor>, table \"%s\"",slot);
+       quantization_tables=DestroyXMLTree(quantization_tables);
+       table=DestroyQuantizationTable(table);
+       xml=DestroyString(xml);
+@@ -1759,7 +1759,7 @@ static QuantizationTable *GetQuantizationTable(const char *filename,
+   if (content == (char *) NULL)
+     {
+       (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+-        "XmlMissingContent", "<levels>, table \"%s\"",slot);
++        "XmlMissingContent","<levels>, table \"%s\"",slot);
+       quantization_tables=DestroyXMLTree(quantization_tables);
+       table=DestroyQuantizationTable(table);
+       xml=DestroyString(xml);
+@@ -1788,7 +1788,7 @@ static QuantizationTable *GetQuantizationTable(const char *filename,
+   if (p != content)
+     {
+       (void) ThrowMagickException(exception,GetMagickModule(),OptionError,
+-        "XmlInvalidContent", "<level> too many values, table \"%s\"",slot);
++        "XmlInvalidContent","<level> too many values, table \"%s\"",slot);
+      quantization_tables=DestroyXMLTree(quantization_tables);
+      table=DestroyQuantizationTable(table);
+      xml=DestroyString(xml);
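Review bot: this hunk, like every other coders/jpeg.c hunk in this patch, only
removes the space after a comma in a ThrowMagickException argument list and
has nothing to do with the PixelColor rounding fix. For a jessie-security
upload I would drop the coders/jpeg.c part of 0070 so that the debdiff
carries functional changes only.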
+diff --git a/magick/cache.c b/magick/cache.c
+index 129b769..c34f62c 100644
+--- a/magick/cache.c
++++ b/magick/cache.c
+@@ -3420,6 +3420,11 @@ static inline MagickOffsetType WritePixelCacheRegion(
+   const CacheInfo *restrict cache_info,const MagickOffsetType offset,
+   const MagickSizeType length,const unsigned char *restrict buffer)
+ {
++#if !defined(MAGICKCORE_HAVE_PWRITE)
++  MagickOffsetType
++    current_offset;
++#endif
++
+   register MagickOffsetType
+     i;
+ 
+@@ -3427,6 +3432,9 @@ static inline MagickOffsetType WritePixelCacheRegion(
+     count;
+ 
+ #if !defined(MAGICKCORE_HAVE_PWRITE)
++  current_offset=(MagickOffsetType) lseek(cache_info->file,0,SEEK_CUR);
++  if (current_offset < 0)
++    return((MagickOffsetType) -1);
+   if (lseek(cache_info->file,offset,SEEK_SET) < 0)
+     return((MagickOffsetType) -1);
+ #endif
+@@ -3447,6 +3455,10 @@ static inline MagickOffsetType WritePixelCacheRegion(
+           break;
+       }
+   }
++#if !defined(MAGICKCORE_HAVE_PWRITE)
++  if (lseek(cache_info->file,current_offset,SEEK_SET) < 0)
++    return((MagickOffsetType) -1);
++#endif
+   return(i);
+ }
+ 
+@@ -3479,9 +3491,13 @@ static MagickBooleanType SetPixelCacheExtent(Image *image,MagickSizeType length)
+   if (offset < 0)
+     return(MagickFalse);
+   if ((MagickSizeType) offset >= length)
+-    return(MagickTrue);
+-  extent=(MagickOffsetType) length-1;
+-  count=WritePixelCacheRegion(cache_info,extent,1,(const unsigned char *) "");
++    count=(MagickOffsetType) 1;
++  else
++    {
++      extent=(MagickOffsetType) length-1;
++      count=WritePixelCacheRegion(cache_info,extent,1,(const unsigned char *)
++        "");
++    }
+ #if defined(MAGICKCORE_HAVE_POSIX_FALLOCATE)
+   if (cache_info->synchronize != MagickFalse)
+     {
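Review bot: in the offset >= length case, count=(MagickOffsetType) 1 is a
sentinel standing in for a successful one-byte write, which is not obvious
without a comment. It is also a behaviour change: the function used to return
MagickTrue immediately here and now falls through to the
MAGICKCORE_HAVE_POSIX_FALLOCATE block, so a cache file that is already large
enough takes the preallocation path when cache_info->synchronize is set.
Please confirm that this is wanted in a stable update.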
+@@ -4173,6 +4189,11 @@ static inline MagickOffsetType ReadPixelCacheRegion(
+   const CacheInfo *restrict cache_info,const MagickOffsetType offset,
+   const MagickSizeType length,unsigned char *restrict buffer)
+ {
++#if !defined(MAGICKCORE_HAVE_PREAD)
++  MagickOffsetType
++    current_offset;
++#endif
++
+   register MagickOffsetType
+     i;
+ 
+@@ -4180,6 +4201,9 @@ static inline MagickOffsetType ReadPixelCacheRegion(
+     count;
+ 
+ #if !defined(MAGICKCORE_HAVE_PREAD)
++  current_offset=(MagickOffsetType) lseek(cache_info->file,0,SEEK_CUR);
++  if (current_offset < 0)
++    return((MagickOffsetType) -1);
+   if (lseek(cache_info->file,offset,SEEK_SET) < 0)
+     return((MagickOffsetType) -1);
+ #endif
+@@ -4187,11 +4211,11 @@ static inline MagickOffsetType ReadPixelCacheRegion(
+   for (i=0; i < (MagickOffsetType) length; i+=count)
+   {
+ #if !defined(MAGICKCORE_HAVE_PREAD)
+-    count=read(cache_info->file,buffer+i,(size_t) MagickMin(length-i,
+-      (MagickSizeType) SSIZE_MAX));
++    count=read(cache_info->file,buffer+i,(size_t) MagickMin(length-i,(size_t)
++      SSIZE_MAX));
+ #else
+-    count=pread(cache_info->file,buffer+i,(size_t) MagickMin(length-i,
+-      (MagickSizeType) SSIZE_MAX),(off_t) (offset+i));
++    count=pread(cache_info->file,buffer+i,(size_t) MagickMin(length-i,(size_t)
++      SSIZE_MAX),(off_t) (offset+i));
+ #endif
+     if (count <= 0)
+       {
+@@ -4200,6 +4224,10 @@ static inline MagickOffsetType ReadPixelCacheRegion(
+           break;
+       }
+   }
++#if !defined(MAGICKCORE_HAVE_PREAD)
++  if (lseek(cache_info->file,current_offset,SEEK_SET) < 0)
++    return((MagickOffsetType) -1);
++#endif
+   return(i);
+ }
+ 
+@@ -4392,8 +4420,10 @@ static MagickBooleanType ReadPixelCachePixels(CacheInfo *restrict cache_info,
+ 
+   if (nexus_info->authentic_pixel_cache != MagickFalse)
+     return(MagickTrue);
+-  offset=(MagickOffsetType) nexus_info->region.y*cache_info->columns+
+-    nexus_info->region.x;
++  offset=(MagickOffsetType) nexus_info->region.y*cache_info->columns;
++  if ((offset/cache_info->columns) != (MagickOffsetType) nexus_info->region.y)
++    return(MagickFalse);
++  offset+=nexus_info->region.x;
+   length=(MagickSizeType) nexus_info->region.width*sizeof(PixelPacket);
+   rows=nexus_info->region.height;
+   extent=length*rows;
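Review bot: the overflow test (offset/cache_info->columns) !=
(MagickOffsetType) nexus_info->region.y runs after the multiplication has
already been done, and it divides by cache_info->columns without excluding
zero. Testing region.y against the limit before multiplying would avoid
relying on wrapped arithmetic. The following offset+=nexus_info->region.x and
the context line extent=length*rows are still unchecked, so the guard covers
one of the three computations in this block.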
+diff --git a/magick/color.c b/magick/color.c
+index db9d039..12fdffe 100644
+--- a/magick/color.c
++++ b/magick/color.c
+@@ -2731,18 +2731,20 @@ MagickExport MagickBooleanType QueryMagickColorCompliance(const char *name,
+           if ((flags & PercentValue) != 0)
+             scale=(MagickRealType) (QuantumRange/100.0);
+           if ((flags & RhoValue) != 0)
+-            color->red=(MagickRealType) ClampToQuantum(scale*geometry_info.rho);
++            color->red=(MagickRealType) ClampToQuantum((MagickRealType)
++              floor(scale*geometry_info.rho));
+           if ((flags & SigmaValue) != 0)
+-            color->green=(MagickRealType) ClampToQuantum(scale*
+-              geometry_info.sigma);
++            color->green=(MagickRealType) ClampToQuantum((MagickRealType)
++              floor(scale*geometry_info.sigma));
+           if ((flags & XiValue) != 0)
+-            color->blue=(MagickRealType) ClampToQuantum(scale*geometry_info.xi);
++            color->blue=(MagickRealType) ClampToQuantum((MagickRealType)
++              floor(scale*geometry_info.xi));
+           color->opacity=(MagickRealType) OpaqueOpacity;
+           if ((flags & PsiValue) != 0)
+             {
+               if (color->colorspace == CMYKColorspace)
+-                color->index=(MagickRealType) ClampToQuantum(scale*
+-                  geometry_info.psi);
++                color->index=(MagickRealType) ClampToQuantum((MagickRealType)
++                  floor(scale*geometry_info.psi));
+               else
+                 if (color->matte != MagickFalse)
+                   color->opacity=(MagickRealType) ClampToQuantum(
+@@ -2755,11 +2757,11 @@ MagickExport MagickBooleanType QueryMagickColorCompliance(const char *name,
+           if (color->colorspace == LabColorspace)
+             {
+               if ((flags & SigmaValue) != 0)
+-                color->green=(MagickRealType) ClampToQuantum(scale*
+-                  geometry_info.sigma+(QuantumRange+1)/2.0);
++                color->green=(MagickRealType) ClampToQuantum((MagickRealType)
++                  floor(scale*geometry_info.sigma+(QuantumRange+1)/2.0));
+               if ((flags & XiValue) != 0)
+-                color->blue=(MagickRealType) ClampToQuantum(scale*
+-                  geometry_info.xi+(QuantumRange+1)/2.0);
++                color->blue=(MagickRealType) ClampToQuantum((MagickRealType)
++                  floor(scale*geometry_info.xi+(QuantumRange+1)/2.0));
+             }
+           if (LocaleCompare(colorspace,"gray") == 0)
+             {
+diff --git a/magick/identify.c b/magick/identify.c
+index 2a9ed92..8a3bd7b 100644
+--- a/magick/identify.c
++++ b/magick/identify.c
+@@ -455,11 +455,13 @@ static ssize_t PrintChannelStatistics(FILE *file,const ChannelType channel,
+ 
+   if (channel == AlphaChannel)
+     {
+-      n=FormatLocaleFile(file,StatisticsFormat,name,ClampToQuantum(scale*
+-        (QuantumRange-channel_statistics[channel].maxima)),
+-        (QuantumRange-channel_statistics[channel].maxima)/(double) QuantumRange,
+-        ClampToQuantum(scale*(QuantumRange-channel_statistics[channel].minima)),
+-        (QuantumRange-channel_statistics[channel].minima)/(double) QuantumRange,
++      n=FormatLocaleFile(file,StatisticsFormat,name,ClampToQuantum(
++        (MagickRealType) floor(scale*(QuantumRange-
++        channel_statistics[channel].maxima))),(QuantumRange-
++        channel_statistics[channel].maxima)/(double) QuantumRange,
++        ClampToQuantum((MagickRealType) floor(scale*(QuantumRange-
++        channel_statistics[channel].minima))),(QuantumRange-
++        channel_statistics[channel].minima)/(double) QuantumRange,
+         scale*(QuantumRange-channel_statistics[channel].mean),(QuantumRange-
+         channel_statistics[channel].mean)/(double) QuantumRange,scale*
+         channel_statistics[channel].standard_deviation,
+@@ -468,13 +470,13 @@ static ssize_t PrintChannelStatistics(FILE *file,const ChannelType channel,
+         channel_statistics[channel].skewness);
+       return(n);
+     }
+-  n=FormatLocaleFile(file,StatisticsFormat,name,ClampToQuantum(scale*
+-    channel_statistics[channel].minima),channel_statistics[channel].minima/
+-    (double) QuantumRange,ClampToQuantum(scale*
+-    channel_statistics[channel].maxima),channel_statistics[channel].maxima/
+-    (double) QuantumRange,scale*channel_statistics[channel].mean,
+-    channel_statistics[channel].mean/(double) QuantumRange,scale*
+-    channel_statistics[channel].standard_deviation,
++  n=FormatLocaleFile(file,StatisticsFormat,name,ClampToQuantum((MagickRealType)
++    floor(scale*channel_statistics[channel].minima)),
++    channel_statistics[channel].minima/(double) QuantumRange,ClampToQuantum(
++    (MagickRealType) (scale*channel_statistics[channel].maxima)),
++    channel_statistics[channel].maxima/(double) QuantumRange,scale*
++    channel_statistics[channel].mean,channel_statistics[channel].mean/(double)
++    QuantumRange,scale*channel_statistics[channel].standard_deviation,
+     channel_statistics[channel].standard_deviation/(double) QuantumRange,
+     channel_statistics[channel].kurtosis,channel_statistics[channel].skewness);
+   return(n);
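Review bot: in the non-alpha call the minima argument becomes
ClampToQuantum((MagickRealType) floor(scale*...minima)), but the maxima
argument is only ClampToQuantum((MagickRealType) (scale*...maxima)) with no
floor, while the AlphaChannel branch in the previous hunk floors both. If the
i386 off-by-one comes from rounding inside ClampToQuantum, the printed max can
still differ; either add the floor or say why maxima is exempt.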
diff -Nru imagemagick-6.8.9.9/debian/patches/0071-Prevent-null-pointer-access-in-magick-constitute.c.patch imagemagick-6.8.9.9/debian/patches/0071-Prevent-null-pointer-access-in-magick-constitute.c.patch
--- imagemagick-6.8.9.9/debian/patches/0071-Prevent-null-pointer-access-in-magick-constitute.c.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0071-Prevent-null-pointer-access-in-magick-constitute.c.patch	2016-03-10 12:11:43.000000000 +1100
@@ -0,0 +1,38 @@
+From d8ccf0cde8b1df3d44b47f560a69c821bcb96921 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Thu, 24 Sep 2015 09:37:24 -0400
+Subject: [PATCH] Prevent null pointer access in magick/constitute.c
+
+Bug: https://github.com/ImageMagick/ImageMagick/pull/34
+---
+ magick/constitute.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/magick/constitute.c b/magick/constitute.c
+index ff339ee..820f632 100644
+--- a/magick/constitute.c
++++ b/magick/constitute.c
+@@ -1299,7 +1299,14 @@ MagickExport MagickBooleanType WriteImages(const ImageInfo *image_info,
+   sans_exception=DestroyExceptionInfo(sans_exception);
+   p=images;
+   for ( ; GetNextImageInList(p) != (Image *) NULL; p=GetNextImageInList(p))
+-    if (p->scene >= GetNextImageInList(p)->scene)
++  {
++    register Image
++      *next;
++
++    next=GetNextImageInList(p);
++    if (next == (Image *) NULL)
++      break;
++    if (p->scene >= next->scene)
+       {
+         register ssize_t
+           i;
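Review bot: the added check "if (next == (Image *) NULL) break;" repeats the
test already made in the for condition, GetNextImageInList(p) != (Image *)
NULL, so within one iteration it can only fire if the list changes between
the two calls. Either walk the list on p alone and make the check on next the
single exit, or add a comment saying which case the second check covers. As
written, GetNextImageInList(p) is evaluated twice per step for no visible
reason.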
+@@ -1312,6 +1319,7 @@ MagickExport MagickBooleanType WriteImages(const ImageInfo *image_info,
+           p->scene=(size_t) i++;
+         break;
+       }
++  }
+   /*
+     Write images.
+   */
diff -Nru imagemagick-6.8.9.9/debian/patches/0072-Fixed-out-of-bounds-error-in-SpliceImage.patch imagemagick-6.8.9.9/debian/patches/0072-Fixed-out-of-bounds-error-in-SpliceImage.patch
--- imagemagick-6.8.9.9/debian/patches/0072-Fixed-out-of-bounds-error-in-SpliceImage.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0072-Fixed-out-of-bounds-error-in-SpliceImage.patch	2016-03-10 12:11:43.000000000 +1100
@@ -0,0 +1,87 @@
+From 281308d0fc7b1beaa3b71c44f472b7664f53d0e5 Mon Sep 17 00:00:00 2001
+From: dirk <dirk@git.imagemagick.org>
+Date: Fri, 9 Oct 2015 10:08:06 +0200
+Subject: [PATCH] Fixed out of bounds error in SpliceImage.
+
+Bug: http://www.imagemagick.org/discourse-server/viewtopic.html?f=3&t=28466
+---
+ magick/transform.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/magick/transform.c b/magick/transform.c
+index 69ff36e..785090e 100644
+--- a/magick/transform.c
++++ b/magick/transform.c
+@@ -95,6 +95,14 @@
+ %    o exception: Return any errors or warnings in this structure.
+ %
+ */
++static inline size_t MagickMin(const size_t x,const size_t y)
++{
++  if (x < y)
++    return(x);
++  return(y);
++}
++
++
+ MagickExport Image *AutoOrientImage(const Image *image,
+   const OrientationType orientation,ExceptionInfo *exception)
+ {
+@@ -1733,6 +1741,7 @@ MagickExport Image *SpliceImage(const Image *image,
+     splice_geometry;
+ 
+   ssize_t
++    columns,
+     y;
+ 
+   /*
+@@ -1817,6 +1826,7 @@ MagickExport Image *SpliceImage(const Image *image,
+   */
+   status=MagickTrue;
+   progress=0;
++  columns=MagickMin(splice_geometry.x,(ssize_t) splice_image->columns);
+   image_view=AcquireVirtualCacheView(image,exception);
+   splice_view=AcquireAuthenticCacheView(splice_image,exception);
+ #if defined(MAGICKCORE_OPENMP_SUPPORT)
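Review bot: columns=MagickMin(splice_geometry.x,(ssize_t)
splice_image->columns) passes two ssize_t values to the MagickMin this patch
adds at the top of the file, which takes and returns size_t. A negative
splice_geometry.x converts to a very large unsigned value, so columns becomes
splice_image->columns and the copy loops run the full row, where the old
condition x < splice_geometry.x ran zero times. If x can be negative at this
point, clamp it to zero first or use a signed minimum.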
+@@ -1840,7 +1850,8 @@ MagickExport Image *SpliceImage(const Image *image,
+ 
+     if (status == MagickFalse)
+       continue;
+-    p=GetCacheViewVirtualPixels(image_view,0,y,image->columns,1,exception);
++    p=GetCacheViewVirtualPixels(image_view,0,y,splice_image->columns,1,
++      exception);
+     q=QueueCacheViewAuthenticPixels(splice_view,0,y,splice_image->columns,1,
+       exception);
+     if ((p == (const PixelPacket *) NULL) || (q == (PixelPacket *) NULL))
+@@ -1850,7 +1861,7 @@ MagickExport Image *SpliceImage(const Image *image,
+       }
+     indexes=GetCacheViewAuthenticIndexQueue(image_view);
+     splice_indexes=GetCacheViewAuthenticIndexQueue(splice_view);
+-    for (x=0; x < splice_geometry.x; x++)
++    for (x=0; x < columns; x++)
+     {
+       SetPixelRed(q,GetPixelRed(p));
+       SetPixelGreen(q,GetPixelGreen(p));
+@@ -1918,10 +1929,10 @@ MagickExport Image *SpliceImage(const Image *image,
+ 
+     if (status == MagickFalse)
+       continue;
+-    p=GetCacheViewVirtualPixels(image_view,0,y-(ssize_t) splice_geometry.height,
+-      image->columns,1,exception);
+-    if ((y < 0) || (y >= (ssize_t) splice_image->rows))
++    if ((y < 0) || (y >= (ssize_t)splice_image->rows))
+       continue;
++    p=GetCacheViewVirtualPixels(image_view,0,y-(ssize_t) splice_geometry.height,
++      splice_image->columns,1,exception);
+     q=QueueCacheViewAuthenticPixels(splice_view,0,y,splice_image->columns,1,
+       exception);
+     if ((p == (const PixelPacket *) NULL) || (q == (PixelPacket *) NULL))
+@@ -1931,7 +1942,7 @@ MagickExport Image *SpliceImage(const Image *image,
+       }
+     indexes=GetCacheViewAuthenticIndexQueue(image_view);
+     splice_indexes=GetCacheViewAuthenticIndexQueue(splice_view);
+-    for (x=0; x < splice_geometry.x; x++)
++    for (x=0; x < columns; x++)
+     {
+       SetPixelRed(q,GetPixelRed(p));
+       SetPixelGreen(q,GetPixelGreen(p));
diff -Nru imagemagick-6.8.9.9/debian/patches/0073-Fixed-memory-leaks.patch imagemagick-6.8.9.9/debian/patches/0073-Fixed-memory-leaks.patch
--- imagemagick-6.8.9.9/debian/patches/0073-Fixed-memory-leaks.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0073-Fixed-memory-leaks.patch	2016-03-10 12:11:43.000000000 +1100
@@ -0,0 +1,64 @@
+From 1d726ed4bdeec8a4852c81e561375b7f8890a04f Mon Sep 17 00:00:00 2001
+From: dirk <dirk@git.imagemagick.org>
+Date: Sat, 26 Dec 2015 20:17:54 +0100
+Subject: [PATCH] Fixed memory leaks.
+
+Bug: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28791
+Applied-upstream: https://github.com/ImageMagick/ImageMagick/commit/9043f3d1fb76c8f4f158d75dc6e2455c43d2f1de
+---
+ magick/nt-base.c | 2 ++
+ magick/utility.c | 9 ++++++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/magick/nt-base.c b/magick/nt-base.c
+index 9730631..302bc1e 100644
+--- a/magick/nt-base.c
++++ b/magick/nt-base.c
+@@ -1107,6 +1107,7 @@ static int NTGhostscriptGetString(const char *name,BOOL *is_64_bit,
+             directory,DirectorySeparator);
+           if (IsPathAccessible(buffer) != MagickFalse)
+             {
++              directory=DestroyString(directory);
+               (void) CopyMagickString(value,buffer,length);
+               if (is_64_bit != NULL)
+                 *is_64_bit=FALSE;
+@@ -1116,6 +1117,7 @@ static int NTGhostscriptGetString(const char *name,BOOL *is_64_bit,
+             directory,DirectorySeparator);
+           if (IsPathAccessible(buffer) != MagickFalse)
+             {
++              directory=DestroyString(directory);
+               (void) CopyMagickString(value,buffer,length);
+               if (is_64_bit != NULL)
+                 *is_64_bit=TRUE;
+diff --git a/magick/utility.c b/magick/utility.c
+index 8b1efe2..4a88e61 100644
+--- a/magick/utility.c
++++ b/magick/utility.c
+@@ -1817,6 +1817,7 @@ MagickPrivate MagickBooleanType ShredFile(const char *path)
+       /*
+         Don't shred the file, just remove it.
+       */
++      passes=DestroyString(passes);
+       status=remove_utf8(path);
+       if (status == -1)
+         return(MagickFalse);
+@@ -1828,6 +1829,7 @@ MagickPrivate MagickBooleanType ShredFile(const char *path)
+       /*
+         Don't shred the file, just remove it.
+       */
++      passes=DestroyString(passes);
+       status=remove_utf8(path);
+       return(MagickFalse);
+     }
+@@ -1877,7 +1879,8 @@ MagickPrivate MagickBooleanType ShredFile(const char *path)
+   }
+   status=close(file);
+   status=remove_utf8(path);
+-  if (status == -1)
+-    return(MagickFalse);
+-  return(i < (ssize_t) StringToInteger(passes) ? MagickFalse : MagickTrue);
++  if (status != -1)
++    status=StringToInteger(passes);
++  passes=DestroyString(passes);
++  return((status == -1 || i < (ssize_t) status) ? MagickFalse : MagickTrue);
+ }
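Review bot: status is reused to hold the result of StringToInteger(passes)
after it held the return value of remove_utf8(path), so the final test
status == -1 can no longer tell a failed remove from a pass count that parses
to -1. A separate local for the parsed pass count, read before
passes=DestroyString(passes), keeps the leak fix and makes the return
expression readable.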
diff -Nru imagemagick-6.8.9.9/debian/patches/0074-Fix-overflow-in-pict-image-parsing.patch imagemagick-6.8.9.9/debian/patches/0074-Fix-overflow-in-pict-image-parsing.patch
--- imagemagick-6.8.9.9/debian/patches/0074-Fix-overflow-in-pict-image-parsing.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0074-Fix-overflow-in-pict-image-parsing.patch	2016-03-10 12:11:43.000000000 +1100
@@ -0,0 +1,56 @@
+From 2176134da732b638db47c5aa713dffccbe4837b9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
+Date: Mon, 7 Dec 2015 16:04:17 +0100
+Subject: [PATCH] Fix overflow in pict image parsing  Backport a small part of
+ an upstream commit fixing  an issue with pict image parsing. Origin:
+ backport,
+ https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734
+ Bug-Ubuntu:
+ https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803
+ Applied-Upstream: 7.0.0 Last-Update: 2015-11-27 --- This patch header follows
+ DEP-3: http://dep.debian.net/deps/dep3/
+
+---
+ coders/pict.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/coders/pict.c b/coders/pict.c
+index f6165a4..ee24aeb 100644
+--- a/coders/pict.c
++++ b/coders/pict.c
+@@ -1615,7 +1615,8 @@ static MagickBooleanType WritePICTImage(const ImageInfo *image_info,
+     storage_class;
+ 
+   ssize_t
+-    y;
++    y,
++    row_bytes;
+ 
+   unsigned char
+     *buffer,
+@@ -1625,7 +1626,6 @@ static MagickBooleanType WritePICTImage(const ImageInfo *image_info,
+ 
+   unsigned short
+     base_address,
+-    row_bytes,
+     transfer_mode;
+ 
+   /*
+@@ -1656,7 +1656,7 @@ static MagickBooleanType WritePICTImage(const ImageInfo *image_info,
+   source_rectangle=size_rectangle;
+   destination_rectangle=size_rectangle;
+   base_address=0xff;
+-  row_bytes=(unsigned short) (image->columns | 0x8000);
++  row_bytes=image->columns;
+   bounds.top=0;
+   bounds.left=0;
+   bounds.bottom=(short) image->rows;
+@@ -1686,7 +1686,7 @@ static MagickBooleanType WritePICTImage(const ImageInfo *image_info,
+       pixmap.bits_per_pixel=32;
+       pixmap.pack_type=0x04;
+       transfer_mode=0x40;
+-      row_bytes=(unsigned short) ((4*image->columns) | 0x8000);
++      row_bytes=4*image->columns;
+     }
+   /*
+     Allocate memory.
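Review bot: row_bytes=4*image->columns (and row_bytes=image->columns in the
previous hunk) no longer ORs in 0x8000, and row_bytes has moved from unsigned
short to ssize_t. The patch header says this is a small part of a larger
upstream commit, and none of the hunks here touch the place where row_bytes
is written to the blob. Please check that the writer still sets the high bit
and emits a 16-bit value; otherwise the PICT files produced by WritePICTImage
change.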
diff -Nru imagemagick-6.8.9.9/debian/patches/0075-Fix-buffer-overflow-in-icon-parsing-code.patch imagemagick-6.8.9.9/debian/patches/0075-Fix-buffer-overflow-in-icon-parsing-code.patch
--- imagemagick-6.8.9.9/debian/patches/0075-Fix-buffer-overflow-in-icon-parsing-code.patch	1970-01-01 10:00:00.000000000 +1000
+++ imagemagick-6.8.9.9/debian/patches/0075-Fix-buffer-overflow-in-icon-parsing-code.patch	2016-03-10 12:11:43.000000000 +1100
@@ -0,0 +1,30 @@
+From 67cdf9296c72b6e2d7ff2e64ea28f1797e8a7ddc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
+Date: Mon, 7 Dec 2015 16:02:33 +0100
+Subject: [PATCH] Fix buffer overflow in icon parsing code
+
+ This patch backports a small extract of a larger upstream
+ commit that addresses this specific issue.
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747
+Origin: backport, https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734
+Applied-Upstream: 7.0.0
+Last-Update: 2015-11-26
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+---
+ coders/icon.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/coders/icon.c b/coders/icon.c
+index 80a0e1a..2bcdbc1 100644
+--- a/coders/icon.c
++++ b/coders/icon.c
+@@ -347,6 +347,8 @@ static Image *ReadICONImage(const ImageInfo *image_info,
+           Icon image encoded as a compressed PNG image.
+         */
+         length=icon_file.directory[i].size;
++	if (~length < 16)
++          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+         png=(unsigned char *) AcquireQuantumMemory(length+16,sizeof(*png));
+         if (png == (unsigned char *) NULL)
+           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
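Review bot: the guard "if (~length < 16)" is correct only if length is an
unsigned type at least as wide as int, and its declaration is not part of
this hunk. Comparing length against the maximum of its type minus 16 would
state the intent (reject sizes for which length+16 wraps) without depending
on promotion rules. The added line is also indented with a tab while its
neighbours use spaces.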
diff -Nru imagemagick-6.8.9.9/debian/patches/series imagemagick-6.8.9.9/debian/patches/series
--- imagemagick-6.8.9.9/debian/patches/series	2014-12-29 21:55:39.000000000 +1100
+++ imagemagick-6.8.9.9/debian/patches/series	2016-03-10 12:12:20.000000000 +1100
@@ -55,3 +55,22 @@
 0054-Replaced-calls-to-ConstrainColormapIndex-with-IsVali.patch
 0055-During-identification-of-image-do-not-fill-memory.patch
 0056-Fix-correctly-the-xpm-crash-problem.patch
+0057-Fix-a-miff-security-bug.patch
+0058-Fix-a-DOS-in-viccar-file-handling.patch
+0059-Fix-a-DOS-in-HDR-file.patch
+0060-Fix-a-DOS-in-PDB-file-handling.patch
+0061-Avoid-using-NULL-alpha_image-in-the-JNG-decoder.patch
+0062-Jpeg-images-no-longer-have-pixels-per-inch-as-a-defa.patch
+0063-Add-an-additional-check-for-end-of-file-for-the-RLE-.patch
+0064-Fix-a-double-free-in-tga-file.patch
+0065-Add-field-width-to-sscanf-to-prevent-buffer-overflow.patch
+0066-Limit-fx-recursive-to-avoid-stack-overflow.patch
+0067-Added-extra-checks-to-avoid-out-of-bounds-error-when.patch
+0068-Fixed-size-of-memory-allocation-to-avoid-segfault-Gi.patch
+0069-Fixed-memory-leak-when-reading-incorrect-PSD-files.patch
+0070-Fix-PixelColor-off-by-one-on-i386.patch
+0071-Prevent-null-pointer-access-in-magick-constitute.c.patch
+0072-Fixed-out-of-bounds-error-in-SpliceImage.patch
+0073-Fixed-memory-leaks.patch
+0074-Fix-overflow-in-pict-image-parsing.patch
+0075-Fix-buffer-overflow-in-icon-parsing-code.patch
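Review bot: 0062-Jpeg-images-no-longer-have-pixels-per-inch-as-a-defa.patch
reads from its name like a change to default behaviour, not a security fix,
and it sits in the middle of the list added for a jessie-security upload.
Each entry from 0057 to 0075 should map to an item in the changelog; anything
that does not should be left out of the series.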

-- 
Brian May <bam@debian.org>

