imagemagick security update ready for testing
TL;DR: please test and review:
https://people.debian.org/~anarcat/debian/wheezy-lts
diff -Nru imagemagick-6.7.7.10/debian/changelog imagemagick-6.7.7.10/debian/changelog
--- imagemagick-6.7.7.10/debian/changelog 2016-12-11 00:57:24.000000000 -0500
+++ imagemagick-6.7.7.10/debian/changelog 2016-12-18 17:35:45.000000000 -0500
@@ -1,3 +1,28 @@
+imagemagick (8:6.7.7.10-5+deb7u10) UNRELEASED; urgency=high
+
+ * Non-maintainer upload by the LTS Security Team.
+ * mogrify global buffer overflow (CVE-2016-7799) (Closes: #840437)
+ * mogrify use after free (CVE-2016-7906) (Closes: #840435)
+ * memory allocate failure in AcquireQuantumPixels (CVE-2016-8677) (Closes: #845206)
+ * ImageMagick Convert Tiff Adobe Deflate Code Execution
+ Vulnerability (CVE-2016-8707) (Closes: #848139)
+ * memory allocation failure in AcquireMagickMemory (CVE-2016-8862, CVE-2016-8866) (Closes: #845634)
+ * Heap buffer overflow in heap-buffer-overflow in IsPixelGray (CVE-2016-9556) (Closes: #845242)
+ * null pointer passed as argument 2, which is declared to never be null (CVE-2016-9559) (Closes: #845243)
+ * TIFF file buffer overflow (Closes: #845195)
+ * Check return of write function (Closes: #845196)
+ * Check validity of extend during TIFF file reading (Closes: #845198)
+ * Better check for bufferoverflow for TIFF handling (Closes: #845202)
+ * Fix out of bound read in viff file handling (Closes: #845212)
+ * 0161-Do-not-ignore-SetImageBias-bias-value.patch: DOS fix?
+ Do not ignore SetImageBias() bias value (undocumented patch from Jessie)
+ * Suspend exception processing if there are too many exceptions (Closes: #845213)
+ * Prevent fault in MSL interpreter (Closes: #845241)
+ * Add check for invalid mat file (Closes: #845244)
+ * mat file out of bound (Closes: #845246)
+
+ -- Antoine Beaupré <anarcat@debian.org> Fri, 16 Dec 2016 16:10:35 -0500
+
imagemagick (8:6.7.7.10-5+deb7u9) wheezy-security; urgency=high
* Non-maintainer upload by the LTS Team
diff -Nru imagemagick-6.7.7.10/debian/patches/0125-CVE-2016-7799.patch imagemagick-6.7.7.10/debian/patches/0125-CVE-2016-7799.patch
--- imagemagick-6.7.7.10/debian/patches/0125-CVE-2016-7799.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0125-CVE-2016-7799.patch 2016-12-18 15:55:49.000000000 -0500
@@ -0,0 +1,20 @@
+From a7bb158b7bedd1449a34432feb3a67c8f1873bfa Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 30 Sep 2016 15:19:06 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/280
+
+---
+ MagickCore/profile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/magick/profile.c
++++ b/magick/profile.c
+@@ -1581,7 +1581,7 @@ MagickExport MagickBooleanType SyncImage
+ (void) AddValueToSplayTree(exif_resources,q,q);
+ tag_value=(ssize_t) ReadProfileShort(endian,q);
+ format=(ssize_t) ReadProfileShort(endian,q+2);
+- if ((format-1) >= EXIF_NUM_FORMATS)
++ if ((format < 0) || ((format-1) >= EXIF_NUM_FORMATS))
+ break;
+ components=(ssize_t) ReadProfileLong(endian,q+4);
+ if (components < 0)
diff -Nru imagemagick-6.7.7.10/debian/patches/0126-CVE-2016-7906.patch imagemagick-6.7.7.10/debian/patches/0126-CVE-2016-7906.patch
--- imagemagick-6.7.7.10/debian/patches/0126-CVE-2016-7906.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0126-CVE-2016-7906.patch 2016-12-18 15:55:49.000000000 -0500
@@ -0,0 +1,19 @@
+From d63a3c5729df59f183e9e110d5d8385d17caaad0 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 1 Oct 2016 11:16:55 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/281
+
+---
+ magick/attribute.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/magick/attribute.c
++++ b/magick/attribute.c
+@@ -1175,6 +1175,7 @@ MagickExport MagickBooleanType SetImageT
+ status=QuantizeImage(quantize_info,image);
+ quantize_info=DestroyQuantizeInfo(quantize_info);
+ }
++ status=AcquireImageColormap(image,2);
+ image->matte=MagickFalse;
+ break;
+ }
diff -Nru imagemagick-6.7.7.10/debian/patches/0127-CVE-2016-8677.patch imagemagick-6.7.7.10/debian/patches/0127-CVE-2016-8677.patch
--- imagemagick-6.7.7.10/debian/patches/0127-CVE-2016-8677.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0127-CVE-2016-8677.patch 2016-12-18 15:55:49.000000000 -0500
@@ -0,0 +1,21 @@
+From 524349d2b3fed7fa0e53de2c908458474eb24418 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Thu, 15 Sep 2016 20:26:36 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/268
+
+---
+ coders/tiff.c | 131 +++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 65 insertions(+), 66 deletions(-)
+
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1678,7 +1678,8 @@ static Image *ReadTIFFImage(const ImageI
+ }
+ SetQuantumImageType(image,quantum_type);
+ next_tiff_frame:
+- quantum_info=DestroyQuantumInfo(quantum_info);
++ if (quantum_info != (QuantumInfo *) NULL)
++ quantum_info=DestroyQuantumInfo(quantum_info);
+ if ((photometric == PHOTOMETRIC_LOGL) ||
+ (photometric == PHOTOMETRIC_MINISBLACK) ||
+ (photometric == PHOTOMETRIC_MINISWHITE))
diff -Nru imagemagick-6.7.7.10/debian/patches/0128-CVE-2016-8707.patch imagemagick-6.7.7.10/debian/patches/0128-CVE-2016-8707.patch
--- imagemagick-6.7.7.10/debian/patches/0128-CVE-2016-8707.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0128-CVE-2016-8707.patch 2016-12-18 15:55:49.000000000 -0500
@@ -0,0 +1,141 @@
+From e5fd9ab1b70b2edd06de8efb606e04482cb9a2f0 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Thu, 1 Dec 2016 20:06:50 -0500
+Subject: [PATCH] Fix possible buffer overflow when writing compressed TIFFS
+
+---
+ ChangeLog | 2 ++
+ coders/tiff.c | 34 +++++++++++++++++++---------------
+ 2 files changed, 21 insertions(+), 15 deletions(-)
+
+Patch was modified to remove ReadYCCKMethod case because absent from wheezy.
+
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -3,6 +3,8 @@
+
+ 2012-06-26 6.7.7-10 Glenn Randers-Pehrson <glennrp@image...>
+ * Don't attempt to use Z_RLE compression strategy with old zlib (prior to
++ * Fix possible buffer overflow when writing compressed TIFFS (vulnerability
++ report from Cisco Talos, CVE-2016-8707).
+ zlib-1.2.0) that does not support it.
+ * Increase PLTE chunk length to accommodate background color in indexed PNG
+ (reference www.imagemagick.org/discourse-server/viewtopic.php?f=1&t=21288).
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -866,7 +866,7 @@ static Image *ReadTIFFImage(const ImageI
+ width;
+
+ unsigned char
+- *pixels;
++ *tiff_pixels;
+
+ /*
+ Open image.
+@@ -1223,7 +1223,13 @@ static Image *ReadTIFFImage(const ImageI
+ method=ReadTileMethod;
+ quantum_info->endian=LSBEndian;
+ quantum_type=RGBQuantum;
+- pixels=GetQuantumPixels(quantum_info);
++ tiff_pixels=(unsigned char *) AcquireMagickMemory(TIFFScanlineSize(tiff)+
++ sizeof(uint32));
++ if (tiff_pixels == (unsigned char *) NULL)
++ {
++ TIFFClose(tiff);
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ }
+ switch (method)
+ {
+ case ReadSingleSampleMethod:
+@@ -1294,7 +1300,6 @@ static Image *ReadTIFFImage(const ImageI
+ TIFFClose(tiff);
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
+- pixels=GetQuantumPixels(quantum_info);
+ for (y=0; y < (ssize_t) image->rows; y++)
+ {
+ int
+@@ -1303,14 +1308,14 @@ static Image *ReadTIFFImage(const ImageI
+ register PixelPacket
+ *restrict q;
+
+- status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) pixels);
++ status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels);
+ if (status == -1)
+ break;
+ q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
+ if (q == (PixelPacket *) NULL)
+ break;
+ length=ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
+- quantum_type,pixels,exception);
++ quantum_type,tiff_pixels,exception);
+ (void) length;
+ if (SyncAuthenticPixels(image,exception) == MagickFalse)
+ break;
+@@ -1352,7 +1357,6 @@ static Image *ReadTIFFImage(const ImageI
+ TIFFClose(tiff);
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
+- pixels=GetQuantumPixels(quantum_info);
+ for (y=0; y < (ssize_t) image->rows; y++)
+ {
+ int
+@@ -1361,14 +1365,14 @@ static Image *ReadTIFFImage(const ImageI
+ register PixelPacket
+ *restrict q;
+
+- status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) pixels);
++ status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels);
+ if (status == -1)
+ break;
+ q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
+ if (q == (PixelPacket *) NULL)
+ break;
+ length=ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
+- quantum_type,pixels,exception);
++ quantum_type,tiff_pixels,exception);
+ if (SyncAuthenticPixels(image,exception) == MagickFalse)
+ break;
+ if (image->previous == (Image *) NULL)
+@@ -1397,7 +1401,7 @@ static Image *ReadTIFFImage(const ImageI
+ status;
+
+ status=TIFFReadPixels(tiff,bits_per_sample,(tsample_t) i,y,(char *)
+- pixels);
++ tiff_pixels);
+ if (status == -1)
+ break;
+ q=GetAuthenticPixels(image,0,y,image->columns,1,exception);
+@@ -1423,7 +1427,7 @@ static Image *ReadTIFFImage(const ImageI
+ default: quantum_type=UndefinedQuantum; break;
+ }
+ length=ImportQuantumPixels(image,(CacheView *) NULL,quantum_info,
+- quantum_type,pixels,exception);
++ quantum_type,tiff_pixels,exception);
+ if (SyncAuthenticPixels(image,exception) == MagickFalse)
+ break;
+ }
+@@ -1460,13 +1464,13 @@ static Image *ReadTIFFImage(const ImageI
+ break;
+ if (i == 0)
+ {
+- if (TIFFReadRGBAStrip(tiff,(tstrip_t) y,(uint32 *) pixels) == 0)
++ if (TIFFReadRGBAStrip(tiff,(tstrip_t) y,(uint32 *) tiff_pixels) == 0)
+ break;
+ i=(ssize_t) MagickMin((ssize_t) rows_per_strip,(ssize_t)
+ image->rows-y);
+ }
+ i--;
+- p=((uint32 *) pixels)+image->columns*i;
++ p=((uint32 *) tiff_pixels)+image->columns*i;
+ for (x=0; x < (ssize_t) image->columns; x++)
+ {
+ SetPixelRed(q,ScaleCharToQuantum((unsigned char)
+@@ -1676,6 +1680,7 @@ static Image *ReadTIFFImage(const ImageI
+ break;
+ }
+ }
++ tiff_pixels=(unsigned char *) RelinquishMagickMemory(tiff_pixels);
+ SetQuantumImageType(image,quantum_type);
+ next_tiff_frame:
+ if (quantum_info != (QuantumInfo *) NULL)
diff -Nru imagemagick-6.7.7.10/debian/patches/0129-CVE-2016-8862.patch imagemagick-6.7.7.10/debian/patches/0129-CVE-2016-8862.patch
--- imagemagick-6.7.7.10/debian/patches/0129-CVE-2016-8862.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0129-CVE-2016-8862.patch 2016-12-18 15:55:49.000000000 -0500
@@ -0,0 +1,28 @@
+From d94d85622f120f82240921ae7a83a72afcb79ddf Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra <dirk@git.imagemagick.org>
+Date: Mon, 21 Nov 2016 20:54:14 +0100
+Subject: [PATCH] Lowered max map_length to prevent an overflow (#271).
+
+---
+ coders/rle.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+This was modified to also include
+871190145d0d99c81070737bd576333bcf42dbdc which introduced the bounds
+check in the first place, which was missing from 6.7.7.
+
+--- a/coders/rle.c
++++ b/coders/rle.c
+@@ -233,8 +233,11 @@ static Image *ReadRLEImage(const ImageIn
+ number_planes=1UL*ReadBlobByte(image);
+ bits_per_pixel=1UL*ReadBlobByte(image);
+ number_colormaps=1UL*ReadBlobByte(image);
++ map_length=(unsigned char) ReadBlobByte(image);
++ if (map_length >= 22)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ one=1;
+- map_length=one << ReadBlobByte(image);
++ map_length=one << map_length;
+ if ((number_planes == 0) || (number_planes == 2) ||
+ ((flags & 0x04) && (number_colormaps > 254)) || (bits_per_pixel != 8) ||
+ (image->columns == 0))
diff -Nru imagemagick-6.7.7.10/debian/patches/0130-CVE-2016-9556.patch imagemagick-6.7.7.10/debian/patches/0130-CVE-2016-9556.patch
--- imagemagick-6.7.7.10/debian/patches/0130-CVE-2016-9556.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0130-CVE-2016-9556.patch 2016-12-18 15:55:49.000000000 -0500
@@ -0,0 +1,20 @@
+From 174de08d7c81ce147689f3b1c73fadd6bf1c023c Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Wed, 16 Nov 2016 15:49:07 -0500
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/301
+
+---
+ coders/sgi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/coders/sgi.c
++++ b/coders/sgi.c
+@@ -337,6 +337,8 @@ static Image *ReadSGIImage(const ImageIn
+ if ((iris_info.bytes_per_pixel == 0) || (iris_info.bytes_per_pixel > 2))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ iris_info.dimension=ReadBlobMSBShort(image);
++ if ((iris_info.dimension == 0) || (iris_info.dimension > 3))
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ iris_info.columns=ReadBlobMSBShort(image);
+ iris_info.rows=ReadBlobMSBShort(image);
+ iris_info.depth=ReadBlobMSBShort(image);
diff -Nru imagemagick-6.7.7.10/debian/patches/0131-CVE-2016-9559.patch imagemagick-6.7.7.10/debian/patches/0131-CVE-2016-9559.patch
--- imagemagick-6.7.7.10/debian/patches/0131-CVE-2016-9559.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0131-CVE-2016-9559.patch 2016-12-18 15:55:49.000000000 -0500
@@ -0,0 +1,79 @@
+From 1c795ce9fe1d6feac8bc36c2e6c5ba7110b671b1 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Wed, 9 Nov 2016 15:56:49 -0500
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/298
+
+---
+ coders/tiff.c | 42 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -560,41 +560,54 @@ static void TIFFGetProperties(TIFF *tiff
+ uint32
+ count;
+
+- if (TIFFGetField(tiff,TIFFTAG_ARTIST,&text) == 1)
++ if ((TIFFGetField(tiff,TIFFTAG_ARTIST,&text) == 1) &&
++ (text != (char *) NULL))
+ (void) SetImageProperty(image,"tiff:artist",text);
+- if (TIFFGetField(tiff,TIFFTAG_COPYRIGHT,&text) == 1)
++ if ((TIFFGetField(tiff,TIFFTAG_COPYRIGHT,&text) == 1) &&
++ (text != (char *) NULL))
+ (void) SetImageProperty(image,"tiff:copyright",text);
+- if (TIFFGetField(tiff,TIFFTAG_DATETIME,&text) == 1)
++ if ((TIFFGetField(tiff,TIFFTAG_DATETIME,&text) == 1) &&
++ (text != (char *) NULL))
+ (void) SetImageProperty(image,"tiff:timestamp",text);
+- if (TIFFGetField(tiff,TIFFTAG_DOCUMENTNAME,&text) == 1)
++ if ((TIFFGetField(tiff,TIFFTAG_DOCUMENTNAME,&text) == 1) &&
++ (text != (char *) NULL))
+ (void) SetImageProperty(image,"tiff:document",text);
+- if (TIFFGetField(tiff,TIFFTAG_HOSTCOMPUTER,&text) == 1)
++ if ((TIFFGetField(tiff,TIFFTAG_HOSTCOMPUTER,&text) == 1) &&
++ (text != (char *) NULL))
+ (void) SetImageProperty(image,"tiff:hostcomputer",text);
+- if (TIFFGetField(tiff,TIFFTAG_IMAGEDESCRIPTION,&text) == 1)
++ if ((TIFFGetField(tiff,TIFFTAG_IMAGEDESCRIPTION,&text) == 1) &&
++ (text != (char *) NULL))
+ (void) SetImageProperty(image,"comment",text);
+- if (TIFFGetField(tiff,TIFFTAG_MAKE,&text) == 1)
++ if ((TIFFGetField(tiff,TIFFTAG_MAKE,&text) == 1) &&
++ (text != (char *) NULL))
+ (void) SetImageProperty(image,"tiff:make",text);
+- if (TIFFGetField(tiff,TIFFTAG_MODEL,&text) == 1)
++ if ((TIFFGetField(tiff,TIFFTAG_MODEL,&text) == 1) &&
++ (text != (char *) NULL))
+ (void) SetImageProperty(image,"tiff:model",text);
+- if (TIFFGetField(tiff,TIFFTAG_OPIIMAGEID,&count,&text) == 1)
++ if ((TIFFGetField(tiff,TIFFTAG_OPIIMAGEID,&count,&text) == 1) &&
++ (text != (char *) NULL))
+ {
+ if (count >= MaxTextExtent)
+ count=MaxTextExtent-1;
+ (void) CopyMagickString(message,text,count+1);
+ (void) SetImageProperty(image,"tiff:image-id",message);
+ }
+- if (TIFFGetField(tiff,TIFFTAG_PAGENAME,&text) == 1)
++ if ((TIFFGetField(tiff,TIFFTAG_PAGENAME,&text) == 1) &&
++ (text != (char *) NULL))
+ (void) SetImageProperty(image,"label",text);
+- if (TIFFGetField(tiff,TIFFTAG_SOFTWARE,&text) == 1)
++ if ((TIFFGetField(tiff,TIFFTAG_SOFTWARE,&text) == 1) &&
++ (text != (char *) NULL))
+ (void) SetImageProperty(image,"tiff:software",text);
+- if (TIFFGetField(tiff,33423,&count,&text) == 1)
++ if ((TIFFGetField(tiff,33423,&count,&text) == 1) &&
++ (text != (char *) NULL))
+ {
+ if (count >= MaxTextExtent)
+ count=MaxTextExtent-1;
+ (void) CopyMagickString(message,text,count+1);
+ (void) SetImageProperty(image,"tiff:kodak-33423",message);
+ }
+- if (TIFFGetField(tiff,36867,&count,&text) == 1)
++ if ((TIFFGetField(tiff,36867,&count,&text) == 1) &&
++ (text != (char *) NULL))
+ {
+ if (count >= MaxTextExtent)
+ count=MaxTextExtent-1;
diff -Nru imagemagick-6.7.7.10/debian/patches/0132-Bug-845195-TIFF-file-buffer-overflow.patch imagemagick-6.7.7.10/debian/patches/0132-Bug-845195-TIFF-file-buffer-overflow.patch
--- imagemagick-6.7.7.10/debian/patches/0132-Bug-845195-TIFF-file-buffer-overflow.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0132-Bug-845195-TIFF-file-buffer-overflow.patch 2016-12-18 15:55:49.000000000 -0500
@@ -0,0 +1,37 @@
+From 58cf5bf4fade82e3b510e8f3463a967278a3e410 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 7 May 2016 20:40:33 -0400
+Subject: [PATCH] ...
+
+---
+ coders/jpeg.c | 3 +--
+ coders/tiff.c | 11 +++++++----
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1520,9 +1520,6 @@ static Image *ReadTIFFImage(const ImageI
+ columns,
+ rows;
+
+- size_t
+- number_pixels;
+-
+ /*
+ Convert tiled TIFF image to DirectClass MIFF image.
+ */
+@@ -1533,7 +1530,13 @@ static Image *ReadTIFFImage(const ImageI
+ ThrowReaderException(CoderError,"ImageIsNotTiled");
+ }
+ (void) SetImageStorageClass(image,DirectClass);
+- number_pixels=columns*rows;
++ number_pixels=(MagickSizeType) columns*rows;
++ if ((number_pixels*sizeof(uint32)) != (MagickSizeType) ((size_t)
++ (number_pixels*sizeof(uint32))))
++ {
++ TIFFClose(tiff);
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ }
+ tile_pixels=(uint32 *) AcquireQuantumMemory(number_pixels,
+ sizeof(*tile_pixels));
+ if (tile_pixels == (uint32 *) NULL)
diff -Nru imagemagick-6.7.7.10/debian/patches/0133-Bug-845196-Check-return-of-write-function.patch imagemagick-6.7.7.10/debian/patches/0133-Bug-845196-Check-return-of-write-function.patch
--- imagemagick-6.7.7.10/debian/patches/0133-Bug-845196-Check-return-of-write-function.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0133-Bug-845196-Check-return-of-write-function.patch 2016-12-18 15:55:49.000000000 -0500
@@ -0,0 +1,36 @@
+From c19e513c48c9c03ff29e51ba5e35d866cea449ec Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Fri, 3 Jun 2016 20:16:40 -0400
+Subject: [PATCH] Check return of write function when writting tiff file
+
+Do not checking return of write function could lead to incomplete files
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/196
+bug-debian: https://bugs.debian.org/845196
+---
+ coders/tiff.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -370,8 +370,10 @@ static Image *ReadGROUP4Image(const Imag
+ length=fwrite("\000\000\000\000",1,4,file);
+ length=WriteLSBLong(file,(size_t) (image->x_resolution+0.5));
+ length=WriteLSBLong(file,1);
++ status=MagickTrue;
+ for (length=0; (c=ReadBlobByte(image)) != EOF; length++)
+- (void) fputc(c,file);
++ if (fputc(c,file) != c)
++ status=MagickFalse;
+ offset=(ssize_t) fseek(file,(ssize_t) offset,SEEK_SET);
+ length=WriteLSBLong(file,(unsigned int) length);
+ (void) fclose(file);
+@@ -393,6 +395,8 @@ static Image *ReadGROUP4Image(const Imag
+ (void) CopyMagickString(image->magick,"GROUP4",MaxTextExtent);
+ }
+ (void) RelinquishUniqueFileResource(filename);
++ if (status == MagickFalse)
++ image=DestroyImage(image);
+ return(image);
+ }
+ #endif
diff -Nru imagemagick-6.7.7.10/debian/patches/0134-Bug-845198-Check-validity-of-extend-during-TIFF-file-reading.patch imagemagick-6.7.7.10/debian/patches/0134-Bug-845198-Check-validity-of-extend-during-TIFF-file-reading.patch
--- imagemagick-6.7.7.10/debian/patches/0134-Bug-845198-Check-validity-of-extend-during-TIFF-file-reading.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0134-Bug-845198-Check-validity-of-extend-during-TIFF-file-reading.patch 2016-12-18 15:55:49.000000000 -0500
@@ -0,0 +1,28 @@
+From 73fd61b2ff70ffe52416be519113585e6c5e18de Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Wed, 6 Jul 2016 07:57:38 -0400
+Subject: [PATCH] Check validity of extend during TIFF file reading
+
+This will avoid a buffer overflow
+
+origin; https://github.com/ImageMagick/ImageMagick/commit/2bb6941a2d557f26a2f2049ade466e118eeaab91
+bug-debian: https://bugs.debian.org/845198
+---
+ coders/tiff.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1209,6 +1209,12 @@ static Image *ReadTIFFImage(const ImageI
+ break;
+ goto next_tiff_frame;
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ method=ReadGenericMethod;
+ if (TIFFGetField(tiff,TIFFTAG_ROWSPERSTRIP,&rows_per_strip) != 0)
+ {
diff -Nru imagemagick-6.7.7.10/debian/patches/0135-Bug-845202-Improve-buffer-flow-sanity-check-for-TIFF.patch imagemagick-6.7.7.10/debian/patches/0135-Bug-845202-Improve-buffer-flow-sanity-check-for-TIFF.patch
--- imagemagick-6.7.7.10/debian/patches/0135-Bug-845202-Improve-buffer-flow-sanity-check-for-TIFF.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0135-Bug-845202-Improve-buffer-flow-sanity-check-for-TIFF.patch 2016-12-18 15:55:49.000000000 -0500
@@ -0,0 +1,58 @@
+From 125df0f631a922cf2b3cafd6980883a580dc3c75 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Wed, 6 Jul 2016 08:15:57 -0400
+Subject: [PATCH] Improve buffer flow sanity check for TIFF
+
+origin: upstream, https://github.com/ImageMagick/ImageMagick/commit/f8877abac8e568b2f339cca70c2c3c1b6eaec288
+bug-debian: bugs.debian.org/845202
+
+(cherry picked from commit f8877abac8e568b2f339cca70c2c3c1b6eaec288)
+---
+ coders/tiff.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -62,6 +62,7 @@
+ #include "magick/log.h"
+ #include "magick/magick.h"
+ #include "magick/memory_.h"
++#include "magick/memory-private.h"
+ #include "magick/module.h"
+ #include "magick/monitor.h"
+ #include "magick/monitor-private.h"
+@@ -1541,14 +1542,13 @@ static Image *ReadTIFFImage(const ImageI
+ }
+ (void) SetImageStorageClass(image,DirectClass);
+ number_pixels=(MagickSizeType) columns*rows;
+- if ((number_pixels*sizeof(uint32)) != (MagickSizeType) ((size_t)
+- (number_pixels*sizeof(uint32))))
++ if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
+ {
+ TIFFClose(tiff);
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
+- tile_pixels=(uint32 *) AcquireQuantumMemory(number_pixels,
+- sizeof(*tile_pixels));
++ tile_pixels=(uint32 *) AcquireQuantumMemory(columns,
++ rows*sizeof(*tile_pixels));
+ if (tile_pixels == (uint32 *) NULL)
+ {
+ TIFFClose(tiff);
+@@ -1647,14 +1647,13 @@ static Image *ReadTIFFImage(const ImageI
+ Convert TIFF image to DirectClass MIFF image.
+ */
+ number_pixels=(MagickSizeType) image->columns*image->rows;
+- if ((number_pixels*sizeof(uint32)) != (MagickSizeType) ((size_t)
+- (number_pixels*sizeof(uint32))))
++ if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse)
+ {
+ TIFFClose(tiff);
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
+ pixels=(uint32 *) AcquireQuantumMemory(image->columns,image->rows*
+- sizeof(uint32));
++ sizeof(*pixels));
+ if (pixels == (uint32 *) NULL)
+ {
+ TIFFClose(tiff);
diff -Nru imagemagick-6.7.7.10/debian/patches/0136-Bug-845212-Fix-out-of-bound-read-in-viff-file-handling.patch imagemagick-6.7.7.10/debian/patches/0136-Bug-845212-Fix-out-of-bound-read-in-viff-file-handling.patch
--- imagemagick-6.7.7.10/debian/patches/0136-Bug-845212-Fix-out-of-bound-read-in-viff-file-handling.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0136-Bug-845212-Fix-out-of-bound-read-in-viff-file-handling.patch 2016-12-18 15:55:49.000000000 -0500
@@ -0,0 +1,60 @@
+From dfaec84fda2f126e956d840612f4bed1e7c9f457 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 14 Feb 2016 10:40:23 -0500
+Subject: [PATCH] Fix out of bound read in viff file handling
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/129
+bug-ubuntu: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1545183
+bug-debian: https://bugs.debian.org/845212
+origin: upstream, https://github.com/ImageMagick/ImageMagick/commit/76ac0460463c7f4eab8e58a5dd5cbb2bb012ccd3
+
+(cherry picked from commit 76ac0460463c7f4eab8e58a5dd5cbb2bb012ccd3)
+---
+ coders/viff.c | 28 ++++++++++++++++++++++++++--
+ 1 file changed, 26 insertions(+), 2 deletions(-)
+
+--- a/coders/viff.c
++++ b/coders/viff.c
+@@ -139,6 +139,22 @@ static MagickBooleanType IsVIFF(const un
+ % o exception: return any errors or warnings in this structure.
+ %
+ */
++
++static MagickBooleanType CheckMemoryOverflow(const size_t count,
++ const size_t quantum)
++{
++ size_t
++ size;
++
++ size=count*quantum;
++ if ((count == 0) || (quantum != (size/count)))
++ {
++ errno=ENOMEM;
++ return(MagickTrue);
++ }
++ return(MagickFalse);
++}
++
+ static Image *ReadVIFFImage(const ImageInfo *image_info,
+ ExceptionInfo *exception)
+ {
+@@ -491,9 +507,17 @@ static Image *ReadVIFFImage(const ImageI
+ default: bytes_per_pixel=1; break;
+ }
+ if (viff_info.data_storage_type == VFF_TYP_BIT)
+- max_packets=((image->columns+7UL) >> 3UL)*image->rows;
++ {
++ if (CheckMemoryOverflow((image->columns+7UL) >> 3UL,image->rows) != MagickFalse)
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ max_packets=((image->columns+7UL) >> 3UL)*image->rows;
++ }
+ else
+- max_packets=(size_t) (number_pixels*viff_info.number_data_bands);
++ {
++ if (CheckMemoryOverflow(number_pixels,viff_info.number_data_bands) != MagickFalse)
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++ max_packets=(size_t) (number_pixels*viff_info.number_data_bands);
++ }
+ viff_pixels=(unsigned char *) AcquireQuantumMemory(MagickMax(number_pixels,
+ max_packets),bytes_per_pixel*sizeof(*viff_pixels));
+ if (viff_pixels == (unsigned char *) NULL)
diff -Nru imagemagick-6.7.7.10/debian/patches/0137-Bug-845213-Suspend-exception-processing-if-there-are-too-many-e.patch imagemagick-6.7.7.10/debian/patches/0137-Bug-845213-Suspend-exception-processing-if-there-are-too-many-e.patch
--- imagemagick-6.7.7.10/debian/patches/0137-Bug-845213-Suspend-exception-processing-if-there-are-too-many-e.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0137-Bug-845213-Suspend-exception-processing-if-there-are-too-many-e.patch 2016-12-18 16:50:17.000000000 -0500
@@ -0,0 +1,240 @@
+From 1c8d232394fdeb3f3fb083d1c6a964ff67d6d353 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 29 May 2016 11:38:56 -0400
+Subject: [PATCH] Suspend exception processing if there are too many exceptions
+
+origin: upstream, https://github.com/ImageMagick/ImageMagick/commit/0474237508f39c4f783208123431815f1ededb76
+bug-debian: htts://bugs.debian.org/845213
+
+(cherry picked from commit 0474237508f39c4f783208123431815f1ededb76)
+---
+ coders/label.c | 12 ++++++----
+ coders/viff.c | 21 +++--------------
+ magick/exception.c | 26 ++++++++++++++++----
+ magick/memory-private.h | 3 +++
+ magick/memory.c | 63 +++++++++++++++++++++++++++++++++----------------
+ 5 files changed, 77 insertions(+), 48 deletions(-)
+
+--- a/coders/label.c
++++ b/coders/label.c
+@@ -169,9 +169,9 @@ static Image *ReadLABELImage(const Image
+ return((Image *) NULL);
+ }
+ if (image->columns == 0)
+- image->columns=(size_t) (metrics.width+draw_info->stroke_width+1.5);
++ image->columns=(size_t) floor(metrics.width+draw_info->stroke_width+1.5);
+ if (image->columns == 0)
+- image->columns=(size_t) (draw_info->pointsize+draw_info->stroke_width+1.5);
++ image->columns=(size_t) floor(draw_info->pointsize+draw_info->stroke_width+1.5);
+ if (draw_info->gravity == UndefinedGravity)
+ {
+ (void) FormatLocaleString(geometry,MaxTextExtent,"%+g%+g",
+--- a/coders/viff.c
++++ b/coders/viff.c
+@@ -57,6 +57,7 @@
+ #include "magick/list.h"
+ #include "magick/magick.h"
+ #include "magick/memory_.h"
++#include "magick/memory-private.h"
+ #include "magick/monitor.h"
+ #include "magick/monitor-private.h"
+ #include "magick/property.h"
+@@ -139,22 +140,6 @@ static MagickBooleanType IsVIFF(const un
+ % o exception: return any errors or warnings in this structure.
+ %
+ */
+-
+-static MagickBooleanType CheckMemoryOverflow(const size_t count,
+- const size_t quantum)
+-{
+- size_t
+- size;
+-
+- size=count*quantum;
+- if ((count == 0) || (quantum != (size/count)))
+- {
+- errno=ENOMEM;
+- return(MagickTrue);
+- }
+- return(MagickFalse);
+-}
+-
+ static Image *ReadVIFFImage(const ImageInfo *image_info,
+ ExceptionInfo *exception)
+ {
+@@ -514,13 +499,13 @@ static Image *ReadVIFFImage(const ImageI
+ }
+ if (viff_info.data_storage_type == VFF_TYP_BIT)
+ {
+- if (CheckMemoryOverflow((image->columns+7UL) >> 3UL,image->rows) != MagickFalse)
++ if (HeapOverflowSanityCheck((image->columns+7UL) >> 3UL,image->rows) != MagickFalse)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ max_packets=((image->columns+7UL) >> 3UL)*image->rows;
+ }
+ else
+ {
+- if (CheckMemoryOverflow(number_pixels,viff_info.number_data_bands) != MagickFalse)
++ if (HeapOverflowSanityCheck(number_pixels,viff_info.number_data_bands) != MagickFalse)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ max_packets=(size_t) (number_pixels*viff_info.number_data_bands);
+ }
+--- a/magick/exception.c
++++ b/magick/exception.c
+@@ -53,6 +53,11 @@
+ #include "magick/utility.h"
+
+ /*
++ Global declarations.
++*/
++#define MaxExceptions 128
++
++/*
+ Forward declarations.
+ */
+ #if defined(__cplusplus) || defined(c_plusplus)
+@@ -202,6 +207,9 @@ MagickExport void CatchException(Excepti
+ register const ExceptionInfo
+ *p;
+
++ ssize_t
++ i;
++
+ assert(exception != (ExceptionInfo *) NULL);
+ assert(exception->signature == MagickSignature);
+ if (exception->exceptions == (void *) NULL)
+@@ -210,14 +218,22 @@ MagickExport void CatchException(Excepti
+ ResetLinkedListIterator((LinkedListInfo *) exception->exceptions);
+ p=(const ExceptionInfo *) GetNextValueInLinkedList((LinkedListInfo *)
+ exception->exceptions);
+- while (p != (const ExceptionInfo *) NULL)
++ for (i=0; p != (const ExceptionInfo *) NULL; i++)
+ {
+- if ((p->severity >= WarningException) && (p->severity < ErrorException))
+- MagickWarning(p->severity,p->reason,p->description);
+- if ((p->severity >= ErrorException) && (p->severity < FatalErrorException))
+- MagickError(p->severity,p->reason,p->description);
+ if (p->severity >= FatalErrorException)
+ MagickFatalError(p->severity,p->reason,p->description);
++ if (i < MaxExceptions)
++ {
++ if ((p->severity >= ErrorException) &&
++ (p->severity < FatalErrorException))
++ MagickError(p->severity,p->reason,p->description);
++ if ((p->severity >= WarningException) && (p->severity < ErrorException))
++ MagickWarning(p->severity,p->reason,p->description);
++ }
++ else
++ if (i == MaxExceptions)
++ MagickError(ResourceLimitError,"too many exceptions",
++ "exception processing suspended");
+ p=(const ExceptionInfo *) GetNextValueInLinkedList((LinkedListInfo *)
+ exception->exceptions);
+ }
+--- a/magick/memory-private.h
++++ b/magick/memory-private.h
+@@ -25,6 +25,9 @@ extern "C" {
+ #define CACHE_LINE_SIZE (16*sizeof(void *))
+ #define CacheAlign(size) ((size) < CACHE_LINE_SIZE ? CACHE_LINE_SIZE : (size))
+
++MagickExport MagickBooleanType
++ HeapOverflowSanityCheck(const size_t,const size_t) magick_alloc_sizes(1,2);
++
+ #if defined(__cplusplus) || defined(c_plusplus)
+ }
+ #endif
+--- a/magick/memory.c
++++ b/magick/memory.c
+@@ -186,28 +186,12 @@ static MagickBooleanType
+ % o quantum: the number of bytes in each quantum.
+ %
+ */
+-
+-static MagickBooleanType CheckMemoryOverflow(const size_t count,
+- const size_t quantum)
+-{
+- size_t
+- size;
+-
+- size=count*quantum;
+- if ((count == 0) || (quantum != (size/count)))
+- {
+- errno=ENOMEM;
+- return(MagickTrue);
+- }
+- return(MagickFalse);
+-}
+-
+ MagickExport void *AcquireAlignedMemory(const size_t count,const size_t quantum)
+ {
+ size_t
+ size;
+
+- if (CheckMemoryOverflow(count,quantum) != MagickFalse)
++ if (HeapOverflowSanityCheck(count,quantum) != MagickFalse)
+ return((void *) NULL);
+ size=count*quantum;
+ #if defined(MAGICKCORE_HAVE_POSIX_MEMALIGN)
+@@ -470,7 +454,7 @@ MagickExport void *AcquireQuantumMemory(
+ size_t
+ extent;
+
+- if (CheckMemoryOverflow(count,quantum) != MagickFalse)
++ if (HeapOverflowSanityCheck(count,quantum) != MagickFalse)
+ return((void *) NULL);
+ extent=count*quantum;
+ return(AcquireMagickMemory(extent));
+@@ -699,6 +683,45 @@ MagickExport void GetMagickMemoryMethods
+ % %
+ % %
+ % %
+++ H e a p O v e r f l o w S a n i t y C h e c k %
++% %
++% %
++% %
++%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
++%
++% HeapOverflowSanityCheck() returns MagickTrue if the heap allocation request
++% does not exceed the maximum limits of a size_t otherwise MagickFalse.
++%
++% The format of the HeapOverflowSanityCheck method is:
++%
++% MagickBooleanType HeapOverflowSanityCheck(const size_t count,
++% const size_t quantum)
++%
++% A description of each parameter follows:
++%
++% o size: the size of the memory in bytes we require.
++%
++*/
++MagickExport MagickBooleanType HeapOverflowSanityCheck(const size_t count,
++ const size_t quantum)
++{
++ size_t
++ size;
++
++ size=count*quantum;
++ if ((count == 0) || (quantum != (size/count)))
++ {
++ errno=ENOMEM;
++ return(MagickTrue);
++ }
++ return(MagickFalse);
++}
++
++/*
++%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
++% %
++% %
++% %
+ % R e l i n q u i s h A l i g n e d M e m o r y %
+ % %
+ % %
+@@ -939,7 +962,7 @@ MagickExport void *ResizeQuantumMemory(v
+ size_t
+ extent;
+
+- if (CheckMemoryOverflow(count,quantum) != MagickFalse)
++ if (HeapOverflowSanityCheck(count,quantum) != MagickFalse)
+ {
+ memory=RelinquishMagickMemory(memory);
+ return((void *) NULL);
diff -Nru imagemagick-6.7.7.10/debian/patches/0138-Bug-845241-Prevent-fault-in-MSL-interpreter.patch imagemagick-6.7.7.10/debian/patches/0138-Bug-845241-Prevent-fault-in-MSL-interpreter.patch
--- imagemagick-6.7.7.10/debian/patches/0138-Bug-845241-Prevent-fault-in-MSL-interpreter.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0138-Bug-845241-Prevent-fault-in-MSL-interpreter.patch 2016-12-18 17:01:09.000000000 -0500
@@ -0,0 +1,25 @@
+From f821477ee7fcd395cf49a8bfb1cd067f05008fdf Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Wed, 2 Nov 2016 17:07:05 -0400
+Subject: [PATCH] Prevent fault in MSL interpreter
+
+origin: upstream, https://github.com/ImageMagick/ImageMagick/commit/56d6e20de489113617cbbddaf41e92600a34db22
+bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30797
+bug-debian: https://bugs.debian.org/845241
+
+(cherry picked from commit 56d6e20de489113617cbbddaf41e92600a34db22)
+---
+ coders/msl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/coders/msl.c
++++ b/coders/msl.c
+@@ -4980,6 +4980,8 @@ static void MSLStartElement(void *contex
+ Image
+ *image;
+
++ if (value == (char *) NULL)
++ break;
+ (void) CopyMagickString(msl_info->image_info[n]->filename,
+ value,MaxTextExtent);
+ image=ReadImage(msl_info->image_info[n],&exception);
diff -Nru imagemagick-6.7.7.10/debian/patches/0139-Bug-845244-Added-check-for-invalid-number-of-frames-in-mat-file.patch imagemagick-6.7.7.10/debian/patches/0139-Bug-845244-Added-check-for-invalid-number-of-frames-in-mat-file.patch
--- imagemagick-6.7.7.10/debian/patches/0139-Bug-845244-Added-check-for-invalid-number-of-frames-in-mat-file.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0139-Bug-845244-Added-check-for-invalid-number-of-frames-in-mat-file.patch 2016-12-18 17:04:11.000000000 -0500
@@ -0,0 +1,27 @@
+From 426e56c65935995029a77538ea71ff3a68407a10 Mon Sep 17 00:00:00 2001
+From: dirk <dirk@git.imagemagick.org>
+Date: Sun, 29 May 2016 08:15:48 +0200
+Subject: [PATCH] Added check for invalid number of frames in mat file
+
+Fix crash for corrupted files
+(cherry picked from commit 8a370f9ab120faf182aa160900ba692ba8e2bcf0)
+
+Origin: upstream, https://github.com/ImageMagick/ImageMagick/commit/8a370f9ab120faf182aa160900ba692ba8e2bcf0
+bug-debian: https;//bugs.debian.org/845244
+---
+ coders/mat.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/coders/mat.c
++++ b/coders/mat.c
+@@ -736,7 +736,9 @@ MATLAB_KO: ThrowReaderException(CorruptI
+ case 16: z2=z = ReadBlobXXXLong(image2); /* 4D matrix animation */
+ if(z!=3 && z!=1)
+ ThrowReaderException(CoderError, "MultidimensionalMatricesAreNotSupported");
+- Frames = ReadBlobXXXLong(image2);
++ Frames = ReadBlobXXXLong(image2);
++ if (Frames == 0)
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ break;
+ default: ThrowReaderException(CoderError, "MultidimensionalMatricesAreNotSupported");
+ }
diff -Nru imagemagick-6.7.7.10/debian/patches/0140-Bug-845246-Partial-fix-for-out-of-bound-access-of-mat-file.patch imagemagick-6.7.7.10/debian/patches/0140-Bug-845246-Partial-fix-for-out-of-bound-access-of-mat-file.patch
--- imagemagick-6.7.7.10/debian/patches/0140-Bug-845246-Partial-fix-for-out-of-bound-access-of-mat-file.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0140-Bug-845246-Partial-fix-for-out-of-bound-access-of-mat-file.patch 2016-12-18 17:31:43.000000000 -0500
@@ -0,0 +1,36 @@
+From 485a43cb1eeb6634f872eafcad55ba80cabc68bf Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sun, 14 Feb 2016 09:24:32 -0500
+Subject: [PATCH] Partial fix for out of bound access of mat file
+
+Fix an out of bound read in mat file due to insuffisant allocation
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/131
+origin: https://github.com/ImageMagick/ImageMagick/commit/f3b483e8b054c50149912523b4773687e18afe25
+bug-debian: https://bugs.Debian.org/845246
+bug-ubuntu: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1545366
+
+(cherry picked from commit f3b483e8b054c50149912523b4773687e18afe25)
+---
+ coders/mat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/coders/mat.c
++++ b/coders/mat.c
+@@ -888,7 +888,7 @@ NEXT_FRAME:
+ }
+
+ /* ----- Load raster data ----- */
+- BImgBuff = (unsigned char *) AcquireQuantumMemory((size_t) (ldblk),sizeof(unsigned char *)); /* Ldblk was set in the check phase */
++ BImgBuff = (unsigned char *) AcquireQuantumMemory((size_t) (ldblk),sizeof(double)); /* Ldblk was set in the check phase */
+ if (BImgBuff == NULL)
+ goto NoMemory;
+
+@@ -949,6 +949,7 @@ ImportQuantumPixelsFailed:
+ }
+ }
+ } while(z-- >= 2);
++ quantum_info=DestroyQuantumInfo(quantum_info);
+ ExitLoop:
+
+
diff -Nru imagemagick-6.7.7.10/debian/patches/0161-Do-not-ignore-SetImageBias-bias-value.patch imagemagick-6.7.7.10/debian/patches/0161-Do-not-ignore-SetImageBias-bias-value.patch
--- imagemagick-6.7.7.10/debian/patches/0161-Do-not-ignore-SetImageBias-bias-value.patch 1969-12-31 19:00:00.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/0161-Do-not-ignore-SetImageBias-bias-value.patch 2016-12-18 18:17:05.000000000 -0500
@@ -0,0 +1,1414 @@
+From 45b2d5aefde5f5ccd4f1bd6f810becfe7af7f9aa Mon Sep 17 00:00:00 2001
+From: cristy <urban-warrior@git.imagemagick.org>
+Date: Sun, 14 Dec 2014 23:36:27 +0000
+Subject: [PATCH] Do not ignore SetImageBias() bias value
+
+This patch is needed in order to bail out early in case of exception, and thus avoiding a DOS
+
+origin: upstream, https://github.com/ImageMagick/ImageMagick/commit/f6e9d0d9955e85bdd7540b251cd50d598dacc5e6
+---
+ coders/aai.c | 6 ++++++
+ coders/art.c | 6 ++++++
+ coders/avs.c | 6 ++++++
+ coders/bgr.c | 6 ++++++
+ coders/bmp.c | 6 ++++++
+ coders/cin.c | 8 +++++++-
+ coders/clipboard.c | 10 ++++++++--
+ coders/cmyk.c | 6 ++++++
+ coders/cut.c | 8 +++++++-
+ coders/dcm.c | 6 ++++++
+ coders/dds.c | 6 ++++++
+ coders/dib.c | 8 +++++++-
+ coders/djvu.c | 9 ++++++++-
+ coders/dps.c | 6 ++++++
+ coders/dpx.c | 6 ++++++
+ coders/emf.c | 6 ++++++
+ coders/exr.c | 6 ++++++
+ coders/fax.c | 6 ++++++
+ coders/fits.c | 6 ++++++
+ coders/fpx.c | 6 ++++++
+ coders/gif.c | 6 ++++++
+ coders/gray.c | 6 ++++++
+ coders/hald.c | 9 +++++++--
+ coders/hdr.c | 6 ++++++
+ coders/hrz.c | 6 ++++++
+ coders/icon.c | 6 ++++++
+ coders/ipl.c | 8 +++++++-
+ coders/jbig.c | 6 ++++++
+ coders/jp2.c | 6 ++++++
+ coders/jpeg.c | 6 ++++++
+ coders/label.c | 6 ++++++
+ coders/mac.c | 6 ++++++
+ coders/map.c | 6 ++++++
+ coders/mat.c | 6 ++++++
+ coders/miff.c | 6 ++++++
+ coders/mono.c | 6 ++++++
+ coders/mpc.c | 6 ++++++
+ coders/mtv.c | 6 ++++++
+ coders/mvg.c | 6 ++++++
+ coders/null.c | 9 +++++++++
+ coders/otb.c | 6 ++++++
+ coders/palm.c | 6 ++++++
+ coders/pango.c | 10 ++++++++--
+ coders/pcd.c | 6 ++++++
+ coders/pcx.c | 6 ++++++
+ coders/pdb.c | 6 ++++++
+ coders/pict.c | 6 ++++++
+ coders/pix.c | 6 ++++++
+ coders/psd.c | 6 ++++++
+ coders/raw.c | 6 ++++++
+ coders/rgb.c | 6 ++++++
+ coders/rgf.c | 8 ++++++--
+ coders/rla.c | 6 ++++++
+ coders/rle.c | 6 ++++++
+ coders/scr.c | 6 ++++++
+ coders/screenshot.c | 10 +++++++++-
+ coders/sct.c | 6 ++++++
+ coders/sgi.c | 6 ++++++
+ coders/sixel.c | 7 ++++++-
+ coders/stegano.c | 6 ++++++
+ coders/sun.c | 6 ++++++
+ coders/svg.c | 6 ++++++
+ coders/tga.c | 6 ++++++
+ coders/tiff.c | 6 ++++++
+ coders/tile.c | 9 +++++++++
+ coders/tim.c | 6 ++++++
+ coders/ttf.c | 6 ++++++
+ coders/txt.c | 12 ++++++++++++
+ coders/uyvy.c | 6 ++++++
+ coders/vicar.c | 6 ++++++
+ coders/viff.c | 6 ++++++
+ coders/vips.c | 6 ++++++
+ coders/wbmp.c | 6 ++++++
+ coders/webp.c | 6 ++++++
+ coders/wmf.c | 9 +++++++++
+ coders/wpg.c | 6 ++++++
+ coders/xbm.c | 6 ++++++
+ coders/xc.c | 6 ++++++
+ coders/xcf.c | 6 ++++++
+ coders/xpm.c | 6 ++++++
+ coders/xwd.c | 6 ++++++
+ coders/ycbcr.c | 12 ++++++++++++
+ coders/yuv.c | 12 ++++++++++++
+ 83 files changed, 539 insertions(+), 15 deletions(-)
+
+--- a/coders/aai.c
++++ b/coders/aai.c
+@@ -157,6 +157,12 @@ static Image *ReadAAIImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ pixels=(unsigned char *) AcquireQuantumMemory(image->columns,
+ 4*sizeof(*pixels));
+ if (pixels == (unsigned char *) NULL)
+--- a/coders/art.c
++++ b/coders/art.c
+@@ -152,6 +152,12 @@ static Image *ReadARTImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Convert bi-level image to pixel packets.
+ */
+--- a/coders/avs.c
++++ b/coders/avs.c
+@@ -157,6 +157,12 @@ static Image *ReadAVSImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ pixels=(unsigned char *) AcquireQuantumMemory(image->columns,
+ 4*sizeof(*pixels));
+ if (pixels == (unsigned char *) NULL)
+--- a/coders/bgr.c
++++ b/coders/bgr.c
+@@ -195,6 +195,12 @@ static Image *ReadBGRImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ switch (image_info->interlace)
+ {
+ case NoInterlace:
+--- a/coders/bmp.c
++++ b/coders/bmp.c
+@@ -902,6 +902,12 @@ static Image *ReadBMPImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Read image data.
+ */
+--- a/coders/cin.c
++++ b/coders/cin.c
+@@ -690,11 +690,17 @@ static Image *ReadCINImage(const ImageIn
+ image->depth=cin.image.channel[0].bits_per_pixel;
+ image->columns=cin.image.channel[0].pixels_per_line;
+ image->rows=cin.image.channel[0].lines_per_image;
+- if (image_info->ping)
++ if (image_info->ping != MagickFalse)
+ {
+ (void) CloseBlob(image);
+ return(image);
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Convert CIN raster image to pixel packets.
+ */
+--- a/coders/clipboard.c
++++ b/coders/clipboard.c
+@@ -134,7 +134,7 @@ static Image *ReadCLIPBOARDImage(const I
+ bitmapH=(HBITMAP) GetClipboardData(CF_BITMAP);
+ hPal=(HPALETTE) GetClipboardData(CF_PALETTE);
+ CloseClipboard();
+- if ( bitmapH == NULL )
++ if (bitmapH == NULL)
+ ThrowReaderException(CoderError,"NoBitmapOnClipboard");
+ {
+ BITMAPINFO
+@@ -161,8 +161,14 @@ static Image *ReadCLIPBOARDImage(const I
+ GetObject(bitmapH,sizeof(BITMAP),(LPSTR) &bitmap);
+ if ((image->columns == 0) || (image->rows == 0))
+ {
+- image->rows=bitmap.bmHeight;
+ image->columns=bitmap.bmWidth;
++ image->rows=bitmap.bmHeight;
++ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
+ }
+ /*
+ Initialize the bitmap header info.
+--- a/coders/cmyk.c
++++ b/coders/cmyk.c
+@@ -195,6 +195,12 @@ static Image *ReadCMYKImage(const ImageI
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ SetImageColorspace(image,CMYKColorspace);
+ switch (image_info->interlace)
+ {
+--- a/coders/cut.c
++++ b/coders/cut.c
+@@ -367,7 +367,13 @@ static Image *ReadCUTImage(const ImageIn
+ image->depth=8;
+ image->colors=(size_t) (GetQuantumRange(1UL*i)+1);
+
+- if (image_info->ping) goto Finish;
++ if (image_info->ping != MagickFalse) goto Finish;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+
+ /* ----- Do something with palette ----- */
+ if ((clone_info=CloneImageInfo(image_info)) == NULL) goto NoPalette;
+--- a/coders/dcm.c
++++ b/coders/dcm.c
+@@ -3648,6 +3648,12 @@ static Image *ReadDCMImage(const ImageIn
+ image->columns=(size_t) width;
+ image->rows=(size_t) height;
+ image->depth=depth;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ break;
++ }
+ if ((image->colormap == (PixelPacket *) NULL) && (samples_per_pixel == 1))
+ {
+ size_t
+--- a/coders/dds.c
++++ b/coders/dds.c
+@@ -388,6 +388,12 @@ static Image *ReadDDSImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+
+ if ((decoder)(image, &dds_info) != MagickTrue)
+ {
+--- a/coders/dib.c
++++ b/coders/dib.c
+@@ -519,7 +519,7 @@ static Image *ReadDIBImage(const ImageIn
+ */
+ (void) ResetMagickMemory(&dib_info,0,sizeof(dib_info));
+ dib_info.size=ReadBlobLSBLong(image);
+- if (dib_info.size!=40)
++ if (dib_info.size != 40)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ /*
+ Microsoft Windows 3.X DIB image file.
+@@ -605,6 +605,12 @@ static Image *ReadDIBImage(const ImageIn
+ if ((geometry.height != 0) && (geometry.height < image->rows))
+ image->rows=geometry.height;
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ if (image->storage_class == PseudoClass)
+ {
+ size_t
+--- a/coders/djvu.c
++++ b/coders/djvu.c
+@@ -417,7 +417,7 @@ get_page_image(LoadContext *lc, ddjvu_pa
+ if (SyncAuthenticPixels(image,&image->exception) == MagickFalse)
+ break;
+ }
+- if (!image->ping)
++ if (image->ping == MagickFalse)
+ SyncImage(image);
+ } else {
+ #if DEBUG
+@@ -576,6 +576,7 @@ static Image *ReadOneDJVUImage(LoadConte
+ Image *image;
+ int logging;
+ int tag;
++ MagickBooleanType status;
+
+ /* so, we know that the page is there! Get its dimension, and */
+
+@@ -666,6 +667,12 @@ static Image *ReadOneDJVUImage(LoadConte
+ image->matte = MagickTrue;
+ /* is this useful? */
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ #if DEBUG
+ printf("now filling %.20g x %.20g\n",(double) image->columns,(double)
+ image->rows);
+--- a/coders/dps.c
++++ b/coders/dps.c
+@@ -327,6 +327,12 @@ static Image *ReadDPSImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ switch (image->storage_class)
+ {
+ case DirectClass:
+--- a/coders/dpx.c
++++ b/coders/dpx.c
+@@ -1018,6 +1018,12 @@ static Image *ReadDPXImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Convert DPX raster image to pixel packets.
+ */
+--- a/coders/emf.c
++++ b/coders/emf.c
+@@ -507,6 +507,12 @@ static Image *ReadEMFImage(const ImageIn
+ y=0;
+ (void) GetGeometry(image_info->size,&x,&y,&image->columns,&image->rows);
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ if (image_info->page != (char *) NULL)
+ {
+ char
+--- a/coders/exr.c
++++ b/coders/exr.c
+@@ -211,6 +211,12 @@ static Image *ReadEXRImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ scanline=(ImfRgba *) AcquireQuantumMemory(image->columns,sizeof(*scanline));
+ if (scanline == (ImfRgba *) NULL)
+ {
+--- a/coders/fax.c
++++ b/coders/fax.c
+@@ -177,6 +177,12 @@ static Image *ReadFAXImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ status=HuffmanDecodeImage(image);
+ if (status == MagickFalse)
+ ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+--- a/coders/fits.c
++++ b/coders/fits.c
+@@ -419,6 +419,12 @@ static Image *ReadFITSImage(const ImageI
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Initialize image structure.
+ */
+--- a/coders/fpx.c
++++ b/coders/fpx.c
+@@ -384,6 +384,12 @@ static Image *ReadFPXImage(const ImageIn
+ FPX_ClearSystem();
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Allocate memory for the image and pixel buffer.
+ */
+--- a/coders/gif.c
++++ b/coders/gif.c
+@@ -1342,6 +1342,12 @@ static Image *ReadGIFImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Decode image.
+ */
+--- a/coders/gray.c
++++ b/coders/gray.c
+@@ -185,6 +185,12 @@ static Image *ReadGRAYImage(const ImageI
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ if (scene == 0)
+ {
+ length=GetQuantumExtent(canvas_image,quantum_info,quantum_type);
+--- a/coders/hald.c
++++ b/coders/hald.c
+@@ -124,6 +124,12 @@ static Image *ReadHALDImage(const ImageI
+ cube_size=level*level;
+ image->columns=(size_t) (level*cube_size);
+ image->rows=(size_t) (level*cube_size);
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ #if defined(MAGICKCORE_OPENMP_SUPPORT)
+ #pragma omp parallel for schedule(static,8) shared(status) \
+ dynamic_number_threads(image,image->columns,image->rows,1)
+@@ -140,8 +146,7 @@ static Image *ReadHALDImage(const ImageI
+
+ if (status == MagickFalse)
+ continue;
+- q=QueueAuthenticPixels(image,0,y,image->columns,(size_t) level,
+- exception);
++ q=QueueAuthenticPixels(image,0,y,image->columns,(size_t) level,exception);
+ if (q == (PixelPacket *) NULL)
+ {
+ status=MagickFalse;
+--- a/coders/hdr.c
++++ b/coders/hdr.c
+@@ -380,6 +380,12 @@ static Image *ReadHDRImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Read RGBE (red+green+blue+exponent) pixels.
+ */
+--- a/coders/hrz.c
++++ b/coders/hrz.c
+@@ -141,6 +141,12 @@ static Image *ReadHRZImage(const ImageIn
+ image->columns=256;
+ image->rows=240;
+ image->depth=8;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ pixels=(unsigned char *) AcquireQuantumMemory(image->columns,3*
+ sizeof(*pixels));
+ if (pixels == (unsigned char *) NULL)
+--- a/coders/icon.c
++++ b/coders/icon.c
+@@ -398,6 +398,12 @@ static Image *ReadICONImage(const ImageI
+ (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ bytes_per_line=(((image->columns*icon_info.bits_per_pixel)+31) &
+ ~31) >> 3;
+ (void) bytes_per_line;
+--- a/coders/ipl.c
++++ b/coders/ipl.c
+@@ -312,9 +312,15 @@ static Image *ReadIPLImage(const ImageIn
+ {
+ SetHeaderFromIPL(image, &ipl_info);
+
+- if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
++ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ printf("Length: %.20g, Memory size: %.20g\n", (double) length,(double)
+ image->depth);
+--- a/coders/jbig.c
++++ b/coders/jbig.c
+@@ -217,6 +217,12 @@ static Image *ReadJBIGImage(const ImageI
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Convert X bitmap image to pixel packets.
+ */
+--- a/coders/jp2.c
++++ b/coders/jp2.c
+@@ -403,6 +403,12 @@ static Image *ReadJP2Image(const ImageIn
+ }
+ image->columns=jas_image_width(jp2_image);
+ image->rows=jas_image_height(jp2_image);
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ image->compression=JPEG2000Compression;
+ switch (jas_clrspc_fam(jas_image_clrspc(jp2_image)))
+ {
+--- a/coders/jpeg.c
++++ b/coders/jpeg.c
+@@ -1231,6 +1231,12 @@ static Image *ReadJPEGImage(const ImageI
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ jpeg_pixels=(JSAMPLE *) AcquireQuantumMemory((size_t) image->columns,
+ jpeg_info.output_components*sizeof(JSAMPLE));
+ if (jpeg_pixels == (JSAMPLE *) NULL)
+--- a/coders/label.c
++++ b/coders/label.c
+@@ -192,6 +192,12 @@ static Image *ReadLABELImage(const Image
+ if (image->rows == 0)
+ image->rows=(size_t) floor(draw_info->pointsize+draw_info->stroke_width+
+ 0.5);
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ if (SetImageBackgroundColor(image) == MagickFalse)
+ {
+ InheritException(exception,&image->exception);
+--- a/coders/mac.c
++++ b/coders/mac.c
+@@ -155,6 +155,12 @@ static Image *ReadMACImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Convert MAC raster image to pixel packets.
+ */
+--- a/coders/map.c
++++ b/coders/map.c
+@@ -205,6 +205,12 @@ static Image *ReadMAPImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Read image pixels.
+ */
+--- a/coders/mat.c
++++ b/coders/mat.c
+@@ -878,6 +878,13 @@ NEXT_FRAME:
+ goto done_reading; /* !!!!!! BAD !!!! */
+ }
+
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
++
+ /* ----- Load raster data ----- */
+ BImgBuff = (unsigned char *) AcquireQuantumMemory((size_t) (ldblk),sizeof(unsigned char *)); /* Ldblk was set in the check phase */
+ if (BImgBuff == NULL)
+--- a/coders/miff.c
++++ b/coders/miff.c
+@@ -1232,6 +1232,12 @@ static Image *ReadMIFFImage(const ImageI
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Allocate image pixels.
+ */
+--- a/coders/mono.c
++++ b/coders/mono.c
+@@ -153,6 +153,12 @@ static Image *ReadMONOImage(const ImageI
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Convert bi-level image to pixel packets.
+ */
+--- a/coders/mpc.c
++++ b/coders/mpc.c
+@@ -914,6 +914,12 @@ static Image *ReadMPCImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Attach persistent pixel cache.
+ */
+--- a/coders/mtv.c
++++ b/coders/mtv.c
+@@ -157,6 +157,12 @@ static Image *ReadMTVImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Convert MTV raster image to pixel packets.
+ */
+--- a/coders/mvg.c
++++ b/coders/mvg.c
+@@ -189,6 +189,12 @@ static Image *ReadMVGImage(const ImageIn
+ DefaultResolution;
+ image->columns=(size_t) (draw_info->affine.sx*image->columns);
+ image->rows=(size_t) (draw_info->affine.sy*image->rows);
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ if (SetImageBackgroundColor(image) == MagickFalse)
+ {
+ InheritException(exception,&image->exception);
+--- a/coders/null.c
++++ b/coders/null.c
+@@ -99,6 +99,9 @@ static Image *ReadNULLImage(const ImageI
+ Image
+ *image;
+
++ MagickBooleanType
++ status;
++
+ MagickPixelPacket
+ background;
+
+@@ -129,6 +132,12 @@ static Image *ReadNULLImage(const ImageI
+ image->columns=1;
+ if (image->rows == 0)
+ image->rows=1;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ image->matte=MagickTrue;
+ GetMagickPixelPacket(image,&background);
+ background.opacity=(MagickRealType) TransparentOpacity;
+--- a/coders/otb.c
++++ b/coders/otb.c
+@@ -167,6 +167,12 @@ static Image *ReadOTBImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Convert bi-level image to pixel packets.
+ */
+--- a/coders/palm.c
++++ b/coders/palm.c
+@@ -328,6 +328,12 @@ static Image *ReadPALMImage(const ImageI
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if ((image->columns == 0) || (image->rows == 0))
+ ThrowReaderException(CorruptImageError,"NegativeOrZeroImageSize");
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ bytes_per_row=ReadBlobMSBShort(image);
+ flags=ReadBlobMSBShort(image);
+ bits_per_pixel=(size_t) ReadBlobByte(image);
+--- a/coders/pango.c
++++ b/coders/pango.c
+@@ -367,10 +367,16 @@ static Image *ReadPANGOImage(const Image
+ pango_layout_set_height(layout,(int) ((PANGO_SCALE*image->rows*
+ image->y_resolution+36.0)/72.0+0.5));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Render markup.
+ */
+- stride=(size_t) cairo_format_stride_for_width(CAIRO_FORMAT_ARGB32,
++ stride=(size_t) cairo_format_stride_for_width(CAIRO_FORMAT_ARGB32,(int)
+ image->columns);
+ pixels=(unsigned char *) AcquireQuantumMemory(image->rows,stride*
+ sizeof(*pixels));
+--- a/coders/pcd.c
++++ b/coders/pcd.c
+@@ -586,6 +586,12 @@ static Image *ReadPCDImage(const ImageIn
+ image->columns<<=1;
+ image->rows<<=1;
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Allocate luma and chroma memory.
+ */
+--- a/coders/pcx.c
++++ b/coders/pcx.c
+@@ -382,6 +382,12 @@ static Image *ReadPCXImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Read image data.
+ */
+--- a/coders/pdb.c
++++ b/coders/pdb.c
+@@ -397,6 +397,12 @@ static Image *ReadPDBImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ packets=(bits_per_pixel*image->columns+7)/8;
+ pixels=(unsigned char *) AcquireQuantumMemory(packets+257UL,image->rows*
+ sizeof(*pixels));
+--- a/coders/pict.c
++++ b/coders/pict.c
+@@ -906,6 +906,12 @@ static Image *ReadPICTImage(const ImageI
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ if ((version == 1) || ((TellBlob(image) % 2) != 0))
+ code=ReadBlobByte(image);
+ if (version == 2)
+--- a/coders/pix.c
++++ b/coders/pix.c
+@@ -160,6 +160,12 @@ static Image *ReadPIXImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Convert PIX raster image to pixel packets.
+ */
+--- a/coders/psd.c
++++ b/coders/psd.c
+@@ -844,6 +844,12 @@ static Image *ReadPSDImage(const ImageIn
+ image->depth=psd_info.depth;
+ image->columns=psd_info.columns;
+ image->rows=psd_info.rows;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ if (SetImageBackgroundColor(image) == MagickFalse)
+ {
+ InheritException(exception,&image->exception);
+--- a/coders/raw.c
++++ b/coders/raw.c
+@@ -180,6 +180,12 @@ static Image *ReadRAWImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ if (scene == 0)
+ {
+ length=GetQuantumExtent(canvas_image,quantum_info,quantum_type);
+--- a/coders/rgb.c
++++ b/coders/rgb.c
+@@ -199,6 +199,12 @@ static Image *ReadRGBImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ switch (image_info->interlace)
+ {
+ case NoInterlace:
+--- a/coders/rla.c
++++ b/coders/rla.c
+@@ -259,6 +259,12 @@ static Image *ReadRLAImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ scanlines=(ssize_t *) AcquireQuantumMemory(image->rows,sizeof(*scanlines));
+ if (scanlines == (ssize_t *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+--- a/coders/rle.c
++++ b/coders/rle.c
+@@ -305,6 +305,12 @@ static Image *ReadRLEImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Allocate RLE pixels.
+ */
+--- a/coders/scr.c
++++ b/coders/scr.c
+@@ -155,6 +155,12 @@ static Image *ReadSCRImage(const ImageIn
+ }
+ image->columns = 256;
+ image->rows = 192;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ count=ReadBlob(image,6144,(unsigned char *) zxscr);
+ (void) count;
+ count=ReadBlob(image,768,(unsigned char *) zxattr);
+--- a/coders/sct.c
++++ b/coders/sct.c
+@@ -223,6 +223,12 @@ static Image *ReadSCTImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Convert SCT raster image to pixel packets.
+ */
+--- a/coders/sgi.c
++++ b/coders/sgi.c
+@@ -373,6 +373,12 @@ static Image *ReadSGIImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Allocate SGI pixels.
+ */
+--- a/coders/stegano.c
++++ b/coders/stegano.c
+@@ -168,6 +168,12 @@ static Image *ReadSTEGANOImage(const Ima
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Get hidden watermark from low-order bits of image.
+ */
+--- a/coders/sun.c
++++ b/coders/sun.c
+@@ -402,6 +402,12 @@ static Image *ReadSUNImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ if ((sun_info.length*sizeof(*sun_data))/sizeof(*sun_data) !=
+ sun_info.length || !sun_info.length)
+ ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
+--- a/coders/svg.c
++++ b/coders/svg.c
+@@ -2858,6 +2858,12 @@ static Image *ReadSVGImage(const ImageIn
+ image->columns=gdk_pixbuf_get_width(pixel_info);
+ image->rows=gdk_pixbuf_get_height(pixel_info);
+ #endif
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ image->matte=MagickTrue;
+ SetImageProperty(image,"svg:base-uri",
+ rsvg_handle_get_base_uri(svg_handle));
+--- a/coders/tga.c
++++ b/coders/tga.c
+@@ -288,6 +288,12 @@ static Image *ReadTGAImage(const ImageIn
+ (void) SetImageProperty(image,"comment",comment);
+ comment=DestroyString(comment);
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ (void) ResetMagickMemory(&pixel,0,sizeof(pixel));
+ pixel.opacity=(Quantum) OpaqueOpacity;
+ if (tga_info.colormap_type != 0)
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1017,6 +1017,12 @@ static Image *ReadTIFFImage(const ImageI
+ image->columns=(size_t) width;
+ image->rows=(size_t) height;
+ image->depth=(size_t) bits_per_sample;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ if (image->debug != MagickFalse)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Image depth: %.20g",
+ (double) image->depth);
+--- a/coders/tile.c
++++ b/coders/tile.c
+@@ -94,6 +94,9 @@ static Image *ReadTILEImage(const ImageI
+ ImageInfo
+ *read_info;
+
++ MagickBooleanType
++ status;
++
+ /*
+ Initialize Image structure.
+ */
+@@ -114,6 +117,12 @@ static Image *ReadTILEImage(const ImageI
+ image=AcquireImage(image_info);
+ if ((image->columns == 0) || (image->rows == 0))
+ ThrowReaderException(OptionError,"MustSpecifyImageSize");
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ if (*image_info->filename == '\0')
+ ThrowReaderException(OptionError,"MustSpecifyAnImageName");
+ image->colorspace=tile_image->colorspace;
+--- a/coders/tim.c
++++ b/coders/tim.c
+@@ -221,6 +221,12 @@ static Image *ReadTIMImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Read image data.
+ */
+--- a/coders/ttf.c
++++ b/coders/ttf.c
+@@ -226,6 +226,12 @@ static Image *ReadTTFImage(const ImageIn
+ image=DestroyImageList(image);
+ return((Image *) NULL);
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Color canvas with background color
+ */
+--- a/coders/txt.c
++++ b/coders/txt.c
+@@ -227,6 +227,12 @@ static Image *ReadTEXTImage(const ImageI
+ delta.x)+0.5);
+ image->rows=(size_t) floor((((double) page.height*image->y_resolution)/
+ delta.y)+0.5);
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ image->page.x=0;
+ image->page.y=0;
+ texture=(Image *) NULL;
+@@ -431,6 +437,12 @@ static Image *ReadTXTImage(const ImageIn
+ image->rows=height;
+ for (depth=1; (GetQuantumRange(depth)+1) < max_value; depth++) ;
+ image->depth=depth;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ LocaleLower(colorspace);
+ i=(ssize_t) strlen(colorspace)-1;
+ image->matte=MagickFalse;
+--- a/coders/uyvy.c
++++ b/coders/uyvy.c
+@@ -144,6 +144,12 @@ static Image *ReadUYVYImage(const ImageI
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Accumulate UYVY, then unpack into two pixels.
+ */
+--- a/coders/vicar.c
++++ b/coders/vicar.c
+@@ -285,6 +285,12 @@ static Image *ReadVICARImage(const Image
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Read VICAR pixels.
+ */
+--- a/coders/viff.c
++++ b/coders/viff.c
+@@ -495,6 +495,12 @@ static Image *ReadVIFFImage(const ImageI
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Allocate VIFF pixels.
+ */
+--- a/coders/wbmp.c
++++ b/coders/wbmp.c
+@@ -184,6 +184,12 @@ static Image *ReadWBMPImage(const ImageI
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Convert bi-level image to pixel packets.
+ */
+--- a/coders/webp.c
++++ b/coders/webp.c
+@@ -162,6 +162,12 @@ static Image *ReadWEBPImage(const ImageI
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ image->columns=(size_t) width;
+ image->rows=(size_t) height;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ p=pixels;
+ for (y=0; y < (ssize_t) image->rows; y++)
+ {
+--- a/coders/wmf.c
++++ b/coders/wmf.c
+@@ -2574,6 +2574,9 @@ static Image *ReadWMFImage(const ImageIn
+ Image
+ *image;
+
++ MagickBooleanType
++ status;
++
+ unsigned long
+ wmf_options_flags = 0;
+
+@@ -2865,6 +2868,12 @@ static Image *ReadWMFImage(const ImageIn
+ "leave ReadWMFImage()");
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ if (image->debug != MagickFalse)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " Creating canvas image with size %lux%lu",(unsigned long) image->rows,
+--- a/coders/wpg.c
++++ b/coders/wpg.c
+@@ -1411,6 +1411,12 @@ static Image *ReadWPGImage(const ImageIn
+ ThrowReaderException(CoderError,"DataEncodingSchemeIsNotSupported");
+ }
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+
+ Finish:
+ (void) CloseBlob(image);
+--- a/coders/xbm.c
++++ b/coders/xbm.c
+@@ -293,6 +293,12 @@ static Image *ReadXBMImage(const ImageIn
+ (void) CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ Initialize hex values.
+ */
+--- a/coders/xc.c
++++ b/coders/xc.c
+@@ -130,6 +130,12 @@ static Image *ReadXCImage(const ImageInf
+ image->columns=1;
+ if (image->rows == 0)
+ image->rows=1;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ (void) CopyMagickString(image->filename,image_info->filename,MaxTextExtent);
+ status=QueryMagickColor((char *) image_info->filename,&color,exception);
+ if (status == MagickFalse)
+--- a/coders/xcf.c
++++ b/coders/xcf.c
+@@ -1279,6 +1279,12 @@ static Image *ReadXCFImage(const ImageIn
+ XCFLayerInfo
+ *layer_info;
+
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ /*
+ the read pointer
+ */
+--- a/coders/xpm.c
++++ b/coders/xpm.c
+@@ -402,6 +402,12 @@ static Image *ReadXPMImage(const ImageIn
+ /*
+ Read image pixels.
+ */
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ for (y=0; y < (ssize_t) image->rows; y++)
+ {
+ p=NextXPMLine(p);
+--- a/coders/xwd.c
++++ b/coders/xwd.c
+@@ -398,6 +398,12 @@ static Image *ReadXWDImage(const ImageIn
+ image->columns=(size_t) ximage->width;
+ image->rows=(size_t) ximage->height;
+ image->depth=8;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ if ((header.ncolors == 0U) || (ximage->red_mask != 0) ||
+ (ximage->green_mask != 0) || (ximage->blue_mask != 0))
+ image->storage_class=DirectClass;
+--- a/coders/ycbcr.c
++++ b/coders/ycbcr.c
+@@ -147,6 +147,12 @@ static Image *ReadYCBCRImage(const Image
+ image=AcquireImage(image_info);
+ if ((image->columns == 0) || (image->rows == 0))
+ ThrowReaderException(OptionError,"MustSpecifyImageSize");
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ SetImageColorspace(image,YCbCrColorspace);
+ if (image_info->interlace != PartitionInterlace)
+ {
+@@ -202,6 +208,12 @@ static Image *ReadYCBCRImage(const Image
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ SetImageColorspace(image,YCbCrColorspace);
+ switch (image_info->interlace)
+ {
+--- a/coders/yuv.c
++++ b/coders/yuv.c
+@@ -145,6 +145,12 @@ static Image *ReadYUVImage(const ImageIn
+ image=AcquireImage(image_info);
+ if ((image->columns == 0) || (image->rows == 0))
+ ThrowReaderException(OptionError,"MustSpecifyImageSize");
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ quantum=(size_t) (image->depth <= 8 ? 1 : 2);
+ interlace=image_info->interlace;
+ horizontal_factor=2;
+@@ -211,6 +217,12 @@ static Image *ReadYUVImage(const ImageIn
+ if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
+ if (image->scene >= (image_info->scene+image_info->number_scenes-1))
+ break;
++ status=SetImageExtent(image,image->columns,image->rows);
++ if (status == MagickFalse)
++ {
++ InheritException(exception,&image->exception);
++ return(DestroyImageList(image));
++ }
+ if (interlace == PartitionInterlace)
+ {
+ AppendImageFormat("Y",image->filename);
diff -Nru imagemagick-6.7.7.10/debian/patches/series imagemagick-6.7.7.10/debian/patches/series
--- imagemagick-6.7.7.10/debian/patches/series 2016-12-01 23:45:40.000000000 -0500
+++ imagemagick-6.7.7.10/debian/patches/series 2016-12-18 17:34:45.000000000 -0500
@@ -103,3 +103,20 @@
0122-CVE-2016-7539-Fix-potential-DOS-by-not-releasing-memory.patch
0123-Bug-833730-Prevent-buffer-overflow-in-draw.c.patch
0124-Bug-833735-Fix-loading-arbitrary-module-from-user-side.patch
+0125-CVE-2016-7799.patch
+0126-CVE-2016-7906.patch
+0127-CVE-2016-8677.patch
+0128-CVE-2016-8707.patch
+0129-CVE-2016-8862.patch
+0130-CVE-2016-9556.patch
+0131-CVE-2016-9559.patch
+0132-Bug-845195-TIFF-file-buffer-overflow.patch
+0133-Bug-845196-Check-return-of-write-function.patch
+0134-Bug-845198-Check-validity-of-extend-during-TIFF-file-reading.patch
+0135-Bug-845202-Improve-buffer-flow-sanity-check-for-TIFF.patch
+0136-Bug-845212-Fix-out-of-bound-read-in-viff-file-handling.patch
+0161-Do-not-ignore-SetImageBias-bias-value.patch
+0137-Bug-845213-Suspend-exception-processing-if-there-are-too-many-e.patch
+0138-Bug-845241-Prevent-fault-in-MSL-interpreter.patch
+0139-Bug-845244-Added-check-for-invalid-number-of-frames-in-mat-file.patch
+0140-Bug-845246-Partial-fix-for-out-of-bound-access-of-mat-file.patch
I have prepared a ImageMagick (IM) security update. Considering the
large number of patches involved (17) and the ... fuzziness of the
patches, I would appreciate other eyes would review the work and test
the packages.
It's a bit tricky because a lot of the recent security issues with IM
have been found with fuzzers, which means the test cases are arbitrary
binary files that are in arbitrary places. They are not part of the test
suite. Furthermore, tracking the actual issues is fairly hard: upstream
has less than adequate commit logs[1] when they have any at all.
[1]: https://github.com/ImageMagick/ImageMagick/commit/58cf5bf4fade82e3b510e8f3463a967278a3e410
Also, 10 out of the 17 vulnerabilities patched don't have a CVE
assigned. I have asked the previous uploader to see if he has asked for
CVEs or if we should ask for those identifiers in the relevant bug
reports.
There is also an extra patch (0161-Do-not-ignore-SetImageBias-bias-value.patch)
from Jessie that I included in the upload because it supposedly fixes a
DOS attack. That one doesn't even have a bug number assigned so it
actually doesn't show up in the security tracker. I have no idea what to
do with that extra patch.
I have *tried* to review the patchset from jessie to make sure we have
all the factored patches there. While I am here, I must applaud Bastien
Roucaries for the work he did in jessie: he reviewed the upstream
changelog to cherry-pick security issues, as upstream seems to have
completely abandoned the CVE process and instead just push fixes in git
and tarballs without any clear disclosure process.
So I may be missing some upstream issues. I also haven't reviewed the
"no-dsa" issues - i leave that for a future upload that has, say, less
than 10 issues to patch. :)
I have done a basic smoke test of the package: it installs and basic
functionality works. I have tested an arbitrary vulnerability POC to see
if it is fixed (CVE-2016-9556) and it *seems* to work.
I will upload this tuesday if I hear only silence or positive reviews.
Thanks!
A.
--
Je viens d'un pays où engagé veut dire que tu t'es trouvé une job.
- Patrice Desbiens
Reply to: