On Thu, Oct 27, 2016 at 10:28:17PM -0400, Roberto C. Sánchez wrote:
>
> I have some questions about how to handle this issue:
>
> https://security-tracker.debian.org/tracker/TEMP-0836171-53B142
> https://bugs.debian.org/836171
>
<SNIP questions on this issue>

So, I have another similar issue on which I would like some confirmation:

https://security-tracker.debian.org/tracker/TEMP-0833743-7EB594
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833743

Relevant commit:

https://github.com/ImageMagick/ImageMagick/commit/3e9165285eda6e1bb71172031d3048b51bb443a4

Full diff:

      if (image->rows < (image->rows*number_planes_filled*sizeof(*pixels)))
        ThrowReaderException(CorruptImageError,"ImproperImageHeader");
      pixel_info=AcquireVirtualMemory(image->columns,image->rows*
-       number_planes_filled*sizeof(*pixels));
+       MagickMax(number_planes_filled,4)*sizeof(*pixels));
      if (pixel_info == (MemoryInfo *) NULL)
        ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-     pixel_info_length=image->columns*image->rows*number_planes_filled;
+     pixel_info_length=image->columns*image->rows*
+       MagickMax(number_planes_filled,4);
      pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
      if ((flags & 0x01) && !(flags & 0x02))

Current coders/rle.c code in wheezy:

      if (image->matte != MagickFalse)
        number_planes++;
      number_pixels=(MagickSizeType) image->columns*image->rows;
      if ((number_pixels*number_planes) != (size_t) (number_pixels*number_planes))
        ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
      pixel_info_length=image->columns*image->rows*MagickMax(number_planes,4);
      rle_pixels=(unsigned char *) AcquireQuantumMemory(pixel_info_length,
        sizeof(*rle_pixels));
      if (rle_pixels == (unsigned char *) NULL)
        ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
      if ((flags & 0x01) && !(flags & 0x02))

It appears to me that the upstream diff is ensuring that the allocated memory area is not too small, hence the change of "number_planes_filled" to "MagickMax(number_planes_filled,4)" in two places. However, in the code currently in wheezy, "pixel_info_length" is already calculated to include the product of "MagickMax(number_planes,4)". Based on this, it would seem that the ImageMagick in wheezy will not encounter the same RLE segfault that was addressed by the upstream commit.

Based on this analysis (hi Raphael :-), I am inclined to consider wheezy unaffected by this. Would anyone else out there care to look over this and agree/disagree with me?

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
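Review bot: in the upstream hunk, the header guard that precedes the allocation still multiplies by the unfloored plane count (`if (image->rows < (image->rows*number_planes_filled*sizeof(*pixels)))`) while both the `AcquireVirtualMemory` call and `pixel_info_length` now multiply by `MagickMax(number_planes_filled,4)`, so the check and the allocation no longer describe the same quantity. The guard should use the same `MagickMax(number_planes_filled,4)` term so that it covers the size actually requested; and since `rows < rows*k` is only a heuristic for a wrapped product, a division-based bound (`number_planes_filled*sizeof(*pixels) <= SIZE_MAX/(image->columns*image->rows)` style) would reject oversized headers more reliably than the comparison in the context line.

As an added example (not ImageMagick code and not part of Roberto's mail), the sizing rule that the upstream hunk introduces and that the wheezy snippet already contains can be written as one checked function, so the two variants can be compared on constructed inputs: the floored form (`MagickMax(planes,4)`) next to the unfloored '-' line from the hunk, with the shortfall between them made explicit. Function names and the `elem_size` parameter (standing in for `sizeof(*pixels)`) are hypothetical. A cast comparison such as `x != (size_t)x` only fires when `size_t` is narrower than the intermediate type, so this example checks each multiplication against `SIZE_MAX` instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Floor the plane count at 4, the MagickMax(number_planes,4) rule from the page. */
static size_t planes_floor4(size_t number_planes)
{
    return number_planes < 4 ? 4 : number_planes;
}

/* Multiply two size_t values; on overflow clear *ok and return 0.
   Once *ok is clear, later calls keep returning 0 (a == 0 path). */
static size_t mul_checked(size_t a, size_t b, int *ok)
{
    if (a != 0 && b > SIZE_MAX / a) {
        *ok = 0;
        return 0;
    }
    return a * b;
}

/* Buffer size in bytes with the floor applied:
   columns * rows * max(planes,4) * elem_size.
   Returns 0 when the product does not fit in size_t; a caller must treat 0
   as "reject this header", exactly as a zero-area image would be rejected. */
size_t rle_pixel_buffer_bytes(size_t columns, size_t rows,
                              size_t number_planes, size_t elem_size)
{
    int ok = 1;
    size_t n = mul_checked(columns, rows, &ok);
    n = mul_checked(n, planes_floor4(number_planes), &ok);
    n = mul_checked(n, elem_size, &ok);
    return ok ? n : 0;
}

/* Same computation without the floor: the sizing on the hunk's '-' line. */
size_t rle_pixel_buffer_bytes_unfloored(size_t columns, size_t rows,
                                        size_t number_planes, size_t elem_size)
{
    int ok = 1;
    size_t n = mul_checked(columns, rows, &ok);
    n = mul_checked(n, number_planes, &ok);
    n = mul_checked(n, elem_size, &ok);
    return ok ? n : 0;
}

/* Bytes by which the unfloored allocation falls short of the floored one.
   Non-zero only when number_planes < 4 (and neither product overflowed). */
size_t rle_allocation_shortfall(size_t columns, size_t rows,
                                size_t number_planes, size_t elem_size)
{
    size_t floored = rle_pixel_buffer_bytes(columns, rows, number_planes, elem_size);
    size_t plain = rle_pixel_buffer_bytes_unfloored(columns, rows, number_planes, elem_size);
    if (floored == 0 || plain == 0)
        return 0;                     /* overflow on either side: nothing to compare */
    return floored - plain;
}

int main(void)
{
    /* Constructed header values, not taken from any real RLE file. */
    const size_t planes[] = {1, 3, 4, 5};
    size_t i;
    for (i = 0; i < sizeof(planes) / sizeof(planes[0]); i++) {
        printf("16x16, planes=%zu: floored=%zu unfloored=%zu shortfall=%zu\n",
               planes[i],
               rle_pixel_buffer_bytes(16, 16, planes[i], 1),
               rle_pixel_buffer_bytes_unfloored(16, 16, planes[i], 1),
               rle_allocation_shortfall(16, 16, planes[i], 1));
    }
    /* Oversized dimensions: the checked multiply reports 0 instead of wrapping. */
    printf("overflow case -> %zu\n",
           rle_pixel_buffer_bytes(SIZE_MAX / 2 + 1, 2, 1, 1));
    return 0;
}
```

The shortfall column is the quantity the upstream commit closes: for a one-plane header the unfloored allocation is a quarter of the floored one, while for four or more planes the two agree, which is why the wheezy code, already multiplying by `MagickMax(number_planes,4)`, sizes the buffer the same way the post-commit upstream code does.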