
Re: ImageMagick - marking issue as not affecting wheezy?



On Thu, Oct 27, 2016 at 10:28:17PM -0400, Roberto C. Sánchez wrote:
> 
> I have some questions about how to handle this issue:
> 
> https://security-tracker.debian.org/tracker/TEMP-0836171-53B142
> https://bugs.debian.org/836171
> 
<SNIP questions on this issue>

So, I have another similar issue on which I would like some
confirmation:

https://security-tracker.debian.org/tracker/TEMP-0833743-7EB594
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833743

Relevant commit:

https://github.com/ImageMagick/ImageMagick/commit/3e9165285eda6e1bb71172031d3048b51bb443a4

Full diff:

     if (image->rows < (image->rows*number_planes_filled*sizeof(*pixels)))
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     pixel_info=AcquireVirtualMemory(image->columns,image->rows*
-      number_planes_filled*sizeof(*pixels));
+      MagickMax(number_planes_filled,4)*sizeof(*pixels));
     if (pixel_info == (MemoryInfo *) NULL)
       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-    pixel_info_length=image->columns*image->rows*number_planes_filled;
+    pixel_info_length=image->columns*image->rows*
+      MagickMax(number_planes_filled,4);
     pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
     if ((flags & 0x01) && !(flags & 0x02))
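Review bot: the overflow guard on the first context line still multiplies by `number_planes_filled`, while the two `+` lines now size the buffer and `pixel_info_length` with `MagickMax(number_planes_filled,4)`, so the guard and the allocation no longer check the same product; the guard should use the same `MagickMax(number_planes_filled,4)` expression (or the intermediate should be computed once and reused in all three places). It is also worth confirming the guard's comparison direction, since as written `image->rows < (image->rows*number_planes_filled*sizeof(*pixels))` holds for any image whose product does not wrap, which is the opposite of what a wraparound check normally tests.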

Current coders/rle.c code in wheezy:

    if (image->matte != MagickFalse)
      number_planes++;
    number_pixels=(MagickSizeType) image->columns*image->rows;
    if ((number_pixels*number_planes) != (size_t) (number_pixels*number_planes))
      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
    pixel_info_length=image->columns*image->rows*MagickMax(number_planes,4);
    rle_pixels=(unsigned char *) AcquireQuantumMemory(pixel_info_length,
      sizeof(*rle_pixels));
    if (rle_pixels == (unsigned char *) NULL)
      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
    if ((flags & 0x01) && !(flags & 0x02))

It appears to me that the upstream diff is ensuring that the allocated
memory area is not too small, hence the change of "number_planes_filled"
to "MagickMax(number_planes_filled,4)" in two places.  However, in the
code currently in wheezy, "pixel_info_length" is already calculated to
include the product of "MagickMax(number_planes,4)".  Based on this, it
would seem that the ImageMagick in wheezy will not encounter the same
RLE segfault that was addressed by the upstream commit.

Based on this analysis (hi Raphael :-), I am inclined to consider wheezy
unaffected by this.  Would anyone else out there care to look over this
and agree/disagree with me?

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
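To make the size comparison in the analysis above concrete, here is a constructed C model of the three allocation formulas (upstream before the commit, upstream after it, and the wheezy rle.c form). It is an added example, not ImageMagick code and not part of this mail: `max_size` stands in for ImageMagick's `MagickMax`, the pixel size is one byte as in the `unsigned char` buffers of the rle.c excerpt, and the multiplication guard mirrors the wheezy cast-and-compare check with an explicit `SIZE_MAX` test; the assumption that the decoder may fill up to four planes is exactly what the `MagickMax(...,4)` in both code versions implies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for ImageMagick's MagickMax macro (assumption). */
static size_t max_size(size_t a, size_t b) { return a > b ? a : b; }

/* Multiply two size_t values, reporting wraparound instead of silently
   truncating; plays the role of the "(number_pixels*number_planes) !=
   (size_t)(...)" guard in the wheezy excerpt. Returns 0 on overflow. */
static int mul_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* columns*rows*planes bytes, i.e. the formula upstream used before the
   commit. Returns 0 on overflow (a real allocator would be refused). */
size_t alloc_upstream_before(size_t columns, size_t rows, size_t planes) {
    size_t pixels, total;
    if (!mul_checked(columns, rows, &pixels)) return 0;
    if (!mul_checked(pixels, planes, &total)) return 0;
    return total;
}

/* columns*rows*MagickMax(planes,4): the post-commit upstream formula and,
   per the rle.c excerpt, what wheezy already computes for pixel_info_length. */
size_t alloc_with_max4(size_t columns, size_t rows, size_t planes) {
    return alloc_upstream_before(columns, rows, max_size(planes, 4));
}

/* Bytes a decoder touches if it writes all four planes of every pixel. */
size_t bytes_for_four_planes(size_t columns, size_t rows) {
    return alloc_upstream_before(columns, rows, 4);
}

/* 1 if a buffer of 'allocated' bytes covers a four-plane fill, else 0.
   An allocation of 0 (overflow) is never sufficient. */
int allocation_is_sufficient(size_t allocated, size_t columns, size_t rows) {
    size_t needed = bytes_for_four_planes(columns, rows);
    return allocated != 0 && needed != 0 && allocated >= needed;
}

int main(void) {
    /* Constructed sample: a 3-plane (RGB, no matte) image. */
    size_t cols = 640, rows = 480, planes = 3;
    size_t before = alloc_upstream_before(cols, rows, planes);
    size_t after  = alloc_with_max4(cols, rows, planes);
    printf("before fix: %zu bytes, sufficient=%d\n", before,
           allocation_is_sufficient(before, cols, rows));
    printf("with MagickMax(planes,4): %zu bytes, sufficient=%d\n", after,
           allocation_is_sufficient(after, cols, rows));
    return 0;
}
```

With three planes the pre-commit formula allocates 921600 bytes while a four-plane write needs 1228800, which is the shortfall the upstream commit closes; the `MagickMax(...,4)` form used by both the fixed upstream code and the wheezy excerpt yields the full 1228800 bytes, which is the observation the analysis above rests on.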
