Mageia Bugzilla – Attachment 7739 Details for
Bug 17714
graphicsmagick new security issues CVE-2015-8808, CVE-2016-2317, CVE-2016-2318, CVE-2016-5118, CVE-2016-524[01]
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
Log In
[x]
|
New Account
|
Forgot Password
[patch]
Patch for CVE-2016-2317 that applies to Mga5 and Cauldron
GraphicsMagick-1.3.20-CVE-2016-2317.patch (text/plain), 4.68 KB, created by
Nicolas Salguero
on 2016-05-04 15:05:46 CEST
(
hide
)
Description:
Patch for CVE-2016-2317 that applies to Mga5 and Cauldron
Filename:
MIME Type:
Creator:
Nicolas Salguero
Created:
2016-05-04 15:05:46 CEST
Size:
4.68 KB
patch
obsolete
># HG changeset patch ># User Bob Friesenhahn <bfriesen@GraphicsMagick.org> ># Date 1461539977 18000 ># Sun Apr 24 18:19:37 2016 -0500 ># Node ID 98394eb235a6dc5d6b4d445023ae1c70189a7667 ># Parent 45ee571d38f5e131207fd62eaa8a1bb85886b019 >Fix segmentation violation when reading aaphrbkwwe.svg.-1114777018469422437 from CVE-2016-2317 test cases. > >diff -r 45ee571d38f5 -r 98394eb235a6 magick/render.c >--- a/magick/render.c Sat Apr 23 15:15:02 2016 -0500 >+++ b/magick/render.c Sun Apr 24 18:19:37 2016 -0500 >@@ -1738,6 +1738,8 @@ > return(MagickFail); > primitive_extent=strlen(primitive); > (void) SetImageAttribute(image,"[MVG]",primitive); >+ if (getenv("MAGICK_SKIP_RENDERING") != NULL) >+ return MagickPass; > n=0; > /* > Allocate primitive info memory. >@@ -2751,12 +2753,24 @@ > } > case RoundRectanglePrimitive: > { >- length*=8*BezierQuantum+5; >+ /* >+ Round rectangle is rectangle plus elipse >+ */ >+ double >+ alpha, >+ beta, >+ radius; >+ >+ alpha=bounds.x2-bounds.x1; >+ beta=bounds.y2-bounds.y1; >+ radius=hypot((double) alpha,(double) beta); >+ length*=5; >+ length+=2*((size_t) ceil((double) MagickPI*radius))+6*BezierQuantum+360; > break; > } > case BezierPrimitive: > { >- if (primitive_info[j].coordinates > 109) >+ if (primitive_info[j].coordinates > 107) > (void) ThrowException(&image->exception,DrawError, > TooManyCoordinates,token); > length=primitive_info[j].coordinates*BezierQuantum; >@@ -2806,7 +2820,6 @@ > default: > break; > } >- > if ((size_t) (i+length) >= number_points) > { > number_points+=length+1; >@@ -2850,25 +2863,74 @@ > } > case RectanglePrimitive: > { >+ /* >+ Rectangle requires 2 primitives. >+ */ > if (primitive_info[j].coordinates != 2) > { > status=MagickFail; > break; > } >- TraceRectangle(primitive_info+j,primitive_info[j].point, >+ /* >+ Negative width is an error >+ */ >+ if ((primitive_info[j+1].point.x - primitive_info[j].point.x) < 0.0) >+ { >+ status=MagickFail; >+ break; >+ } >+ /* >+ Negative height is an error >+ */ >+ if ((primitive_info[j+1].point.y - primitive_info[j].point.y) < 0.0) >+ { >+ status=MagickFail; >+ break; >+ } >+ TraceRectangle(/*start*/primitive_info+j, >+ /*end*/primitive_info[j].point, > primitive_info[j+1].point); > i=(long) (j+primitive_info[j].coordinates); > break; > } > case RoundRectanglePrimitive: > { >+ /* >+ Round rectangle requires 3 primitives. >+ */ > if (primitive_info[j].coordinates != 3) > { > status=MagickFail; > break; > } >- TraceRoundRectangle(primitive_info+j,primitive_info[j].point, >- primitive_info[j+1].point,primitive_info[j+2].point); >+ /* >+ Negative radius values are an error. >+ */ >+ if ((primitive_info[j+2].point.x < 0.0) || (primitive_info[j+2].point.y < 0.0)) >+ { >+ status=MagickFail; >+ break; >+ } >+ /* >+ Negative width is an error >+ */ >+ if ((primitive_info[j+1].point.x - primitive_info[j].point.x) < 0.0) >+ { >+ status=MagickFail; >+ break; >+ } >+ /* >+ Negative height is an error >+ */ >+ if ((primitive_info[j+1].point.y - primitive_info[j].point.y) < 0.0) >+ { >+ status=MagickFail; >+ break; >+ } >+ TraceRoundRectangle(primitive_info+j, >+ /*start*/primitive_info[j].point, >+ /*end*/primitive_info[j+1].point, >+ /*arc*/primitive_info[j+2].point); > i=(long) (j+primitive_info[j].coordinates); > break; > } >@@ -5024,8 +5086,8 @@ > } > if (strchr("CcSs",last_attribute) == (char *) NULL) > { >- points[0]=points[2]; >- points[1]=points[3]; >+ points[0]=point; >+ points[1]=point; > } > for (i=0; i < 4; i++) > (q+i)->point=points[i]; >@@ -5062,8 +5124,8 @@ > } > if (strchr("QqTt",last_attribute) == (char *) NULL) > { >- points[0]=points[2]; >- points[1]=points[3]; >+ points[0]=point; >+ points[1]=point; > } > for (i=0; i < 3; i++) > (q+i)->point=points[i];
# HG changeset patch # User Bob Friesenhahn <bfriesen@GraphicsMagick.org> # Date 1461539977 18000 # Sun Apr 24 18:19:37 2016 -0500 # Node ID 98394eb235a6dc5d6b4d445023ae1c70189a7667 # Parent 45ee571d38f5e131207fd62eaa8a1bb85886b019 Fix segmentation violation when reading aaphrbkwwe.svg.-1114777018469422437 from CVE-2016-2317 test cases. diff -r 45ee571d38f5 -r 98394eb235a6 magick/render.c --- a/magick/render.c Sat Apr 23 15:15:02 2016 -0500 +++ b/magick/render.c Sun Apr 24 18:19:37 2016 -0500 @@ -1738,6 +1738,8 @@ return(MagickFail); primitive_extent=strlen(primitive); (void) SetImageAttribute(image,"[MVG]",primitive); + if (getenv("MAGICK_SKIP_RENDERING") != NULL) + return MagickPass; n=0; /* Allocate primitive info memory. @@ -2751,12 +2753,24 @@ } case RoundRectanglePrimitive: { - length*=8*BezierQuantum+5; + /* + Round rectangle is rectangle plus elipse + */ + double + alpha, + beta, + radius; + + alpha=bounds.x2-bounds.x1; + beta=bounds.y2-bounds.y1; + radius=hypot((double) alpha,(double) beta); + length*=5; + length+=2*((size_t) ceil((double) MagickPI*radius))+6*BezierQuantum+360; break; } case BezierPrimitive: { - if (primitive_info[j].coordinates > 109) + if (primitive_info[j].coordinates > 107) (void) ThrowException(&image->exception,DrawError, TooManyCoordinates,token); length=primitive_info[j].coordinates*BezierQuantum; @@ -2806,7 +2820,6 @@ default: break; } - if ((size_t) (i+length) >= number_points) { number_points+=length+1; @@ -2850,25 +2863,74 @@ } case RectanglePrimitive: { + /* + Rectangle requires 2 primitives. + */ if (primitive_info[j].coordinates != 2) { status=MagickFail; break; } - TraceRectangle(primitive_info+j,primitive_info[j].point, + /* + Negative width is an error + */ + if ((primitive_info[j+1].point.x - primitive_info[j].point.x) < 0.0) + { + status=MagickFail; + break; + } + /* + Negative height is an error + */ + if ((primitive_info[j+1].point.y - primitive_info[j].point.y) < 0.0) + { + status=MagickFail; + break; + } + TraceRectangle(/*start*/primitive_info+j, + /*end*/primitive_info[j].point, primitive_info[j+1].point); i=(long) (j+primitive_info[j].coordinates); break; } case RoundRectanglePrimitive: { + /* + Round rectangle requires 3 primitives. + */ if (primitive_info[j].coordinates != 3) { status=MagickFail; break; } - TraceRoundRectangle(primitive_info+j,primitive_info[j].point, - primitive_info[j+1].point,primitive_info[j+2].point); + /* + Negative radius values are an error. + */ + if ((primitive_info[j+2].point.x < 0.0) || (primitive_info[j+2].point.y < 0.0)) + { + status=MagickFail; + break; + } + /* + Negative width is an error + */ + if ((primitive_info[j+1].point.x - primitive_info[j].point.x) < 0.0) + { + status=MagickFail; + break; + } + /* + Negative height is an error + */ + if ((primitive_info[j+1].point.y - primitive_info[j].point.y) < 0.0) + { + status=MagickFail; + break; + } + TraceRoundRectangle(primitive_info+j, + /*start*/primitive_info[j].point, + /*end*/primitive_info[j+1].point, + /*arc*/primitive_info[j+2].point); i=(long) (j+primitive_info[j].coordinates); break; } @@ -5024,8 +5086,8 @@ } if (strchr("CcSs",last_attribute) == (char *) NULL) { - points[0]=points[2]; - points[1]=points[3]; + points[0]=point; + points[1]=point; } for (i=0; i < 4; i++) (q+i)->point=points[i]; @@ -5062,8 +5124,8 @@ } if (strchr("QqTt",last_attribute) == (char *) NULL) { - points[0]=points[2]; - points[1]=points[3]; + points[0]=point; + points[1]=point; } for (i=0; i < 3; i++) (q+i)->point=points[i];
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 17714
: 7739 |
7740
|
7741
|
7898
|
7899
|
7900
|
7901
|
7902
|
7903
|
7904
|
7905
|
8052