18331784 problem in UTILITY/IMAGEMAGICK s11-update
authorJohn Beck <John.Beck@Oracle.COM>
Wed, 12 Mar 2014 10:08:26 -0700
branchs11-update
changeset 2985 8d0f13e7dd0c
parent 2983 7e65e1db2593
child 2986 eb4911976ff2
18331784 problem in UTILITY/IMAGEMAGICK
components/imagemagick/patches/CVE-2014-1958.patch
components/imagemagick/patches/CVE-2014-2030.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/imagemagick/patches/CVE-2014-1958.patch	Wed Mar 12 10:08:26 2014 -0700
@@ -0,0 +1,31 @@
+# This comes from upstream:
+# http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=25128
+
+--- ImageMagick-6.8.3/coders/psd.c	2013-01-23 15:50:19.000000000 -0800
++++ ImageMagick-6.8.3/coders/psd.c	2014-03-03 07:53:58.415170102 -0800
[email protected]@ -269,13 +269,15 @@
+   packets=(ssize_t) number_compact_pixels;
+   for (i=0; (packets > 1) && (i < (ssize_t) number_pixels); )
+   {
+-    length=(*compact_pixels++);
++    length=(size_t) (*compact_pixels++);
+     packets--;
+     if (length == 128)
+       continue;
+     if (length > 128)
+       {
+         length=256-length+1;
++        if ((ssize_t) length + i > (ssize_t) number_pixels) 
++          length=number_pixels-(size_t) i; 
+         pixel=(*compact_pixels++);
+         packets--;
+         for (j=0; j < (ssize_t) length; j++)
[email protected]@ -322,6 +324,8 @@
+         continue;
+       }
+     length++;
++    if ((ssize_t) length + i > (ssize_t) number_pixels) 
++      length=number_pixels-(size_t) i; 
+     for (j=0; j < (ssize_t) length; j++)
+     {
+       switch (depth)
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/imagemagick/patches/CVE-2014-2030.patch	Wed Mar 12 10:08:26 2014 -0700
@@ -0,0 +1,36 @@
+# This comes from upstream:
+# http://trac.imagemagick.org/changeset/13736
+# linked from:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1064098
+
+--- ImagMagick-6.8.3/coders/psd.c	2014-03-03 07:57:25.334035665 -0800
++++ ImagMagick-6.8.3/coders/psd.c	2014-03-03 08:02:05.371109695 -0800
[email protected]@ -2107,9 +2107,6 @@
+   StringInfo
+     *bim_profile;
+ 
+-  unsigned char
+-    layer_name[4];
+-
+   /*
+     Open image file.
+   */
[email protected]@ -2367,12 +2364,15 @@
+         property=(const char *) GetImageProperty(next_image,"label");
+         if (property == (const char *) NULL)
+           {
++            char
++              layer_name[MaxTextExtent];
++
+             (void) WriteBlobMSBLong(image,16);
+             (void) WriteBlobMSBLong(image,0);
+             (void) WriteBlobMSBLong(image,0);
+-            (void) FormatLocaleString((char *) layer_name,MaxTextExtent,
+-              "L%06ld",(long) layer_count++);
+-            WritePascalString( image, (char*)layer_name, 4 );
++            (void) FormatLocaleString(layer_name,MaxTextExtent,"L%06ld",(long)
++              layer_count++);
++            WritePascalString(image,layer_name,4);
+           }
+         else
+           {