From d8650f4297d7f84b1861c4ad077e1b4e3417139c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Wed, 11 Apr 2012 11:02:18 +0200
Subject: [PATCH] Fix CVE-2012-1185 / CVE-2012-1186 assignment notification

The original fixes for the ImageMagick issues CVE-2012-0247 and
CVE-2012-0248 are incomplete.

The original fix for CVE-2012-0247 failed to check for the possibility
of an integer overflow when computing the sum of "number_bytes" and
"offset". The sum could wrap around to a value smaller than "length",
so the "length" check introduced by the original CVE-2012-0247 fix
could still be bypassed, leading to memory corruption.

This was backported from svn revision 6998 aka git
28b3ba177e797d2b9a0ac0b44de187264e99493e

Origin: upstream
Applied-Upstream: 6.7.5-9
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665007
---
 magick/profile.c  | 15 +++++++++++++--
 magick/property.c |  2 ++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/magick/profile.c b/magick/profile.c
index 85c6fa9..92e56f4 100644
--- a/magick/profile.c
+++ b/magick/profile.c
@@ -1761,6 +1761,9 @@ MagickExport MagickBooleanType SyncImageProfiles(Image *image)
   size_t
     length;
 
+  SplayTreeInfo
+    *exif_resources;
+
   ssize_t
     offset;
 
@@ -1824,6 +1827,8 @@ MagickExport MagickBooleanType SyncImageProfiles(Image *image)
   directory=exif+offset;
   level=0;
   entry=0;
+  exif_resources=NewSplayTree((int (*)(const void *,const void *)) NULL,
+     (void *(*)(void *)) NULL,(void *(*)(void *)) NULL);
   do
   {
     if (level > 0)
@@ -1851,6 +1856,9 @@ MagickExport MagickBooleanType SyncImageProfiles(Image *image)
         number_bytes;
 
       q=(unsigned char *) (directory+2+(12*entry));
+      if (GetValueFromSplayTree(exif_resources,q) == q)
+	break;
+      (void) AddValueToSplayTree(exif_resources,q,q);
       tag_value=(long) ReadProfileShort(endian,q);
       format=(long) ReadProfileShort(endian,q+2);
       if ((format-1) >= EXIF_NUM_FORMATS)
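Review bot: The `break` taken when `GetValueFromSplayTree` returns `q` leaves only the innermost loop around the entry walk (its header is above this hunk), so on a revisited entry the walker falls back to the `level > 0` branch and resumes from the directory stack rather than stopping outright; that is enough to break an IFD cycle, but nothing says so, and a one-line comment would help the next reader: `/* this IFD entry was already visited: the directory chain loops, abandon it */`. The tree is keyed on the raw entry address with a NULL compare callback, so the lookup presumably relies on pointer identity; the `== q` test is what makes that work and is worth keeping as-is. The enclosing entry loop and SyncImageProfiles itself start outside the hunk.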
@@ -1861,13 +1869,15 @@ MagickExport MagickBooleanType SyncImageProfiles(Image *image)
         p=q+8;
       else
         {
-          ssize_t
+          size_t
             offset;
 
           /*
             The directory entry contains an offset.
           */
-          offset=(ssize_t) ReadProfileLong(endian,q+8);
+          offset=(size_t) ((int)ReadProfileLong(endian,q+8));
+	  if ((offset+number_bytes) < offset)
+            continue;  /* prevent overflow */
           if ((size_t) (offset+number_bytes) > length)
             continue;
           p=(unsigned char *) (exif+offset);
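Review bot: The cast chain `(size_t) ((int)ReadProfileLong(endian,q+8))` is confusing rather than protective: on LP64 a 32-bit profile offset of 0x80000000 or more becomes a negative `int` and then sign-extends to a `size_t` near `SIZE_MAX`. The two guards that follow still reject such a value (either the sum wraps and the first `continue` fires, or it exceeds `length` and the second does), so the result is safe, but the plain form `offset=(size_t) ReadProfileLong(endian,q+8);` is equivalent and does not look like an attempt at range checking. The wrap test `(offset+number_bytes) < offset` is only sound if `number_bytes` is unsigned; its declaration sits just above this hunk, so please confirm it is `size_t`, since a signed addition here would be undefined behaviour the compiler may optimise the check away from. I would also make the comment say what is being prevented: `/* the sum wrapped, the length check below would pass a bad offset */`.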
@@ -1934,5 +1944,6 @@ MagickExport MagickBooleanType SyncImageProfiles(Image *image)
         }
     }
   } while (level > 0);
+  exif_resources=DestroySplayTree(exif_resources);
   return(MagickTrue);
 }
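Review bot: `exif_resources` is destroyed only on the fall-through path after the `do ... while (level > 0)` loop; any early `return` inside the loop body, most of which is outside this hunk, would now leak the splay tree on a malformed profile. Worth checking SyncImageProfiles for such a path and routing it through the same `DestroySplayTree` call if one exists. The inner `break`s visible in the other hunks only leave the entry loop, so they reach this cleanup and are fine.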
diff --git a/magick/property.c b/magick/property.c
index b8580b3..6c6d12f 100644
--- a/magick/property.c
+++ b/magick/property.c
@@ -1318,6 +1318,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
             The directory entry contains an offset.
           */
           offset=(ssize_t) ReadPropertyLong(endian,q+8);
+          if ((offset+number_bytes) < offset)
+            continue;  /* prevent overflow */
           if ((size_t) (offset+number_bytes) > length)
             continue;
           p=(unsigned char *) (exif+offset);
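Review bot: This guard is the same overflow check added in profile.c, but here `offset` is still an `ssize_t` (assigned on the line above), so whether `offset+number_bytes` is an unsigned wrap or a signed overflow depends entirely on the type of `number_bytes`, declared above the hunk; if that is signed, the overflow is undefined behaviour and the compiler is entitled to drop the check. Making the two files agree removes the question: declare `size_t offset;` in this branch and use `offset=(size_t) ReadPropertyLong(endian,q+8);`. The declaration and the rest of GetEXIFProperty lie outside the hunk.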
-- 
2.1.4

