From e94938873522cbb3d3240123616414ebf48e57c5 Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Tue, 21 Oct 2014 13:58:29 +0000
Subject: [PATCH] Don't clone a 0x0 image

Passing 0x0 image to imagemagick will lead to divide by zero and other kind of error.
Usually entry point of imagemagick does not allow this kind of error.

However cloning 0x0 image was allowed and thus could trigger this kind of error.
This bug may be remotly exploitable and could lead to controlable buffer overflow.

Moreover fix the same kind of error in resize.

This is fix for TEMP-0000000-1800A5 aka CVE-2014-8354

forwarded: yes
Bug-debian: http://bugs.debian.org/767240
Applied-Upstream: 6.8.9.9
---
 magick/image.c  | 5 +++++
 magick/resize.c | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/magick/image.c b/magick/image.c
index 8759d63..787030b 100644
--- a/magick/image.c
+++ b/magick/image.c
@@ -821,6 +821,11 @@ MagickExport Image *CloneImage(const Image *image,const unsigned long columns,
     (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);
   assert(exception != (ExceptionInfo *) NULL);
   assert(exception->signature == MagickSignature);
+  if ((image->columns == 0) || (image->rows == 0))
+    {
+      ThrowBinaryException(ImageError,"NegativeOrZeroImageSize",image->filename);
+      return((Image *) NULL);
+    }
   clone_image=(Image *) AcquireAlignedMemory(1,sizeof(*clone_image));
   if (clone_image == (Image *) NULL)
     ThrowImageException(ResourceLimitError,"MemoryAllocationFailed");
diff --git a/magick/resize.c b/magick/resize.c
index 96168ef..9ef64b8 100644
--- a/magick/resize.c
+++ b/magick/resize.c
@@ -1822,6 +1822,8 @@ static MagickBooleanType HorizontalFilter(const ResizeFilter *resize_filter,
         ((MagickRealType) (start+n)-center+0.5));
       density+=contribution[n].weight;
     }
+    if (n == 0)
+      continue;
     if ((density != 0.0) && (density != 1.0))
       {
         register long
@@ -2064,6 +2066,8 @@ static MagickBooleanType VerticalFilter(const ResizeFilter *resize_filter,
         ((MagickRealType) (start+n)-center+0.5));
       density+=contribution[n].weight;
     }
+    if (n == 0)
+      continue;
     if ((density != 0.0) && (density != 1.0))
       {
         register long
-- 
2.1.4