Package: imagemagick / 8:6.6.0.4-3+squeeze7

Metadata

Package: imagemagick
Version: 8:6.6.0.4-3+squeeze7
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001 Description Do not read configure files in the curre.patch | (download)

magick/configure.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 [patch] 
 directory for  the "installed" version of ImageMagick.  Patch pulled from
 upstream svn  https://www.imagemagick.org/subversion/ImageMagick/trunk 
 revision 3022.
0002 ImageMagick Invalid Validation and Denial of Service.patch | (download)

magick/property.c | 116 71 + 45 - 0 !
1 file changed, 71 insertions(+), 45 deletions(-)

 [patch] imagemagick invalid validation and denial of service

This patch fixes two security bugs:
* [CVE-2012-0247] When parsing a maliciously crafted image with incorrect offset and count in the ResolutionUnit tag in EXIF IFD0, ImageMagick copies two bytes into an invalid address.
* [CVE-2012-0248] When parsing a maliciously crafted image with an IFD whose IOP tags' value offsets all point to the beginning of the IFD itself, ImageMagick parses the IFD structure indefinitely, causing a denial of service.

Thanks go to Mr Joonas Kuorilehto & Mr Aleksis Kauppinen from Codenomicon CROSS project for discovering the vulnerabilities and providing a test case file.
Also to the Finnish Communications Regulatory Authority (CERT-FI) for alerting us to these vulnerabilities.

(cherry picked from commit cb8dd0b021332238efa17bf88877723c8a960964)

0003 Fix CVE 2012 1185 CVE 2012 1186 assignment notificat.patch | (download)

magick/profile.c | 15 13 + 2 - 0 !
magick/property.c | 2 2 + 0 - 0 !
2 files changed, 15 insertions(+), 2 deletions(-)

 [patch] fix cve-2012-1185 / cve-2012-1186 assignment notification

The original fixes for the ImageMagick issues CVE-2012-0247 and
CVE-2012-0248 are incomplete.

The original fix for CVE-2012-0247 failed to check for the possibility
of an integer overflow when computing the sum of "number_bytes" and
"offset". This resulted in a wrap around into a value smaller than
"length", so the "length" check introduced by the original CVE-2012-0247
fix could still be bypassed, leading to memory corruption.

This was backported from svn revision 6998 aka git
28b3ba177e797d2b9a0ac0b44de187264e99493e

0004 Fix security holes JPEG EXIF TIFF.patch | (download)

coders/jpeg.c | 8 7 + 1 - 0 !
coders/tiff.c | 7 4 + 3 - 0 !
magick/property.c | 4 4 + 0 - 0 !
3 files changed, 15 insertions(+), 4 deletions(-)

 [patch] fix security holes jpeg/exif/tiff

An out-of heap-based buffer read flaw was found in the way ImageMagick,
retrieved Exchangeable image file format (Exif) header tag information
from certain JPEG files.

A remote attacker could provide a JPEG image file, with EXIF header
containing specially-crafted tag values, which once opened in some ImageMagick
tool would lead to the crash of that tool (denial of service).

Fix:
* [CVE-2012-0259] JPEG EXIF tag crash.
* [CVE-2012-0260] Excessive memory use with JPEG restart markers.
* [CVE-2012-1798] Copying of invalid memory when reading TIFF EXIF IFD.

0005 Fix security bug for special crafted EXIF properties.patch | (download)

magick/profile.c | 7 5 + 2 - 0 !
magick/property.c | 4 2 + 2 - 0 !
2 files changed, 7 insertions(+), 4 deletions(-)

 [patch] fix security bug for special crafted exif properties

The original patch for CVE-2012-0259 turned out to be insufficient.

The problem is an integer overflow error in the "GetEXIFProperty()"
function (magick/property.c, around line 1288):

number_bytes=(size_t) components*tag_bytes[format];

When processing EXIF directory entries with tags of e.g. format 5
(EXIF_FMT_URATIONAL) and a large components count, the calculation can
overflow and e.g. lead to "number_bytes" being 0. If that's the case,
subsequent checks can be bypassed, causing the loop in the
"EXIFMultipleFractions" macro to iterate through a large number of
"components". This leads to out-of-bound reads until eventually causing
a segmentation fault when trying to read beyond the limits of heap memory.

CVE-2012-1610 has been assigned to this issue.

Note: The initial patch for this issue is still necessary to prevent
access of uninitialized/incorrect memory when e.g. processing specially
crafted EXIF tags with a component count of 0.
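
The two overflow patterns described for patches 0003 and 0005, shown next to overflow-safe checks. This is an added example, not code from the ImageMagick patches: it models a 32-bit size_t with uint32_t so the wrap is reproducible on any platform, and the function names and sample values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Bytes per component for EXIF/TIFF formats 0..12 (index 5 is the 8-byte
   unsigned rational mentioned above). */
static const uint32_t tag_bytes[] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};
#define NUM_FORMATS ((uint32_t) (sizeof(tag_bytes) / sizeof(tag_bytes[0])))

/* Unchecked size computation: the product wraps modulo 2^32. */
static uint32_t entry_bytes_unchecked(uint32_t components, uint32_t format)
{
  return components * tag_bytes[format];
}

/* Unchecked range test: the sum can wrap to a value smaller than length. */
static int range_ok_unchecked(uint32_t offset, uint32_t number_bytes,
                              uint32_t length)
{
  return offset + number_bytes <= length;
}

/* Checked size computation. Returns 0 and stores the size, or -1 for an
   unknown format, a zero component count, or a product that would wrap. */
static int entry_bytes_checked(uint32_t components, uint32_t format,
                               uint32_t *number_bytes)
{
  if (format == 0 || format >= NUM_FORMATS)
    return -1;
  if (components == 0 || components > UINT32_MAX / tag_bytes[format])
    return -1;
  *number_bytes = components * tag_bytes[format];
  return 0;
}

/* Checked range test written with subtraction only, so nothing can wrap. */
static int range_ok_checked(uint32_t offset, uint32_t number_bytes,
                            uint32_t length)
{
  return number_bytes <= length && offset <= length - number_bytes;
}

/* Hypothetical helper: full validation of one directory entry against a
   profile of `length` bytes. Returns 1 if the entry's data may be read. */
static int entry_is_valid(uint32_t components, uint32_t format,
                          uint32_t offset, uint32_t length)
{
  uint32_t number_bytes;

  if (entry_bytes_checked(components, format, &number_bytes) != 0)
    return 0;
  return range_ok_checked(offset, number_bytes, length);
}

int main(void)
{
  /* Constructed values, not taken from any real file. */
  const uint32_t length = 4096;

  printf("wrapped size: %u\n",
         (unsigned) entry_bytes_unchecked(0x20000000u, 5));
  printf("wrapped range accepted: %d\n",
         range_ok_unchecked(0xFFFFFFF0u, 0x20u, length));
  printf("checked, huge count: %d\n",
         entry_is_valid(0x20000000u, 5, 16, length));
  printf("checked, wrapped offset: %d\n",
         entry_is_valid(4, 5, 0xFFFFFFF0u, length));
  printf("checked, sane entry: %d\n", entry_is_valid(4, 5, 16, length));
  return 0;
}
```
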

0006 CVE 2014 1947 Fix buffer overrun.patch | (download)

coders/psd.c | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 [patch] cve-2014-1947: fix buffer overrun

0007 Prevent buffer overflow in messaging system CVE 2014.patch | (download)

magick/locale.c | 12 10 + 2 - 0 !
1 file changed, 10 insertions(+), 2 deletions(-)

 [patch] prevent buffer overflow in messaging system (cve: 2014-1947)

Bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1067276
Bug-debian: http://bugs.debian.org/740250
git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@14900 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
Signed-off-by: Bastien ROUCARIS <roucaries.bastien@gmail.com>

0008 Avoid crash and DOS with special crafted jpeg file.patch | (download)

magick/property.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] avoid crash and dos with special crafted jpeg file

Some specially crafted JPEG files could lead to DoS due to a missing check in
embedded EXIF properties (EXIF directory offsets must be greater than 0).

Fix CVE-2014-8716.

0009 Fix CVE 2012 3437 ImageMagick Magick_png_malloc size.patch | (download)

coders/png.c | 44 36 + 8 - 0 !
1 file changed, 36 insertions(+), 8 deletions(-)

 [patch] fix cve-2012-3437 imagemagick: magick_png_malloc() size
 argument

Tom Lane (tgl@redhat.com) found an issue in ImageMagick. Basically
CVE-2011-3026 deals with libpng memory allocation, limitations have been
added so that a bad PNG can't cause the system to allocate a lot of
memory causing a denial of service. However on further investigation of
ImageMagick Tom Lane found that PNG malloc function (Magick_png_malloc)
in turn calls AcquireMagickMemory with an improper size argument:

static png_voidp Magick_png_malloc(png_structp png_ptr,png_uint_32 size)
{
  (void) png_ptr;
  return((png_voidp) AcquireMagickMemory((size_t) size));
}

This is incorrect, the size argument should be declared png_alloc_size_t
according to 1.5, or png_size_t according to 1.2.

"As this function stands, it invisibly does the wrong thing for any request
over 4GB.  On big-endian architectures it very possibly will do the wrong
thing even for requests less than that. So the reason why the hard-wired 4GB
limit prevents a core dump is that it masks the ABI mismatch here."

So basically we have memory allocation problems that can probably lead to a
denial of service.

Backported from 81157cd61667708831e489dd90aa64847c94735a

0010 Memory leak after setjmp used variable need to be vo.patch | (download)

coders/jpeg.c | 16 8 + 8 - 0 !
coders/png.c | 4 2 + 2 - 0 !
2 files changed, 10 insertions(+), 10 deletions(-)

 [patch] memory leak: after setjmp used variable need to be volatile

According to POSIX setjmp manpage:
  All accessible objects have values as of the time longjmp() was called,
  except that the values of objects of automatic storage duration which are
  local to the function containing the invocation of the corresponding
  setjmp() which do not have volatile-qualified type and
  which are changed between the setjmp() invocation and longjmp() call are indeterminate.

Previous code was not safe according to this specification and could lead to a memory
leak.

If the setjmp handler is called after reading a corrupted png, ping_pixels may
be null and thus lead to a memory leak.

Mark this kind of variable as volatile.

git-svn-id: https://www.imagemagick.org/subversion/ImageMagick/trunk@9558 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74

Cherry picked from svn revision 9558
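
The volatile rule quoted in patch 0010, as an added example that is not code from the ImageMagick patch: a pointer assigned after setjmp() and released in the error path. The reader, the decoder stub and the allocation counter are hypothetical names constructed for the demonstration.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>

static jmp_buf error_env;      /* stands in for the decoder's error jump buffer */
static int live_allocations;   /* constructed leak counter for the demo */

static void *tracked_alloc(size_t size)
{
  void *p = malloc(size);

  if (p != NULL)
    live_allocations++;
  return p;
}

static void tracked_free(void *p)
{
  if (p != NULL) {
    free(p);
    live_allocations--;
  }
}

/* Hypothetical row decoder: reports a corrupt stream with longjmp(), the way
   a libpng or libjpeg error callback unwinds into the reader. */
static void decode_rows(unsigned char *pixels, int corrupt)
{
  pixels[0] = 0;
  if (corrupt)
    longjmp(error_env, 1);
}

/* Returns 0 on success, -1 if the stream was corrupt. */
static int read_image(int corrupt)
{
  /* volatile: assigned after setjmp() and read in the error path, so its
     value there is defined only with this qualifier. Without it the error
     path may see the stale NULL and skip the free. */
  unsigned char *volatile pixels = NULL;

  if (setjmp(error_env) != 0) {
    tracked_free(pixels);   /* sees the pointer assigned below */
    return -1;
  }
  pixels = tracked_alloc(64);
  if (pixels == NULL)
    return -1;
  decode_rows(pixels, corrupt);
  tracked_free(pixels);
  return 0;
}

/* Runs the reader and reports how many buffers are still allocated. */
static int leaked_after_read(int corrupt)
{
  live_allocations = 0;
  (void) read_image(corrupt);
  return live_allocations;
}

int main(void)
{
  printf("corrupt input, buffers leaked: %d\n", leaked_after_read(1));
  printf("valid input, buffers leaked: %d\n", leaked_after_read(0));
  return 0;
}
```
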

0011 Magick fix a memory leak.patch | (download)

Magick++/lib/Image.cpp | 9 6 + 3 - 0 !
1 file changed, 6 insertions(+), 3 deletions(-)

 [patch] magick++ fix a memory leak

Original code leaks memory in case of a corrupted image. When image->exception is thrown, the following DestroyExceptionInfo will not be executed, thus leading to a leak.

Fix it by adding (void) DestroyExceptionInfo( &exceptionInfo ) before throwing.

0012 Fix last value in dicom_info and added missing NULL .patch | (download)

coders/dcm.c | 23 13 + 10 - 0 !
1 file changed, 13 insertions(+), 10 deletions(-)

 [patch] fix last value in dicom_info and added missing != null check.

Fix a buffer overflow in dcm reader by checking the dcm file.
This problem was discovered by fuzzing some dcm files.

This is the fix for the dcm format for TEMP-0000000-77B6EF aka CVE-2014-8562.

0013 Fixed buffer overflow in PCX reader.patch | (download)

coders/pcx.c | 28 15 + 13 - 0 !
1 file changed, 15 insertions(+), 13 deletions(-)

 [patch] fixed buffer overflow in pcx reader.

Fix a buffer overflow in pcx reader by checking the pcx file.
This problem was discovered by fuzzing some pcx files.

This is the fix for the pcx format for TEMP-0000000-77B6EF aka CVE-2014-8355

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@16774 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0014 Don t clone a 0x0 image.patch | (download)

magick/image.c | 5 5 + 0 - 0 !
magick/resize.c | 4 4 + 0 - 0 !
2 files changed, 9 insertions(+)

 [patch] don't clone a 0x0 image

Passing a 0x0 image to imagemagick will lead to divide by zero and other kinds of errors.
Usually the entry point of imagemagick does not allow this kind of error.

However cloning a 0x0 image was allowed and thus could trigger this kind of error.
This bug may be remotely exploitable and could lead to a controllable buffer overflow.

Moreover fix the same kind of error in resize.

This is the fix for TEMP-0000000-1800A5 aka CVE-2014-8354

0015 Quit earlier in case of corrupted pnm image.patch | (download)

coders/pnm.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] quit earlier in case of corrupted pnm image

Do not try to read a corrupted pnm file. Bail early.

Fix a segv and thus a DOS

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@16867 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0016 Prepare next patch by using inline function instead .patch | (download)

coders/pict.c | 47 29 + 18 - 0 !
1 file changed, 29 insertions(+), 18 deletions(-)

 [patch] prepare next patch by using inline function instead of macro

This patch fixes a crash in case of a malformed pict file and prepares the next patch.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@15704 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0017 Do not crash in case of corrupted pict image.patch | (download)

coders/pict.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] do not crash in case of corrupted pict image

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@15769 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0018 Added missing calls to RelinquishUniqueFileResource.patch | (download)

coders/dcm.c | 22 13 + 9 - 0 !
coders/dot.c | 5 4 + 1 - 0 !
coders/exr.c | 10 9 + 1 - 0 !
coders/pict.c | 4 4 + 0 - 0 !
coders/pwp.c | 6 5 + 1 - 0 !
5 files changed, 35 insertions(+), 12 deletions(-)

 [patch] added missing calls to relinquishuniquefileresource.

Avoid leaking fd in case of error.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@16971 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0019 Fix a double free in pdb coder.patch | (download)

coders/pdb.c | 27 13 + 14 - 0 !
1 file changed, 13 insertions(+), 14 deletions(-)

 [patch] fix a double free in pdb coder

Fix a double free and thus a DOS in pdb coder

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17080 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0020 Fix handling of corrupted dpc and xwd image.patch | (download)

coders/dpx.c | 2 2 + 0 - 0 !
coders/xwd.c | 11 8 + 3 - 0 !
2 files changed, 10 insertions(+), 3 deletions(-)

 [patch] fix handling of corrupted dpc and xwd image

Avoid a segv thus a DOS.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17092 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0021 Bail out early in case of malformed dpx file.patch | (download)

coders/dpx.c | 11 9 + 2 - 0 !
1 file changed, 9 insertions(+), 2 deletions(-)

 [patch] bail out early in case of malformed dpx file

Avoid a SEGV.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17112 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0022 Avoid SEGV in malformed xwd file.patch | (download)

coders/xwd.c | 87 70 + 17 - 0 !
1 file changed, 70 insertions(+), 17 deletions(-)

 [patch] avoid segv in malformed xwd file

Check the malformed xwd file.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17114 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0023 Avoid a NULL dereference in ps handling.patch | (download)

coders/ps.c | 13 8 + 5 - 0 !
1 file changed, 8 insertions(+), 5 deletions(-)

 [patch] avoid a null dereference in ps handling

GetStringInfoDatum(NULL) will likely crash. Avoid it.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17117 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0024 Avoid out of bound access in xwd file handling.patch | (download)

coders/xwd.c | 9 6 + 3 - 0 !
1 file changed, 6 insertions(+), 3 deletions(-)

 [patch] avoid out of bound access in xwd file handling

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17119 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0025 Fix a SEGV with corrupted viff image.patch | (download)

coders/viff.c | 36 19 + 17 - 0 !
1 file changed, 19 insertions(+), 17 deletions(-)

 [patch] fix a segv with corrupted viff image

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17110 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0026 Fix a null pointer dereference in wpg file handling.patch | (download)

coders/wpg.c | 92 58 + 34 - 0 !
1 file changed, 58 insertions(+), 34 deletions(-)

 [patch] fix a null pointer dereference in wpg file handling

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17126 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0027 Do not continue on corrupted wpg file.patch | (download)

coders/wpg.c | 29 15 + 14 - 0 !
1 file changed, 15 insertions(+), 14 deletions(-)

 [patch] do not continue on corrupted wpg file

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17127 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0028 Avoid a out of bound acess in viff image.patch | (download)

coders/viff.c | 30 18 + 12 - 0 !
1 file changed, 18 insertions(+), 12 deletions(-)

 [patch] avoid an out of bound access in viff image

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17131 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0029 Avoid a heap buffer overflow in pdb file handling.patch | (download)

coders/pdb.c | 8 3 + 5 - 0 !
1 file changed, 3 insertions(+), 5 deletions(-)

 [patch] avoid a heap buffer overflow in pdb file handling

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17132 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0030 Avoid an out of bound acess on malformed sun file.patch | (download)

coders/sun.c | 28 22 + 6 - 0 !
1 file changed, 22 insertions(+), 6 deletions(-)

 [patch] avoid an out of bound access on malformed sun file

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17137 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0031 Prepare security fix.patch | (download)

coders/pnm.c | 97 55 + 42 - 0 !
1 file changed, 55 insertions(+), 42 deletions(-)

 [patch] prepare security fix

This is a least concern bug from a security point of view. It avoids looping over comments in pnm file.

However, the next patch needs it in order to apply, and it is safer to have it.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@12347 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0032 Avoid heap overflow in palm pnm and xpm files.patch | (download)

coders/palm.c | 48 24 + 24 - 0 !
coders/pnm.c | 2 1 + 1 - 0 !
coders/xpm.c | 49 27 + 22 - 0 !
3 files changed, 52 insertions(+), 47 deletions(-)

 [patch] avoid heap overflow in palm, pnm and xpm files

Commit backported from christy's commit

0033 Fix heap overflow in quantum.c palm image handling a.patch | (download)

coders/palm.c | 2 1 + 1 - 0 !
coders/psd.c | 2 1 + 1 - 0 !
magick/quantum.c | 13 8 + 5 - 0 !
3 files changed, 10 insertions(+), 7 deletions(-)

 [patch] fix heap overflow in quantum.c, palm image handling and psd
 image handling.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17142 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0034 Do not try to read corrupted sun image.patch | (download)

coders/sun.c | 16 9 + 7 - 0 !
1 file changed, 9 insertions(+), 7 deletions(-)

 [patch] do not try to read corrupted sun image

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17146 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0035 Fix corrupted too many colors psd file.patch | (download)

coders/psd.c | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 [patch] fix corrupted (too many colors) psd file

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17151 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0036 Fix out of bound access in sun image handling.patch | (download)

coders/sun.c | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 [patch] fix out of bound access in sun image handling

It is the merge of rev 17153 and rev 17155

0037 Fix handling of corrupted sun and wpg file.patch | (download)

coders/sun.c | 2 2 + 0 - 0 !
coders/wpg.c | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 1 deletion(-)

 [patch] fix handling of corrupted sun and wpg file

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17165 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0038 Fix heap overflow in pcx file psd pict and wpf files.patch | (download)

coders/pcx.c | 8 7 + 1 - 0 !
coders/pict.c | 3 2 + 1 - 0 !
coders/sun.c | 2 2 + 0 - 0 !
coders/wpg.c | 2 1 + 1 - 0 !
coders/xpm.c | 2 2 + 0 - 0 !
5 files changed, 14 insertions(+), 3 deletions(-)

 [patch] fix heap overflow in pcx file, psd, pict and wpf files and
 DOS in xpm file

The rest of the upstream patch is only whitespace change. Do not commit it.

Psd change file is ignored due to huge rewrite

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17166 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0039 Additional PNM sanity checks.patch | (download)

coders/pnm.c | 8 6 + 2 - 0 !
1 file changed, 6 insertions(+), 2 deletions(-)

 [patch] additional pnm sanity checks

bug: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26682
git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17200 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0040 Robustify xmp and pnm reader.patch | (download)

coders/pnm.c | 8 3 + 5 - 0 !
coders/xbm.c | 48 27 + 21 - 0 !
2 files changed, 30 insertions(+), 26 deletions(-)

 [patch] robustify xmp and pnm reader

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17240 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0041 Detect allocation error earlier.patch | (download)

magick/cache.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] detect allocation error earlier

Avoid a segv due to NULL pointer dereference

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17243 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0042 Avoid a crash in coders rle.c.patch | (download)

coders/rle.c | 27 21 + 6 - 0 !
1 file changed, 21 insertions(+), 6 deletions(-)

 [patch] avoid a crash in coders/rle.c

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17255 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0043 Avoid an overflow in ConstrainColormapIndex.patch | (download)

magick/colormap-private.h | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] avoid an overflow in constraincolormapindex

ConstrainColormapIndex is used like array[ConstrainColormapIndex]. Test if the cast to ssize_t renders it negative, which would thus crash later.

0044 Avoid an out of bound access in palm file.patch | (download)

coders/palm.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] avoid an out of bound access in palm file

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17291 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0045 Fix another crash in pnm and xpm parser.patch | (download)

coders/pnm.c | 2 1 + 1 - 0 !
coders/xpm.c | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 [patch] fix another crash in pnm and xpm parser

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17297 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0046 Fix another out of bound problem in rle file.patch | (download)

coders/rle.c | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 [patch] fix another out of bound problem in rle file

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17336 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0047 Fix crash due to corrupted dib file.patch | (download)

coders/dib.c | 41 39 + 2 - 0 !
1 file changed, 39 insertions(+), 2 deletions(-)

 [patch] fix crash due to corrupted dib file

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17343 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0048 Added checks to prevent overflow in rle file.patch | (download)

coders/rle.c | 37 28 + 9 - 0 !
1 file changed, 28 insertions(+), 9 deletions(-)

 [patch] added checks to prevent overflow in rle file

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17348 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0049 Impose a limit of 10 million columns or rows in an i.patch | (download)

coders/png.c | 11 11 + 0 - 0 !
1 file changed, 11 insertions(+)

 [patch] impose a limit of 10 million columns or rows in an input png.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17368 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0050 Be a little bit fuzzy in test suite.patch | (download)

tests/validate.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch] be a little bit fuzzy in test suite

Avoid a test failure due to 1e-6 dispersion.

0051 Avoid heap overflow in rle file.patch | (download)

coders/rle.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] avoid heap overflow in rle file

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17372 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0052 Don t try to handle a previous image in the JNG deco.patch | (download)

coders/png.c | 9 1 + 8 - 0 !
1 file changed, 1 insertion(+), 8 deletions(-)

 [patch] don't try to handle a "previous" image in the jng decoder.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17078 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
http://trac.imagemagick.org/changeset/17078

0053 Avoid heap overflow.patch | (download)

coders/fits.c | 2 1 + 1 - 0 !
coders/pnm.c | 10 6 + 4 - 0 !
2 files changed, 7 insertions(+), 5 deletions(-)

 [patch] avoid heap overflow

Avoid allocating too much memory

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17210 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0054 Create IsValidColormapIndex function.patch | (download)

magick/colormap-private.h | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 [patch] create isvalidcolormapindex function

This function will be used to avoid a memory leak in rle.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17379 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0055 Replaced calls to ConstrainColormapIndex with IsVali.patch | (download)

coders/rle.c | 32 27 + 5 - 0 !
1 file changed, 27 insertions(+), 5 deletions(-)

 [patch] replaced calls to constraincolormapindex with
 IsValidColormapIndex.

Avoid a memory leak.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17385 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0056 During identification of image do not fill memory.patch | (download)

coders/tiff.c | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 [patch] during identification of image do not fill memory

This creates a security risk (DOS) by filling all memory during identification of image.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17413 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
0057 Fix correctly the xpm crash problem.patch | (download)

coders/xpm.c | 11 6 + 5 - 0 !
1 file changed, 6 insertions(+), 5 deletions(-)

 [patch] fix correctly the xpm crash problem

The xpm crash was fixed but the xpm result was not correct (xpm file was destroyed).

Fix correctly.

Bug-Debian: https://bugs.debian.org/773980
0058 Avoid a memory leak in quantum management.patch | (download)

magick/quantum.c | 10 8 + 2 - 0 !
1 file changed, 8 insertions(+), 2 deletions(-)

 [patch] avoid a memory leak in quantum management

Note that upstream magick/colormap-private.h patch is buggy and already applied in the patch queue.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17207 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
fix overflow in icon parsing.patch | (download)

coders/icon.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 fix buffer overflow in icon parsing code
 This patch backports a small extract of a larger upstream
 commit that addresses this specific issue.
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747