Package: imagemagick / 8:6.8.9.9-5+deb8u12

Metadata

Package Version Patches format
imagemagick 8:6.8.9.9-5+deb8u12 3.0 (quilt)

Patch series

Patch File delta Description
0180 Fix improper cast that could cause an overflow as de.patch | (download)

coders/psd.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] fix improper cast that could cause an overflow as
 demonstrated in #347.

Fix CVE-2017-5511

0181 Fix memory corruption heap overflow in psb file.patch | (download)

coders/psd.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] fix memory corruption heap overflow in psb file

Fix CVE-2017-5510

Bug: https://github.com/ImageMagick/ImageMagick/issues/348

0182 Detect write error in ReadGROUP4Image.patch | (download)

coders/tiff.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] detect write error in readgroup4image

Fix CVE-2016-10062

bug: https://github.com/ImageMagick/ImageMagick/issues/352
bug-debian: https://bugs.debian.org/849439

0183 Fix an assertion faillure in TGA.patch | (download)

coders/tga.c | 9 5 + 4 - 0 !
1 file changed, 5 insertions(+), 4 deletions(-)

 [patch] fix an assertion failure in tga

bug: https://github.com/ImageMagick/ImageMagick/pull/359
bug-debian: https://bugs.debian.org/856878

0184 Fix an out of bound error in sun file handling.patch | (download)

coders/sun.c | 13 10 + 3 - 0 !
1 file changed, 10 insertions(+), 3 deletions(-)

 [patch] fix an out of bound error in sun file handling

bug: https://github.com/ImageMagick/ImageMagick/issues/375
bug: https://github.com/ImageMagick/ImageMagick/issues/376
bug-debian: https://bugs.debian.org/856879

0185 Fixed memory leak when creating nested exceptions in.patch | (download)

Magick++/lib/Exception.cpp | 14 10 + 4 - 0 !
1 file changed, 10 insertions(+), 4 deletions(-)

 [patch] fixed memory leak when creating nested exceptions in
 Magick++.

bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=23&p=142634
bug-debian: https://bugs.debian.org/856880

0186 Fixed memory leak in IsOptionMember.patch | (download)

magick/option.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] fixed memory leak in isoptionmember.

bug-debian: https://bugs.debian.org/857426
bug-ubuntu: https://bugs.launchpad.net/bugs/1671630

0187 Fix convert sharpen with CMYK images.patch | (download)

magick/morphology.c | 41 20 + 21 - 0 !
1 file changed, 20 insertions(+), 21 deletions(-)

 [patch] fix convert -sharpen with cmyk images

0188 Fixed leak reported in SVG file.patch | (download)

coders/svg.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] fixed leak reported in svg file

Fix CVE-2017-7943
bug: https://github.com/ImageMagick/ImageMagick/issues/427
bug-debian: https://bugs.debian.org/860736

0189 Fixed memory leak reported in sgi files.patch | (download)

coders/sgi.c | 40 31 + 9 - 0 !
1 file changed, 31 insertions(+), 9 deletions(-)

 [patch] fixed memory leak reported in sgi files

Fix a leak in avs file and CVE-2017-7941

0190 Fix Memleak in AcquireVirtualMemory.patch | (download)

magick/memory.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] fix memleak in acquirevirtualmemory

The memleak is introduced by the Debian patch "0095-Fix-multiple-out-of-bound-problem.patch" that is applied on top of the original ImageMagick source:

https://sources.debian.net/patches/imagemagick/8:6.8.9.9-5%2Bdeb8u8/0095-Fix-multiple-out-of-bound-problem.patch/

The patch - according to its name and its commit message - fixes some OOB problems, but unfortunately also modifies other behaviour,
in contrast to the original commit that it refers to:

https://github.com/ImageMagick/ImageMagick/commit/2174484dfa68a594e2f9ad17f46217b6120db18d

The memleak happens in the function "AcquireVirtualMemory" in "/magick/memory.c":

https://sources.debian.net/src/imagemagick/8:6.8.9.9-5%2Bdeb8u8/magick/memory.c/#L589

0191 Fix CVE 2017 7606.patch | (download)

coders/rle.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] fix cve-2017-7606

coders/rle.c in ImageMagick 7.0.5-4 has an "outside the range of representable values of type unsigned char" undefined behavior issue,
which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted file

bug: https://github.com/ImageMagick/ImageMagick/issues/415

0192 Fix CVE 2017 7619.patch | (download)

magick/enhance.c | 54 9 + 45 - 0 !
1 file changed, 9 insertions(+), 45 deletions(-)

 [patch] fix cve-2017-7619

In ImageMagick 7.0.4-9, an infinite loop can occur because of a floating-point rounding error in some of the color algorithms.

This affects ModulateHSL, ModulateHCL, ModulateHCLp, ModulateHSB, ModulateHSI, ModulateHSV, ModulateHWB, ModulateLCHab, and ModulateLCHuv.

0193 Fix CVE 2017 8343.patch | (download)

coders/aai.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [patch] fix cve-2017-8343

The ReadAAIImage function in aai.c allows attackers to cause a denial of service (memory leak) via a crafted file.

Fix it by detecting the corruption

bug: https://github.com/ImageMagick/ImageMagick/issues/444
bug-debian: https://bugs.debian.org/862572

0194 CVE 2017 8344.patch | (download)

coders/pcx.c | 54 36 + 18 - 0 !
1 file changed, 36 insertions(+), 18 deletions(-)

 [patch] cve-2017-8344

The ReadPCXImage function in pcx.c allows
attackers to cause a denial of service (memory leak) via a crafted
file.

Detect this kind of file

bug: https://github.com/ImageMagick/ImageMagick/issues/446
bug-debian: https://bugs.debian.org/862574

0195 1 2 Prepare fix for CVE 2017 8345.patch | (download)

coders/png.c | 81 30 + 51 - 0 !
1 file changed, 30 insertions(+), 51 deletions(-)

 [patch] [1/2] prepare fix for cve-2017-8345

Refactored MngInfoFreeStruct in order to apply check only once

bug: https://github.com/ImageMagick/ImageMagick/issues/442

0196 2 2 Refactored ReadMNGImage to fix memory leak repor.patch | (download)

coders/png.c | 105 62 + 43 - 0 !
1 file changed, 62 insertions(+), 43 deletions(-)

 [patch] [2/2] refactored readmngimage to fix memory leak reported in
 #442

The ReadMNGImage function in png.c allows
attackers to cause a denial of service (memory leak) via a crafted
file.

bug: https://github.com/ImageMagick/ImageMagick/issues/442

0197 CVE 2017 8346.patch | (download)

coders/dcm.c | 34 22 + 12 - 0 !
1 file changed, 22 insertions(+), 12 deletions(-)

 [patch] cve-2017-8346

The ReadDCMImage function in dcm.c allows
attackers to cause a denial of service (memory leak) via a crafted
file.

bug: https://github.com/ImageMagick/ImageMagick/issues/440

0198 CVE 2017 8347.patch | (download)

coders/exr.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] cve-2017-8347

The ReadEXRImage function in exr.c allows attackers to cause a denial of service (memory leak) via a crafted file.

bug: https://github.com/ImageMagick/ImageMagick/issues/441

0199 CVE 2017 8348.patch | (download)

coders/mat.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] cve-2017-8348

The ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a crafted file.

bug: https://github.com/ImageMagick/ImageMagick/issues/445

0200 CVE 2017 8349.patch | (download)

coders/sfw.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [patch] cve-2017-8349

The ReadSFWImage function in sfw.c allows attackers to cause a denial of service (memory leak) via a crafted file.

bug: https://github.com/ImageMagick/ImageMagick/issues/443
bug-debian: https://bugs.debian.org/862579

0201 1 3 CVE 2017 8350 Fixed more memory leaks.patch | (download)

coders/png.c | 17 12 + 5 - 0 !
1 file changed, 12 insertions(+), 5 deletions(-)

 [patch] [1/3] cve-2017-8350 fixed more memory leaks.

(cherry picked from commit 8b7af6e1e7163d62fc98add772da73b2f88b31d7)

0202 3 3 CVE 2017 8350 Fixed various leaks in ReadOneJNGI.patch | (download)

coders/png.c | 24 20 + 4 - 0 !
1 file changed, 20 insertions(+), 4 deletions(-)

 [patch] [3/3] cve-2017-8350 fixed various leaks in readonejngimage
 reported in #447

0203 CVE 2017 8351.patch | (download)

coders/pcd.c | 11 7 + 4 - 0 !
1 file changed, 7 insertions(+), 4 deletions(-)

 [patch] cve-2017-8351

The ReadPCDImage function in pcd.c allows attackers to cause a denial
of service (memory leak) via a crafted file.

bug: https://github.com/ImageMagick/ImageMagick/issues/448

0204 1 2 CVE 2017 8352.patch | (download)

coders/xwd.c | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

 [patch] [1/2] cve-2017-8352

The ReadXWDImage function in xwd.c allows attackers to cause a denial of service (memory leak) via a crafted file.

bug: https://github.com/ImageMagick/ImageMagick/issues/452
bug-debian: https://bugs.debian.org/862590

0205 CVE 2017 8353.patch | (download)

coders/pict.c | 43 32 + 11 - 0 !
1 file changed, 32 insertions(+), 11 deletions(-)

 [patch] cve-2017-8353

The ReadPICTImage function in pict.c allows attackers to cause a denial of service (memory leak) via a crafted file.

bug: https://github.com/ImageMagick/ImageMagick/issues/454
bug-debian: https://bugs.debian.org/862632

0206 CVE 2017 8354.patch | (download)

coders/bmp.c | 11 9 + 2 - 0 !
1 file changed, 9 insertions(+), 2 deletions(-)

 [patch] cve-2017-8354

The ReadBMPImage function in bmp.c allows attackers to cause a denial of service (memory leak) via a crafted file.

bug: https://github.com/ImageMagick/ImageMagick/issues/451
bug-debian: https://bugs.debian.org/862633

0207 CVE 2017 8355.patch | (download)

coders/mtv.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [patch] cve-2017-8355

The ReadMTVImage function in mtv.c allows attackers to cause a denial of service (memory leak) via a crafted file.

bug: https://github.com/ImageMagick/ImageMagick/issues/450

0208 CVE 2017 8356.patch | (download)

coders/sun.c | 17 13 + 4 - 0 !
1 file changed, 13 insertions(+), 4 deletions(-)

 [patch] cve-2017-8356

The ReadSUNImage function in sun.c allows attackers to cause a denial of service (memory leak) via a crafted file.

bug: https://github.com/ImageMagick/ImageMagick/issues/449
bug-debian: https://bugs.debian.org/862635

0209 CVE 2017 8357.patch | (download)

coders/ept.c | 24 19 + 5 - 0 !
1 file changed, 19 insertions(+), 5 deletions(-)

 [patch] cve-2017-8357

The ReadEPTImage function in ept.c allows attackers to cause a denial of service (memory leak) via a crafted file.

bug: https://github.com/ImageMagick/ImageMagick/issues/453

0210 CVE 2017 8765.patch | (download)

coders/icon.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] cve-2017-8765

The function named ReadICONImage in coders\icon.c in ImageMagick has a memory leak vulnerability which can cause memory exhaustion via a crafted ICON file.

Added extra check that was reported in #466.

(cherry picked from commit b3299a3f2ec597172b092e9f7b71d2c9e75287c7)

0211 CVE 2017 8830.patch | (download)

coders/bmp.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] cve-2017-8830

The ReadBMPImage function in bmp.c:1379 allows attackers to cause a denial of service (memory leak) via a crafted file.

Replace image in list to fix issue reported in #467.

(cherry picked from commit ff2431d8f17d4a7c906438042a649b04aec93558)

bug: https://github.com/ImageMagick/ImageMagick/issues/467
bug-debian: https://bugs.debian.org/862637

0212 Check for EOF conditions for RLE image format.patch | (download)

coders/rle.c | 89 67 + 22 - 0 !
1 file changed, 67 insertions(+), 22 deletions(-)

 [patch] check for eof conditions for rle image format

This fixes a crash with a specially crafted file

0213 Fixed incorrect call to WriteBlob reported in 490.patch | (download)

coders/png.c | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 [patch] fixed incorrect call to writeblob reported in #490.

A crafted file revealed an assertion failure in blob.c.

0214 Added check to prevent image being 0x0 reported in 4.patch | (download)

coders/dds.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 [patch] added check to prevent image being 0x0 (reported in #489).

A crafted file revealed an assertion failure in profile.c.

magick: MagickCore/profile.c:1303: ResetImageProfileIterator: Assertion `image != (Image *) ((void *)0)' failed.

0215 Fixed memory leak reported in 456.patch | (download)

coders/art.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [patch] fixed memory leak reported in #456.

A specially crafted arts file could lead to a memory leak

0216 CVE 2017 9098 use of uninitialized memory in RLE dec.patch | (download)

coders/rle.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] cve-2017-9098: use of uninitialized memory in rle decoder

Reset memory for RLE decoder (patch provided by scarybeasts)

bug: https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html
bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862967

0217 CVE 2017 9261 Memory leak in the ReadMNGImage functi.patch | (download)

coders/png.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [patch] cve-2017-9261: memory leak in the readmngimage function

In ImageMagick, the ReadMNGImage function in coders/png.c
allows attackers to cause a denial of service (memory leak) via a
crafted file.

bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863833
bug: https://github.com/ImageMagick/ImageMagick/issues/476

0218 CVE 2017 9262 Memory leak in the ReadJNGImage functi.patch | (download)

coders/png.c | 21 17 + 4 - 0 !
1 file changed, 17 insertions(+), 4 deletions(-)

 [patch] cve-2017-9262: memory leak in the readjngimage function

In ImageMagick, the ReadJNGImage function in coders/png.c
allows attackers to cause a denial of service (memory leak) via a
crafted file.

bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863834
bug: https://github.com/ImageMagick/ImageMagick/issues/475

0219 CVE 2017 9409 the ReadMPCImage function in mpc.c all.patch | (download)

coders/mpc.c | 8 6 + 2 - 0 !
1 file changed, 6 insertions(+), 2 deletions(-)

 [patch] cve-2017-9409: the readmpcimage function in mpc.c allows
 attackers to cause a denial of service (memory leak) via a crafted file.

0220 CVE 2017 9407 the ReadPALMImage function in palm.c a.patch | (download)

coders/palm.c | 14 12 + 2 - 0 !
1 file changed, 12 insertions(+), 2 deletions(-)

 [patch] cve-2017-9407: the readpalmimage function in palm.c allows
 attackers to cause a denial of service (memory leak) via a crafted file.

Fixed memory leak reported in #459.

0221 CVE 2017 9405 the ReadICONImage function in icon.c 4.patch | (download)

coders/icon.c | 8 6 + 2 - 0 !
1 file changed, 6 insertions(+), 2 deletions(-)

 [patch] cve-2017-9405: the readiconimage function in icon.c:452
 allows attackers to cause a denial of service (memory leak) via a crafted
 file.

Fixed memory leak reported in #457.

bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864087
bug: https://github.com/ImageMagick/ImageMagick/issues/457

0222 CVE 2017 9439.patch | (download)

coders/pdb.c | 19 14 + 5 - 0 !
1 file changed, 14 insertions(+), 5 deletions(-)

 [patch] cve-2017-9439

A memory leak was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service via a crafted file.

bug: https://github.com/ImageMagick/ImageMagick/issues/460

0223 CVE 2017 9440.patch | (download)

coders/psd.c | 16 9 + 7 - 0 !
1 file changed, 9 insertions(+), 7 deletions(-)

 [patch] cve-2017-9440

A memory leak was found in the function ReadPSDChannel in coders/psd.c, which allows attackers to cause a denial of service via a crafted file.

bug: https://github.com/ImageMagick/ImageMagick/issues/462
bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864273

0224 Ensure token does not overflow.patch | (download)

magick/token.c | 28 20 + 8 - 0 !
1 file changed, 20 insertions(+), 8 deletions(-)

 [patch] ensure token does not overflow

This prepares the fix for CVE-2017-10928

origin: https://github.com/ImageMagick/ImageMagick/commit/4b85d29608d5bc0ab641f49e80b6cf8965928fb4
bug: https://github.com/ImageMagick/ImageMagick/issues/539
bug-debian: https://bugs.debian.org/867367

(cherry picked from commit 4b85d29608d5bc0ab641f49e80b6cf8965928fb4)

0225 Fix off by one error when checking token length.patch | (download)

magick/token.c | 16 8 + 8 - 0 !
1 file changed, 8 insertions(+), 8 deletions(-)

 [patch] fix off by one error when checking token length

This prepares the fix for CVE-2017-10928

bug: https://github.com/ImageMagick/ImageMagick/issues/539
bug-debian: https://bugs.debian.org/867367

0226 Use proper cast.patch | (download)

magick/token.c | 16 8 + 8 - 0 !
1 file changed, 8 insertions(+), 8 deletions(-)

 [patch] use proper cast

This prepares the fix for CVE-2017-10928

bug: https://github.com/ImageMagick/ImageMagick/issues/539
bug-debian: https://bugs.debian.org/867367

0227 CVE 2017 10928.patch | (download)

magick/token.c | 13 13 + 0 - 0 !
1 file changed, 13 insertions(+)

 [patch] cve-2017-10928

A heap-based buffer over-read in the GetNextToken function in token.c allows remote attackers to obtain
sensitive information from process memory or possibly have unspecified other impact
via a crafted SVG document that is mishandled in the GetUserSpaceCoordinateValue function in coders/svg.c.

0228 1 2 Enable heap overflow check for stdin for mpc fil.patch | (download)

coders/mpc.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] [1/2] enable heap overflow check for stdin for mpc files

Enabling seekable streams is required to ensure checking the blob size
works when an image is streamed on stdin.

0229 1 2 CPU exhaustion in ReadDPXImage.patch | (download)

coders/dpx.c | 9 5 + 4 - 0 !
1 file changed, 5 insertions(+), 4 deletions(-)

 [patch] [1/2] cpu exhaustion in readdpximage

Because dpx.file.image_offset is an unsigned int, it can be controlled
to be as large as 4294967295.
This will cause ImageMagick to spend a lot of time processing a crafted
DPX image file, even if the image file is very small.

0230 1 2 CPU exhaustion in ReadDPXImage.patch | (download)

coders/dpx.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] [1/2] cpu exhaustion in readdpximage

Because dpx.file.image_offset is an unsigned int, it can be controlled
to be as large as 4294967295.
This will cause ImageMagick to spend a lot of time processing a crafted
DPX image file, even if the image file is very small.

0231 CPU exhaustion in ReadRLEImage.patch | (download)

coders/rle.c | 13 9 + 4 - 0 !
1 file changed, 9 insertions(+), 4 deletions(-)

 [patch] cpu exhaustion in readrleimage

A corrupted rle file could trigger a DOS

bug: https://github.com/ImageMagick/ImageMagick/issues/518
bug-debian: https://bugs.debian.org/867808

0232 Memory exhaustion in ReadCINImage.patch | (download)

coders/cin.c | 3 3 + 0 - 0 !
coders/rle.c | 2 1 + 1 - 0 !
2 files changed, 4 insertions(+), 1 deletion(-)

 [patch] memory exhaustion in readcinimage

When identifying a CIN file that contains user-defined data, ImageMagick will allocate memory to store the
data in function ReadCINImage in coders\inc.c

There is a security check in the function SetImageExtent,
but it comes after the memory allocation, so IM cannot control the memory usage

bug: https://github.com/ImageMagick/ImageMagick/issues/519
bug-debian: https://bugs.debian.org/867810

0233 memory leak in ReadDIBImage in dib.c.patch | (download)

coders/dib.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 [patch] memory leak in readdibimage in dib.c

The ReadDIBImage function in dib.c allows attackers to cause a denial of service (memory leak)
via a small crafted dib file.

bug: https://github.com/ImageMagick/ImageMagick/issues/522
bug-debian: https://bugs.debian.org/867811

0234 memory exhaustion in ReadDPXImage in dpx.c.patch | (download)

coders/dpx.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [patch] memory exhaustion in readdpximage in dpx.c

When identifying a DPX file that contains user header data, ImageMagick will allocate memory to store the data in function ReadDPXImage in coders\dpx.c

There is a security check in the function SetImageExtent, but it is too late, so IM cannot control the memory usage

bug: https://github.com/ImageMagick/ImageMagick/issues/523
bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867812

0235 assertion failed in WriteBlob.patch | (download)

magick/blob.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] assertion failed in writeblob

On version ImageMagick 7.0.5-10, a crafted file revealed an
assertion failure in blob.c.

bug: https://github.com/ImageMagick/ImageMagick/issues/506
bug-debian: https://bugs.debian.org/867798

0236 Memory exhaustion in ReadEPTImage in ept.c.patch | (download)

coders/ept.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [patch] memory exhaustion in readeptimage in ept.c

When identifying an EPT file, ImageMagick will allocate memory to store the data.
There is a security check in the function SetImageExtent, but it is not used in
the allocation function, so IM cannot control the memory usage

bug: https://github.com/ImageMagick/ImageMagick/issues/524
bug-debian: https://bugs.debian.org/867821

0237 CVE 2017 11141 memory exhaustion in ReadMATImage.patch | (download)

coders/mat.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] cve-2017-11141 memory exhaustion in readmatimage

When identifying a MAT file, ImageMagick will allocate memory to store data in function ReadMATImage in coders\mat.c, line 1094

Modifying the MAT file's MATLAB_HDR can cause ImageMagick to allocate an amount of memory of any size; this may cause memory exhaustion

This is CVE-2017-11141

bug: https://github.com/ImageMagick/ImageMagick/issues/469
bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868264

0238 CVE 2017 11170 memory exhaustion in ReadTGAImage.patch | (download)

coders/tga.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] cve-2017-11170 memory exhaustion in readtgaimage

When identifying a VST file, ImageMagick will allocate memory to store data in function ReadTGAImage in coders\tga.c
using the tga_info.bits_per_pixel field directly from the VST file without checking it in tga.c.
Reviewing the function code shows that the maximum valid value of tga_info.bits_per_pixel is 32.
On a 32-bit OS, size_t one will be 32 bits, so image->colors can overflow to 0.
On a 64-bit OS, size_t one will be 64 bits, so image->colors can be as large as 0x100000000 (64GB).

Original patch was edited to remove magick/image.c modifications that lead to compile error
(reverted in 87664f06ef49a1635cf83ab19981800fc655b746)

bug: CVE-2017-11170 memory exhaustion in ReadTGAImage

0239 1 3 CVE 2017 9501 Fixed incorrect call to DestroyIma.patch | (download)

magick/image.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] [1/3] cve-2017-9501 fixed incorrect call to destroyimage
 reported in #491.

An assertion failure was found in the function LockSemaphoreInfo, which allows attackers to cause a denial of service via a crafted file.

bug: https://github.com/ImageMagick/ImageMagick/issues/491
bug-debian: https://bugs.debian.org/867721