From 3f0a0b70bf7e8682bc89ed8f6a90d9dcce52c36d Mon Sep 17 00:00:00 2001
From: Bastien ROUCARIÈS <roucaries.bastien@gmail.com>
Date: Wed, 2 May 2012 12:37:36 +0200
Subject: [PATCH] Fix security holes JPEG/EXIF/TIFF
An out-of-bounds heap-based buffer read flaw was found in the way ImageMagick
retrieved Exchangeable image file format (Exif) header tag information
from certain JPEG files.
A remote attacker could provide a JPEG image file with an EXIF header
containing specially crafted tag values which, once opened in some ImageMagick
tool, would lead to the crash of that tool (denial of service).
Fix:
* [CVE-2012-0259] JPEG EXIF tag crash.
* [CVE-2012-0260] Excessive memory use with JPEG restart markers.
* [CVE-2012-1798] Copying of invalid memory when reading TIFF EXIF IFD.
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0259
Applied-Upstream: 6.7.6-3
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667635
---
coders/jpeg.c | 8 +++++++-
coders/tiff.c | 7 ++++---
magick/property.c | 4 ++++
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/coders/jpeg.c b/coders/jpeg.c
index d28d458..1803e92 100644
--- a/coders/jpeg.c
+++ b/coders/jpeg.c
@@ -142,6 +142,9 @@ typedef struct _SourceManager
static MagickBooleanType
WriteJPEGImage(const ImageInfo *,Image *);
#endif
+static void
+ JPEGErrorHandler(j_common_ptr);
+
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
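Review bot: the prototype is required because `JPEGErrorHandler` is defined later in the file than `EmitMessage`, which now calls it, and it matches the definition's `static void JPEGErrorHandler(j_common_ptr)` signature. Since it lands directly after the `#endif` that closes the write-side declarations, a one-line comment saying why it is declared here would stop the next reader from assuming it belongs to that conditional block.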
@@ -222,11 +225,12 @@ static MagickBooleanType EmitMessage(j_common_ptr jpeg_info,int level)
image=error_manager->image;
if (level < 0)
{
+ if (jpeg_info->err->num_warnings++ > 1000) /* 1000 = JPEGEcessiveWarnings */
+ JPEGErrorHandler(jpeg_info);
if ((jpeg_info->err->num_warnings == 0) ||
(jpeg_info->err->trace_level >= 3))
ThrowBinaryException(CorruptImageWarning,(char *) message,
image->filename);
- jpeg_info->err->num_warnings++;
}
else
if (jpeg_info->err->trace_level >= level)
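Review bot: moving the increment into `jpeg_info->err->num_warnings++ > 1000` changes when the existing `num_warnings == 0` test can fire: the counter is now bumped before that test, so on this path it is never zero and the first-warning `ThrowBinaryException` only happens when `trace_level >= 3`. If the first warning should still be reported, test `num_warnings == 1` or compare before incrementing. Separately, the comment names `JPEGEcessiveWarnings` (typo) and the literal `1000` duplicates the `JPEGExcessiveWarnings` macro this patch adds further down in `ReadComment`; defining that macro at file scope above `EmitMessage` and writing `> JPEGExcessiveWarnings` here keeps the two from drifting apart.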
@@ -305,6 +309,8 @@ static void JPEGErrorHandler(j_common_ptr jpeg_info)
static boolean ReadComment(j_decompress_ptr jpeg_info)
{
+ #define JPEGExcessiveWarnings 1000
+
char
*comment;
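Review bot: `#define JPEGExcessiveWarnings 1000` is placed inside the body of `ReadComment`, where nothing in this patch uses it; its only intended consumer is the literal `1000` in `EmitMessage`, which sits earlier in the file and so cannot see a macro defined here anyway. Move the define to file scope near the other declarations at the top of `coders/jpeg.c` and replace the literal with it.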
diff --git a/coders/tiff.c b/coders/tiff.c
index 807c127..8d8f2c8 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -589,10 +589,11 @@ static void TIFFGetEXIFProperties(TIFF *tiff,Image *image)
case TIFF_ASCII:
{
char
- *ascii;
+ *ascii= NULL;
- if (TIFFGetField(tiff,exif_info[i].tag,&ascii) != 0)
- (void) CopyMagickMemory(value,ascii,MaxTextExtent);
+ if ((TIFFGetField(tiff,exif_info[i].tag,&ascii) != 0) &&
+ (ascii != (char *) NULL) && (*ascii != '\0'))
+ (void) CopyMagickString(value,ascii,MaxTextExtent);
break;
}
case TIFF_SHORT:
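Review bot: replacing `CopyMagickMemory(value,ascii,MaxTextExtent)` with `CopyMagickString` is the right fix: the old call copied a fixed `MaxTextExtent` bytes regardless of the string's length, reading past the end of short EXIF ASCII values, while `CopyMagickString` stops at the terminating NUL and bounds the destination. Two follow-ups: the `(ascii != (char *) NULL) && (*ascii != '\0')` guard means a missing or empty string leaves `value` untouched, so confirm `value` is reset before each tag is processed or a previous tag's text can be reused; and `*ascii= NULL` should be written `*ascii=(char *) NULL` to match the spacing and cast style used two lines later in this hunk.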
diff --git a/magick/property.c b/magick/property.c
index 6c6d12f..9bde6f3 100644
--- a/magick/property.c
+++ b/magick/property.c
@@ -1307,6 +1307,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
break;
components=(long) ReadPropertyLong(endian,q+4);
number_bytes=(size_t) components*tag_bytes[format];
+ if (number_bytes < components)
+ break; /* prevent overflow */
if (number_bytes <= 4)
p=q+8;
else
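Review bot: `if (number_bytes < components)` only catches some wraparounds of `(size_t) components*tag_bytes[format]`. `components` is a signed `long` read from the file and is converted to unsigned for the comparison, so a negative value becomes a huge `size_t` (and with `tag_bytes[format] == 1` the product equals it and passes), and a product that wraps to a value still greater than or equal to `components` also passes. Rejecting `components < 0` and checking `components > (long) (SIZE_MAX/tag_bytes[format])` before multiplying (after confirming `tag_bytes[format]` is non-zero) closes both cases; the mixed signed/unsigned comparison will also draw a `-Wsign-compare` warning as written.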
@@ -1330,6 +1332,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
buffer[MaxTextExtent],
*value;
+ value=(char *) NULL;
+ *buffer='\0';
switch (format)
{
case EXIF_FMT_BYTE:
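Review bot: initializing `value` to NULL and `buffer` to the empty string removes the use of uninitialized data when no arm of `switch (format)` assigns them, but the code after the switch must then treat `value == NULL` and an empty `buffer` as "no property" rather than as valid text; worth checking that consumer and, if the switch has a `default:` arm, having it return early instead of relying on these defaults.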
--
1.7.10