File: 0058-CVE-2023-1906.patch

package info (click to toggle)
imagemagick 8%3A6.9.11.60%2Bdfsg-1.6%2Bdeb12u3
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 76,816 kB
  • sloc: ansic: 349,503; cpp: 21,804; xml: 11,029; perl: 6,417; sh: 5,877; makefile: 3,042; tcl: 459
file content (50 lines) | stat: -rw-r--r-- 2,359 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
 
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 1 Apr 2023 07:32:01 -0400
Subject: CVE-2023-1906

A heap-based buffer overflow issue was discovered in ImageMagick's
ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c.
An attacker could pass specially crafted file to convert, triggering
an out-of-bounds read error, allowing an application to crash, resulting in a denial of service.

origin: https://github.com/ImageMagick/ImageMagick6/commit/e30c693b37c3b41723f1469d1226a2c814ca443d
---
 coders/tiff.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/coders/tiff.c b/coders/tiff.c
index f545c4e..9b06c24 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -1870,7 +1870,8 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
         /*
           Convert stripped TIFF image.
         */
-        extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
+        extent=MagickMax(sizeof(uint32),(samples_per_pixel+extra_samples)*
+          (image->depth+7)/8)*image->columns*rows_per_strip;
 #if defined(TIFF_VERSION_BIG)
         extent+=image->columns*sizeof(uint64);
 #else
@@ -1970,7 +1971,8 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
         number_pixels=(MagickSizeType) columns*rows;
         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
-        extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
+        extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
+          TIFFTileSize(tiff));
 #if defined(TIFF_VERSION_BIG)
         extent+=image->columns*sizeof(uint64);
 #else
@@ -2071,11 +2073,6 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
         if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse)
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
         number_pixels=(MagickSizeType) image->columns*image->rows;
-#if defined(TIFF_VERSION_BIG)
-        number_pixels+=image->columns*sizeof(uint64);
-#else
-        number_pixels+=image->columns*sizeof(uint32);
-#endif
         generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels));
         if (generic_info == (MemoryInfo *) NULL)
           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");