From: Cristy <urban-warrior@imagemagick.org>
Date: Fri, 19 Apr 2024 13:39:44 -0400
Subject: CVE-2023-34151
improved range checking (https://github.com/ImageMagick/ImageMagick/issues/6341)
origin: https://github.com/ImageMagick/ImageMagick6/commit/75ebd9975f6ba8106ec15a6b3e6ba95f4c14e117.patch
---
coders/mvg.c | 4 ++--
magick/image-private.h | 46 +++++++++++++++++++++++++++++++++-------------
2 files changed, 35 insertions(+), 15 deletions(-)
diff --git a/coders/mvg.c b/coders/mvg.c
index d8e793e..d17de75 100644
--- a/coders/mvg.c
+++ b/coders/mvg.c
@@ -177,8 +177,8 @@ static Image *ReadMVGImage(const ImageInfo *image_info,ExceptionInfo *exception)
continue;
(void) sscanf(p,"viewbox %lf %lf %lf %lf",&bounds.x1,&bounds.y1,
&bounds.x2,&bounds.y2);
- image->columns=(size_t) floor((bounds.x2-bounds.x1)+0.5);
- image->rows=(size_t) floor((bounds.y2-bounds.y1)+0.5);
+ image->columns=CastDoubleToUnsigned(floor((bounds.x2-bounds.x1)+0.5));
+ image->rows=CastDoubleToUnsigned(floor((bounds.y2-bounds.y1)+0.5));
break;
}
}
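Review bot: the two new assignments before `break` store the result of CastDoubleToUnsigned without checking it, and the sscanf return value on the lines above is still discarded with `(void)`. As the helper is defined later in this patch, a NaN or negative extent comes back as 0 and an oversized one as MAGICK_SIZE_MAX, with errno set to ERANGE in each case. The viewbox branch should confirm that sscanf returned 4 and reject a zero or ERANGE result, rather than carrying the clamped value into image->columns and image->rows.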
diff --git a/magick/image-private.h b/magick/image-private.h
index fc7d4b4..57c5159 100644
--- a/magick/image-private.h
+++ b/magick/image-private.h
@@ -53,30 +53,25 @@ extern "C" {
#define UndefinedCompressionQuality 0UL
#define UndefinedTicksPerSecond 100L
-static inline ssize_t CastDoubleToLong(const double value)
+static inline size_t CastDoubleToLong(const double x)
{
- if (IsNaN(value) != 0)
- return(0);
- if (value > (double) MAGICK_SSIZE_MAX)
- return((ssize_t) MAGICK_SSIZE_MAX);
- if (value < (double) MAGICK_SSIZE_MIN)
- return((ssize_t) MAGICK_SSIZE_MIN);
- return((ssize_t) value);
-}
+ double
+ value;
-static inline size_t CastDoubleToUnsigned(const double x)
-{
if (IsNaN(x) != 0)
{
errno=ERANGE;
return(0);
}
- if (floor(x) > ((double) MAGICK_SSIZE_MAX-1))
+ value=floor(x);
+ if (value > ((double) MAGICK_SSIZE_MAX-1))
{
errno=ERANGE;
return((size_t) MAGICK_SIZE_MAX);
}
- if (ceil(x) < 0.0)
+
+ value=ceil(x);
+ if (value < ((double) MAGICK_SSIZE_MIN+1))
{
errno=ERANGE;
return(0);
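Review bot: the line `+static inline size_t CastDoubleToLong(const double x)` changes the return type from ssize_t to size_t while the body still compares against MAGICK_SSIZE_MAX and MAGICK_SSIZE_MIN, and the unchanged branches return `(size_t) MAGICK_SIZE_MAX` on overflow and 0 on underflow. The removed version clamped to MAGICK_SSIZE_MAX and MAGICK_SSIZE_MIN, so a caller that stores the result in an ssize_t now receives an out-of-range unsigned value on overflow and loses the negative clamp. Suggest keeping the ssize_t return type and returning the signed limits from both range branches, and documenting that errno is set to ERANGE when clamping happens.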
@@ -95,6 +90,31 @@ static inline QuantumAny CastDoubleToQuantumAny(const double x)
return((QuantumAny) (x+0.5));
}
+static inline size_t CastDoubleToUnsigned(const double x)
+{
+ double
+ value;
+
+ if (IsNaN(x) != 0)
+ {
+ errno=ERANGE;
+ return(0);
+ }
+ value=floor(x);
+ if (value > ((double) MAGICK_SIZE_MAX-1))
+ {
+ errno=ERANGE;
+ return((size_t) MAGICK_SIZE_MAX);
+ }
+ value=ceil(x);
+ if (ceil(x) < 0.0)
+ {
+ errno=ERANGE;
+ return(0);
+ }
+ return((size_t) x);
+}
+
static inline double DegreesToRadians(const double degrees)
{
return((double) (MagickPI*degrees/180.0));
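Review bot: in the added CastDoubleToUnsigned, `value=ceil(x);` is a dead store because the next line tests `ceil(x) < 0.0` again instead of `value < 0.0`; use the variable or drop the assignment. The upper bound also deserves a second look: `(double) MAGICK_SIZE_MAX-1` casts before subtracting, and if MAGICK_SIZE_MAX is a 64-bit maximum the subtraction has no effect at double precision, so a strict `>` lets a value equal to the rounded limit reach `return((size_t) x);`. A `>=` comparison against the converted limit would close that boundary case.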