1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
From: Cristy <urban-warrior@imagemagick.org>
Date: Fri, 19 Apr 2024 14:33:05 -0400
Subject: check for value < 0, ceil() not required
This patch addresses CVE-2023-34151, not a recurring bug of CVE-2022-32546.
Cast from double to integer is hard to correctly and was fixed by a few patches upstream.
bug: https://github.com/ImageMagick/ImageMagick/issues/6341
origin: https://github.com/ImageMagick/ImageMagick6/commit/b72508c8fce196cd031856574c202490be830649.patch
---
magick/image-private.h | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/magick/image-private.h b/magick/image-private.h
index 57c5159..bfc0265 100644
--- a/magick/image-private.h
+++ b/magick/image-private.h
@@ -67,16 +67,14 @@ static inline size_t CastDoubleToLong(const double x)
if (value > ((double) MAGICK_SSIZE_MAX-1))
{
errno=ERANGE;
- return((size_t) MAGICK_SIZE_MAX);
- }
-
- value=ceil(x);
+ return((ssize_t) MAGICK_SSIZE_MAX);
+ } value=ceil(x);
if (value < ((double) MAGICK_SSIZE_MIN+1))
{
errno=ERANGE;
return(0);
}
- return((size_t) x);
+ return((ssize_t) value);
}
static inline QuantumAny CastDoubleToQuantumAny(const double x)
@@ -106,13 +104,12 @@ static inline size_t CastDoubleToUnsigned(const double x)
errno=ERANGE;
return((size_t) MAGICK_SIZE_MAX);
}
- value=ceil(x);
- if (ceil(x) < 0.0)
+ if (value < 0.0)
{
errno=ERANGE;
return(0);
}
- return((size_t) x);
+ return((size_t) value);
}
static inline double DegreesToRadians(const double degrees)
|
