From: Cristy <urban-warrior@imagemagick.org>
Date: Fri, 19 Apr 2024 19:38:56 -0400
Subject: fix undefined behaviors when casting double to size_t
This is needed for fixing CVE-2023-34151
Casting from double to integer is hard to do correctly and was fixed by a few patches upstream.
bug: https://github.com/ImageMagick/ImageMagick/issues/6341
origin: https://github.com/ImageMagick/ImageMagick6/commit/88789966667b748f14a904f8c9122274810e8a3e
---
magick/image-private.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/magick/image-private.h b/magick/image-private.h
index bfc0265..839ed72 100644
--- a/magick/image-private.h
+++ b/magick/image-private.h
@@ -64,12 +64,12 @@ static inline size_t CastDoubleToLong(const double x)
return(0);
}
value=floor(x);
- if (value > ((double) MAGICK_SSIZE_MAX-1))
+ if (value > ((double) MAGICK_SSIZE_MAX))
{
errno=ERANGE;
return((ssize_t) MAGICK_SSIZE_MAX);
} value=ceil(x);
- if (value < ((double) MAGICK_SSIZE_MIN+1))
+ if (value < ((double) MAGICK_SSIZE_MIN))
{
errno=ERANGE;
return(0);
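Review bot: On 64-bit builds the new upper bound in CastDoubleToLong still admits one out-of-range value: `(double) MAGICK_SSIZE_MAX` rounds up to 2^63, so `value > ...` is false when value is exactly 2^63, and a later conversion of that value to ssize_t would be undefined behaviour, which is the class of bug this patch targets. Assuming MAGICK_SSIZE_MAX is the ssize_t maximum (its definition is not in the hunk), a bound that is exactly representable on both 32- and 64-bit closes the gap: `if (value >= ((double) MAGICK_SSIZE_MAX+1.0))`. The CastDoubleToUnsigned hunk below has the same problem, since `(double) MAGICK_SIZE_MAX` rounds to 2^64; the matching change is `if (value >= ((double) MAGICK_SIZE_MAX+1.0))`. Both function bodies continue outside their hunks, so the final cast is inferred rather than visible here.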
@@ -99,7 +99,7 @@ static inline size_t CastDoubleToUnsigned(const double x)
return(0);
}
value=floor(x);
- if (value > ((double) MAGICK_SIZE_MAX-1))
+ if (value > ((double) MAGICK_SIZE_MAX))
{
errno=ERANGE;
return((size_t) MAGICK_SIZE_MAX);