File: 0075-improved-fix-for-possible-DoS-for-certain-SVG-constr.patch

imagemagick 8%3A6.9.11.60%2Bdfsg-1.6%2Bdeb12u3
From: Cristy <mikayla-grace@urban-warrior.org>
Date: Thu, 23 Dec 2021 06:46:46 -0500
Subject: improved fix for possible DoS for certain SVG constructs

This is a partial fix for CVE-2023-1289

origin: https://github.com/ImageMagick/ImageMagick6/commit/84ec30550c3146f525383f18a786a6bbd5028a93.patch
---
 magick/draw.c | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)

diff --git a/magick/draw.c b/magick/draw.c
index c27cb9a..bab9b47 100644
--- a/magick/draw.c
+++ b/magick/draw.c
@@ -5459,19 +5459,33 @@ MagickExport MagickBooleanType DrawPrimitive(Image *image,
       else
         if (*primitive_info->text != '\0')
           {
+            MagickBooleanType
+              status;
+
+            struct stat
+              attributes;
+
+            (void) CopyMagickString(clone_info->filename,primitive_info->text,
+              MagickPathExtent);
             (void) CopyMagickString(clone_info->filename,primitive_info->text,
               MagickPathExtent);
-            status&=SetImageInfo(clone_info,1,exception);
-            if (clone_info->size != (char *) NULL)
-              clone_info->size=DestroyString(clone_info->size);
-            if (clone_info->extract != (char *) NULL)
-              clone_info->extract=DestroyString(clone_info->extract);
-            if ((LocaleNCompare(clone_info->magick,"http",4) == 0) ||
-                (LocaleCompare(clone_info->magick,"mpri") == 0))
-              (void) CopyMagickString(clone_info->filename,primitive_info->text,
-                MagickPathExtent);
-            if (*clone_info->filename != '\0')
-              composite_images=ReadImage(clone_info,exception);
+            status=GetPathAttributes(clone_info->filename,&attributes);
+            if ((status != MagickFalse) && (S_ISCHR(attributes.st_mode) == 0))
+              {
+                status&=SetImageInfo(clone_info,1,exception);
+                (void) CopyMagickString(clone_info->filename,
+                  primitive_info->text,MagickPathExtent);
+                if (clone_info->size != (char *) NULL)
+                  clone_info->size=DestroyString(clone_info->size);
+                if (clone_info->extract != (char *) NULL)
+                  clone_info->extract=DestroyString(clone_info->extract);
+                if ((LocaleCompare(clone_info->magick,"file") == 0) ||
+                    (LocaleCompare(clone_info->magick,"https") == 0) ||
+                    (LocaleCompare(clone_info->magick,"http") == 0) ||
+                    (LocaleCompare(clone_info->magick,"mpri") == 0) ||
+                    (IsPathAccessible(clone_info->filename) != MagickFalse))
+                  composite_images=ReadImage(clone_info,exception);
+              }
           }
       clone_info=DestroyImageInfo(clone_info);
       if (composite_images == (Image *) NULL)
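Review bot: The new guard `S_ISCHR(attributes.st_mode) == 0` rejects only character devices, so a FIFO or block device named in `primitive_info->text` still reaches `ReadImage` and can stall the reader; if only ordinary files are meant to be composited here, `(S_ISREG(attributes.st_mode) != 0)` is the tighter test. The check is made on the path and `ReadImage` reopens that path later, so it narrows the problem rather than closing it, which is consistent with the description calling this a partial fix. The block-local `MagickBooleanType status;` appears to shadow the `status` that the removed `status&=SetImageInfo(...)` line updated, so a SetImageInfo failure would no longer reach the enclosing function's result; a distinct name such as `path_status` for the GetPathAttributes result would avoid that. The first added `CopyMagickString` call duplicates the context line directly after it and can be dropped. DrawPrimitive's body starts and ends outside the hunk.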