11 files changed, 2 insertions(+), 966 deletions(-)
M gnu/local.mk
M gnu/packages/imagemagick.scm
D gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch
D gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch
D gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch
D gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch
D gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch
D gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch
D gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch
D gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch
D gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch
M gnu/local.mk => gnu/local.mk +0 -9
@@ 704,15 704,6 @@ dist_patch_DATA = \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-cc.patch \
%D%/packages/patches/gobject-introspection-girepository.patch \
- %D%/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch \
- %D%/packages/patches/graphicsmagick-CVE-2017-12935.patch \
- %D%/packages/patches/graphicsmagick-CVE-2017-12936.patch \
- %D%/packages/patches/graphicsmagick-CVE-2017-12937.patch \
- %D%/packages/patches/graphicsmagick-CVE-2017-13775.patch \
- %D%/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch \
- %D%/packages/patches/graphicsmagick-CVE-2017-14042.patch \
- %D%/packages/patches/graphicsmagick-CVE-2017-14165.patch \
- %D%/packages/patches/graphicsmagick-CVE-2017-14649.patch \
%D%/packages/patches/graphite2-ffloat-store.patch \
%D%/packages/patches/grep-gnulib-lock.patch \
%D%/packages/patches/grep-timing-sensitive-test.patch \
M gnu/packages/imagemagick.scm => gnu/packages/imagemagick.scm +2 -12
@@ 164,7 164,7 @@ script.")
(define-public graphicsmagick
(package
(name "graphicsmagick")
- (version "1.3.26")
+ (version "1.3.27")
(source (origin
(method url-fetch)
(uri
@@ 176,17 176,7 @@ script.")
"/GraphicsMagick-" version ".tar.xz")))
(sha256
(base32
- "122zgs96dqrys62mnh8x5yvfff6km4d3yrnvaxzg3mg5sprib87v"))
- (patches
- (search-patches "graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch"
- "graphicsmagick-CVE-2017-12935.patch"
- "graphicsmagick-CVE-2017-12936.patch"
- "graphicsmagick-CVE-2017-12937.patch"
- "graphicsmagick-CVE-2017-13775.patch"
- "graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch"
- "graphicsmagick-CVE-2017-14042.patch"
- "graphicsmagick-CVE-2017-14165.patch"
- "graphicsmagick-CVE-2017-14649.patch"))))
+ "0rq35p3rml10cxz2z4s7xcfsilhhk19mmy094g3ivz0fg797hcnh"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
D gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch => gnu/packages/patches/graphicsmagick-CVE-2017-11403+CVE-2017-14103.patch +0 -137
@@ 1,137 0,0 @@
-http://www.openwall.com/lists/oss-security/2017/09/01/6
-
-CVE-2017-11403:
-http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37
-
-CVE-2017-14103:
-http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f
-
-some changes were made to make the patch apply
-
-# HG changeset patch
-# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
-# Date 1503875721 14400
-# Node ID 98721124e51fd5ec0c6fba64bce2e218869632d2
-# Parent f0f2ea85a2930f3b6dcd72352719adb9660f2aad
-Attempt to fix Issue 440.
-
-diff -ru a/coders/png.c b/coders/png.c
---- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
-+++ b/coders/png.c 2017-09-10 11:31:56.543194173 -0400
-@@ -3106,7 +3106,9 @@
- if (length > PNG_MAX_UINT || count == 0)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(CorruptImageError,CorruptImage,image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "chunk length (%lu) > PNG_MAX_UINT",length);
-+ return ((Image*)NULL);
- }
-
- chunk=(unsigned char *) NULL;
-@@ -3117,13 +3119,16 @@
- if (chunk == (unsigned char *) NULL)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
-- image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " Could not allocate chunk memory");
-+ return ((Image*)NULL);
- }
- if (ReadBlob(image,length,chunk) < length)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(CorruptImageError,CorruptImage,image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " chunk reading was incomplete");
-+ return ((Image*)NULL);
- }
- p=chunk;
- }
-@@ -3198,7 +3203,7 @@
- jng_width, jng_height);
- MagickFreeMemory(chunk);
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-+ return ((Image *)NULL);
- }
-
- /* Temporarily set width and height resources to match JHDR */
-@@ -3233,8 +3238,9 @@
- if (color_image == (Image *) NULL)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
-- image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not open color_image blob");
-+ return ((Image *)NULL);
- }
- if (logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-@@ -3245,7 +3251,9 @@
- if (status == MagickFalse)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(CoderError,UnableToOpenBlob,color_image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not open color_image blob");
-+ return ((Image *)NULL);
- }
-
- if (!image_info->ping && jng_color_type >= 12)
-@@ -3255,17 +3263,18 @@
- if (alpha_image_info == (ImageInfo *) NULL)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(ResourceLimitError,
-- MemoryAllocationFailed, image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not allocate alpha_image_info",length);
-+ return ((Image *)NULL);
- }
- GetImageInfo(alpha_image_info);
- alpha_image=AllocateImage(alpha_image_info);
- if (alpha_image == (Image *) NULL)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- ThrowReaderException(ResourceLimitError,
-- MemoryAllocationFailed,
-- alpha_image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not allocate alpha_image");
-+ return ((Image *)NULL);
- }
- if (logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-@@ -3277,7 +3286,9 @@
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
- DestroyImage(alpha_image);
-- ThrowReaderException(CoderError,UnableToOpenBlob,image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " could not allocate alpha_image blob");
-+ return ((Image *)NULL);
- }
- if (jng_alpha_compression_method == 0)
- {
-@@ -3613,6 +3624,8 @@
- alpha_image = (Image *)NULL;
- DestroyImageInfo(alpha_image_info);
- alpha_image_info = (ImageInfo *)NULL;
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " Destroy the JNG image");
- DestroyImage(jng_image);
- jng_image = (Image *)NULL;
- }
-@@ -5146,8 +5159,8 @@
-
- if (image == (Image *) NULL)
- {
-- DestroyImageList(previous);
- CloseBlob(previous);
-+ DestroyImageList(previous);
- MngInfoFreeStruct(mng_info,&have_mng_structure);
- return((Image *) NULL);
- }
D gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch => gnu/packages/patches/graphicsmagick-CVE-2017-12935.patch +0 -28
@@ 1,28 0,0 @@
-This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188.
-
-diff -ur a/coders/png.c b/coders/png.c
---- a/coders/png.c 2017-07-04 17:32:08.000000000 -0400
-+++ b/coders/png.c 2017-08-19 11:16:20.933969362 -0400
-@@ -4101,11 +4101,17 @@
- mng_info->image=image;
- }
-
-- if ((mng_info->mng_width > 65535L) || (mng_info->mng_height
-- > 65535L))
-- (void) ThrowException(&image->exception,ImageError,
-- WidthOrHeightExceedsLimit,
-- image->filename);
-+ if ((mng_info->mng_width > 65535L) ||
-+ (mng_info->mng_height > 65535L))
-+ {
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " MNG width or height is too large: %lu, %lu",
-+ mng_info->mng_width,mng_info->mng_height);
-+ MagickFreeMemory(chunk);
-+ ThrowReaderException(CorruptImageError,
-+ ImproperImageHeader,image);
-+ }
-+
- FormatString(page_geometry,"%lux%lu+0+0",mng_info->mng_width,
- mng_info->mng_height);
- mng_info->frame.left=0;
D gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch => gnu/packages/patches/graphicsmagick-CVE-2017-12936.patch +0 -16
@@ 1,16 0,0 @@
-This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd.
-
-diff -ur a/coders/wmf.c b/coders/wmf.c
---- a/coders/wmf.c 2016-09-05 15:20:23.000000000 -0400
-+++ b/coders/wmf.c 2017-08-19 10:38:08.984187264 -0400
-@@ -2719,8 +2719,8 @@
- if(image->exception.severity != UndefinedException)
- ThrowException2(exception,
- CoderWarning,
-- ddata->image->exception.reason,
-- ddata->image->exception.description);
-+ image->exception.reason,
-+ image->exception.description);
-
- if(logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),"leave ReadWMFImage()");
D gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch => gnu/packages/patches/graphicsmagick-CVE-2017-12937.patch +0 -28
@@ 1,28 0,0 @@
-This patch comes from http://hg.code.sf.net/p/graphicsmagick/code/rev/95d00d55e978.
-
-diff -ur a/coders/sun.c b/coders/sun.c
---- a/coders/sun.c 2016-05-30 13:19:54.000000000 -0400
-+++ b/coders/sun.c 2017-08-18 18:00:00.191023610 -0400
-@@ -1,5 +1,5 @@
- /*
--% Copyright (C) 2003-2015 GraphicsMagick Group
-+% Copyright (C) 2003-2017 GraphicsMagick Group
- % Copyright (C) 2002 ImageMagick Studio
- % Copyright 1991-1999 E. I. du Pont de Nemours and Company
- %
-@@ -577,6 +577,7 @@
- for (bit=7; bit >= 0; bit--)
- {
- index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
-+ VerifyColormapIndex(image,index);
- indexes[x+7-bit]=index;
- q[x+7-bit]=image->colormap[index];
- }
-@@ -587,6 +588,7 @@
- for (bit=7; bit >= (long) (8-(image->columns % 8)); bit--)
- {
- index=((*p) & (0x01 << bit) ? 0x01 : 0x00);
-+ VerifyColormapIndex(image,index);
- indexes[x+7-bit]=index;
- q[x+7-bit]=image->colormap[index];
- }
D gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch => gnu/packages/patches/graphicsmagick-CVE-2017-13775.patch +0 -195
@@ 1,195 0,0 @@
-http://openwall.com/lists/oss-security/2017/08/31/3
-http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/b037d79b6ccd
-
-some changes were made to make the patch apply
-
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1503774853 18000
-# Node ID b037d79b6ccd0cfba7ba9ce09b454ed46d688036
-# Parent 198ea602ea7cc767dc3022bbcf887bcd4534158d
-JNX: Fix DOS issues
-
-diff -r 198ea602ea7c -r b037d79b6ccd coders/jnx.c
---- a/coders/jnx.c Tue Aug 22 08:08:30 2017 -0500
-+++ b/coders/jnx.c Sat Aug 26 14:14:13 2017 -0500
-@@ -1,5 +1,5 @@
- /*
--% Copyright (C) 2012-2015 GraphicsMagick Group
-+% Copyright (C) 2012-2017 GraphicsMagick Group
- %
- % This program is covered by multiple licenses, which are described in
- % Copyright.txt. You should have received a copy of Copyright.txt with this
-@@ -100,6 +100,7 @@
-
- char img_label_str[MaxTextExtent];
-
-+
- alloc_size = TileInfo->PicSize + 2;
-
- if (image->logging)
-@@ -242,6 +243,9 @@
- total_tiles,
- current_tile;
-
-+ magick_off_t
-+ file_size;
-+
- /* Open image file. */
- assert(image_info != (const ImageInfo *) NULL);
- assert(image_info->signature == MagickSignature);
-@@ -254,9 +258,8 @@
- if (status == False)
- ThrowReaderException(FileOpenError, UnableToOpenFile, image);
-
-- memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
--
- /* Read JNX image header. */
-+ (void) memset(&JNXHeader, 0, sizeof(JNXHeader));
- JNXHeader.Version = ReadBlobLSBLong(image);
- if (JNXHeader.Version > 4)
- ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
-@@ -266,8 +269,6 @@
- JNXHeader.MapBounds.SouthWest.lat = ReadBlobLSBLong(image);
- JNXHeader.MapBounds.SouthWest.lon = ReadBlobLSBLong(image);
- JNXHeader.Levels = ReadBlobLSBLong(image);
-- if (JNXHeader.Levels > 20)
-- ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
- JNXHeader.Expiration = ReadBlobLSBLong(image);
- JNXHeader.ProductID = ReadBlobLSBLong(image);
- JNXHeader.CRC = ReadBlobLSBLong(image);
-@@ -279,7 +280,41 @@
- if (EOFBlob(image))
- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-
-+ file_size = GetBlobSize(image);
-+
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "JNX Header:\n"
-+ " Version: %u\n"
-+ " DeviceSN: %u\n"
-+ " MapBounds:\n"
-+ " NorthEast: lat = %u, lon = %u\n"
-+ " SouthWest: lat = %u, lon = %u\n"
-+ " Levels: %u\n"
-+ " Expiration: %u\n"
-+ " ProductID: %u\n"
-+ " CRC: %u\n"
-+ " SigVersion: %u\n"
-+ " SigOffset: %u\n"
-+ " ZOrder: %u",
-+ JNXHeader.Version,
-+ JNXHeader.DeviceSN,
-+ JNXHeader.MapBounds.NorthEast.lat,
-+ JNXHeader.MapBounds.NorthEast.lon,
-+ JNXHeader.MapBounds.SouthWest.lat,
-+ JNXHeader.MapBounds.SouthWest.lon,
-+ JNXHeader.Levels,
-+ JNXHeader.Expiration,
-+ JNXHeader.ProductID,
-+ JNXHeader.CRC,
-+ JNXHeader.SigVersion,
-+ JNXHeader.SigOffset,
-+ JNXHeader.ZOrder);
-+
-+ if (JNXHeader.Levels > 20)
-+ ThrowReaderException(CorruptImageError, ImproperImageHeader, image);
-+
- /* Read JNX image level info. */
-+ memset(JNXLevelInfo, 0, sizeof(JNXLevelInfo));
- total_tiles = 0;
- current_tile = 0;
- for (i = 0; i < JNXHeader.Levels; i++)
-@@ -302,11 +337,23 @@
- {
- JNXLevelInfo[i].Copyright = NULL;
- }
-+
-+ if (EOFBlob(image))
-+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+
-+ if (image->logging)
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "Level[%u] Info:"
-+ " TileCount: %4u"
-+ " TilesOffset: %6u"
-+ " Scale: %04u",
-+ i,
-+ JNXLevelInfo[i].TileCount,
-+ JNXLevelInfo[i].TilesOffset,
-+ JNXLevelInfo[i].Scale
-+ );
- }
-
-- if (EOFBlob(image))
-- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
--
- /* Get the current limit */
- SaveLimit = GetMagickResourceLimit(MapResource);
-
-@@ -316,11 +363,32 @@
- /* Read JNX image data. */
- for (i = 0; i < JNXHeader.Levels; i++)
- {
-+ /*
-+ Validate TileCount against remaining file data
-+ */
-+ const magick_off_t current_offset = TellBlob(image);
-+ const size_t pos_list_entry_size =
-+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t) + sizeof(magick_uint32_t) +
-+ sizeof(magick_uint32_t) + sizeof(magick_uint16_t) + sizeof(magick_uint16_t) +
-+ sizeof(magick_uint32_t) + sizeof(magick_uint32_t);
-+ const magick_off_t remaining = file_size-current_offset;
-+ const size_t needed = MagickArraySize(pos_list_entry_size,JNXLevelInfo[i].TileCount);
-+
-+ if ((needed == 0U) || (remaining <= 0) || (remaining < (magick_off_t) needed))
-+ {
-+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
-+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+ }
-+
- PositionList = MagickAllocateArray(TJNXTileInfo *,
- JNXLevelInfo[i].TileCount,
- sizeof(TJNXTileInfo));
- if (PositionList == NULL)
-- continue;
-+ {
-+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
-+ ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,
-+ image);
-+ }
-
- (void) SeekBlob(image, JNXLevelInfo[i].TilesOffset, SEEK_SET);
- for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
-@@ -333,12 +401,15 @@
- PositionList[j].PicHeight = ReadBlobLSBShort(image);
- PositionList[j].PicSize = ReadBlobLSBLong(image);
- PositionList[j].PicOffset = ReadBlobLSBLong(image);
-- }
-
-- if (EOFBlob(image))
-- {
-- MagickFreeMemory(PositionList);
-- ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+ if (EOFBlob(image) ||
-+ ((magick_off_t) PositionList[j].PicOffset +
-+ PositionList[j].PicSize > file_size))
-+ {
-+ (void) SetMagickResourceLimit(MapResource, SaveLimit);
-+ MagickFreeMemory(PositionList);
-+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+ }
- }
-
- for (j = 0; j < JNXLevelInfo[i].TileCount; j++)
-@@ -351,6 +422,9 @@
- image = ExtractTileJPG(image, image_info, PositionList+j, exception);
- (void) SetMonitorHandler(previous_handler);
-
-+ if (exception->severity >= ErrorException)
-+ break;
-+
- current_tile++;
- if (QuantumTick(current_tile,total_tiles))
- if (!MagickMonitorFormatted(current_tile,total_tiles,exception,
-
D gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch => gnu/packages/patches/graphicsmagick-CVE-2017-13776+CVE-2017-13777.patch +0 -179
@@ 1,179 0,0 @@
-http://openwall.com/lists/oss-security/2017/08/31/1
-http://openwall.com/lists/oss-security/2017/08/31/2
-http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/233a720bfd5e
-
-some changes were made to make the patch apply
-
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1503779175 18000
-# Node ID 233a720bfd5efd378f133a776507ed41230da617
-# Parent b037d79b6ccd0cfba7ba9ce09b454ed46d688036
-XBM: Fix DOS issues.
-
-diff -r b037d79b6ccd -r 233a720bfd5e coders/xbm.c
---- a/coders/xbm.c Sat Aug 26 14:14:13 2017 -0500
-+++ b/coders/xbm.c Sat Aug 26 15:26:15 2017 -0500
-@@ -1,5 +1,5 @@
- /*
--% Copyright (C) 2003 -2012 GraphicsMagick Group
-+% Copyright (C) 2003-2017 GraphicsMagick Group
- % Copyright (C) 2002 ImageMagick Studio
- % Copyright 1991-1999 E. I. du Pont de Nemours and Company
- %
-@@ -121,13 +121,15 @@
-
- static int XBMInteger(Image *image,short int *hex_digits)
- {
-+ unsigned int
-+ flag;
-+
- int
- c,
-- flag,
- value;
-
- value=0;
-- flag=0;
-+ flag=0U;
- for ( ; ; )
- {
- c=ReadBlobByte(image);
-@@ -158,18 +160,14 @@
- Image
- *image;
-
-- int
-- bit;
--
-- long
-- y;
--
- register IndexPacket
- *indexes;
-
-- register long
-+ register size_t
-+ bytes_per_line,
- i,
-- x;
-+ x,
-+ y;
-
- register PixelPacket
- *q;
-@@ -177,22 +175,24 @@
- register unsigned char
- *p;
-
-- short int
-- hex_digits[256];
--
- unsigned char
- *data;
-
- unsigned int
-+ bit,
-+ byte,
-+ padding,
-+ version;
-+
-+ int
-+ value;
-+
-+ short int
-+ hex_digits[256];
-+
-+ MagickPassFail
- status;
-
-- unsigned long
-- byte,
-- bytes_per_line,
-- padding,
-- value,
-- version;
--
- /*
- Open image file.
- */
-@@ -207,6 +207,8 @@
- /*
- Read X bitmap header.
- */
-+ (void) memset(buffer,0,sizeof(buffer));
-+ name[0]='\0';
- while (ReadBlobString(image,buffer) != (char *) NULL)
- if (sscanf(buffer,"#define %s %lu",name,&image->columns) == 2)
- if ((strlen(name) >= 6) &&
-@@ -278,6 +280,8 @@
- /*
- Initialize hex values.
- */
-+ for (i = 0; i < sizeof(hex_digits)/sizeof(hex_digits[0]); i++)
-+ hex_digits[i]=(-1);
- hex_digits['0']=0;
- hex_digits['1']=1;
- hex_digits['2']=2;
-@@ -311,40 +315,50 @@
- */
- p=data;
- if (version == 10)
-- for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2))
-+ for (i=0; i < (bytes_per_line*image->rows); (i+=2))
- {
- value=XBMInteger(image,hex_digits);
-+ if (value < 0)
-+ {
-+ MagickFreeMemory(data);
-+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-+ }
- *p++=(unsigned char) value;
- if (!padding || ((i+2) % bytes_per_line))
- *p++=(unsigned char) (value >> 8);
- }
- else
-- for (i=0; i < (long) (bytes_per_line*image->rows); i++)
-+ for (i=0; i < (bytes_per_line*image->rows); i++)
- {
- value=XBMInteger(image,hex_digits);
-+ if (value < 0)
-+ {
-+ MagickFreeMemory(data);
-+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-+ }
- *p++=(unsigned char) value;
- }
- /*
- Convert X bitmap image to pixel packets.
- */
- p=data;
-- for (y=0; y < (long) image->rows; y++)
-+ for (y=0; y < image->rows; y++)
- {
- q=SetImagePixels(image,0,y,image->columns,1);
- if (q == (PixelPacket *) NULL)
- break;
- indexes=AccessMutableIndexes(image);
-- bit=0;
-- byte=0;
-- for (x=0; x < (long) image->columns; x++)
-+ bit=0U;
-+ byte=0U;
-+ for (x=0; x < image->columns; x++)
- {
-- if (bit == 0)
-+ if (bit == 0U)
- byte=(*p++);
- indexes[x]=byte & 0x01 ? 0x01 : 0x00;
- bit++;
-- byte>>=1;
-- if (bit == 8)
-- bit=0;
-+ byte>>=1U;
-+ if (bit == 8U)
-+ bit=0U;
- }
- if (!SyncImagePixels(image))
- break;
-
D gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch => gnu/packages/patches/graphicsmagick-CVE-2017-14042.patch +0 -80
@@ 1,80 0,0 @@
-http://openwall.com/lists/oss-security/2017/08/28/5
-http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d
-
-some changes were made to make the patch apply
-
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1503268616 18000
-# Node ID 3bbf7a13643df3be76b0e19088a6cc632eea2072
-# Parent 83a5b946180835f260bcb91e3d06327a8e2577e3
-PNM: For binary formats, verify sufficient backing file data before memory request.
-
-diff -r 83a5b9461808 -r 3bbf7a13643d coders/pnm.c
---- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500
-+++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500
-@@ -569,7 +569,7 @@
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u",
- image->colors);
- }
-- number_pixels=image->columns*image->rows;
-+ number_pixels=MagickArraySize(image->columns,image->rows);
- if (number_pixels == 0)
- ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image);
- if (image->storage_class == PseudoClass)
-@@ -858,14 +858,14 @@
- if (1 == bits_per_sample)
- {
- /* PBM */
-- bytes_per_row=((image->columns+7) >> 3);
-+ bytes_per_row=((image->columns+7U) >> 3);
- import_options.grayscale_miniswhite=MagickTrue;
- quantum_type=GrayQuantum;
- }
- else
- {
- /* PGM & XV_332 */
-- bytes_per_row=((bits_per_sample+7)/8)*image->columns;
-+ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns);
- if (XV_332_Format == format)
- {
- quantum_type=IndexQuantum;
-@@ -878,7 +878,8 @@
- }
- else
- {
-- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns;
-+ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel),
-+ image->columns);
- if (3 == samples_per_pixel)
- {
- /* PPM */
-@@ -915,6 +916,28 @@
- is_monochrome=MagickFalse;
- }
- }
-+
-+ /* Validate file size before allocating memory */
-+ if (BlobIsSeekable(image))
-+ {
-+ const magick_off_t file_size = GetBlobSize(image);
-+ const magick_off_t current_offset = TellBlob(image);
-+ if ((file_size > 0) &&
-+ (current_offset > 0) &&
-+ (file_size > current_offset))
-+ {
-+ const magick_off_t remaining = file_size-current_offset;
-+ const magick_off_t needed = (magick_off_t) image->rows *
-+ (magick_off_t) bytes_per_row;
-+ if ((remaining < (magick_off_t) bytes_per_row) ||
-+ (remaining < needed))
-+ {
-+ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,
-+ image->filename);
-+ break;
-+ }
-+ }
-+ }
-
- scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1);
- if (scanline_set == (ThreadViewDataSet *) NULL)
D gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch => gnu/packages/patches/graphicsmagick-CVE-2017-14165.patch +0 -72
@@ 1,72 0,0 @@
-http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/493da54370aa
-http://openwall.com/lists/oss-security/2017/09/06/4
-
-some changes were made to make the patch apply
-
-# HG changeset patch
-# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
-# Date 1503257388 18000
-# Node ID 493da54370aa42cb430c52a69eb75db0001a5589
-# Parent f8724674907902b7bc37c04f252fe30fbdd88e6f
-SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions.
-
-diff -r f87246749079 -r 493da54370aa coders/sun.c
---- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200
-+++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500
-@@ -498,6 +498,12 @@
- if (sun_info.depth < 8)
- image->depth=sun_info.depth;
-
-+ if (image_info->ping)
-+ {
-+ CloseBlob(image);
-+ return(image);
-+ }
-+
- /*
- Compute bytes per line and bytes per image for an unencoded
- image.
-@@ -522,15 +528,37 @@
- if (bytes_per_image > sun_info.length)
- ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-
-- if (image_info->ping)
-- {
-- CloseBlob(image);
-- return(image);
-- }
- if (sun_info.type == RT_ENCODED)
- sun_data_length=(size_t) sun_info.length;
- else
- sun_data_length=bytes_per_image;
-+
-+ /*
-+ Verify that data length claimed by header is supported by file size
-+ */
-+ if (sun_info.type == RT_ENCODED)
-+ {
-+ if (sun_data_length < bytes_per_image/255U)
-+ {
-+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
-+ }
-+ }
-+ if (BlobIsSeekable(image))
-+ {
-+ const magick_off_t file_size = GetBlobSize(image);
-+ const magick_off_t current_offset = TellBlob(image);
-+ if ((file_size > 0) &&
-+ (current_offset > 0) &&
-+ (file_size > current_offset))
-+ {
-+ const magick_off_t remaining = file_size-current_offset;
-+ if (remaining < (magick_off_t) sun_data_length)
-+ {
-+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
-+ }
-+ }
-+ }
-+
- sun_data=MagickAllocateMemory(unsigned char *,sun_data_length);
- if (sun_data == (unsigned char *) NULL)
- ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
-
D gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch => gnu/packages/patches/graphicsmagick-CVE-2017-14649.patch +0 -210
@@ 1,210 0,0 @@
-http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a
-http://www.openwall.com/lists/oss-security/2017/09/22/2
-
-Some changes were made to make the patch apply.
-
-Notably, the DestroyJNG() function in the upstream diff has been replaced by
-its equivalent, a series of calls to MagickFreeMemory(), DestroyImageInfo(),
-and DestroyImage(). See
-http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5.
-
-# HG changeset patch
-# User Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
-# Date 1504014487 14400
-# Node ID 358608a46f0a9c55e9bb8b37d09bf1ac9bc87f06
-# Parent 38c362f0ae5e7a914c3fe822284c6953f8e6eee2
-Fix Issue 439
-
-diff -ru a/coders/png.c b/coders/png.c
---- a/coders/png.c 1969-12-31 19:00:00.000000000 -0500
-+++ b/coders/png.c 2017-09-30 08:20:16.218944991 -0400
-@@ -1176,15 +1176,15 @@
- /* allocate space */
- if (length == 0)
- {
-- (void) ThrowException2(&image->exception,CoderWarning,
-- "invalid profile length",(char *) NULL);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "invalid profile length");
- return (MagickFail);
- }
- info=MagickAllocateMemory(unsigned char *,length);
- if (info == (unsigned char *) NULL)
- {
-- (void) ThrowException2(&image->exception,CoderWarning,
-- "unable to copy profile",(char *) NULL);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "Unable to copy profile");
- return (MagickFail);
- }
- /* copy profile, skipping white space and column 1 "=" signs */
-@@ -1197,8 +1197,8 @@
- if (*sp == '\0')
- {
- MagickFreeMemory(info);
-- (void) ThrowException2(&image->exception,CoderWarning,
-- "ran out of profile data",(char *) NULL);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "ran out of profile data");
- return (MagickFail);
- }
- sp++;
-@@ -1234,8 +1234,9 @@
- if(SetImageProfile(image,profile_name,info,length) == MagickFail)
- {
- MagickFreeMemory(info);
-- (void) ThrowException(&image->exception,ResourceLimitError,
-- MemoryAllocationFailed,"unable to copy profile");
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ "unable to copy profile");
-+ return MagickFail;
- }
- MagickFreeMemory(info);
- return MagickTrue;
-@@ -3285,7 +3286,6 @@
- if (status == MagickFalse)
- {
- DestroyJNGInfo(color_image_info,alpha_image_info);
-- DestroyImage(alpha_image);
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " could not allocate alpha_image blob");
- return ((Image *)NULL);
-@@ -3534,7 +3534,7 @@
- CloseBlob(color_image);
- if (logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-- " Reading jng_image from color_blob.");
-+ " Reading jng_image from color_blob.");
-
- FormatString(color_image_info->filename,"%.1024s",color_image->filename);
-
-@@ -3558,13 +3558,18 @@
-
- if (logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-- " Copying jng_image pixels to main image.");
-+ " Copying jng_image pixels to main image.");
- image->rows=jng_height;
- image->columns=jng_width;
- length=image->columns*sizeof(PixelPacket);
-+ if ((jng_height == 0 || jng_width == 0) && logging)
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " jng_width=%lu jng_height=%lu",
-+ (unsigned long)jng_width,(unsigned long)jng_height);
- for (y=0; y < (long) image->rows; y++)
- {
-- s=AcquireImagePixels(jng_image,0,y,image->columns,1,&image->exception);
-+ s=AcquireImagePixels(jng_image,0,y,image->columns,1,
-+ &image->exception);
- q=SetImagePixels(image,0,y,image->columns,1);
- (void) memcpy(q,s,length);
- if (!SyncImagePixels(image))
-@@ -3589,45 +3594,79 @@
- CloseBlob(alpha_image);
- if (logging)
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-- " Reading opacity from alpha_blob.");
-+ " Reading opacity from alpha_blob.");
-
- FormatString(alpha_image_info->filename,"%.1024s",
- alpha_image->filename);
-
- jng_image=ReadImage(alpha_image_info,exception);
-
-- for (y=0; y < (long) image->rows; y++)
-+ if (jng_image == (Image *)NULL)
- {
-- s=AcquireImagePixels(jng_image,0,y,image->columns,1,
-- &image->exception);
-- if (image->matte)
-- {
-- q=SetImagePixels(image,0,y,image->columns,1);
-- for (x=(long) image->columns; x > 0; x--,q++,s++)
-- q->opacity=(Quantum) MaxRGB-s->red;
-- }
-- else
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " jng_image is NULL.");
-+ if (color_image_info)
-+ DestroyImageInfo(color_image_info);
-+ if (alpha_image_info)
-+ DestroyImageInfo(alpha_image_info);
-+ if (color_image)
-+ DestroyImage(color_image);
-+ if (alpha_image)
-+ DestroyImage(alpha_image);
-+ }
-+ else
-+ {
-+
-+ if (logging)
- {
-- q=SetImagePixels(image,0,y,image->columns,1);
-- for (x=(long) image->columns; x > 0; x--,q++,s++)
-- {
-- q->opacity=(Quantum) MaxRGB-s->red;
-- if (q->opacity != OpaqueOpacity)
-- image->matte=MagickTrue;
-- }
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " Read jng_image.");
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " jng_image->width=%lu, jng_image->height=%lu",
-+ (unsigned long)jng_width,(unsigned long)jng_height);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " image->rows=%lu, image->columns=%lu",
-+ (unsigned long)image->rows,
-+ (unsigned long)image->columns);
- }
-- if (!SyncImagePixels(image))
-- break;
-- }
-- (void) LiberateUniqueFileResource(alpha_image->filename);
-- DestroyImage(alpha_image);
-- alpha_image = (Image *)NULL;
-- DestroyImageInfo(alpha_image_info);
-- alpha_image_info = (ImageInfo *)NULL;
-- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-- " Destroy the JNG image");
-- DestroyImage(jng_image);
-- jng_image = (Image *)NULL;
-+
-+ for (y=0; y < (long) image->rows; y++)
-+ {
-+ s=AcquireImagePixels(jng_image,0,y,image->columns,1,
-+ &image->exception);
-+ if (image->matte)
-+ {
-+ q=SetImagePixels(image,0,y,image->columns,1);
-+ for (x=(long) image->columns; x > 0; x--,q++,s++)
-+ q->opacity=(Quantum) MaxRGB-s->red;
-+ }
-+ else
-+ {
-+ q=SetImagePixels(image,0,y,image->columns,1);
-+ for (x=(long) image->columns; x > 0; x--,q++,s++)
-+ {
-+ q->opacity=(Quantum) MaxRGB-s->red;
-+ if (q->opacity != OpaqueOpacity)
-+ image->matte=MagickTrue;
-+ }
-+ }
-+ if (!SyncImagePixels(image))
-+ break;
-+ }
-+ (void) LiberateUniqueFileResource(alpha_image->filename);
-+ if (color_image_info)
-+ DestroyImageInfo(color_image_info);
-+ if (alpha_image_info)
-+ DestroyImageInfo(alpha_image_info);
-+ if (color_image)
-+ DestroyImage(color_image);
-+ if (alpha_image)
-+ DestroyImage(alpha_image);
-+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-+ " Destroy the JNG image");
-+ DestroyImage(jng_image);
-+ jng_image = (Image *)NULL;
-+ }
- }
- }