Date: Wed, 31 May 2017 09:00:31 +0000 (UTC) From: Koop Mast <kwm@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r442142 - in branches/2017Q2/graphics/ImageMagick: . files Message-ID: <201705310900.v4V90VCd028530@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: kwm Date: Wed May 31 09:00:30 2017 New Revision: 442142 URL: https://svnweb.freebsd.org/changeset/ports/442142 Log: Manualy backport CVE patches, due to shared library bump in ImageMagick. PR: 219497 Approved by: ports-secteam@ (feld@) Security: 50776801-4183-11e7-b291-b499baebfeaf Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5506 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5507 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5508 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5509 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5510 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5511 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6497 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6498 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6499 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6500 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6501 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6502 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7275 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7606 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7619 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7941 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7942 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7943 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8343 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8344 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8345 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8346 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8347 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8348 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8349 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8350 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8351 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8352 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8353 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8354 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8355 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8356 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8357 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8765 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8830 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-9141 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-9142 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-9143 (contents, props changed) branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-9144 (contents, props changed) Modified: branches/2017Q2/graphics/ImageMagick/Makefile Modified: branches/2017Q2/graphics/ImageMagick/Makefile ============================================================================== --- branches/2017Q2/graphics/ImageMagick/Makefile Wed May 31 08:22:54 2017 (r442141) +++ branches/2017Q2/graphics/ImageMagick/Makefile Wed May 31 09:00:30 2017 (r442142) @@ -2,7 +2,7 @@ PORTNAME= ImageMagick DISTVERSION= 6.9.6-4 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= graphics perl5 MASTER_SITES= http://www.imagemagick.org/download/ \ Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5506 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5506 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,27 @@ +From 6235f1f7a9f7b0f83b197f6cd0073dbb6602d0fb Mon Sep 17 00:00:00 2001 +From: Cristy <urban-warrior@imagemagick.org> +Date: Thu, 12 Jan 2017 12:51:14 -0500 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/354 + +--- + magick/profile.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/magick/profile.c b/magick/profile.c +index 7c12a1c933..6313388a2b 100644 +--- magick/profile.c ++++ magick/profile.c +@@ -2071,10 +2071,10 @@ static MagickBooleanType SyncExifProfile(Image *image, StringInfo *profile) + The directory entry contains an offset. + */ + offset=(ssize_t) ReadProfileLong(endian,q+8); +- if ((ssize_t) (offset+number_bytes) < offset) +- continue; /* prevent overflow */ +- if ((size_t) (offset+number_bytes) > length) ++ if ((offset < 0) || ((size_t) (offset+number_bytes) > length)) + continue; ++ if (~length < number_bytes) ++ continue; /* prevent overflow */ + p=(unsigned char *) (exif+offset); + } + switch (tag_value) Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5507 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5507 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,49 @@ +From 4493d9ca1124564da17f9b628ef9d0f1a6be9738 Mon Sep 17 00:00:00 2001 +From: Cristy <urban-warrior@imagemagick.org> +Date: Tue, 10 Jan 2017 20:14:38 -0500 +Subject: [PATCH] ... + + * Recognize XML policy closing tags (reference + https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31182). + * Fix memory leak in MPC image format. + + +diff --git a/coders/mpc.c b/coders/mpc.c +index eda0c36cb2..89fead527f 100644 +--- coders/mpc.c ++++ coders/mpc.c +@@ -67,6 +67,7 @@ + #include "magick/profile.h" + #include "magick/property.h" + #include "magick/quantum-private.h" ++#include "magick/resource_.h" + #include "magick/static.h" + #include "magick/statistic.h" + #include "magick/string_.h" +@@ -841,7 +842,9 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception) + /* + Create image colormap. + */ +- if (AcquireImageColormap(image,image->colors) == MagickFalse) ++ image->colormap=(PixelPacket *) AcquireQuantumMemory(image->colors+1, ++ sizeof(*image->colormap)); ++ if (image->colormap == (PixelPacket *) NULL) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + if (image->colors != 0) + { +@@ -930,12 +933,9 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception) + if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) + if (image->scene >= (image_info->scene+image_info->number_scenes-1)) + break; +- status=SetImageExtent(image,image->columns,image->rows); +- if (status == MagickFalse) +- { +- InheritException(exception,&image->exception); +- return(DestroyImageList(image)); +- } ++ if ((AcquireMagickResource(WidthResource,image->columns) == MagickFalse) || ++ (AcquireMagickResource(HeightResource,image->rows) == MagickFalse)) ++ ThrowReaderException(ImageError,"WidthOrHeightExceedsLimit"); + /* + Attach persistent pixel cache. + */ Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5508 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5508 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,230 @@ +From e5dc6d628a1c6049dc95adcea5e49aaa7ef2c778 Mon Sep 17 00:00:00 2001 +From: Cristy <urban-warrior@imagemagick.org> +Date: Fri, 2 Dec 2016 11:07:56 -0500 +Subject: [PATCH] Fix possible buffer overflow when writing compressed TIFFS + +--- + coders/tiff.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/coders/tiff.c b/coders/tiff.c +index f18e210127..c6c6f60afb 100644 +--- coders/tiff.c ++++ coders/tiff.c +@@ -1581,9 +1581,9 @@ RestoreMSCWarning + rows_per_strip); + (void) SetImageProperty(image,"tiff:rows-per-strip",value); + } +- if ((samples_per_pixel >= 2) && (interlace == PLANARCONFIG_CONTIG)) ++ if ((samples_per_pixel >= 3) && (interlace == PLANARCONFIG_CONTIG)) + method=ReadRGBAMethod; +- if ((samples_per_pixel >= 2) && (interlace == PLANARCONFIG_SEPARATE)) ++ if ((samples_per_pixel >= 4) && (interlace == PLANARCONFIG_SEPARATE)) + method=ReadCMYKAMethod; + if ((photometric != PHOTOMETRIC_RGB) && + (photometric != PHOTOMETRIC_CIELAB) && + + +From fde5f55af94f189f16958535a9c22b439d71ac93 Mon Sep 17 00:00:00 2001 +From: Cristy <urban-warrior@imagemagick.org> +Date: Thu, 1 Dec 2016 20:05:59 -0500 +Subject: [PATCH] Fix possible buffer overflow when writing compressed TIFFS + +--- + ChangeLog | 4 ++++ + coders/tiff.c | 38 +++++++++++++++++++++----------------- + 2 files changed, 25 insertions(+), 17 deletions(-) + +2016-12-02 6.9.6-7 Cristy <quetzlzacatenango@image...> + * Fix possible buffer overflow when writing compressed TIFFS (vulnerability + report from Cisco Talos, CVE-2016-8707). + +diff --git a/coders/tiff.c b/coders/tiff.c +index 35a14b6882..f18e210127 100644 +--- coders/tiff.c ++++ coders/tiff.c +@@ -1154,7 +1154,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, + width; + + unsigned char +- *pixels; ++ *tiff_pixels; + + /* + Open image. +@@ -1606,7 +1606,13 @@ RestoreMSCWarning + method=ReadTileMethod; + quantum_info->endian=LSBEndian; + quantum_type=RGBQuantum; +- pixels=GetQuantumPixels(quantum_info); ++ tiff_pixels=(unsigned char *) AcquireMagickMemory(TIFFScanlineSize(tiff)+ ++ sizeof(uint32)); ++ if (tiff_pixels == (unsigned char *) NULL) ++ { ++ TIFFClose(tiff); ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ } + switch (method) + { + case ReadSingleSampleMethod: +@@ -1643,7 +1649,6 @@ RestoreMSCWarning + TIFFClose(tiff); + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } +- pixels=GetQuantumPixels(quantum_info); + for (y=0; y < (ssize_t) image->rows; y++) + { + int +@@ -1652,14 +1657,14 @@ RestoreMSCWarning + register PixelPacket + *magick_restrict q; + +- status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) pixels); ++ status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels); + if (status == -1) + break; + q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); + if (q == (PixelPacket *) NULL) + break; + (void) ImportQuantumPixels(image,(CacheView *) NULL,quantum_info, +- quantum_type,pixels,exception); ++ quantum_type,tiff_pixels,exception); + if (SyncAuthenticPixels(image,exception) == MagickFalse) + break; + if (image->previous == (Image *) NULL) +@@ -1700,7 +1705,6 @@ RestoreMSCWarning + TIFFClose(tiff); + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } +- pixels=GetQuantumPixels(quantum_info); + for (y=0; y < (ssize_t) image->rows; y++) + { + int +@@ -1709,14 +1713,14 @@ RestoreMSCWarning + register PixelPacket + *magick_restrict q; + +- status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) pixels); ++ status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels); + if (status == -1) + break; + q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); + if (q == (PixelPacket *) NULL) + break; + (void) ImportQuantumPixels(image,(CacheView *) NULL,quantum_info, +- quantum_type,pixels,exception); ++ quantum_type,tiff_pixels,exception); + if (SyncAuthenticPixels(image,exception) == MagickFalse) + break; + if (image->previous == (Image *) NULL) +@@ -1745,7 +1749,7 @@ RestoreMSCWarning + status; + + status=TIFFReadPixels(tiff,bits_per_sample,(tsample_t) i,y,(char *) +- pixels); ++ tiff_pixels); + if (status == -1) + break; + q=GetAuthenticPixels(image,0,y,image->columns,1,exception); +@@ -1771,7 +1775,7 @@ RestoreMSCWarning + default: quantum_type=UndefinedQuantum; break; + } + (void) ImportQuantumPixels(image,(CacheView *) NULL,quantum_info, +- quantum_type,pixels,exception); ++ quantum_type,tiff_pixels,exception); + if (SyncAuthenticPixels(image,exception) == MagickFalse) + break; + } +@@ -1787,7 +1791,6 @@ RestoreMSCWarning + } + case ReadYCCKMethod: + { +- pixels=GetQuantumPixels(quantum_info); + for (y=0; y < (ssize_t) image->rows; y++) + { + int +@@ -1805,14 +1808,14 @@ RestoreMSCWarning + unsigned char + *p; + +- status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) pixels); ++ status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels); + if (status == -1) + break; + q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); + if (q == (PixelPacket *) NULL) + break; + indexes=GetAuthenticIndexQueue(image); +- p=pixels; ++ p=tiff_pixels; + for (x=0; x < (ssize_t) image->columns; x++) + { + SetPixelCyan(q,ScaleCharToQuantum(ClampYCC((double) *p+ +@@ -1861,13 +1864,13 @@ RestoreMSCWarning + break; + if (i == 0) + { +- if (TIFFReadRGBAStrip(tiff,(tstrip_t) y,(uint32 *) pixels) == 0) ++ if (TIFFReadRGBAStrip(tiff,(tstrip_t) y,(uint32 *) tiff_pixels) == 0) + break; + i=(ssize_t) MagickMin((ssize_t) rows_per_strip,(ssize_t) + image->rows-y); + } + i--; +- p=((uint32 *) pixels)+image->columns*i; ++ p=((uint32 *) tiff_pixels)+image->columns*i; + for (x=0; x < (ssize_t) image->columns; x++) + { + SetPixelRed(q,ScaleCharToQuantum((unsigned char) +@@ -1920,8 +1923,8 @@ RestoreMSCWarning + TIFFClose(tiff); + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } +- tile_pixels=(uint32 *) AcquireQuantumMemory(columns, +- rows*sizeof(*tile_pixels)); ++ tile_pixels=(uint32 *) AcquireQuantumMemory(columns,rows* ++ sizeof(*tile_pixels)); + if (tile_pixels == (uint32 *) NULL) + { + TIFFClose(tiff); +@@ -2078,6 +2081,7 @@ RestoreMSCWarning + break; + } + } ++ tiff_pixels=(unsigned char *) RelinquishMagickMemory(tiff_pixels); + SetQuantumImageType(image,quantum_type); + next_tiff_frame: + if (quantum_info != (QuantumInfo *) NULL) + + +From c073a7712d82476b5fbee74856c46b88af9c3175 Mon Sep 17 00:00:00 2001 +From: Cristy <urban-warrior@imagemagick.org> +Date: Thu, 5 Jan 2017 12:07:59 -0500 +Subject: [PATCH] + https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31161 + +--- + ChangeLog | 4 ++++ + coders/tiff.c | 5 +++-- + 2 files changed, 7 insertions(+), 2 deletions(-) + +2017-01-04 6.9.7-3 Cristy <quetzlzacatenango@image...> + * Increase memory allocation for TIFF pixels (reference + https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31161). + +diff --git a/coders/tiff.c b/coders/tiff.c +index 55a6683f71..6304b397fe 100644 +--- coders/tiff.c ++++ coders/tiff.c +@@ -1606,8 +1606,9 @@ RestoreMSCWarning + method=ReadTileMethod; + quantum_info->endian=LSBEndian; + quantum_type=RGBQuantum; +- tiff_pixels=(unsigned char *) AcquireMagickMemory(TIFFScanlineSize(tiff)+ +- sizeof(uint32)); ++ tiff_pixels=(unsigned char *) AcquireMagickMemory(MagickMax( ++ TIFFScanlineSize(tiff),(size_t) (image->columns*samples_per_pixel* ++ pow(2.0,ceil(log(bits_per_sample)/log(2.0)))))); + if (tiff_pixels == (unsigned char *) NULL) + { + TIFFClose(tiff); Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5509 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5509 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,22 @@ +From 37a1710e2dab6ed91128ea648d654a22fbe2a6af Mon Sep 17 00:00:00 2001 +From: Cristy <urban-warrior@imagemagick.org> +Date: Tue, 10 Jan 2017 09:04:04 -0500 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/350 + +--- + coders/psd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/coders/psd.c b/coders/psd.c +index 58496fd96d..14e375b9ed 100644 +--- coders/psd.c ++++ coders/psd.c +@@ -2606,7 +2606,7 @@ static ssize_t WritePSDChannels(const PSDInfo *psd_info, + compact_pixels=(unsigned char *) NULL; + if (next_image->compression == RLECompression) + { +- compact_pixels=AcquireCompactPixels(image); ++ compact_pixels=AcquireCompactPixels(next_image); + if (compact_pixels == (unsigned char *) NULL) + return(0); + } Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5510 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5510 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,22 @@ +From e87af64b1ff1635a32d9b6162f1b0e260fb54ed9 Mon Sep 17 00:00:00 2001 +From: Cristy <urban-warrior@imagemagick.org> +Date: Sun, 8 Jan 2017 08:40:43 -0500 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/348 + +--- + coders/psd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/coders/psd.c b/coders/psd.c +index a6f7ec4b0b..58496fd96d 100644 +--- coders/psd.c ++++ coders/psd.c +@@ -2486,7 +2486,7 @@ static size_t WritePSDChannel(const PSDInfo *psd_info, + next_image->depth=16; + monochrome=IsMonochromeImage(image,&image->exception) && (image->depth == 1) + ? MagickTrue : MagickFalse; +- quantum_info=AcquireQuantumInfo(image_info,image); ++ quantum_info=AcquireQuantumInfo(image_info,next_image); + if (quantum_info == (QuantumInfo *) NULL) + return(0); + pixels=GetQuantumPixels(quantum_info); Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5511 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-5511 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,23 @@ +From 7d65a814ac76bd04760072c33e452371692ee790 Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra <dirk@git.imagemagick.org> +Date: Sat, 7 Jan 2017 16:56:30 +0100 +Subject: [PATCH] Fix improper cast that could cause an overflow as + demonstrated in #347. + +--- + coders/psd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/coders/psd.c b/coders/psd.c +index 1f15d65b1b..a6f7ec4b0b 100644 +--- coders/psd.c ++++ coders/psd.c +@@ -1671,7 +1671,7 @@ ModuleExport MagickBooleanType ReadPSDLayers(Image *image, + /* + Layer name. + */ +- length=(MagickSizeType) ReadBlobByte(image); ++ length=(MagickSizeType) (unsigned char) ReadBlobByte(image); + combined_length+=length+1; + if (length > 0) + (void) ReadBlob(image,(size_t) length++,layer_info[i].name); Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6497 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6497 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,27 @@ +From 7f2dc7a1afc067d0c89f12c82bcdec0445fb1b94 Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra <dirk@git.imagemagick.org> +Date: Sat, 11 Feb 2017 10:31:39 +0100 +Subject: [PATCH] Added missing null check. + +--- + coders/psd.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/coders/psd.c b/coders/psd.c +index 14e375b9ed..fb93c57dd1 100644 +--- coders/psd.c ++++ coders/psd.c +@@ -1284,8 +1284,11 @@ static MagickBooleanType ReadPSDChannel(Image *image, + } + mask=CloneImage(image,layer_info->mask.page.width, + layer_info->mask.page.height,MagickFalse,exception); +- mask->matte=MagickFalse; +- channel_image=mask; ++ if (mask != (Image *) NULL) ++ { ++ mask->matte=MagickFalse; ++ channel_image=mask; ++ } + } + + offset=TellBlob(image); Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6498 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6498 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,43 @@ +From 65f75a32a93ae4044c528a987a68366ecd4b46b9 Mon Sep 17 00:00:00 2001 +From: Cristy <urban-warrior@imagemagick.org> +Date: Thu, 19 Jan 2017 19:30:48 -0500 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/pull/359 + +--- + coders/tga.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/coders/tga.c b/coders/tga.c +index d8adc52f7b..7b87278ef5 100644 +--- coders/tga.c ++++ coders/tga.c +@@ -710,6 +710,7 @@ static MagickBooleanType WriteTGAImage(const ImageInfo *image_info,Image *image) + compression; + + const char ++ *comment, + *value; + + const double +@@ -766,9 +767,9 @@ static MagickBooleanType WriteTGAImage(const ImageInfo *image_info,Image *image) + compression=image_info->compression; + range=GetQuantumRange(5UL); + tga_info.id_length=0; +- value=GetImageProperty(image,"comment"); +- if (value != (const char *) NULL) +- tga_info.id_length=(unsigned char) MagickMin(strlen(value),255); ++ comment=GetImageProperty(image,"comment"); ++ if (comment != (const char *) NULL) ++ tga_info.id_length=(unsigned char) MagickMin(strlen(comment),255); + tga_info.colormap_type=0; + tga_info.colormap_index=0; + tga_info.colormap_length=0; +@@ -852,7 +853,7 @@ static MagickBooleanType WriteTGAImage(const ImageInfo *image_info,Image *image) + (void) WriteBlobByte(image,tga_info.bits_per_pixel); + (void) WriteBlobByte(image,tga_info.attributes); + if (tga_info.id_length != 0) +- (void) WriteBlob(image,tga_info.id_length,(unsigned char *) value); ++ (void) WriteBlob(image,tga_info.id_length,(unsigned char *) comment); + if (tga_info.colormap_type != 0) + { + unsigned char Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6499 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6499 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,37 @@ +From 3358f060fc182551822576b2c0a8850faab5d543 Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra <dirk@git.imagemagick.org> +Date: Thu, 9 Feb 2017 21:53:23 +0100 +Subject: [PATCH] Fixed memory leak when creating nested exceptions in + Magick++. + + 2017-02-09 6.9.7-8 Dirk Lemstra <dirk@lem.....org> + * Fixed memory leak when creating nested exceptions in Magick++ (reference + https://www.imagemagick.org/discourse-server/viewtopic.php?f=23&p=142634) + +diff --git a/Magick++/lib/Exception.cpp b/Magick++/lib/Exception.cpp +index 92ca629707..8ef34bc0a0 100644 +--- Magick++/lib/Exception.cpp ++++ Magick++/lib/Exception.cpp +@@ -852,12 +852,18 @@ MagickPPExport void Magick::throwException(ExceptionInfo *exception_, + exception_->description) != 0)) + { + if (nestedException == (Exception *) NULL) +- nestedException=createException(p); ++ { ++ nestedException=createException(p); ++ q=nestedException; ++ } + else + { +- q=createException(p); +- nestedException->nested(q); +- nestedException=q; ++ Exception ++ *r; ++ ++ r=createException(p); ++ q->nested(r); ++ q=r; + } + } + } Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6500 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6500 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,23 @@ +From 3007531bfd326c5c1e29cd41d2cd80c166de8528 Mon Sep 17 00:00:00 2001 +From: Cristy <urban-warrior@imagemagick.org> +Date: Wed, 8 Feb 2017 13:38:04 -0500 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/375 + https://github.com/ImageMagick/ImageMagick/issues/376 + +--- + coders/sun.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/coders/sun.c b/coders/sun.c +index 150f3357fd..c11a33c62b 100644 +--- coders/sun.c ++++ coders/sun.c +@@ -458,7 +458,7 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception) + ThrowReaderException(ResourceLimitError,"ImproperImageHeader"); + } + pixels_length=height*bytes_per_line; +- sun_pixels=(unsigned char *) AcquireQuantumMemory(pixels_length, ++ sun_pixels=(unsigned char *) AcquireQuantumMemory(pixels_length+image->rows, + sizeof(*sun_pixels)); + if (sun_pixels == (unsigned char *) NULL) + { Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6501 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6501 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,29 @@ +From d31fec57e9dfb0516deead2053a856e3c71e9751 Mon Sep 17 00:00:00 2001 +From: Cristy <urban-warrior@imagemagick.org> +Date: Thu, 9 Feb 2017 18:13:47 -0500 +Subject: [PATCH] =?UTF-8?q?Check=20for=20image=20list=20before=20we=20dest?= + =?UTF-8?q?roy=20the=20last=20image=20in=20XCF=20coder=20(patch=20sent=20p?= + =?UTF-8?q?rivately=20by=20=D0=90=D0=BD=D0=B4=D1=80=D0=B5=D0=B9=20=D0=A7?= + =?UTF-8?q?=D0=B5=D1=80=D0=BD=D1=8B=D0=B9)?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--- + coders/xcf.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/coders/xcf.c b/coders/xcf.c +index 083f217ca0..2feef82ff1 100644 +--- coders/xcf.c ++++ coders/xcf.c +@@ -1445,7 +1445,8 @@ static Image *ReadXCFImage(const ImageInfo *image_info,ExceptionInfo *exception) + } + + (void) CloseBlob(image); +- DestroyImage(RemoveFirstImageFromList(&image)); ++ if (GetNextImageInList(image) != (Image *) NULL) ++ DestroyImage(RemoveFirstImageFromList(&image)); + if (image_type == GIMP_GRAY) + image->type=GrayscaleType; + return(GetFirstImageInList(image)); Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6502 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-6502 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,25 @@ +From 126c7c98ea788241922c30df4a5633ea692cf8df Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra <dirk@git.imagemagick.org> +Date: Sat, 18 Feb 2017 11:24:41 +0100 +Subject: [PATCH] Fixed fd leak for webp coder (patch from #382) + +--- + ChangeLog | 4 ++++ + coders/webp.c | 1 + + 2 files changed, 5 insertions(+) + + 2017-02-18 6.9.7-9 Dirk Lemstra <dirk@lem.....org> + * Fixed fd leak for webp coder (reference + https://github.com/ImageMagick/ImageMagick/pull/382) +diff --git a/coders/webp.c b/coders/webp.c +index 811b3d4336..11703f85af 100644 +--- coders/webp.c ++++ coders/webp.c +@@ -368,6 +368,7 @@ static Image *ReadWEBPImage(const ImageInfo *image_info, + } + WebPFreeDecBuffer(webp_image); + stream=(unsigned char*) RelinquishMagickMemory(stream); ++ (void) CloseBlob(image); + return(image); + } + #endif Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7275 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7275 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,22 @@ +From d94d85622f120f82240921ae7a83a72afcb79ddf Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra <dirk@git.imagemagick.org> +Date: Mon, 21 Nov 2016 20:54:14 +0100 +Subject: [PATCH] Lowered max map_length to prevent an overflow (#271). + +--- + coders/rle.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/coders/rle.c b/coders/rle.c +index 117bde8d51..a14fafa6c1 100644 +--- coders/rle.c ++++ coders/rle.c +@@ -227,7 +227,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + bits_per_pixel=(size_t) ReadBlobByte(image); + number_colormaps=(size_t) ReadBlobByte(image); + map_length=(unsigned char) ReadBlobByte(image); +- if (map_length >= 32) ++ if (map_length >= 22) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + one=1; + map_length=one << map_length; Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7606 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7606 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,23 @@ +From b2b0aa6bb0d110f8560fe2091671a27d78877f22 Mon Sep 17 00:00:00 2001 +From: Cristy <urban-warrior@imagemagick.org> +Date: Fri, 31 Mar 2017 15:23:42 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/415 + +--- + coders/rle.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/coders/rle.c b/coders/rle.c +index 18a3ef5c60..d1ccffd7dc 100644 +--- coders/rle.c ++++ coders/rle.c +@@ -274,7 +274,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) + p=colormap; + for (i=0; i < (ssize_t) number_colormaps; i++) + for (x=0; x < (ssize_t) map_length; x++) +- *p++=(unsigned char) ScaleShortToQuantum(ReadBlobLSBShort(image)); ++ *p++=(unsigned char) ScaleQuantumToChar(ScaleShortToQuantum( ++ ReadBlobLSBShort(image))); + } + if ((flags & 0x08) != 0) + { Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7619 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7619 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,121 @@ +diff --git a/magick/enhance.c b/magick/enhance.c +index bbcbd85..010fba7 100644 +--- magick/enhance.c ++++ magick/enhance.c +@@ -3474,11 +3474,7 @@ static inline void ModulateHCL(const double percent_hue, + Increase or decrease color luma, chroma, or hue. + */ + ConvertRGBToHCL(*red,*green,*blue,&hue,&chroma,&luma); +- hue+=0.5*(0.01*percent_hue-1.0); +- while (hue < 0.0) +- hue+=1.0; +- while (hue > 1.0) +- hue-=1.0; ++ hue+=fmod((percent_hue-100.0),200.0)/200.0; + chroma*=0.01*percent_chroma; + luma*=0.01*percent_luma; + ConvertHCLToRGB(hue,chroma,luma,red,green,blue); +@@ -3497,11 +3493,7 @@ static inline void ModulateHCLp(const double percent_hue, + Increase or decrease color luma, chroma, or hue. + */ + ConvertRGBToHCLp(*red,*green,*blue,&hue,&chroma,&luma); +- hue+=0.5*(0.01*percent_hue-1.0); +- while (hue < 0.0) +- hue+=1.0; +- while (hue > 1.0) +- hue-=1.0; ++ hue+=fmod((percent_hue-100.0),200.0)/200.0; + chroma*=0.01*percent_chroma; + luma*=0.01*percent_luma; + ConvertHCLpToRGB(hue,chroma,luma,red,green,blue); +@@ -3520,11 +3512,7 @@ static inline void ModulateHSB(const double percent_hue, + Increase or decrease color brightness, saturation, or hue. + */ + ConvertRGBToHSB(*red,*green,*blue,&hue,&saturation,&brightness); +- hue+=0.5*(0.01*percent_hue-1.0); +- while (hue < 0.0) +- hue+=1.0; +- while (hue > 1.0) +- hue-=1.0; ++ hue+=fmod((percent_hue-100.0),200.0)/200.0; + saturation*=0.01*percent_saturation; + brightness*=0.01*percent_brightness; + ConvertHSBToRGB(hue,saturation,brightness,red,green,blue); +@@ -3543,11 +3531,7 @@ static inline void ModulateHSI(const double percent_hue, + Increase or decrease color intensity, saturation, or hue. + */ + ConvertRGBToHSI(*red,*green,*blue,&hue,&saturation,&intensity); +- hue+=0.5*(0.01*percent_hue-1.0); +- while (hue < 0.0) +- hue+=1.0; +- while (hue > 1.0) +- hue-=1.0; ++ hue+=fmod((percent_hue-100.0),200.0)/200.0; + saturation*=0.01*percent_saturation; + intensity*=0.01*percent_intensity; + ConvertHSIToRGB(hue,saturation,intensity,red,green,blue); +@@ -3566,11 +3550,7 @@ static inline void ModulateHSL(const double percent_hue, + Increase or decrease color lightness, saturation, or hue. + */ + ConvertRGBToHSL(*red,*green,*blue,&hue,&saturation,&lightness); +- hue+=0.5*(0.01*percent_hue-1.0); +- while (hue < 0.0) +- hue+=1.0; +- while (hue >= 1.0) +- hue-=1.0; ++ hue+=fmod((percent_hue-100.0),200.0)/200.0; + saturation*=0.01*percent_saturation; + lightness*=0.01*percent_lightness; + ConvertHSLToRGB(hue,saturation,lightness,red,green,blue); +@@ -3589,11 +3569,7 @@ static inline void ModulateHSV(const double percent_hue, + Increase or decrease color value, saturation, or hue. + */ + ConvertRGBToHSV(*red,*green,*blue,&hue,&saturation,&value); +- hue+=0.5*(0.01*percent_hue-1.0); +- while (hue < 0.0) +- hue+=1.0; +- while (hue >= 1.0) +- hue-=1.0; ++ hue+=fmod((percent_hue-100.0),200.0)/200.0; + saturation*=0.01*percent_saturation; + value*=0.01*percent_value; + ConvertHSVToRGB(hue,saturation,value,red,green,blue); +@@ -3612,11 +3588,7 @@ static inline void ModulateHWB(const double percent_hue, + Increase or decrease color blackness, whiteness, or hue. + */ + ConvertRGBToHWB(*red,*green,*blue,&hue,&whiteness,&blackness); +- hue+=0.5*(0.01*percent_hue-1.0); +- while (hue < 0.0) +- hue+=1.0; +- while (hue >= 1.0) +- hue-=1.0; ++ hue+=fmod((percent_hue-100.0),200.0)/200.0; + blackness*=0.01*percent_blackness; + whiteness*=0.01*percent_whiteness; + ConvertHWBToRGB(hue,whiteness,blackness,red,green,blue); +@@ -3637,11 +3609,7 @@ static inline void ModulateLCHab(const double percent_luma, + ConvertRGBToLCHab(*red,*green,*blue,&luma,&chroma,&hue); + luma*=0.01*percent_luma; + chroma*=0.01*percent_chroma; +- hue+=0.5*(0.01*percent_hue-1.0); +- while (hue < 0.0) +- hue+=1.0; +- while (hue >= 1.0) +- hue-=1.0; ++ hue+=fmod((percent_hue-100.0),200.0)/200.0; + ConvertLCHabToRGB(luma,chroma,hue,red,green,blue); + } + +@@ -3660,11 +3628,7 @@ static inline void ModulateLCHuv(const double percent_luma, + ConvertRGBToLCHuv(*red,*green,*blue,&luma,&chroma,&hue); + luma*=0.01*percent_luma; + chroma*=0.01*percent_chroma; +- hue+=0.5*(0.01*percent_hue-1.0); +- while (hue < 0.0) +- hue+=1.0; +- while (hue >= 1.0) +- hue-=1.0; ++ hue+=fmod((percent_hue-100.0),200.0)/200.0; + ConvertLCHuvToRGB(luma,chroma,hue,red,green,blue); + } + Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7941 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7941 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,89 @@ +From 721dc1305b2bfff92e5ca605dc1a47c61ce90b9f Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra <dirk@git.imagemagick.org> +Date: Mon, 17 Apr 2017 19:03:46 +0200 +Subject: [PATCH] Fixed memory leak reported in #428. + +--- + coders/sgi.c | 40 +++++++++++++++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 9 deletions(-) + +diff --git a/coders/sgi.c b/coders/sgi.c +index 57932e8713..82f511415d 100644 +--- coders/sgi.c ++++ coders/sgi.c +@@ -403,7 +403,10 @@ static Image *ReadSGIImage(const ImageInfo *image_info,ExceptionInfo *exception) + scanline=(unsigned char *) AcquireQuantumMemory(iris_info.columns, + bytes_per_pixel*sizeof(*scanline)); + if (scanline == (unsigned char *) NULL) +- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ { ++ pixel_info=RelinquishVirtualMemory(pixel_info); ++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); ++ } + for (z=0; z < (ssize_t) iris_info.depth; z++) + { + p=pixels+bytes_per_pixel*z; +@@ -460,12 +463,11 @@ static Image *ReadSGIImage(const ImageInfo *image_info,ExceptionInfo *exception) + (runlength == (size_t *) NULL) || + (packet_info == (MemoryInfo *) NULL)) + { +- if (offsets == (ssize_t *) NULL) +- offsets=(ssize_t *) RelinquishMagickMemory(offsets); +- if (runlength == (size_t *) NULL) +- runlength=(size_t *) RelinquishMagickMemory(runlength); +- if (packet_info == (MemoryInfo *) NULL) ++ offsets=(ssize_t *) RelinquishMagickMemory(offsets); ++ runlength=(size_t *) RelinquishMagickMemory(runlength); ++ if (packet_info != (MemoryInfo *) NULL) + packet_info=RelinquishVirtualMemory(packet_info); ++ pixel_info=RelinquishVirtualMemory(pixel_info); + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } + packets=(unsigned char *) GetVirtualMemoryBlob(packet_info); +@@ -475,7 +477,13 @@ static Image *ReadSGIImage(const ImageInfo *image_info,ExceptionInfo *exception) + { + runlength[i]=ReadBlobMSBLong(image); + if (runlength[i] > (4*(size_t) iris_info.columns+10)) +- ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ { ++ offsets=(ssize_t *) RelinquishMagickMemory(offsets); ++ runlength=(size_t *) RelinquishMagickMemory(runlength); ++ packet_info=RelinquishVirtualMemory(packet_info); ++ pixel_info=RelinquishVirtualMemory(pixel_info); ++ ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ } + } + /* + Check data order. +@@ -512,7 +520,14 @@ static Image *ReadSGIImage(const ImageInfo *image_info,ExceptionInfo *exception) + (runlength[y+z*iris_info.rows]/bytes_per_pixel),packets, + (ssize_t) iris_info.columns,p+bytes_per_pixel*z); + if (status == MagickFalse) +- ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ { ++ offsets=(ssize_t *) RelinquishMagickMemory(offsets); ++ runlength=(size_t *) RelinquishMagickMemory(runlength); ++ packet_info=RelinquishVirtualMemory(packet_info); ++ pixel_info=RelinquishVirtualMemory(pixel_info); ++ ThrowReaderException(CorruptImageError, ++ "ImproperImageHeader"); ++ } + p+=(iris_info.columns*4*bytes_per_pixel); + } + } +@@ -543,7 +558,14 @@ static Image *ReadSGIImage(const ImageInfo *image_info,ExceptionInfo *exception) + (runlength[y+z*iris_info.rows]/bytes_per_pixel),packets, + (ssize_t) iris_info.columns,p+bytes_per_pixel*z); + if (status == MagickFalse) +- ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ { ++ offsets=(ssize_t *) RelinquishMagickMemory(offsets); ++ runlength=(size_t *) RelinquishMagickMemory(runlength); ++ packet_info=RelinquishVirtualMemory(packet_info); ++ pixel_info=RelinquishVirtualMemory(pixel_info); ++ ThrowReaderException(CorruptImageError, ++ "ImproperImageHeader"); ++ } + } + p+=(iris_info.columns*4*bytes_per_pixel); + } Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7942 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7942 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,25 @@ +From fd84a5e8028778fd88772775361a2ee2b4bb6c47 Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra <dirk@git.imagemagick.org> +Date: Mon, 17 Apr 2017 18:52:51 +0200 +Subject: [PATCH] Fixed memory leak reported in #429 + +--- + coders/avs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/coders/avs.c b/coders/avs.c +index a368732ff7..50cf05f18a 100644 +--- coders/avs.c ++++ coders/avs.c +@@ -178,7 +178,10 @@ static Image *ReadAVSImage(const ImageInfo *image_info,ExceptionInfo *exception) + { + count=ReadBlob(image,length,pixels); + if (count != length) +- ThrowReaderException(CorruptImageError,"UnableToReadImageData"); ++ { ++ pixel_info=RelinquishVirtualMemory(pixel_info); ++ ThrowReaderException(CorruptImageError,"UnableToReadImageData"); ++ } + p=pixels; + q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); + if (q == (PixelPacket *) NULL) Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7943 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-7943 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,22 @@ +From 2e3410d0a07c3e30a42c9626c00e180870907a6b Mon Sep 17 00:00:00 2001 +From: Dirk Lemstra <dirk@git.imagemagick.org> +Date: Mon, 17 Apr 2017 18:08:02 +0200 +Subject: [PATCH] Fixed leak reported in: #427. + +--- + coders/svg.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/coders/svg.c b/coders/svg.c +index bfa60db3d7..5c74114d62 100644 +--- coders/svg.c ++++ coders/svg.c +@@ -3265,6 +3265,8 @@ static Image *ReadSVGImage(const ImageInfo *image_info,ExceptionInfo *exception) + image->rows=svg_info->height; + if (exception->severity >= ErrorException) + { ++ svg_info=DestroySVGInfo(svg_info); ++ (void) RelinquishUniqueFileResource(filename); + image=DestroyImage(image); + return((Image *) NULL); + } Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8343 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8343 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,25 @@ +From c52b177e0cb11c896b8cc9525a3184c5c0f322c3 Mon Sep 17 00:00:00 2001 +From: Cristy <urban-warrior@imagemagick.org> +Date: Wed, 26 Apr 2017 16:21:23 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/444 + +--- + coders/aai.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/coders/aai.c b/coders/aai.c +index 5384064154..d3e5b69460 100644 +--- coders/aai.c ++++ coders/aai.c +@@ -173,7 +173,10 @@ static Image *ReadAAIImage(const ImageInfo *image_info,ExceptionInfo *exception) + { + count=ReadBlob(image,length,pixels); + if ((size_t) count != length) +- ThrowReaderException(CorruptImageError,"UnableToReadImageData"); ++ { ++ pixels=(unsigned char *) RelinquishMagickMemory(pixels); ++ ThrowReaderException(CorruptImageError,"UnableToReadImageData"); ++ } + p=pixels; + q=QueueAuthenticPixels(image,0,y,image->columns,1,exception); + if (q == (PixelPacket *) NULL) Added: branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8344 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2017Q2/graphics/ImageMagick/files/patch-CVE-2017-8344 Wed May 31 09:00:30 2017 (r442142) @@ -0,0 +1,144 @@ +From 4c6289b2f39a47a430ce27b61d3e3967201e77e8 Mon Sep 17 00:00:00 2001 +From: Cristy <urban-warrior@imagemagick.org> +Date: Wed, 26 Apr 2017 16:58:26 -0400 +Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/446 + +--- + coders/pcx.c | 42 ++++++++++++++++++++++++------------------ + 1 file changed, 24 insertions(+), 18 deletions(-) + +--- coders/pcx.c.orig 2016-11-08 13:30:03.000000000 +0100 ++++ coders/pcx.c 2017-05-29 14:14:11.583378000 +0200 +@@ -203,11 +203,15 @@ static MagickBooleanType IsPCX(const unsigned char *ma + static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception) + { + #define ThrowPCXException(severity,tag) \ +- { \ ++{ \ ++ if (scanline != (unsigned char *) NULL) \ + scanline=(unsigned char *) RelinquishMagickMemory(scanline); \ ++ if (pixel_info != (MemoryInfo *) NULL) \ + pixel_info=RelinquishVirtualMemory(pixel_info); \ +- ThrowReaderException(severity,tag); \ +- } ++ if (page_table != (MagickOffsetType *) NULL) \ ++ page_table=(MagickOffsetType *) RelinquishMagickMemory(page_table); \ ++ ThrowReaderException(severity,tag); \ ++} + + Image + *image; +@@ -281,6 +285,8 @@ static Image *ReadPCXImage(const ImageInfo *image_info + Determine if this a PCX file. + */ + page_table=(MagickOffsetType *) NULL; ++ scanline=(unsigned char *) NULL; ++ pixel_info=(MemoryInfo *) NULL; + if (LocaleCompare(image_info->magick,"DCX") == 0) + { + size_t +@@ -291,11 +297,11 @@ static Image *ReadPCXImage(const ImageInfo *image_info + */ + magic=ReadBlobLSBLong(image); + if (magic != 987654321) +- ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ++ ThrowPCXException(CorruptImageError,"ImproperImageHeader"); *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201705310900.v4V90VCd028530>