imagemagick (8:6.6.0.4-3+squeeze3) 0004-Fix-security-holes-JPEG-EXIF-TIFF.patch

Summary

 coders/jpeg.c     |    8 +++++++-
 coders/tiff.c     |    7 ++++---
 magick/property.c |    4 ++++
 3 files changed, 15 insertions(+), 4 deletions(-)

    

Patch contents

From 3f0a0b70bf7e8682bc89ed8f6a90d9dcce52c36d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Wed, 2 May 2012 12:37:36 +0200
Subject: [PATCH] Fix security holes JPEG/EXIF/TIFF

An out-of-bounds heap buffer read flaw was found in the way ImageMagick
retrieved Exchangeable image file format (Exif) header tag information
from certain JPEG files.

A remote attacker could provide a JPEG image file, with EXIF header
containing specially-crafted tag values, which once opened in some ImageMagick
tool would lead to the crash of that tool (denial of service).

Fix:
* [CVE-2012-0259] JPEG EXIF tag crash.
* [CVE-2012-0260] Excessive memory use with JPEG restart markers.
* [CVE-2012-1798] Copying of invalid memory when reading TIFF EXIF IFD.

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0259
Applied-Upstream: 6.7.6-3
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667635
---
 coders/jpeg.c     |    8 +++++++-
 coders/tiff.c     |    7 ++++---
 magick/property.c |    4 ++++
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/coders/jpeg.c b/coders/jpeg.c
index d28d458..1803e92 100644
--- a/coders/jpeg.c
+++ b/coders/jpeg.c
@@ -142,6 +142,9 @@ typedef struct _SourceManager
 static MagickBooleanType
   WriteJPEGImage(const ImageInfo *,Image *);
 #endif
+static void 
+  JPEGErrorHandler(j_common_ptr);
+
 
 /*
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -222,11 +225,12 @@ static MagickBooleanType EmitMessage(j_common_ptr jpeg_info,int level)
   image=error_manager->image;
   if (level < 0)
     {
+      if (jpeg_info->err->num_warnings++ > 1000) /* 1000 = JPEGEcessiveWarnings */
+	JPEGErrorHandler(jpeg_info);
       if ((jpeg_info->err->num_warnings == 0) ||
           (jpeg_info->err->trace_level >= 3))
         ThrowBinaryException(CorruptImageWarning,(char *) message,
           image->filename);
-      jpeg_info->err->num_warnings++;
     }
   else
     if (jpeg_info->err->trace_level >= level)
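Review bot: The `num_warnings == 0` test on the line after the new guard can no longer be true, because the guard post-increments the counter before it is reached, so the first corrupt-image warning is no longer surfaced unless trace_level >= 3 — a behaviour change the patch description does not mention. Changing that line to `if ((jpeg_info->err->num_warnings == 1) ||` restores the first-warning report while keeping the count moving so the 1000 limit is actually reached. The literal `1000` and its comment (which misspells the macro name) should use `JPEGExcessiveWarnings`, but that macro is only defined later in the file inside ReadComment, so it would have to move to file scope above EmitMessage. EmitMessage's body starts before this hunk, and whether JPEGErrorHandler returns to the caller is not visible here.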
@@ -305,6 +309,8 @@ static void JPEGErrorHandler(j_common_ptr jpeg_info)
 
 static boolean ReadComment(j_decompress_ptr jpeg_info)
 {
+  #define JPEGExcessiveWarnings  1000
+
   char
     *comment;
 
diff --git a/coders/tiff.c b/coders/tiff.c
index 807c127..8d8f2c8 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -589,10 +589,11 @@ static void TIFFGetEXIFProperties(TIFF *tiff,Image *image)
       case TIFF_ASCII:
       {
         char
-          *ascii;
+          *ascii= NULL;
 
-        if (TIFFGetField(tiff,exif_info[i].tag,&ascii) != 0)
-          (void) CopyMagickMemory(value,ascii,MaxTextExtent);
+        if ((TIFFGetField(tiff,exif_info[i].tag,&ascii) != 0) &&
+	    (ascii != (char *) NULL) && (*ascii != '\0'))
+          (void) CopyMagickString(value,ascii,MaxTextExtent);
         break;
       }
       case TIFF_SHORT:
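Review bot: With the new condition an ASCII tag that is present but empty leaves `value` untouched; the initialisation of `value` before the switch is outside this hunk, so confirm it is reset on every loop iteration, otherwise the previous tag's text could be stored under this tag's name. Replacing CopyMagickMemory (which read a full MaxTextExtent bytes from a string libtiff sized to its contents) with CopyMagickString is the right fix, but the copy now depends on libtiff returning a NUL-terminated buffer for TIFF_ASCII fields; a one-line comment such as `/* libtiff returns ASCII tag values NUL-terminated */` would record that assumption once the project has confirmed it. The continuation line of the condition is indented with a tab while the surrounding file uses spaces. TIFFGetEXIFProperties starts before this hunk.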
diff --git a/magick/property.c b/magick/property.c
index 6c6d12f..9bde6f3 100644
--- a/magick/property.c
+++ b/magick/property.c
@@ -1307,6 +1307,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
         break;
       components=(long) ReadPropertyLong(endian,q+4);
       number_bytes=(size_t) components*tag_bytes[format];
+      if (number_bytes < components)
+        break;  /* prevent overflow */
       if (number_bytes <= 4)
         p=q+8;
       else
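Review bot: The added guard `number_bytes < components` is not a complete overflow check: `components` is a signed long read straight from the file, so a negative value is converted to a huge size_t on the right-hand side, and a wrapped product of a large count with a 4- or 8-byte element size can still compare greater than the count (for instance 0x60000000 elements of 4 bytes on a build with 32-bit size_t wraps to 0x80000000, which passes). A division-based test catches both cases: `if ((components < 0) || (number_bytes/tag_bytes[format] != (size_t) components)) break;  /* prevent overflow */`. This assumes `format` has already been validated so that tag_bytes[format] is non-zero, which the `break` at the top of the hunk suggests but does not show; the comparison also mixes signed and unsigned operands, which the cast removes. GetEXIFProperty continues on both sides of this hunk.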
@@ -1330,6 +1332,8 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
             buffer[MaxTextExtent],
             *value;
 
+          value=(char *) NULL;
+          *buffer='\0';
           switch (format)
           {
             case EXIF_FMT_BYTE:
-- 
1.7.10