From 90930a610a300a4b5ba0ed79d9b1140adfad41fc Mon Sep 17 00:00:00 2001
From: Matthias Clasen
Date: Aug 23 2006 07:05:22 +0000
Subject: fix several vulnerabilities
---
diff --git a/ImageMagick-6.2.8-cve-2006-3743.patch b/ImageMagick-6.2.8-cve-2006-3743.patch
new file mode 100644
index 0000000..139eef1
--- /dev/null
+++ b/ImageMagick-6.2.8-cve-2006-3743.patch
@@ -0,0 +1,112 @@
+--- ImageMagick-6.2.2/coders/xcf.c.ormandy 2006-08-23 01:39:53.000000000 -0400
++++ ImageMagick-6.2.2/coders/xcf.c 2006-08-23 01:40:09.000000000 -0400
+@@ -268,7 +268,7 @@
+ %
+ %
+ */
+-static char *ReadBlobStringWithLongSize(Image *image,char *string)
++static char *ReadBlobStringWithLongSize(Image *image,char *string,size_t max)
+ {
+ int
+ c;
+@@ -284,7 +284,7 @@
+ if (image->debug != MagickFalse)
+ (void) LogMagickEvent(TraceEvent,GetMagickModule(),image->filename);
+ length = ReadBlobMSBLong(image);
+- for (i=0; i < (long) length; i++)
++ for (i=0; i < (long) Min(length, max); i++)
+ {
+ c=ReadBlobByte(image);
+ if (c == EOF)
+@@ -693,7 +693,7 @@
+ outLayer->width = ReadBlobMSBLong(image);
+ outLayer->height = ReadBlobMSBLong(image);
+ outLayer->type = ReadBlobMSBLong(image);
+- (void) ReadBlobStringWithLongSize(image, outLayer->name);
++ (void) ReadBlobStringWithLongSize(image, outLayer->name, 1024);
+
+ /* allocate the image for this layer */
+ outLayer->image=CloneImage(image,outLayer->width, outLayer->height,MagickTrue,
+@@ -1099,7 +1099,7 @@
+ /*float factor = (float) */ (void) ReadBlobMSBLong(image);
+ /* unsigned long digits = */ (void) ReadBlobMSBLong(image);
+ for (i=0; i<5; i++)
+- (void) ReadBlobStringWithLongSize(image, unit_string);
++ (void) ReadBlobStringWithLongSize(image, unit_string, sizeof(unit_string));
+ }
+ break;
+
+--- ImageMagick-6.2.2/coders/sun.c.ormandy 2006-08-23 01:39:58.000000000 -0400
++++ ImageMagick-6.2.2/coders/sun.c 2006-08-23 01:40:09.000000000 -0400
+@@ -133,10 +133,10 @@
+ %
+ */
+ static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
+- const size_t length,unsigned char *pixels)
++ const size_t length,unsigned char *pixels,size_t maxpixels)
+ {
+ register const unsigned char
+- *p;
++ *p, *l;
+
+ register unsigned char
+ *q;
+@@ -152,7 +152,8 @@
+ assert(pixels != (unsigned char *) NULL);
+ p=compressed_pixels;
+ q=pixels;
+- while ((size_t) (p-compressed_pixels) < length)
++ l=q+maxpixels;
++ while ((size_t) (p-compressed_pixels) < length && q < l)
+ {
+ byte=(*p++);
+ if (byte != 128U)
+@@ -165,7 +166,7 @@
+ count=(ssize_t) (*p++);
+ if (count > 0)
+ byte=(*p++);
+- while (count >= 0)
++ while (count >= 0 && q < l)
+ {
+ *q++=byte;
+ count--;
+@@ -376,6 +377,8 @@
+ CloseBlob(image);
+ return(GetFirstImageInList(image));
+ }
++ if ((sun_info.length * sizeof(*sun_data)) / sizeof(*sun_data) != sun_info.length || !sun_info.length)
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ sun_data=(unsigned char *)
+ AcquireMagickMemory((size_t) sun_info.length*sizeof(*sun_data));
+ if (sun_data == (unsigned char *) NULL)
+@@ -393,11 +396,28 @@
+ Read run-length encoded raster pixels.
+ */
+ height=sun_info.height;
+- bytes_per_line=2*(sun_info.width*sun_info.depth+15)/16;
++
++ /* calculate bytes per line, verifying no overflow occurs */
++ bytes_per_line=sun_info.width*sun_info.depth;
++ if (!height || !sun_info.width || !sun_info.depth || bytes_per_line / sun_info.depth != sun_info.width)
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++
++ if ((ULONG_MAX - bytes_per_line) < 15)
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++
++ bytes_per_line += 15;
++ bytes_per_line <<= 1;
++ if (bytes_per_line >> 1 != sun_info.width * sun_info.depth + 15)
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++
++ bytes_per_line >>= 4;
++ if ((bytes_per_line * height) / height != bytes_per_line)
++ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
++
+ sun_pixels=(unsigned char *) AcquireMagickMemory(bytes_per_line*height);
+ if (sun_pixels == (unsigned char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+- (void) DecodeImage(sun_data,sun_info.length,sun_pixels);
++ (void) DecodeImage(sun_data,sun_info.length,sun_pixels, bytes_per_line * height);
+ sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+ }
+ /*
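Review bot: In the xcf.c part of this patch, the new `max` argument caps the copy loop in `ReadBlobStringWithLongSize` at `max` bytes, but both callers pass the full buffer size, so if the function NUL-terminates at `string[i]` after the loop (that line is outside the hunk), a declared length of `max` or more still writes one byte past the buffer; `Min(length, max-1)` would leave room for the terminator. The layer-name call passes a literal `1024`, where `sizeof(outLayer->name)` would keep the bound tied to the declaration, assuming `name` is an array member. Bytes beyond the cap are also left unread, so the fields that follow are parsed from the middle of the string; the remainder should be consumed and discarded. In sun.c `DecodeImage`, the added `q < l` tests bound only the output: `count=(ssize_t) (*p++);` and the following `byte=(*p++);` still advance `p` with no check against `length`, so a run marker in the last bytes of `compressed_pixels` reads past the input, and each of those reads needs its own `(size_t) (p-compressed_pixels) < length` guard.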
diff --git a/ImageMagick-6.2.8-cve-2006-4144.patch b/ImageMagick-6.2.8-cve-2006-4144.patch
new file mode 100644
index 0000000..45620c2
--- /dev/null
+++ b/ImageMagick-6.2.8-cve-2006-4144.patch
@@ -0,0 +1,14 @@
+--- ImageMagick-6.2.8/coders/sgi.c.cve-2006-4144 2006-02-07 22:52:54.000000000 -0500
++++ ImageMagick-6.2.8/coders/sgi.c 2006-08-23 02:05:52.000000000 -0400
+@@ -410,7 +410,11 @@
+ for (i=0; i < (long) (iris_info.rows*iris_info.depth); i++)
+ offsets[i]=(ssize_t) ReadBlobMSBLong(image);
+ for (i=0; i < (long) (iris_info.rows*iris_info.depth); i++)
++ {
+ runlength[i]=ReadBlobMSBLong(image);
++ if (runlength[i] >= (4*(size_t) iris_info.columns+10))
++ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++ }
+ /*
+ Check data order.
+ */
diff --git a/ImageMagick.spec b/ImageMagick.spec
index 6b8fa8e..f545c6c 100644
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@ -9,7 +9,7 @@ Version: %{VER}.%{Patchlevel}
 %else
 Version: %{VER}
 %endif
-Release: 2
+Release: 3%{?dist}
 License: freeware
 Group: Applications/Multimedia
 %if "%{Patchlevel}" != ""
@@ -20,6 +20,11 @@ Source: ftp://ftp.ImageMagick.org/pub/ImageMagick/ImageMagick-%{version}.tar.bz2
 Source1: magick_small.png
 Patch1: ImageMagick-6.2.1-local_doc.patch
 Patch2: ImageMagick-6.2.8-multilib.patch
+# 202193
+Patch3: ImageMagick-6.2.8-cve-2006-3743.patch
+# 202771
+Patch4: ImageMagick-6.2.8-cve-2006-4144.patch
+
 Url: http://www.imagemagick.org/
 Buildroot: %{_tmppath}/%{name}-%{version}-root
@@ -116,6 +121,8 @@ however.
 %setup -q -n %{name}-%{VER}
 %patch1 -p1 -b .local_doc
 %patch2 -p1 -b .multilib
+%patch3 -p1 -b .cve-2006-3743
+%patch4 -p1 -b .cve-2006-4144
 %build
 %configure --enable-shared \
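Review bot: In the sgi.c patch, the new `runlength[i]` check throws from inside the read loop, and nothing in the hunk releases `offsets` and `runlength` before `ThrowReaderException`, which I take to return from the reader; if those tables are heap-allocated above the hunk, as the indexing suggests, every rejected file leaks them, which matters for a long-running service that decodes untrusted images, so both should be released before throwing. The limit `4*(size_t) iris_info.columns+10` is presumably the size of the buffer the run lengths are later read into, so it deserves a comment such as `/* must match the packet buffer allocation */`, or a shared local holding the size, so the check cannot drift from the allocation. The `offsets[i]` values read in the loop above get no comparable range check, and the loop bound `iris_info.rows*iris_info.depth` is a product of header fields that is not checked for overflow in the visible lines. The enclosing function starts and ends outside the hunk.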
@@ -251,6 +258,10 @@ rm -rf $RPM_BUILD_ROOT %doc PerlMagick/demo/ PerlMagick/Changelog PerlMagick/README.txt %changelog +* Wed Aug 23 2006 Matthias Clasen - 6.2.8.0-3.fc6 +- fix several integer and buffer overflows (#202193, CVE-2006-3743) +- fix more integer overflows (#202771, CVE-2006-4144) + * Mon Jul 24 2006 Matthias Clasen - 6.2.8.0-2 - Add missing BRs