-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy path10306.diff
139 lines (124 loc) · 5.08 KB
/
10306.diff
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
changeset: 15794:90ff9f04a465
user: Bob Friesenhahn <[email protected]>
date: Sat Sep 15 14:21:14 2018 -0500
summary: TraceEllipse(): Detect arithmetic overflow when computing the number of points to allocate for an ellipse. (Credit to OSS-Fuzz)
diff -r d2f645fad7c5 -r 90ff9f04a465 ChangeLog
--- a/ChangeLog Wed Sep 12 20:09:15 2018 -0500
+++ b/ChangeLog Sat Sep 15 14:21:14 2018 -0500
@@ -1,3 +1,10 @@
+2018-09-15 Bob Friesenhahn <[email protected]>
+
+ * magick/render.c (TraceEllipse): Detect arithmetic overflow when
+ computing the number of points to allocate for an ellipse. Fixes
+ oss-fuzz 10306 "graphicsmagick/coder_MVG_fuzzer:
+ Heap-buffer-overflow in TracePoint". (Credit to OSS-Fuzz)
+
2018-09-12 Bob Friesenhahn <[email protected]>
* magick/attribute.c (GenerateEXIFAttribute): Eliminate undefined
diff -r d2f645fad7c5 -r 90ff9f04a465 VisualMagick/installer/inc/version.isx
--- a/VisualMagick/installer/inc/version.isx Wed Sep 12 20:09:15 2018 -0500
+++ b/VisualMagick/installer/inc/version.isx Sat Sep 15 14:21:14 2018 -0500
@@ -10,5 +10,5 @@
#define public MagickPackageName "GraphicsMagick"
#define public MagickPackageVersion "1.4"
-#define public MagickPackageVersionAddendum ".020180912"
-#define public MagickPackageReleaseDate "snapshot-20180912"
+#define public MagickPackageVersionAddendum ".020180915"
+#define public MagickPackageReleaseDate "snapshot-20180915"
diff -r d2f645fad7c5 -r 90ff9f04a465 magick/render.c
--- a/magick/render.c Wed Sep 12 20:09:15 2018 -0500
+++ b/magick/render.c Sat Sep 15 14:21:14 2018 -0500
@@ -6215,8 +6215,10 @@
i,
j;
+ size_t
+ control_points;
+
unsigned long
- control_points,
quantum;
MagickPassFail
@@ -6242,7 +6244,7 @@
}
}
quantum=Min(quantum/number_coordinates,BezierQuantum);
- control_points=quantum*number_coordinates;
+ control_points=(size_t) quantum*number_coordinates;
/* make sure we have enough space */
if (PrimitiveInfoRealloc(p_PIMgr,control_points+1) == MagickFail)
@@ -6332,6 +6334,7 @@
{
double
delta,
+ points_length,
step,
y;
@@ -6346,9 +6349,6 @@
*primitive_info,
**pp_PrimitiveInfo;
- size_t
- Needed;
-
MagickPassFail
status = MagickPass;
@@ -6363,16 +6363,29 @@
delta=2.0/Max(stop.x,stop.y);
step=MagickPI/8.0;
if (delta < (MagickPI/8.0))
- step=MagickPI/(4*ceil(MagickPI/delta/2));
+ step=(MagickPI/4.0)/ceil(MagickPI/delta/2.0);
angle.x=DegreesToRadians(degrees.x);
y=degrees.y;
while (y < degrees.x)
y+=360.0;
angle.y=DegreesToRadians(y);
+ /* FIXME: The number of points could become arbitrarily large. It
+ would be good to add an algorithm which decreases ellipse drawing
+ quality when necessary in order to limit the number of points
+ required. */
+
/* make sure we have enough space */
- Needed = ((size_t)1) + (size_t) ceil((angle.y - angle.x) / step);
- if ((status=PrimitiveInfoRealloc(p_PIMgr,Needed)) == MagickFail)
+ points_length = ceil(1.0 + ceil((angle.y - angle.x) / step));
+ if ((size_t) points_length < points_length)
+ {
+ /* points_length too big to be represented as a size_t */
+ status=MagickFail;
+ ThrowException3(p_PIMgr->p_Exception,ResourceLimitError,
+ MemoryAllocationFailed,UnableToDrawOnImage);
+ goto trace_ellipse_done;
+ }
+ if ((status=PrimitiveInfoRealloc(p_PIMgr,(size_t) points_length)) == MagickFail)
goto trace_ellipse_done;
primitive_info = *pp_PrimitiveInfo + p_PIMgr->StoreStartingAt;
diff -r d2f645fad7c5 -r 90ff9f04a465 magick/version.h
--- a/magick/version.h Wed Sep 12 20:09:15 2018 -0500
+++ b/magick/version.h Sat Sep 15 14:21:14 2018 -0500
@@ -38,8 +38,8 @@
#define MagickLibVersion 0x211801
#define MagickLibVersionText "1.4"
#define MagickLibVersionNumber 21,18,1
-#define MagickChangeDate "20180912"
-#define MagickReleaseDate "snapshot-20180912"
+#define MagickChangeDate "20180915"
+#define MagickReleaseDate "snapshot-20180915"
/*
The MagickLibInterfaceNewest and MagickLibInterfaceOldest defines
diff -r d2f645fad7c5 -r 90ff9f04a465 www/Changelog.html
--- a/www/Changelog.html Wed Sep 12 20:09:15 2018 -0500
+++ b/www/Changelog.html Sat Sep 15 14:21:14 2018 -0500
@@ -35,6 +35,15 @@
<div class="document">
+<p>2018-09-15 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
+<blockquote>
+<ul class="simple">
+<li>magick/render.c (TraceEllipse): Detect arithmetic overflow when
+computing the number of points to allocate for an ellipse. Fixes
+oss-fuzz 10306 "graphicsmagick/coder_MVG_fuzzer:
+Heap-buffer-overflow in TracePoint". (Credit to OSS-Fuzz)</li>
+</ul>
+</blockquote>
<p>2018-09-12 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">