Security fix for CVE-2012-3438,

GraphicsMagick: png_IM_malloc() size argument ok brad (MAINTAINER)
2012-08-28 15:18:25 +00:00 · 2012-08-28 15:18:25 +00:00 · 5887dd2b1a
commit 5887dd2b1a
parent bcc1a73a93
2 changed files with 65 additions and 1 deletions
--- a/graphics/GraphicsMagick/Makefile
+++ b/graphics/GraphicsMagick/Makefile
@ -1,10 +1,11 @@
-# $OpenBSD: Makefile,v 1.25 2012/07/03 13:36:28 okan Exp $
+# $OpenBSD: Makefile,v 1.26 2012/08/28 15:18:25 jasper Exp $

 SHARED_ONLY=	Yes

 COMMENT=	image processing tools with stable ABI

 DISTNAME=	GraphicsMagick-1.3.15
+REVISION=	0
 CATEGORIES=	graphics devel
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=graphicsmagick/}
 EXTRACT_SUFX=	.tar.xz
--- a/graphics/GraphicsMagick/patches/patch-coders_png_c
+++ b/graphics/GraphicsMagick/patches/patch-coders_png_c
@ -0,0 +1,63 @@
+$OpenBSD: patch-coders_png_c,v 1.8 2012/08/28 15:18:25 jasper Exp $
+
+Security fix for CVE-2012-3438,
+GraphicsMagick: png_IM_malloc() size argument
+
+Patch from upstream hg: 
+http://graphicsmagick.hg.sourceforge.net/hgweb/graphicsmagick/graphicsmagick/rev/d6e469d02cd2
+
+--- coders/png.c.orig	Sat Apr 28 21:45:16 2012
+++ coders/png.c	Fri Aug 24 21:35:57 2012
+@@ -1360,7 +1360,11 @@ static void PNGWarningHandler(png_struct *ping,png_con
+ }
+ 
+ #ifdef PNG_USER_MEM_SUPPORTED
+-static png_voidp png_IM_malloc(png_structp png_ptr,png_uint_32 size)
+#if PNG_LIBPNG_VER >= 14000
+static png_voidp png_IM_malloc(png_structp png_ptr,png_alloc_size_t size)
+#else
+static png_voidp png_IM_malloc(png_structp png_ptr,png_size_t size)
+#endif
+ {
+   (void) png_ptr;
+   return MagickAllocateMemory(png_voidp,(size_t) size);
+@@ -6153,12 +6157,22 @@ png_write_raw_profile(const ImageInfo *image_info,png_
+       (void) printf("writing raw profile: type=%.1024s, length=%lu\n",
+                     profile_type, (unsigned long)length);
+     }
+-  text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text));
+#if PNG_LIBPNG_VER >= 14000
+  text=(png_textp) png_malloc(ping,(png_alloc_size_t) sizeof(png_text));
+#else
+  text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text));
+#endif
+   description_length=strlen((const char *) profile_description);
+   allocated_length=(png_uint_32) (length*2 + (length >> 5) + 20
+                                   + description_length);
+-  text[0].text=(png_charp) png_malloc(ping,allocated_length);
+-  text[0].key=(png_charp) png_malloc(ping, (png_uint_32) 80);
+#if PNG_LIBPNG_VER >= 14000
+   text[0].text=(png_charp) png_malloc(ping,
+      (png_alloc_size_t) allocated_length);
+   text[0].key=(png_charp) png_malloc(ping, (png_alloc_size_t) 80);
+#else
+   text[0].text=(png_charp) png_malloc(ping, (png_size_t) allocated_length);
+   text[0].key=(png_charp) png_malloc(ping, (png_size_t) 80);
+#endif
+   text[0].key[0]='\0';
+   (void) strcat(text[0].key, "Raw profile type ");
+   (void) strncat(text[0].key, (const char *) profile_type, 61);
+@@ -7597,7 +7611,12 @@ static MagickPassFail WriteOnePNGImage(MngInfo *mng_in
+ 
+       if (*attribute->key == '[')
+         continue;
+-      text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text));
+#if PNG_LIBPNG_VER >= 14000
+            text=(png_textp) png_malloc(ping,
+                 (png_alloc_size_t) sizeof(png_text));
+#else
+            text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text));
+#endif
+       text[0].key=attribute->key;
+       text[0].text=attribute->value;
+       text[0].text_length=strlen(attribute->value);