72 lines
2.9 KiB
Plaintext
72 lines
2.9 KiB
Plaintext
$OpenBSD: patch-coders_png_c,v 1.11 2012/08/28 15:20:21 jasper Exp $
|
|
|
|
Security fix for CVE-2012-3437, ImageMagick: Magick_png_malloc() size argument
|
|
|
|
Patch from upstream svn:
|
|
http://trac.imagemagick.org/changeset/8733/ImageMagick/trunk/coders/png.c
|
|
|
|
--- coders/png.c.orig Thu Jun 7 13:50:28 2012
|
|
+++ coders/png.c Fri Aug 24 21:52:35 2012
|
|
@@ -1809,7 +1809,11 @@ static void MagickPNGWarningHandler(png_struct *ping,p
|
|
}
|
|
|
|
#ifdef PNG_USER_MEM_SUPPORTED
|
|
-static png_voidp Magick_png_malloc(png_structp png_ptr,png_uint_32 size)
|
|
+#if PNG_LIBPNG_VER >= 14000
|
|
+static png_voidp Magick_png_malloc(png_structp png_ptr,png_alloc_size_t size)
|
|
+#else
|
|
+static png_voidp Magick_png_malloc(png_structp png_ptr,png_size_t size)
|
|
+#endif
|
|
{
|
|
(void) png_ptr;
|
|
return((png_voidp) AcquireMagickMemory((size_t) size));
|
|
@@ -2254,7 +2258,7 @@ static Image *ReadOnePNGImage(MngInfo *mng_info,
|
|
|
|
#if (PNG_LIBPNG_VER < 10400)
|
|
# if defined(PNG_USE_PNGGCCRD) && defined(PNG_ASSEMBLER_CODE_SUPPORTED) && \
|
|
- (PNG_LIBPNG_VER >= 10200) && (PNG_LIBPNG_VER < 10220) && defined(__i386__)
|
|
+ (PNG_LIBPNG_VER >= 10200) && (PNG_LIBPNG_VER < 10220) && defined(PNG_MMX_CODE_SUPPORTED)
|
|
/* Disable thread-unsafe features of pnggccrd */
|
|
if (png_access_version_number() >= 10200)
|
|
{
|
|
@@ -7341,12 +7345,22 @@ Magick_png_write_raw_profile(const ImageInfo *image_in
|
|
(char *) profile_type, (double) length);
|
|
}
|
|
|
|
- text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text));
|
|
+#if PNG_LIBPNG_VER >= 14000
|
|
+ text=(png_textp) png_malloc(ping,(png_alloc_size_t) sizeof(png_text));
|
|
+#else
|
|
+ text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text));
|
|
+#endif
|
|
description_length=(png_uint_32) strlen((const char *) profile_description);
|
|
allocated_length=(png_uint_32) (length*2 + (length >> 5) + 20
|
|
+ description_length);
|
|
- text[0].text=(png_charp) png_malloc(ping,allocated_length);
|
|
- text[0].key=(png_charp) png_malloc(ping, (png_uint_32) 80);
|
|
+#if PNG_LIBPNG_VER >= 14000
|
|
+ text[0].text=(png_charp) png_malloc(ping,
|
|
+ (png_alloc_size_t) allocated_length);
|
|
+ text[0].key=(png_charp) png_malloc(ping, (png_alloc_size_t) 80);
|
|
+#else
|
|
+ text[0].text=(png_charp) png_malloc(ping, (png_size_t) allocated_length);
|
|
+ text[0].key=(png_charp) png_malloc(ping, (png_size_t) 80);
|
|
+#endif
|
|
text[0].key[0]='\0';
|
|
(void) ConcatenateMagickString(text[0].key,
|
|
"Raw profile type ",MaxTextExtent);
|
|
@@ -10691,7 +10705,12 @@ static MagickBooleanType WriteOnePNGImage(MngInfo *mng
|
|
{
|
|
if (value != (const char *) NULL)
|
|
{
|
|
- text=(png_textp) png_malloc(ping,(png_uint_32) sizeof(png_text));
|
|
+#if PNG_LIBPNG_VER >= 14000
|
|
+ text=(png_textp) png_malloc(ping,
|
|
+ (png_alloc_size_t) sizeof(png_text));
|
|
+#else
|
|
+ text=(png_textp) png_malloc(ping,(png_size_t) sizeof(png_text));
|
|
+#endif
|
|
text[0].key=(char *) property;
|
|
text[0].text=(char *) value;
|
|
text[0].text_length=strlen(value);
|