From 7c276e8ebec9cd5e11f45121ac6c08dc5cf18fc1 Mon Sep 17 00:00:00 2001
From: houyingchao <1348375921@qq.com>
Date: Tue, 12 Jul 2022 10:41:27 +0800
Subject: [PATCH] fix CVE-2022-1270
(cherry picked from commit ba02c0676b7064ec32e34f6ffc17b7c0387c6773)
---
 CVE-2022-1270.patch | 89 +++++++++++++++++++++++++++++++++++++++++++++
 GraphicsMagick.spec | 6 ++-
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-1270.patch
diff --git a/CVE-2022-1270.patch b/CVE-2022-1270.patch
new file mode 100644
index 0000000..c836564
--- /dev/null
+++ b/CVE-2022-1270.patch
@@ -0,0 +1,89 @@
+
+# HG changeset patch
+# User Bob Friesenhahn
+# Date 1648301533 18000
+# Node ID 94f4bcf448ad29d6d8470e444038402d34fbba12
+# Parent 07c1e6eeffb8cb2abb9ede843a45ba7e5435b3b0
+ReadMIFFImage(): Validate claimed bzip2-compressed row length prior to reading data into fixed size buffer.
+
+---
+ ChangeLog | 7 +++++++
+ coders/miff.c | 11 +++++++++++
+ magick/version.h | 2 ++
+ www/Changelog.html | 7 +++++++
+ 4 files changed, 27 insertions(+)
+
+diff --git a/ChangeLog b/ChangeLog
+index a89c828..5116ad0 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,10 @@
++2022-03-26 Bob Friesenhahn
++ * coders/miff.c (ReadMIFFImage): Validate claimed bzip2-compressed
++ row length prior to reading data into fixed size buffer.
++ Addresses SourceForge bug #664 "[bug]Heap buffer overflow when
++ parsing MIFF". This severe bug only impacts builds with BZLIB
++ support.
++
+ 2019-04-17 Bob Friesenhahn
+ * coders/xwd.c (ReadXWDImage): Added even more XWD header
+ validation logic. Addresses problems noted by email from Hongxu
+diff --git a/coders/miff.c b/coders/miff.c
+index 00813c4..9149a15 100644
+--- a/coders/miff.c
++++ b/coders/miff.c
+@@ -1674,9 +1674,20 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+ else
+ {
+ length=ReadBlobMSBLong(image);
++ if (image->logging)
++ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
++ "length = %"MAGICK_SIZE_T_F"u",
++ (MAGICK_SIZE_T) length);
++ if ((length == 0) || (length > compressed_length))
++ {
++ (void) BZ2_bzDecompressEnd(&bzip_info);
++ ThrowMIFFReaderException(CorruptImageError,UnableToUncompressImage,
++ image);
++ }
+ bzip_info.avail_in=(unsigned int) ReadBlob(image,length,bzip_info.next_in);
+ if ((size_t) bzip_info.avail_in != length)
+ {
++ (void) BZ2_bzDecompressEnd(&bzip_info);
+ ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile,
+ image);
+ }
+diff --git a/magick/version.h b/magick/version.h
+index a9e0dca..1e17abc 100644
+--- a/magick/version.h
++++ b/magick/version.h
+@@ -40,6 +40,8 @@ extern "C" {
+ #define MagickLibVersionNumber 21,18,1
+ #define MagickChangeDate "20190417"
+ #define MagickReleaseDate "snapshot-20190417"
++#define MagickChangeDate "20220326"
++#define MagickReleaseDate "snapshot-20220326"
+
+ /*
+ The MagickLibInterfaceNewest and MagickLibInterfaceOldest defines
+diff --git a/www/Changelog.html b/www/Changelog.html
+index e5a21da..5ec8096 100644
+--- a/www/Changelog.html
++++ b/www/Changelog.html
+@@ -34,6 +34,13 @@ + +
+ ++

2022-03-26 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

++
++* coders/miff.c (ReadMIFFImage): Validate claimed bzip2-compressed
++row length prior to reading data into fixed size buffer.
++Addresses SourceForge bug #664 "[bug]Heap buffer overflow when
++parsing MIFF". This severe bug only impacts builds with BZLIB
++support.
+

2019-04-17 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

+
+
+--
+2.23.0
+
diff --git a/GraphicsMagick.spec b/GraphicsMagick.spec
index 4b8ff5d..ae22147 100644
--- a/GraphicsMagick.spec
+++ b/GraphicsMagick.spec
@@ -10,7 +10,7 @@
 Name: GraphicsMagick
 Version: 1.3.30
-Release: 9
+Release: 10
 Summary: Derived from ImageMagick, providing faster image generation speed and better quality
 License: MIT
 Source0: http://downloads.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-%{version}.tar.xz
@@ -32,6 +32,7 @@ Patch0012: CVE-2019-12921.patch
 Patch0013: CVE-2020-10938.patch
 Patch0014: CVE-2020-12672.patch
 Patch0015: CVE-2019-11473-CVE-2019-11474.patch
+Patch0016: CVE-2022-1270.patch
 BuildRequires: bzip2-devel freetype-devel gcc-c++ giflib-devel lcms2-devel libjpeg-devel
 BuildRequires: libpng-devel librsvg2-devel libtiff-devel libtool-ltdl-devel libxml2-devel lpr
@@ -230,6 +231,9 @@ time %make_build check ||:
 %changelog
+* Tue Jul 12 2022 houyingchao - 1.3.30-10
+- fix CVE-2022-1270
+
 * Mon Dec 07 2020 caodongxia - 1.3.30-9
 - fix CVE-2019-11473 CVE-2019-11474
--
Gitee
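Review bot: The embedded `magick/version.h` section adds `#define MagickChangeDate "20220326"` and `#define MagickReleaseDate "snapshot-20220326"` while the 2019 definitions stay in place as context (its header is `-40,6 +40,8` and the embedded diffstat shows `2 ++`), so both macros are defined twice with different values. The compiler will diagnose that as a macro redefinition, and the 1.3.30 package will report a 2022 snapshot date even though only one fix was backported. I would carry only the `coders/miff.c` section in `CVE-2022-1270.patch` and drop the `ChangeLog`, `magick/version.h` and `www/Changelog.html` sections, which add nothing to the build. Separately, the new `(length == 0) || (length > compressed_length)` guard only protects the read if `compressed_length` is the size of the buffer behind `bzip_info.next_in`; both are set outside this hunk, so that should be confirmed against the 1.3.30 tree.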