From 4f423bbedf6863849f1496c47427e6e8a14bc4d0 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Thu, 20 May 2021 09:18:59 +0800
Subject: [PATCH] Fix CVE-2021-20309 CVE-2021-20311 CVE-2021-20312 CVE-2021-20313
(cherry picked from commit 250dbd05fded0f36e681aa1ca4d3ae71fbae6e1e)
---
 CVE-2021-20309.patch | 25 +++++
 CVE-2021-20311-20312-20313.patch | 183 +++++++++++++++++++++++++++++++
 ImageMagick.spec | 7 +-
 3 files changed, 214 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-20309.patch
 create mode 100644 CVE-2021-20311-20312-20313.patch
diff --git a/CVE-2021-20309.patch b/CVE-2021-20309.patch
new file mode 100644
index 0000000..ee597c6
--- /dev/null
+++ b/CVE-2021-20309.patch
@@ -0,0 +1,25 @@
+From 946d0afdcc34f461c68396b4b377832bcdccf095 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 25 Feb 2021 19:34:36 -0500
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/3296
+
+---
+ magick/fx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/magick/fx.c b/magick/fx.c
+index 5041de6..6fedf83 100644
+--- a/magick/fx.c
++++ b/magick/fx.c
+@@ -5702,7 +5702,7 @@ MagickExport Image *WaveImage(const Image *image,const double amplitude,
+ }
+ for (i=0; i < (ssize_t) wave_image->columns; i++)
+ sine_map[i]=(float) fabs(amplitude)+amplitude*sin((double)
+- ((2.0*MagickPI*i)/wave_length));
++ ((2.0*MagickPI*i)*PerceptibleReciprocal(wave_length)));
+ /*
+ Wave image.
+ */
+-- 
+2.23.0
+
diff --git a/CVE-2021-20311-20312-20313.patch b/CVE-2021-20311-20312-20313.patch
new file mode 100644
index 0000000..a878884
--- /dev/null
+++ b/CVE-2021-20311-20312-20313.patch
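Review bot: The rewritten sine_map expression in WaveImage removes the floating-point divide by zero but does not reject the input that caused it: with wave_length == 0.0 the loop still runs and, as far as I can tell from its use here, PerceptibleReciprocal yields a large finite reciprocal, so sine_map is filled with huge offsets that the wave interpolation below the hunk then consumes. Since wave_length comes straight from the user's -wave argument, I would validate it before the sine_map allocation rather than patch this one line, e.g. `if (wave_length == 0.0)` followed by raising the library's invalid-argument exception (in the style of the ThrowBinaryException/ThrowWriterException calls in the companion patch) and `return((Image *) NULL);`. WaveImage starts and ends outside this hunk, and the backport assumes PerceptibleReciprocal is declared in 6.9.10-67's private headers, which the package build should confirm.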
@@ -0,0 +1,183 @@
+From 1e48a746b0b1c34b2bdc2ae8cfa094d69ce50aa3 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Thu, 25 Feb 2021 17:03:18 -0500
+Subject: [PATCH] possible divide by zero + clear buffers
+
+---
+ coders/thumbnail.c | 3 ++-
+ configure | 2 +-
+ magick/cipher.c | 12 ++++++------
+ magick/colorspace.c | 16 ++++++++--------
+ magick/memory.c | 21 ++++++++++++++++-----
+ magick/signature.c | 2 +-
+ 6 files changed, 34 insertions(+), 22 deletions(-)
+
+diff --git a/coders/thumbnail.c b/coders/thumbnail.c
+index 21895a9..73917fc 100644
+--- a/coders/thumbnail.c
++++ b/coders/thumbnail.c
+@@ -198,7 +198,8 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info,
+ break;
+ q++;
+ }
+- if ((q+length) > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)))
++ if ((q > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) ||
++ (length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
+ ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
+ thumbnail_image=BlobToImage(image_info,q,length,&image->exception);
+ if (thumbnail_image == (Image *) NULL)
+diff --git a/configure b/configure
+index 6f61a2f..65efc18 100755
+--- a/configure
++++ b/configure
+@@ -4573,7 +4573,7 @@ MAGICK_PATCHLEVEL_VERSION=67
+ 
+ MAGICK_VERSION=6.9.10-67
+ 
+-MAGICK_GIT_REVISION=14843:618d759:20190929
++MAGICK_GIT_REVISION=16484:c5e7a8bbe:20210225
+ 
+ 
+ # Substitute library versioning
+diff --git a/magick/cipher.c b/magick/cipher.c
+index da97378..6c74c51 100644
+--- a/magick/cipher.c
++++ b/magick/cipher.c
+@@ -483,8 +483,8 @@ static void EncipherAESBlock(AESInfo *aes_info,const unsigned char *plaintext,
+ Reset registers.
+ */
+ alpha=0;
+- (void) memset(key,0,sizeof(key));
+- (void) memset(text,0,sizeof(text));
++ (void) ResetMagickMemory(key,0,sizeof(key));
++ (void) ResetMagickMemory(text,0,sizeof(text));
+ }
+ 
+ /*
+@@ -706,8 +706,8 @@ MagickExport MagickBooleanType PasskeyDecipherImage(Image *image,
+ */
+ quantum_info=DestroyQuantumInfo(quantum_info);
+ aes_info=DestroyAESInfo(aes_info);
+- (void) memset(input_block,0,sizeof(input_block));
+- (void) memset(output_block,0,sizeof(output_block));
++ (void) ResetMagickMemory(input_block,0,sizeof(input_block));
++ (void) ResetMagickMemory(output_block,0,sizeof(output_block));
+ return(y == (ssize_t) image->rows ? MagickTrue : MagickFalse);
+ }
+ 
+@@ -923,8 +923,8 @@ MagickExport MagickBooleanType PasskeyEncipherImage(Image *image,
+ */
+ quantum_info=DestroyQuantumInfo(quantum_info);
+ aes_info=DestroyAESInfo(aes_info);
+- (void) memset(input_block,0,sizeof(input_block));
+- (void) memset(output_block,0,sizeof(output_block));
++ (void) ResetMagickMemory(input_block,0,sizeof(input_block));
++ (void) ResetMagickMemory(output_block,0,sizeof(output_block));
+ return(y == (ssize_t) image->rows ? MagickTrue : MagickFalse);
+ }
+ 
+diff --git a/magick/colorspace.c b/magick/colorspace.c
+index 4e68c21..0a3e368 100644
+--- a/magick/colorspace.c
++++ b/magick/colorspace.c
+@@ -737,15 +737,15 @@ MagickExport MagickBooleanType RGBTransformImage(Image *image,
+ if (logmap == (Quantum *) NULL)
+ ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
+ image->filename);
+- black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002/
+- film_gamma);
++ black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002*
++ PerceptibleReciprocal(film_gamma));
+ #if defined(MAGICKCORE_OPENMP_SUPPORT)
+ #pragma omp parallel for schedule(static)
+ #endif
+ for (i=0; i <= (ssize_t) MaxMap; i++)
+ logmap[i]=ScaleMapToQuantum((MagickRealType) (MaxMap*(reference_white+
+- log10(black+(1.0*i/MaxMap)*(1.0-black))/((gamma/density)*0.002/
+- film_gamma))/1024.0));
++ log10(black+(1.0*i/MaxMap)*(1.0-black))/((gamma/density)*0.002*
++ PerceptibleReciprocal(film_gamma)))/1024.0));
+ image_view=AcquireAuthenticCacheView(image,exception);
+ #if defined(MAGICKCORE_OPENMP_SUPPORT)
+ #pragma omp parallel for schedule(static) shared(status) \
+@@ -2396,14 +2396,14 @@ MagickExport MagickBooleanType TransformRGBImage(Image *image,
+ if (logmap == (Quantum *) NULL)
+ ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
+ image->filename);
+- black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002/
+- film_gamma);
++ black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002*
++ PerceptibleReciprocal(film_gamma));
+ for (i=0; i <= (ssize_t) (reference_black*MaxMap/1024.0); i++)
+ logmap[i]=(Quantum) 0;
+ for ( ; i < (ssize_t) (reference_white*MaxMap/1024.0); i++)
+ logmap[i]=ClampToQuantum((MagickRealType) QuantumRange/(1.0-black)*
+- (pow(10.0,(1024.0*i/MaxMap-reference_white)*(gamma/density)*0.002/
+- film_gamma)-black));
++ (pow(10.0,(1024.0*i/MaxMap-reference_white)*(gamma/density)*0.002*
++ PerceptibleReciprocal(film_gamma))-black));
+ for ( ; i <= (ssize_t) MaxMap; i++)
+ logmap[i]=QuantumRange;
+ if (image->storage_class == PseudoClass)
+diff --git a/magick/memory.c b/magick/memory.c
+index 487eaa7..791c1a4 100644
+--- a/magick/memory.c
++++ b/magick/memory.c
+@@ -1190,25 +1190,36 @@ MagickExport MemoryInfo *RelinquishVirtualMemory(MemoryInfo *memory_info)
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ %
+ % ResetMagickMemory() fills the first size bytes of the memory area pointed to
+-% by memory with the constant byte c.
++% by memory with the constant byte c. We use a volatile pointer when
++% updating the byte string. Most compilers will avoid optimizing away access
++% to a volatile pointer, even if the pointer appears to be unused after the
++% call.
+ %
+ % The format of the ResetMagickMemory method is:
+ %
+-% void *ResetMagickMemory(void *memory,int byte,const size_t size)
++% void *ResetMagickMemory(void *memory,int c,const size_t size)
+ %
+ % A description of each parameter follows:
+ %
+ % o memory: a pointer to a memory allocation.
+ %
+-% o byte: set the memory to this value.
++% o c: set the memory to this value.
+ %
+ % o size: size of the memory to reset.
+ %
+ */
+-MagickExport void *ResetMagickMemory(void *memory,int byte,const size_t size)
++MagickExport void *ResetMagickMemory(void *memory,int c,const size_t size)
+ {
++ volatile unsigned char
++ *p = memory;
++
++ size_t
++ n = size;
++
+ assert(memory != (void *) NULL);
+- return(memset(memory,byte,size));
++ while (n-- != 0)
++ *p++=(unsigned char) c;
++ return(memory);
+ }
+ 
+ /*
+diff --git a/magick/signature.c b/magick/signature.c
+index d8b100b..7edc295 100644
+--- a/magick/signature.c
++++ b/magick/signature.c
+@@ -720,7 +720,7 @@ RestoreMSCWarning
+ T=0;
+ T1=0;
+ T2=0;
+- (void) memset(W,0,sizeof(W));
++ (void) ResetMagickMemory(W,0,sizeof(W));
+ }
+ 
+ /*
+-- 
+2.23.0
+ 
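Review bot: ResetMagickMemory in the magick/memory.c hunk becomes a volatile byte loop for every caller, and the accompanying comment already concedes this is only what "most compilers" honour; since the cipher.c and signature.c hunks now rely on it to scrub AES key material and message blocks, a primitive the platform guarantees not to elide should be preferred where available, keeping the volatile loop as the portable fallback. Because this is also the library's general-purpose memset wrapper (presumably reached from large non-secret buffers as well), the non-vectorizable byte loop may be a measurable slowdown, which an explicit_bzero fast path also avoids; the guard macro below stands for whatever define the configure function check yields. Separately, the `configure` hunk rewriting MAGICK_GIT_REVISION is upstream release noise that makes the packaged binary report a 2021 git revision it does not correspond to, and I would drop that hunk from the backport. The thumbnail.c bounds check and the PerceptibleReciprocal substitutions look right as written.
```c
MagickExport void *ResetMagickMemory(void *memory,int c,const size_t size)
{
  /* … unchanged: volatile pointer declarations, assert … */
#if defined(MAGICKCORE_HAVE_EXPLICIT_BZERO)
  /* Guaranteed-not-elided scrub; only the all-zero fill maps onto it. */
  if (c == 0)
    {
      explicit_bzero(memory,size);
      return(memory);
    }
#endif
  /* … unchanged: volatile byte loop and return … */
}
```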
diff --git a/ImageMagick.spec b/ImageMagick.spec
index 29cc93b..b1c4014 100644
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@ -1,7 +1,7 @@
 Name: ImageMagick
 Epoch: 1
 Version: 6.9.10.67
-Release: 22
+Release: 23
 Summary: Create, edit, compose, or convert bitmap images
 License: ImageMagick and MIT
 Url: http://www.imagemagick.org/
@@ -55,6 +55,8 @@
 Patch0045: CVE-2020-25675.patch
 Patch0046: CVE-2020-27755.patch
 Patch0047: CVE-2019-18853.patch
 Patch0048: CVE-2020-27752.patch
+Patch0049: CVE-2021-20309.patch
+Patch0050: CVE-2021-20311-20312-20313.patch
 BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@@ -212,6 +214,9 @@ rm PerlMagick/demo/Generic.ttf
 %{_libdir}/pkgconfig/ImageMagick++*
 %changelog
+* Thu May 20 2021 wangyue - 6.9.10.67-23
+- Fix CVE-2021-20309 CVE-2021-20311 CVE-2021-20312 CVE-2021-20313
+
 * Thu Apr 29 2021 wangyue - 6.9.10.67-22
 - Fix CVE-2020-27752
-- 
Gitee
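Review bot: Patch0049 and Patch0050 are declared in the second hunk but nothing in this diff applies them, so unless %prep uses %autosetup (not visible here) each needs a matching `%patch0049 -p1` and `%patch0050 -p1` line, otherwise release 23 carries the CVE fixes in the SRPM only and the rebuilt binary is unchanged. Worth confirming against %prep before merging, since the changelog entry claims the fixes are in. The Release bump and %changelog hunks are routine.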