From 76ae566418148ff80dd136ad32f860aed3738c9d Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Thu, 3 Jun 2021 15:25:26 +0800
Subject: [PATCH] Fix CVE-2020-27756 CVE-2020-25667 CVE-2020-27753
(cherry picked from commit b0945eda099d377d68b6d59b4d93ba13a420779a)
---
 CVE-2020-25667.patch | 36 +++++++++
 CVE-2020-27753.patch | 170 +++++++++++++++++++++++++++++++++++++++++++
 CVE-2020-27756.patch | 31 ++++++++
 ImageMagick.spec | 8 +-
 4 files changed, 244 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-25667.patch
 create mode 100644 CVE-2020-27753.patch
 create mode 100644 CVE-2020-27756.patch
diff --git a/CVE-2020-25667.patch b/CVE-2020-25667.patch
new file mode 100644
index 0000000..0c72e62
--- /dev/null
+++ b/CVE-2020-25667.patch
@@ -0,0 +1,36 @@
+From 14ba3e46a66c4799d643c7b959792e185c6599c7 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sun, 13 Oct 2019 11:20:29 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1748
+
+---
+ coders/tiff.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index c21f546bce..e7e6b67aa0 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -648,9 +648,20 @@ static void TIFFGetProfiles(TIFF *tiff,Image *image)
+ if ((TIFFGetField(tiff,TIFFTAG_XMLPACKET,&length,&profile) == 1) &&
+ (profile != (unsigned char *) NULL))
+ {
++ StringInfo
++ *dng;
++
+ (void) ReadProfile(image,"xmp",profile,(ssize_t) length);
+- if (strstr((char *) profile,"dc:format=\"image/dng\"") != (char *) NULL)
+- (void) CopyMagickString(image->magick,"DNG",MagickPathExtent);
++ dng=BlobToStringInfo(profile,length);
++ if (dng != (StringInfo *) NULL)
++ {
++ const char
++ *target = "dc:format=\"image/dng\"";
++
++ if (strstr((char *) GetStringInfoDatum(dng),target) != (char *) NULL)
++ (void) CopyMagickString(image->magick,"DNG",MagickPathExtent);
++ dng=DestroyStringInfo(dng);
++ }
+ }
+ #endif
+ if ((TIFFGetField(tiff,34118,&length,&profile) == 1) &&
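Review bot: The `strstr` on `GetStringInfoDatum(dng)` in the embedded coders/tiff.c hunk is only bounded if `BlobToStringInfo` returns a NUL-terminated copy of the packet, and nothing in this hunk shows that it does. Since this is a backport onto the packaged 6.9.10.67 sources, the `BlobToStringInfo` shipped in that tree should be checked for a zeroed tail after `length` bytes rather than assumed to match upstream. A one-line comment above the copy would record why it exists, e.g. `/* XMP packet from TIFFGetField is not NUL-terminated; search a terminated copy */`. The status of `ReadProfile` is still discarded with `(void)`, and the body of TIFFGetProfiles starts and ends outside the hunk.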
diff --git a/CVE-2020-27753.patch b/CVE-2020-27753.patch
new file mode 100644
index 0000000..14befb1
--- /dev/null
+++ b/CVE-2020-27753.patch
@@ -0,0 +1,170 @@
+From 6f5d3d2cd94eb8361e07546c4bf72cb60681b984 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Wed, 16 Oct 2019 19:36:11 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1757
+
+---
+ coders/miff.c | 40 ++++++++++------------------------------
+ 1 file changed, 10 insertions(+), 30 deletions(-)
+
+diff --git a/coders/miff.c b/coders/miff.c
+index d4a9b44bbe..3dfcbb73b2 100644
+--- a/coders/miff.c
++++ b/coders/miff.c
+@@ -224,6 +224,7 @@ static void PushRunlengthPacket(Image *image,const unsigned char *pixels,
+ switch (image->depth)
+ {
+ case 32:
++ default:
+ {
+ *index=ConstrainColormapIndex(image,(ssize_t) (((size_t) *p << 24) |
+ ((size_t) *(p+1) << 16) | ((size_t) *(p+2) << 8) |
+@@ -244,9 +245,6 @@ static void PushRunlengthPacket(Image *image,const unsigned char *pixels,
+ p++;
+ break;
+ }
+- default:
+- (void) ThrowMagickException(&image->exception,GetMagickModule(),
+- CorruptImageError,"ImageDepthNotSupported","`%s'",image->filename);
+ }
+ *pixel=image->colormap[(ssize_t) *index];
+ switch (image->depth)
+@@ -277,6 +275,7 @@ static void PushRunlengthPacket(Image *image,const unsigned char *pixels,
+ break;
+ }
+ case 32:
++ default:
+ {
+ unsigned int
+ quantum;
+@@ -289,9 +288,6 @@ static void PushRunlengthPacket(Image *image,const unsigned char *pixels,
+ }
+ break;
+ }
+- default:
+- (void) ThrowMagickException(&image->exception,GetMagickModule(),
+- CorruptImageError,"ImageDepthNotSupported","`%s'",image->filename);
+ }
+ *length=((size_t) *p++)+1;
+ return;
+@@ -359,6 +355,7 @@ static void PushRunlengthPacket(Image *image,const unsigned char *pixels,
+ break;
+ }
+ case 32:
++ default:
+ {
+ unsigned int
+ quantum;
+@@ -390,9 +387,6 @@ static void PushRunlengthPacket(Image *image,const unsigned char *pixels,
+ }
+ break;
+ }
+- default:
+- (void) ThrowMagickException(&image->exception,GetMagickModule(),
+- CorruptImageError,"ImageDepthNotSupported","`%s'",image->filename);
+ }
+ *length=(size_t) (*p++)+1;
+ }
+@@ -1120,7 +1114,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+ (image->compression == UndefinedCompression) ||
+ (image->colorspace == UndefinedColorspace) ||
+ (image->columns == 0) || (image->rows == 0) ||
+- (image->depth == 0) || (image->depth > 64))
++ (image->depth == 0) || (image->depth > 32))
+ {
+ if (profiles != (LinkedListInfo *) NULL)
+ profiles=DestroyLinkedList(profiles,RelinquishMagickMemory);
+@@ -1239,9 +1233,6 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+ p=colormap;
+ switch (image->depth)
+ {
+- default:
+- colormap=(unsigned char *) RelinquishMagickMemory(colormap);
+- ThrowMIFFException(CorruptImageError,"ImageDepthNotSupported");
+ case 8:
+ {
+ unsigned char
+@@ -1275,6 +1266,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
+ break;
+ }
+ case 32:
++ default:
+ {
+ unsigned int
+ pixel;
+@@ -1855,6 +1847,7 @@ static unsigned char *PopRunlengthPacket(Image *image,unsigned char *pixels,
+ switch (image->depth)
+ {
+ case 32:
++ default:
+ {
+ *pixels++=(unsigned char) (value >> 24);
+ *pixels++=(unsigned char) (value >> 16);
+@@ -1866,13 +1859,11 @@ static unsigned char *PopRunlengthPacket(Image *image,unsigned char *pixels,
+ *pixels++=(unsigned char) value;
+ break;
+ }
+- default:
+- (void) ThrowMagickException(&image->exception,GetMagickModule(),
+- CorruptImageError,"ImageDepthNotSupported","`%s'",image->filename);
+ }
+ switch (image->depth)
+ {
+ case 32:
++ default:
+ {
+ unsigned int
+ value;
+@@ -1908,9 +1899,6 @@ static unsigned char *PopRunlengthPacket(Image *image,unsigned char *pixels,
+ }
+ break;
+ }
+- default:
+- (void) ThrowMagickException(&image->exception,GetMagickModule(),
+- CorruptImageError,"ImageDepthNotSupported","`%s'",image->filename);
+ }
+ *pixels++=(unsigned char) length;
+ return(pixels);
+@@ -1918,6 +1906,7 @@ static unsigned char *PopRunlengthPacket(Image *image,unsigned char *pixels,
+ switch (image->depth)
+ {
+ case 32:
++ default:
+ {
+ unsigned int
+ value;
+@@ -1995,9 +1984,6 @@ static unsigned char *PopRunlengthPacket(Image *image,unsigned char *pixels,
+ }
+ break;
+ }
+- default:
+- (void) ThrowMagickException(&image->exception,GetMagickModule(),
+- CorruptImageError,"ImageDepthNotSupported","`%s'",image->filename);
+ }
+ *pixels++=(unsigned char) length;
+ return(pixels);
+@@ -2091,8 +2077,7 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info,
+ if ((image->storage_class == PseudoClass) &&
+ (image->colors > (size_t) (GetQuantumRange(image->depth)+1)))
+ (void) SetImageStorageClass(image,DirectClass);
+- image->depth=image->depth <= 8 ? 8UL : image->depth <= 16 ? 16UL :
+- image->depth <= 32 ? 32UL : 64UL;
++ image->depth=image->depth <= 8 ? 8UL : image->depth <= 16 ? 16UL : 32UL;
+ quantum_info=AcquireQuantumInfo(image_info,image);
+ if (quantum_info == (QuantumInfo *) NULL)
+ ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
+@@ -2449,13 +2434,8 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info,
+ {
+ switch (quantum_info->depth)
+ {
+- default:
+- {
+- colormap=(unsigned char *) RelinquishMagickMemory(colormap);
+- ThrowWriterException(CorruptImageError,"ImageDepthNotSupported");
+- break;
+- }
+ case 32:
++ default:
+ {
+ register unsigned int
+ pixel;
diff --git a/CVE-2020-27756.patch b/CVE-2020-27756.patch
new file mode 100644
index 0000000..c3c6e5b
--- /dev/null
+++ b/CVE-2020-27756.patch
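Review bot: Any `image->depth` not matched by an explicit case is now decoded through the 32-bit branch with no diagnostic, because `default:` was folded into `case 32:` throughout PushRunlengthPacket and the ReadMIFFImage colormap switch, while the tightened header check (`image->depth > 32`) still admits every value from 1 to 32. The code that sizes the pixel and colormap buffers is not in these hunks, so it should be confirmed that a header depth such as 12 or 24 yields a packet size matching the four-bytes-per-sample branch. If it does not, the reader should reject or normalise such depths before decoding, for instance with the expression the WriteMIFFImage hunk already uses, `image->depth=image->depth <= 8 ? 8UL : image->depth <= 16 ? 16UL : 32UL;`. Separately, the writer now clamps depths above 32 and the reader rejects them, so MIFF files previously written at depth 64 will presumably no longer load, which deserves a changelog line. All touched functions start and end outside the hunks.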
@@ -0,0 +1,31 @@
+From d3d96f05950275b916207bf9df03640ef3e9fd6e Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Sun, 6 Oct 2019 09:31:02 -0400
+Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1725
+
+---
+ magick/geometry.c | 8 ++++----
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/magick/geometry.c b/magick/geometry.c
+index 27f99f8438..101810ca5e 100644
+--- a/magick/geometry.c
++++ b/magick/geometry.c
+@@ -1423,13 +1423,13 @@ MagickExport MagickStatusType ParseMetaGeometry(const char *geometry,ssize_t *x,
+ if (geometry_ratio >= image_ratio)
+ {
+ *width=former_width;
+- *height=(size_t) floor((double) (former_height*image_ratio/
+- geometry_ratio)+0.5);
++ *height=(size_t) floor((double) (PerceptibleReciprocal(
++ geometry_ratio)*former_height*image_ratio)+0.5);
+ }
+ else
+ {
+- *width=(size_t) floor((double) (former_width*geometry_ratio/
+- image_ratio)+0.5);
++ *width=(size_t) floor((double) (PerceptibleReciprocal(
++ image_ratio)*former_width*geometry_ratio)+0.5);
+ *height=former_height;
+ }
+ former_width=(*width);
diff --git a/ImageMagick.spec b/ImageMagick.spec
index 6c1af7b..605cd67 100644
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@ -1,7 +1,7 @@ Name: ImageMagick Epoch: 1 Version: 6.9.10.67 -Release: 24 +Release: 25 Summary: Create, edit, compose, or convert bitmap images License: ImageMagick and MIT Url: http://www.imagemagick.org/
@@ -58,6 +58,9 @@ Patch0048: CVE-2020-27752.patch Patch0049: CVE-2021-20309.patch Patch0050: CVE-2021-20311-20312-20313.patch Patch0051: CVE-2020-27769.patch +Patch0052: CVE-2020-27756.patch +Patch0053: CVE-2020-25667.patch +Patch0054: CVE-2020-27753.patch BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
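Review bot: The rewritten `*height` and `*width` expressions in the embedded magick/geometry.c hunk still cast the product straight to `size_t` with no range check. `PerceptibleReciprocal()` is not defined in the hunk, but when a ratio is zero or near zero its result is presumably very large, and converting an out-of-range double to `size_t` is undefined behaviour. Consider bounding the value before the cast, or at least recording the assumption, e.g. `/* ratio may be 0 for degenerate geometry; PerceptibleReciprocal() avoids the division, the result is not range-checked */`. The embedded patch header also says `2 files changed, 11 insertions(+), 4 deletions(-)` while only magick/geometry.c is carried, so it is worth confirming that the file dropped from the upstream commit was not code. ParseMetaGeometry starts and ends outside the hunk.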
@@ -215,6 +218,9 @@ rm PerlMagick/demo/Generic.ttf %{_libdir}/pkgconfig/ImageMagick++* %changelog +* Thu Jun 03 2021 wangyue - 6.9.10.67-25 +- Fix CVE-2020-27756 CVE-2020-25667 CVE-2020-27753 + * Tue May 25 2021 wangyue - 6.9.10.67-24 - Fix CVE-2020-27769 -- Gitee