From 6b526343597873e3fe926903bd3d4de6ed1da30a Mon Sep 17 00:00:00 2001
From: chenwenjie <chenwenjie@ncti-gba.cn>
Date: Thu, 13 Oct 2022 16:45:36 +0800
Subject: [PATCH] CVE-2022-3213

---
 CVE-2022-3213-pre1.patch | 53 +++++++++++++++++++++++++++++++++++++++
 CVE-2022-3213-pre2.patch | 22 ++++++++++++++++
 CVE-2022-3213-pre3.patch | 54 ++++++++++++++++++++++++++++++++++++++++
 CVE-2022-3213.patch      | 22 ++++++++++++++++
 ImageMagick.spec         | 15 ++++++++++-
 5 files changed, 165 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-3213-pre1.patch
 create mode 100644 CVE-2022-3213-pre2.patch
 create mode 100644 CVE-2022-3213-pre3.patch
 create mode 100644 CVE-2022-3213.patch

diff --git a/CVE-2022-3213-pre1.patch b/CVE-2022-3213-pre1.patch
new file mode 100644
index 0000000..a9a24ed
--- /dev/null
+++ b/CVE-2022-3213-pre1.patch
@@ -0,0 +1,53 @@
+From a854a0a8af977a1b67830f02a53d9eb4d877e10d Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Tue, 21 Jun 2022 15:06:58 -0400
+Subject: [PATCH] prevent possible buffer overflow
+
+---
+ coders/tiff.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 49c1677cb7..2b64958930 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1903,9 +1903,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         */
+         extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
+ #if defined(TIFF_VERSION_BIG)
+-        extent+=image->columns*sizeof(uint64);
++        extent+=samples_per_pixel*sizeof(uint64);
+ #else
+-        extent+=image->columns*sizeof(uint32);
++        extent+=samples_per_pixel*sizeof(uint64);
+ #endif
+         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+           sizeof(*strip_pixels));
+@@ -2002,11 +2002,12 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         number_pixels=(MagickSizeType) columns*rows;
+         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+-        extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff));
++        extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
++          TIFFTileSize(tiff));
+ #if defined(TIFF_VERSION_BIG)
+-        extent+=image->columns*sizeof(uint64);
++        extent+=samples_per_pixel*sizeof(uint64);
+ #else
+-        extent+=image->columns*sizeof(uint32);
++        extent+=samples_per_pixel*sizeof(uint32);
+ #endif
+         tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+           sizeof(*tile_pixels));
+@@ -2101,9 +2102,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+         number_pixels=(MagickSizeType) image->columns*image->rows;
+ #if defined(TIFF_VERSION_BIG)
+-        number_pixels+=image->columns*sizeof(uint64);
++        number_pixels+=samples_per_pixel*sizeof(uint64);
+ #else
+-        number_pixels+=image->columns*sizeof(uint32);
++        number_pixels+=samples_per_pixel*sizeof(uint32);
+ #endif
+         generic_info=AcquireVirtualMemory(number_pixels,sizeof(uint32));
+         if (generic_info == (MemoryInfo *) NULL)
diff --git a/CVE-2022-3213-pre2.patch b/CVE-2022-3213-pre2.patch
new file mode 100644
index 0000000..0d4e14e
--- /dev/null
+++ b/CVE-2022-3213-pre2.patch
@@ -0,0 +1,22 @@
+From b11d64704f46cedade2ca3cdcebbc8d1f315035e Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Tue, 21 Jun 2022 17:14:48 -0400
+Subject: [PATCH] correct copy/paste error
+
+---
+ coders/tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 2b64958930..e2c6ca1093 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1905,7 +1905,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+ #if defined(TIFF_VERSION_BIG)
+         extent+=samples_per_pixel*sizeof(uint64);
+ #else
+-        extent+=samples_per_pixel*sizeof(uint64);
++        extent+=samples_per_pixel*sizeof(uint32);
+ #endif
+         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+           sizeof(*strip_pixels));
diff --git a/CVE-2022-3213-pre3.patch b/CVE-2022-3213-pre3.patch
new file mode 100644
index 0000000..ac77458
--- /dev/null
+++ b/CVE-2022-3213-pre3.patch
@@ -0,0 +1,54 @@
+From 309dfda1122f08fcf349b6f611b3b6df994d9297 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Wed, 29 Jun 2022 19:40:56 -0400
+Subject: [PATCH] eliminate possible buffer overflow
+
+---
+ coders/tiff.c | 19 ++-----------------
+ 1 file changed, 2 insertions(+), 17 deletions(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index e2c6ca1093..6bf4b112e1 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1901,12 +1901,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         /*
+           Convert stripped TIFF image.
+         */
+-        extent=(samples_per_pixel+1)*TIFFStripSize(tiff);
+-#if defined(TIFF_VERSION_BIG)
+-        extent+=samples_per_pixel*sizeof(uint64);
+-#else
+-        extent+=samples_per_pixel*sizeof(uint32);
+-#endif
++        extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff);
+         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+           sizeof(*strip_pixels));
+         if (strip_pixels == (unsigned char *) NULL)
+@@ -2002,13 +1997,8 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         number_pixels=(MagickSizeType) columns*rows;
+         if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+-        extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
++        extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff),
+           TIFFTileSize(tiff));
+-#if defined(TIFF_VERSION_BIG)
+-        extent+=samples_per_pixel*sizeof(uint64);
+-#else
+-        extent+=samples_per_pixel*sizeof(uint32);
+-#endif
+         tile_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+           sizeof(*tile_pixels));
+         if (tile_pixels == (unsigned char *) NULL)
+@@ -2101,11 +2091,6 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
+         number_pixels=(MagickSizeType) image->columns*image->rows;
+-#if defined(TIFF_VERSION_BIG)
+-        number_pixels+=samples_per_pixel*sizeof(uint64);
+-#else
+-        number_pixels+=samples_per_pixel*sizeof(uint32);
+-#endif
+         generic_info=AcquireVirtualMemory(number_pixels,sizeof(uint32));
+         if (generic_info == (MemoryInfo *) NULL)
+           ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed");
diff --git a/CVE-2022-3213.patch b/CVE-2022-3213.patch
new file mode 100644
index 0000000..9d5d30a
--- /dev/null
+++ b/CVE-2022-3213.patch
@@ -0,0 +1,22 @@
+From 30ccf9a0da1f47161b5935a95be854fe84e6c2a2 Mon Sep 17 00:00:00 2001
+From: Cristy <urban-warrior@imagemagick.org>
+Date: Sat, 27 Aug 2022 08:38:57 -0400
+Subject: [PATCH] squash heap-buffer-overflow, PoC TIFF from Hardik
+
+---
+ coders/tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 132008efbf..a166bea177 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -1892,7 +1892,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info,
+         /*
+           Convert stripped TIFF image.
+         */
+-        extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff);
++        extent=4*((image->depth+7)/8)*(samples_per_pixel+1)*TIFFStripSize(tiff);
+         strip_pixels=(unsigned char *) AcquireQuantumMemory(extent,
+           sizeof(*strip_pixels));
+         if (strip_pixels == (unsigned char *) NULL)
diff --git a/ImageMagick.spec b/ImageMagick.spec
index ed32b68..dc01a5c 100644
--- a/ImageMagick.spec
+++ b/ImageMagick.spec
@@ -1,7 +1,7 @@
 Name:           ImageMagick
 Epoch:          1
 Version:        7.1.0.28
-Release:        3
+Release:        4
 Summary:        Create, edit, compose, or convert bitmap images
 License:        ImageMagick and MIT
 Url:            http://www.imagemagick.org/
@@ -9,6 +9,10 @@ Source0:        https://github.com/ImageMagick/ImageMagick/archive/refs/tags/7.1
 
 Patch0001: backport-fix-CVE-2022-2719.patch
 Patch0002: backport-fix-CVE-2022-1115.patch
+Patch0003: CVE-2022-3213-pre1.patch
+Patch0004: CVE-2022-3213-pre2.patch
+Patch0005: CVE-2022-3213-pre3.patch
+Patch0006: CVE-2022-3213.patch
 
 BuildRequires:  bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators
 BuildRequires:  libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel
@@ -175,6 +179,15 @@ rm PerlMagick/demo/Generic.ttf
 * Thu Mar 10 2022 wangkai <wangkai385@huawei.com> - 7.1.0.27-1
 - Update to 7.1.0.27 for fix CVE-2021-39212 CVE-2021-3596
 
+* Wed Feb 23 2022 xu_ping <xuping33@huawei.com> - 7.1.0.0-3
+- OpenEXR upgrade abandoned ilmbase-devel,reference Imath-devel instead
+
+* Sat Feb 19 2022 xu_ping <xuping33@huawei.com> - 7.1.0.0-2
+- Add requires open-sans-fonts to fix unable to read font `helvetica`
+
+* Fri Dec 31 2021 wulei <wulei80@huawei.com> - 7.1.0.0-1
+- Package update
+
 * Thu Jun 03 2021 wangyue <wangyue92@huawei.com> - 6.9.10.67-25
 - Fix CVE-2020-27756 CVE-2020-25667 CVE-2020-27753
 
-- 
Gitee