From acf82c594c75a7a5af23f8b1037383e6178898e4 Mon Sep 17 00:00:00 2001 From: chenwenjie Date: Thu, 13 Oct 2022 20:30:27 +0800 Subject: [PATCH] CVE-2022-3213 modified: ImageMagick.spec (cherry picked from commit 79ac39ec17119d3517db9c86c78c14a83d147494) --- CVE-2022-3213-pre1.patch | 53 +++++++++++++++++++++++++++++++++++++++ CVE-2022-3213-pre2.patch | 54 ++++++++++++++++++++++++++++++++++++++++ CVE-2022-3213.patch | 22 ++++++++++++++++ ImageMagick.spec | 9 ++++++- 4 files changed, 137 insertions(+), 1 deletion(-) create mode 100644 CVE-2022-3213-pre1.patch create mode 100644 CVE-2022-3213-pre2.patch create mode 100644 CVE-2022-3213.patch diff --git a/CVE-2022-3213-pre1.patch b/CVE-2022-3213-pre1.patch new file mode 100644 index 0000000..5ead78d --- /dev/null +++ b/CVE-2022-3213-pre1.patch @@ -0,0 +1,53 @@ +From 4393e83230128de1cb798b67e798101d683380b1 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Tue, 21 Jun 2022 15:06:40 -0400 +Subject: [PATCH] prevent possible buffer overrun + +--- + coders/tiff.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/coders/tiff.c b/coders/tiff.c +index e278ca7c0a..d5e30293db 100644 +--- a/coders/tiff.c ++++ b/coders/tiff.c +@@ -1796,9 +1796,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, + */ + extent=(samples_per_pixel+1)*TIFFStripSize(tiff); + #if defined(TIFF_VERSION_BIG) +- extent+=image->columns*sizeof(uint64); ++ extent+=samples_per_pixel*sizeof(uint64); + #else +- extent+=image->columns*sizeof(uint32); ++ extent+=samples_per_pixel*sizeof(uint32); + #endif + strip_pixels=(unsigned char *) AcquireQuantumMemory(extent, + sizeof(*strip_pixels)); +@@ -1894,11 +1894,12 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, + number_pixels=(MagickSizeType) columns*rows; + if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse) + ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); +- extent=4*MagickMax(rows*TIFFTileRowSize(tiff),TIFFTileSize(tiff)); ++ extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff), ++ TIFFTileSize(tiff)); + #if defined(TIFF_VERSION_BIG) +- extent+=image->columns*sizeof(uint64); ++ extent+=samples_per_pixel*sizeof(uint64); + #else +- extent+=image->columns*sizeof(uint32); ++ extent+=samples_per_pixel*sizeof(uint32); + #endif + tile_pixels=(unsigned char *) AcquireQuantumMemory(extent, + sizeof(*tile_pixels)); +@@ -1996,9 +1997,9 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, + ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); + number_pixels=(MagickSizeType) image->columns*image->rows; + #if defined(TIFF_VERSION_BIG) +- number_pixels+=image->columns*sizeof(uint64); ++ number_pixels+=samples_per_pixel*sizeof(uint64); + #else +- number_pixels+=image->columns*sizeof(uint32); ++ number_pixels+=samples_per_pixel*sizeof(uint32); + #endif + generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels)); + if (generic_info == (MemoryInfo *) NULL) diff --git a/CVE-2022-3213-pre2.patch b/CVE-2022-3213-pre2.patch new file mode 100644 index 0000000..46a9e6e --- /dev/null +++ b/CVE-2022-3213-pre2.patch @@ -0,0 +1,54 @@ +From 2b4eabb9d09b278f16727c635e928bd951c58773 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Wed, 29 Jun 2022 19:41:14 -0400 +Subject: [PATCH] eliminate possible buffer overflow + +--- + coders/tiff.c | 19 ++----------------- + 1 file changed, 2 insertions(+), 17 deletions(-) + +diff --git a/coders/tiff.c b/coders/tiff.c +index d5e30293db..d88711f941 100644 +--- a/coders/tiff.c ++++ b/coders/tiff.c +@@ -1794,12 +1794,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, + /* + Convert stripped TIFF image. + */ +- extent=(samples_per_pixel+1)*TIFFStripSize(tiff); +-#if defined(TIFF_VERSION_BIG) +- extent+=samples_per_pixel*sizeof(uint64); +-#else +- extent+=samples_per_pixel*sizeof(uint32); +-#endif ++ extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff); + strip_pixels=(unsigned char *) AcquireQuantumMemory(extent, + sizeof(*strip_pixels)); + if (strip_pixels == (unsigned char *) NULL) +@@ -1894,13 +1889,8 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, + number_pixels=(MagickSizeType) columns*rows; + if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse) + ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); +- extent=(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff), ++ extent=4*(samples_per_pixel+1)*MagickMax(rows*TIFFTileRowSize(tiff), + TIFFTileSize(tiff)); +-#if defined(TIFF_VERSION_BIG) +- extent+=samples_per_pixel*sizeof(uint64); +-#else +- extent+=samples_per_pixel*sizeof(uint32); +-#endif + tile_pixels=(unsigned char *) AcquireQuantumMemory(extent, + sizeof(*tile_pixels)); + if (tile_pixels == (unsigned char *) NULL) +@@ -1996,11 +1986,6 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, + if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse) + ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); + number_pixels=(MagickSizeType) image->columns*image->rows; +-#if defined(TIFF_VERSION_BIG) +- number_pixels+=samples_per_pixel*sizeof(uint64); +-#else +- number_pixels+=samples_per_pixel*sizeof(uint32); +-#endif + generic_info=AcquireVirtualMemory(number_pixels,sizeof(*pixels)); + if (generic_info == (MemoryInfo *) NULL) + ThrowTIFFException(ResourceLimitError,"MemoryAllocationFailed"); diff --git a/CVE-2022-3213.patch b/CVE-2022-3213.patch new file mode 100644 index 0000000..f78e4b8 --- /dev/null +++ b/CVE-2022-3213.patch @@ -0,0 +1,22 @@ +From 1aea203eb36409ce6903b9e41fe7cb70030e8750 Mon Sep 17 00:00:00 2001 +From: Cristy +Date: Sat, 27 Aug 2022 08:38:18 -0400 +Subject: [PATCH] squash heap-buffer-overflow, PoC TIFF from Hardik + +--- + coders/tiff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/coders/tiff.c b/coders/tiff.c +index 3165ab925..05549f9e5 100644 +--- a/coders/tiff.c ++++ b/coders/tiff.c +@@ -1798,7 +1798,7 @@ static Image *ReadTIFFImage(const ImageInfo *image_info, + /* + Convert stripped TIFF image. + */ +- extent=4*(samples_per_pixel+1)*TIFFStripSize(tiff); ++ extent=4*((image->depth+7)/8)*(samples_per_pixel+1)*TIFFStripSize(tiff); + strip_pixels=(unsigned char *) AcquireQuantumMemory(extent, + sizeof(*strip_pixels)); + if (strip_pixels == (unsigned char *) NULL) diff --git a/ImageMagick.spec b/ImageMagick.spec index 9a4c3f0..c0eab78 100644 --- a/ImageMagick.spec +++ b/ImageMagick.spec @@ -1,13 +1,17 @@ Name: ImageMagick Epoch: 1 Version: 6.9.12.43 -Release: 2 +Release: 3 Summary: Create, edit, compose, or convert bitmap images License: ImageMagick and MIT Url: http://www.imagemagick.org/ Source0: https://www.imagemagick.org/download/ImageMagick-6.9.12-43.tar.xz Patch0001: backport-fix-CVE-2022-1115.patch +Patch0002: CVE-2022-3213-pre1.patch +Patch0003: CVE-2022-3213-pre2.patch +Patch0004: CVE-2022-3213.patch + BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel @@ -165,6 +169,9 @@ rm PerlMagick/demo/Generic.ttf %{_libdir}/pkgconfig/ImageMagick++* %changelog +* Thu Oct 13 2022 chenwenjie - 1:6.9.12.43-3 +- fix CVE-2022-3213 + * Mon Sep 5 2022 cenhuilin - 1:6.9.12.43-2 - fix CVE-2022-1115 -- Gitee