diff --git a/CVE-2023-34151.patch b/CVE-2023-34151.patch
new file mode 100644
index 0000000000000000000000000000000000000000..221c1d908d6a80b67de0163b6947dcbefc929985
--- /dev/null
+++ b/CVE-2023-34151.patch
@@ -0,0 +1,309 @@
+From 133089f716f23ce0b80d89ccc1fd680960235512 Mon Sep 17 00:00:00 2001
+From: Cristy
+Date: Wed, 17 May 2023 21:06:18 -0400
+Subject: [PATCH] properly cast double to size_t
+ (https://github.com/ImageMagick/ImageMagick/issues/6341)
+
+Link: https://github.com/ImageMagick/ImageMagick6/commit/133089f716f23ce0b80d89ccc1fd680960235512
+
+---
+ coders/caption.c | 10 +++++-----
+ coders/label.c | 10 +++++-----
+ coders/pcl.c | 4 ++--
+ coders/pdf.c | 4 ++--
+ coders/ps.c | 4 ++--
+ coders/ps2.c | 4 ++--
+ coders/ps3.c | 4 ++--
+ coders/svg.c | 4 ++--
+ magick/annotate.c | 4 ++--
+ magick/draw.c | 8 ++++----
+ magick/geometry.c | 4 ++--
+ magick/shear.c | 10 +++++-----
+ magick/visual-effects.c | 4 ++--
+ 13 files changed, 37 insertions(+), 37 deletions(-)
+
+diff --git a/coders/caption.c b/coders/caption.c
+index b6219617e..23cf4eacf 100644
+--- a/coders/caption.c
++++ b/coders/caption.c
+@@ -168,7 +168,7 @@ static Image *ReadCAPTIONImage(const ImageInfo *image_info,
+ return(DestroyImageList(image));
+ (void) SetImageProperty(image,"caption",caption);
+ draw_info=CloneDrawInfo(image_info,(DrawInfo *) NULL);
+- width=(size_t) floor(draw_info->pointsize*strlen(caption)+0.5);
++ width=CastDoubleToUnsigned(draw_info->pointsize*strlen(caption)+0.5);
+ if (AcquireMagickResource(WidthResource,width) == MagickFalse)
+ {
+ caption=DestroyString(caption);
+@@ -259,8 +259,8 @@ static Image *ReadCAPTIONImage(const ImageInfo *image_info,
+ AdjustTypeMetricBounds(&metrics);
+ if (status == MagickFalse)
+ break;
+- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
+- height=(size_t) floor(metrics.height-metrics.underline_position+
++ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
++ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
+ draw_info->interline_spacing+draw_info->stroke_width+0.5);
+ if ((image->columns != 0) && (image->rows != 0))
+ {
+@@ -289,8 +289,8 @@ static Image *ReadCAPTIONImage(const ImageInfo *image_info,
+ AdjustTypeMetricBounds(&metrics);
+ if (status == MagickFalse)
+ break;
+- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
+- height=(size_t) floor(metrics.height-metrics.underline_position+
++ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
++ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
+ draw_info->interline_spacing+draw_info->stroke_width+0.5);
+ if ((image->columns != 0) && (image->rows != 0))
+ {
+diff --git a/coders/label.c b/coders/label.c
+index cc6af9472..389ae8d14 100644
+--- a/coders/label.c
++++ b/coders/label.c
+@@ -149,7 +149,7 @@ static Image *ReadLABELImage(const ImageInfo *image_info,
+ return(DestroyImageList(image));
+ (void) SetImageProperty(image,"label",label);
+ draw_info=CloneDrawInfo(image_info,(DrawInfo *) NULL);
+- width=(size_t) floor(0.5*draw_info->pointsize*strlen(label)+0.5);
++ width=CastDoubleToUnsigned(0.5*draw_info->pointsize*strlen(label)+0.5);
+ if (AcquireMagickResource(WidthResource,width) == MagickFalse)
+ {
+ label=DestroyString(label);
+@@ -190,8 +190,8 @@ static Image *ReadLABELImage(const ImageInfo *image_info,
+ AdjustTypeMetricBounds(&metrics);
+ if (status == MagickFalse)
+ break;
+- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
+- height=(size_t) floor(metrics.height-metrics.underline_position+
++ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
++ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
+ draw_info->stroke_width+0.5);
+ if ((image->columns != 0) && (image->rows != 0))
+ {
+@@ -222,8 +222,8 @@ static Image *ReadLABELImage(const ImageInfo *image_info,
+ AdjustTypeMetricBounds(&metrics);
+ if (status == MagickFalse)
+ break;
+- width=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
+- height=(size_t) floor(metrics.height-metrics.underline_position+
++ width=CastDoubleToUnsigned(metrics.width+draw_info->stroke_width+0.5);
++ height=CastDoubleToUnsigned(metrics.height-metrics.underline_position+
+ draw_info->stroke_width+0.5);
+ if ((image->columns != 0) && (image->rows != 0))
+ {
+diff --git a/coders/pcl.c b/coders/pcl.c
+index 0606df854..17a020d3c 100644
+--- a/coders/pcl.c
++++ b/coders/pcl.c
+@@ -334,9 +334,9 @@ static Image *ReadPCLImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ image->x_resolution,image->y_resolution);
+ if (image_info->ping != MagickFalse)
+ (void) FormatLocaleString(density,MagickPathExtent,"2.0x2.0");
+- page.width=(size_t) floor((double) page.width*image->x_resolution/delta.x+
++ page.width=CastDoubleToUnsigned((double) page.width*image->x_resolution/delta.x+
+ 0.5);
+- page.height=(size_t) floor((double) page.height*image->y_resolution/delta.y+
++ page.height=CastDoubleToUnsigned((double) page.height*image->y_resolution/delta.y+
+ 0.5);
+ (void) FormatLocaleString(options,MaxTextExtent,"-g%.20gx%.20g ",(double)
+ page.width,(double) page.height);
+diff --git a/coders/pdf.c b/coders/pdf.c
+index 35d9e8f9b..7097586e9 100644
+--- a/coders/pdf.c
++++ b/coders/pdf.c
+@@ -1674,9 +1674,9 @@ static MagickBooleanType WritePDFImage(const ImageInfo *image_info,Image *image)
+ (void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
+ &geometry.width,&geometry.height);
+ scale.x=(double) (geometry.width*delta.x)/resolution.x;
+- geometry.width=(size_t) floor(scale.x+0.5);
++ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
+ scale.y=(double) (geometry.height*delta.y)/resolution.y;
+- geometry.height=(size_t) floor(scale.y+0.5);
++ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
+ (void) ParseAbsoluteGeometry(page_geometry,&media_info);
+ (void) ParseGravityGeometry(image,page_geometry,&page_info,
+ &image->exception);
+diff --git a/coders/ps.c b/coders/ps.c
+index 942c7f793..b359de50d 100644
+--- a/coders/ps.c
++++ b/coders/ps.c
+@@ -1552,9 +1552,9 @@ static MagickBooleanType WritePSImage(const ImageInfo *image_info,Image *image)
+ (void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
+ &geometry.width,&geometry.height);
+ scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
+- geometry.width=(size_t) floor(scale.x+0.5);
++ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
+ scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
+- geometry.height=(size_t) floor(scale.y+0.5);
++ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
+ (void) ParseAbsoluteGeometry(page_geometry,&media_info);
+ (void) ParseGravityGeometry(image,page_geometry,&page_info,
+ &image->exception);
+diff --git a/coders/ps2.c b/coders/ps2.c
+index 1a704e570..e81a6e200 100644
+--- a/coders/ps2.c
++++ b/coders/ps2.c
+@@ -531,9 +531,9 @@ static MagickBooleanType WritePS2Image(const ImageInfo *image_info,Image *image)
+ (void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
+ &geometry.width,&geometry.height);
+ scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
+- geometry.width=(size_t) floor(scale.x+0.5);
++ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
+ scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
+- geometry.height=(size_t) floor(scale.y+0.5);
++ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
+ (void) ParseAbsoluteGeometry(page_geometry,&media_info);
+ (void) ParseGravityGeometry(image,page_geometry,&page_info,
+ &image->exception);
+diff --git a/coders/ps3.c b/coders/ps3.c
+index d3c49d624..945aca73c 100644
+--- a/coders/ps3.c
++++ b/coders/ps3.c
+@@ -980,9 +980,9 @@ static MagickBooleanType WritePS3Image(const ImageInfo *image_info,Image *image)
+ (void) ParseMetaGeometry(page_geometry,&geometry.x,&geometry.y,
+ &geometry.width,&geometry.height);
+ scale.x=PerceptibleReciprocal(resolution.x)*geometry.width*delta.x;
+- geometry.width=(size_t) floor(scale.x+0.5);
++ geometry.width=CastDoubleToUnsigned(scale.x+0.5);
+ scale.y=PerceptibleReciprocal(resolution.y)*geometry.height*delta.y;
+- geometry.height=(size_t) floor(scale.y+0.5);
++ geometry.height=CastDoubleToUnsigned(scale.y+0.5);
+ (void) ParseAbsoluteGeometry(page_geometry,&media_info);
+ (void) ParseGravityGeometry(image,page_geometry,&page_info,
+ &image->exception);
+diff --git a/coders/svg.c b/coders/svg.c
+index 6d6e38798..309a72683 100644
+--- a/coders/svg.c
++++ b/coders/svg.c
+@@ -2830,10 +2830,10 @@ static void SVGStartElement(void *context,const xmlChar *name,
+ svg_info->view_box=svg_info->bounds;
+ svg_info->width=0;
+ if (svg_info->bounds.width >= MagickEpsilon)
+- svg_info->width=(size_t) floor(svg_info->bounds.width+0.5);
++ svg_info->width=CastDoubleToUnsigned(svg_info->bounds.width+0.5);
+ svg_info->height=0;
+ if (svg_info->bounds.height >= MagickEpsilon)
+- svg_info->height=(size_t) floor(svg_info->bounds.height+0.5);
++ svg_info->height=CastDoubleToUnsigned(svg_info->bounds.height+0.5);
+ (void) FormatLocaleFile(svg_info->file,"viewbox 0 0 %.20g %.20g\n",
+ (double) svg_info->width,(double) svg_info->height);
+ sx=PerceptibleReciprocal(svg_info->view_box.width)*svg_info->width;
+diff --git a/magick/annotate.c b/magick/annotate.c
+index 3068f61d5..29ab333cb 100644
+--- a/magick/annotate.c
++++ b/magick/annotate.c
+@@ -326,7 +326,7 @@ MagickExport MagickBooleanType AnnotateImage(Image *image,
+ (void) CloneString(&annotate->text,textlist[i]);
+ if ((metrics.width == 0) || (annotate->gravity != NorthWestGravity))
+ (void) GetTypeMetrics(image,annotate,&metrics);
+- height=(size_t) floor(metrics.ascent-metrics.descent+0.5);
++ height=CastDoubleToUnsigned(metrics.ascent-metrics.descent+0.5);
+ if (height == 0)
+ height=draw_info->pointsize;
+ height+=(size_t) floor(draw_info->interline_spacing+0.5);
+@@ -654,7 +654,7 @@ MagickExport ssize_t FormatMagickCaption(Image *image,DrawInfo *draw_info,
+ status=GetTypeMetrics(image,draw_info,metrics);
+ if (status == MagickFalse)
+ break;
+- width=(size_t) floor(metrics->width+draw_info->stroke_width+0.5);
++ width=CastDoubleToUnsigned(metrics->width+draw_info->stroke_width+0.5);
+ if (width <= image->columns)
+ continue;
+ if (s != (char *) NULL)
+diff --git a/magick/draw.c b/magick/draw.c
+index 867b58ab2..40b6f4be6 100644
+--- a/magick/draw.c
++++ b/magick/draw.c
+@@ -3486,14 +3486,14 @@ static MagickBooleanType RenderMVGContent(Image *image,
+ (void) GetNextToken(q,&q,extent,token);
+ if (*token == ',')
+ (void) GetNextToken(q,&q,extent,token);
+- bounds.width=(size_t) floor(GetDrawValue(token,&next_token)+
++ bounds.width=CastDoubleToUnsigned(GetDrawValue(token,&next_token)+
+ 0.5);
+ if (token == next_token)
+ ThrowPointExpectedException(image,token);
+ (void) GetNextToken(q,&q,extent,token);
+ if (*token == ',')
+ (void) GetNextToken(q,&q,extent,token);
+- bounds.height=(size_t) floor(GetDrawValue(token,&next_token)+
++ bounds.height=CastDoubleToUnsigned(GetDrawValue(token,&next_token)+
+ 0.5);
+ if (token == next_token)
+ ThrowPointExpectedException(image,token);
+@@ -3909,14 +3909,14 @@ static MagickBooleanType RenderMVGContent(Image *image,
+ (void) GetNextToken(q,&q,extent,token);
+ if (*token == ',')
+ (void) GetNextToken(q,&q,extent,token);
+- graphic_context[n]->viewbox.width=(size_t) floor(GetDrawValue(
++ graphic_context[n]->viewbox.width=CastDoubleToUnsigned(GetDrawValue(
+ token,&next_token)+0.5);
+ if (token == next_token)
+ ThrowPointExpectedException(image,token);
+ (void) GetNextToken(q,&q,extent,token);
+ if (*token == ',')
+ (void) GetNextToken(q,&q,extent,token);
+- graphic_context[n]->viewbox.height=(size_t) floor(GetDrawValue(
++ graphic_context[n]->viewbox.height=CastDoubleToUnsigned(GetDrawValue(
+ token,&next_token)+0.5);
+ if (token == next_token)
+ ThrowPointExpectedException(image,token);
+diff --git a/magick/geometry.c b/magick/geometry.c
+index 0aa7f74d0..470adc2d2 100644
+--- a/magick/geometry.c
++++ b/magick/geometry.c
+@@ -1475,8 +1475,8 @@ MagickExport MagickStatusType ParseMetaGeometry(const char *geometry,ssize_t *x,
+ scale.y=geometry_info.sigma;
+ if ((flags & SigmaValue) == 0)
+ scale.y=scale.x;
+- *width=(size_t) floor(scale.x*former_width/100.0+0.5);
+- *height=(size_t) floor(scale.y*former_height/100.0+0.5);
++ *width=CastDoubleToUnsigned(scale.x*former_width/100.0+0.5);
++ *height=CastDoubleToUnsigned(scale.y*former_height/100.0+0.5);
+ former_width=(*width);
+ former_height=(*height);
+ }
+diff --git a/magick/shear.c b/magick/shear.c
+index e66ceac9a..ec7a7568e 100644
+--- a/magick/shear.c
++++ b/magick/shear.c
+@@ -166,8 +166,8 @@ static MagickBooleanType CropToFitImage(Image **image,
+ }
+ geometry.x=CastDoubleToLong(ceil(min.x-0.5));
+ geometry.y=CastDoubleToLong(ceil(min.y-0.5));
+- geometry.width=(size_t) floor(max.x-min.x+0.5);
+- geometry.height=(size_t) floor(max.y-min.y+0.5);
++ geometry.width=CastDoubleToUnsigned(max.x-min.x+0.5);
++ geometry.height=CastDoubleToUnsigned(max.y-min.y+0.5);
+ page=(*image)->page;
+ (void) ParseAbsoluteGeometry("0x0+0+0",&(*image)->page);
+ crop_image=CropImage(*image,&geometry,exception);
+@@ -1787,9 +1787,9 @@ MagickExport Image *ShearRotateImage(const Image *image,const double degrees,
+ */
+ width=integral_image->columns;
+ height=integral_image->rows;
+- bounds.width=(size_t) floor(fabs((double) height*shear.x)+width+0.5);
+- bounds.height=(size_t) floor(fabs((double) bounds.width*shear.y)+height+0.5);
+- shear_width=(size_t) floor(fabs((double) bounds.height*shear.x)+
++ bounds.width=CastDoubleToUnsigned(fabs((double) height*shear.x)+width+0.5);
++ bounds.height=CastDoubleToUnsigned(fabs((double) bounds.width*shear.y)+height+0.5);
++ shear_width=CastDoubleToUnsigned(fabs((double) bounds.height*shear.x)+
+ bounds.width+0.5);
+ bounds.x=CastDoubleToLong(floor((double) ((shear_width > bounds.width) ?
+ width : bounds.width-shear_width+2)/2.0+0.5)); +diff --git a/magick/visual-effects.c b/magick/visual-effects.c +index dc039727a..1ec419e61 100644 +--- a/magick/visual-effects.c ++++ b/magick/visual-effects.c +@@ -2052,8 +2052,8 @@ MagickExport Image *ShadowImage(const Image *image,const double opacity, + (void) SetImageColorspace(clone_image,sRGBColorspace); + (void) SetImageVirtualPixelMethod(clone_image,EdgeVirtualPixelMethod); + clone_image->compose=OverCompositeOp; +- border_info.width=(size_t) floor(2.0*sigma+0.5); +- border_info.height=(size_t) floor(2.0*sigma+0.5); ++ border_info.width=CastDoubleToUnsigned(2.0*sigma+0.5); ++ border_info.height=CastDoubleToUnsigned(2.0*sigma+0.5); + border_info.x=0; + border_info.y=0; + (void) QueryColorDatabase("none",&clone_image->border_color,exception); diff --git a/ImageMagick.spec b/ImageMagick.spec index ec2d5b090fcd70de8cf4d4370d1866239fe76691..0a85208c3f74ceb1c45bc2ed4d3132e22cfcfaae 100644 --- a/ImageMagick.spec +++ b/ImageMagick.spec @@ -1,11 +1,12 @@ Name: ImageMagick Epoch: 1 Version: 6.9.12.86 -Release: 1 +Release: 2 Summary: Create, edit, compose, or convert bitmap images License: ImageMagick and MIT Url: http://www.imagemagick.org/ Source0: https://www.imagemagick.org/download/ImageMagick-6.9.12-86.tar.xz +Patch0: CVE-2023-34151.patch BuildRequires: bzip2-devel freetype-devel libjpeg-devel libpng-devel perl-generators BuildRequires: libtiff-devel giflib-devel zlib-devel perl-devel >= 5.8.1 jbigkit-devel @@ -163,6 +164,9 @@ rm PerlMagick/demo/Generic.ttf %{_libdir}/pkgconfig/ImageMagick++* %changelog +* Thu Jun 08 2023 wangkai <13474090681@163.com> - 1:6.9.12.86-2 +- Fix CVE-2023-34151 + * Mon Apr 24 2023 wangkai <13474090681@163.com> - 1:6.9.12.86-1 - Update to 6.9.12.86 for Fix CVE-2023-1289,CVE-2023-1906
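Review bot: In the first magick/annotate.c hunk of the added patch (`@@ -326,7 +326,7 @@`), the context line `height+=(size_t) floor(draw_info->interline_spacing+0.5);` keeps the raw double-to-size_t cast that this patch replaces everywhere else, and `height=draw_info->pointsize;` just above it still converts `pointsize` implicitly (a floating-point field, judging by its use in the caption.c hunk). Converting a negative, NaN or out-of-range double to size_t is undefined behaviour in C, and both fields presumably carry caller- or file-supplied values, so the same class of defect stays reachable in AnnotateImage, whose body continues outside the hunk. I would route both through the helper, e.g. `height+=CastDoubleToUnsigned(draw_info->interline_spacing+0.5);`, after confirming whether a negative interline spacing is meant to shrink the line height, since the helper would presumably clamp it. Separately, the coders/pdf.c hunk divides by `resolution.x` and `resolution.y` directly where the ps.c, ps2.c and ps3.c hunks use `PerceptibleReciprocal()`; whether a zero resolution is rejected earlier is not visible here. `CastDoubleToUnsigned` is not defined by this patch, so its presence and clamping behaviour in the 6.9.12-86 sources the spec builds should be checked before relying on it.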