Good morning,

Does anyone have further information about <http://secunia.com/advisories/56844/>? (I could not get the http://freecode.com/projects/imagemagick/tags/bugfixes link to show anything useful.)


diffing ImageMagick-6.8.7/coders/psd.c ImageMagick-6.8.8/coders/psd.c:

""
@@ -1224,7 +1224,7 @@
               Allocate layered image.
             */
             layer_info[i].image=CloneImage(image,layer_info[i].page.width,

- layer_info[i].page.height == ~0U ? 1 : layer_info[i].page.height, + layer_info[i].page.height == ~0UL ? 1 : layer_info[i].page.height,

               MagickFalse,&image->exception);
             if (layer_info[i].image == (Image *) NULL)
               {
@@ -2112,9 +2112,6 @@
   StringInfo
     *bim_profile;

-  unsigned char
-    layer_name[4];
-
   /*
     Open image file.
   */
@@ -2372,12 +2369,15 @@
         property=(const char *) GetImageProperty(next_image,"label");
         if (property == (const char *) NULL)
           {
+            char
+              layer_name[MaxTextExtent];
+
             (void) WriteBlobMSBLong(image,16);
             (void) WriteBlobMSBLong(image,0);
             (void) WriteBlobMSBLong(image,0);
-            (void) FormatLocaleString((char *) layer_name,MaxTextExtent,
-              "L%06ld",(long) layer_count++);
-            WritePascalString( image, (char*)layer_name, 4 );

+ (void) FormatLocaleString(layer_name,MaxTextExtent,"L%06ld",(long)

+              layer_count++);
+            WritePascalString(image,layer_name,4);
           }
         else
           {

""

Would the issue have been writing the amount of 6 long ints into the 4 byte layer_name buffer?


Having a (very brief) look at ImageMagick-6.5.4 on RHEL 6, it's using "L%02ld" instead of "L%06ld", but that's still 4 bytes too many before the layer_name[MaxTextExtent]; change.


Could a CVE please be assigned if it has not been already?

Sorry for missing anything obvious.

--
Murray McAllister / Red Hat Security Response Team