Good morning,
Does anyone have further information about <http://secunia.com/advisories/56844/>? (I could not get the http://freecode.com/projects/imagemagick/tags/bugfixes link to show anything useful.)
diffing ImageMagick-6.8.7/coders/psd.c ImageMagick-6.8.8/coders/psd.c:
""
@@ -1224,7 +1224,7 @@
Allocate layered image.
*/
layer_info[i].image=CloneImage(image,layer_info[i].page.width,
- layer_info[i].page.height == ~0U ? 1 : layer_info[i].page.height, + layer_info[i].page.height == ~0UL ? 1 : layer_info[i].page.height,
MagickFalse,&image->exception);
if (layer_info[i].image == (Image *) NULL)
{
@@ -2112,9 +2112,6 @@
StringInfo
*bim_profile;
- unsigned char
- layer_name[4];
-
/*
Open image file.
*/
@@ -2372,12 +2369,15 @@
property=(const char *) GetImageProperty(next_image,"label");
if (property == (const char *) NULL)
{
+ char
+ layer_name[MaxTextExtent];
+
(void) WriteBlobMSBLong(image,16);
(void) WriteBlobMSBLong(image,0);
(void) WriteBlobMSBLong(image,0);
- (void) FormatLocaleString((char *) layer_name,MaxTextExtent,
- "L%06ld",(long) layer_count++);
- WritePascalString( image, (char*)layer_name, 4 );
+ (void) FormatLocaleString(layer_name,MaxTextExtent,"L%06ld",(long)
+ layer_count++);
+ WritePascalString(image,layer_name,4);
}
else
{
""
Would the issue have been writing the amount of 6 long ints into the 4 byte layer_name buffer?
Having a (very brief) look at ImageMagick-6.5.4 on RHEL 6, it's using "L%02ld" instead of "L%06ld", but that's still 4 bytes too many before the layer_name[MaxTextExtent]; change.
Could a CVE please be assigned if it has not been already?
Sorry for missing anything obvious.
--
Murray McAllister / Red Hat Security Response Team