Good morning, Does anyone have further information about <http://secunia.com/advisories/56844/>? (I could not get the http://freecode.com/projects/imagemagick/tags/bugfixes link to show anything useful.) diffing ImageMagick-6.8.7/coders/psd.c ImageMagick-6.8.8/coders/psd.c: "" @@ -1224,7 +1224,7 @@ Allocate layered image. */ layer_info[i].image=CloneImage(image,layer_info[i].page.width, - layer_info[i].page.height == ~0U ? 1 : layer_info[i].page.height, + layer_info[i].page.height == ~0UL ? 1 : layer_info[i].page.height, MagickFalse,&image->exception); if (layer_info[i].image == (Image *) NULL) { @@ -2112,9 +2112,6 @@ StringInfo *bim_profile; - unsigned char - layer_name[4]; - /* Open image file. */ @@ -2372,12 +2369,15 @@ property=(const char *) GetImageProperty(next_image,"label"); if (property == (const char *) NULL) { + char + layer_name[MaxTextExtent]; + (void) WriteBlobMSBLong(image,16); (void) WriteBlobMSBLong(image,0); (void) WriteBlobMSBLong(image,0); - (void) FormatLocaleString((char *) layer_name,MaxTextExtent, - "L%06ld",(long) layer_count++); - WritePascalString( image, (char*)layer_name, 4 ); + (void) FormatLocaleString(layer_name,MaxTextExtent,"L%06ld",(long) + layer_count++); + WritePascalString(image,layer_name,4); } else { "" Would the issue have been writing the amount of 6 long ints into the 4 byte layer_name buffer? Having a (very brief) look at ImageMagick-6.5.4 on RHEL 6, it's using "L%02ld" instead of "L%06ld", but that's still 4 bytes too many before the layer_name[MaxTextExtent]; change. Could a CVE please be assigned if it has not been already? Sorry for missing anything obvious. -- Murray McAllister / Red Hat Security Response Team