'[GM-commit] GraphicsMagick: ReadMNGImage(): mng_LOOP chunk must be at least ...'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       graphicsmagick-commit
Subject:    [GM-commit] GraphicsMagick: ReadMNGImage(): mng_LOOP chunk must be at least ...
From:       GraphicsMagick Commits <graphicsmagick-commit () lists ! sourceforge ! net>
Date:       2018-09-20 13:34:23
Message-ID: mailman.17027.1537450474.1387.graphicsmagick-commit () lists ! sourceforge ! net
[Download RAW message or body]

changeset 2c147f7b970a in /hg/GraphicsMagick
details: http://hg.GraphicsMagick.org/hg/GraphicsMagick?cmd=changeset;node=2c147f7b970a
                
summary: ReadMNGImage(): mng_LOOP chunk must be at least 5 bytes long. (Credit to \
OSS-Fuzz)

diffstat:

 ChangeLog                              |   7 +++++++
 VisualMagick/installer/inc/version.isx |   4 ++--
 coders/png.c                           |  12 +++++++++---
 magick/version.h                       |   4 ++--
 www/Changelog.html                     |   9 +++++++++
 5 files changed, 29 insertions(+), 7 deletions(-)

diffs (93 lines):

diff -r 90ff9f04a465 -r 2c147f7b970a ChangeLog
--- a/ChangeLog	Sat Sep 15 14:21:14 2018 -0500
+++ b/ChangeLog	Thu Sep 20 08:34:20 2018 -0500
@@ -1,3 +1,10 @@
+2018-09-20  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
+
+	* coders/png.c (ReadMNGImage): mng_LOOP chunk must be at least 5
+	bytes long.  Fixes oss-fuzz 10455
+	"graphicsmagick/coder_MNG_fuzzer: Use-of-uninitialized-value in
+	ReadMNGImage". (Credit to OSS-Fuzz)
+
 2018-09-15  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
 	* magick/render.c (TraceEllipse): Detect arithmetic overflow when
diff -r 90ff9f04a465 -r 2c147f7b970a VisualMagick/installer/inc/version.isx
--- a/VisualMagick/installer/inc/version.isx	Sat Sep 15 14:21:14 2018 -0500
+++ b/VisualMagick/installer/inc/version.isx	Thu Sep 20 08:34:20 2018 -0500
@@ -10,5 +10,5 @@
 
 #define public MagickPackageName "GraphicsMagick"
 #define public MagickPackageVersion "1.4"
-#define public MagickPackageVersionAddendum ".020180915"
-#define public MagickPackageReleaseDate "snapshot-20180915"
+#define public MagickPackageVersionAddendum ".020180920"
+#define public MagickPackageReleaseDate "snapshot-20180920"
diff -r 90ff9f04a465 -r 2c147f7b970a coders/png.c
--- a/coders/png.c	Sat Sep 15 14:21:14 2018 -0500
+++ b/coders/png.c	Thu Sep 20 08:34:20 2018 -0500
@@ -5023,15 +5023,15 @@
             {
               long loop_iters=1;
 
-              if (length > 0) /* To do: check spec, if empty LOOP is allowed */
+              if (length >= 5) /* To do: check spec, if empty LOOP is allowed */
                 {
-                  loop_level=chunk[0];
+                  loop_level=chunk[0]; /* 1 byte */
                   loops_active++;
                   mng_info->loop_active[loop_level]=1;  /* mark loop active */
                   /*
                     Record starting point.
                   */
-                  loop_iters=mng_get_long(&chunk[1]);
+                  loop_iters=mng_get_long(&chunk[1]); /* 4 bytes */
                   if (loop_iters <= 0)
                     skipping_loop=loop_level;
                   else
@@ -5060,6 +5060,12 @@
                     }
                   mng_info->loop_iteration[loop_level]=0;
                 }
+              else
+                {
+                  if (logging)
+                    (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                                          "Ignoring short LOOP chunk (%lu bytes)", \
length); +                }
               MagickFreeMemory(chunk);
               continue;
             }
diff -r 90ff9f04a465 -r 2c147f7b970a magick/version.h
--- a/magick/version.h	Sat Sep 15 14:21:14 2018 -0500
+++ b/magick/version.h	Thu Sep 20 08:34:20 2018 -0500
@@ -38,8 +38,8 @@
 #define MagickLibVersion  0x211801
 #define MagickLibVersionText  "1.4"
 #define MagickLibVersionNumber 21,18,1
-#define MagickChangeDate   "20180915"
-#define MagickReleaseDate  "snapshot-20180915"
+#define MagickChangeDate   "20180920"
+#define MagickReleaseDate  "snapshot-20180920"
 	
 /*
   The MagickLibInterfaceNewest and MagickLibInterfaceOldest defines
diff -r 90ff9f04a465 -r 2c147f7b970a www/Changelog.html
--- a/www/Changelog.html	Sat Sep 15 14:21:14 2018 -0500
+++ b/www/Changelog.html	Thu Sep 20 08:34:20 2018 -0500
@@ -35,6 +35,15 @@
 <div class="document">
 
 
+<p>2018-09-20  Bob Friesenhahn  &lt;<a class="reference external" \
href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#6 \
4;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
 +<blockquote>
+<ul class="simple">
+<li>coders/png.c (ReadMNGImage): mng_LOOP chunk must be at least 5
+bytes long.  Fixes oss-fuzz 10455
+&quot;graphicsmagick/coder_MNG_fuzzer: Use-of-uninitialized-value in
+ReadMNGImage&quot;. (Credit to OSS-Fuzz)</li>
+</ul>
+</blockquote>
 <p>2018-09-15  Bob Friesenhahn  &lt;<a class="reference external" \
href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#6 \
4;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
  <blockquote>
 <ul class="simple">


_______________________________________________
Graphicsmagick-commit mailing list
Graphicsmagick-commit@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/graphicsmagick-commit


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic