'[GM-commit] GraphicsMagick: MagickGetToken(): Fix stack read overflow when p...'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       graphicsmagick-commit
Subject:    [GM-commit] GraphicsMagick: MagickGetToken(): Fix stack read overflow when p...
From:       GraphicsMagick Commits <graphicsmagick-commit () lists ! sourceforge ! net>
Date:       2018-09-26 13:33:26
Message-ID: mailman.20933.1537968815.1387.graphicsmagick-commit () lists ! sourceforge ! net
[Download RAW message or body]

changeset 709e7ed55c6a in /hg/GraphicsMagick
details: http://hg.GraphicsMagick.org/hg/GraphicsMagick?cmd=changeset;node=709e7ed55c6a
                
summary: MagickGetToken(): Fix stack read overflow when parsing url.

diffstat:

 ChangeLog                              |   9 ++++++++-
 VisualMagick/installer/inc/version.isx |   4 ++--
 magick/utility.c                       |   2 +-
 magick/version.h                       |   4 ++--
 www/Changelog.html                     |  11 ++++++++++-
 5 files changed, 23 insertions(+), 7 deletions(-)

diffs (81 lines):

diff -r 678a9cbcb255 -r 709e7ed55c6a ChangeLog
--- a/ChangeLog	Sat Sep 22 17:18:11 2018 -0500
+++ b/ChangeLog	Wed Sep 26 08:33:23 2018 -0500
@@ -1,7 +1,14 @@
+2018-09-26  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
+
+	* magick/utility.c (MagickGetToken): Fix possible read up to four
+	bytes beyond end of stack allocated token buffer.  Fixes oss-fuzz
+	10653 "graphicsmagick/coder_MVG_fuzzer: Stack-buffer-overflow in
+	MagickGetToken". (Credit to OSS-Fuzz)
+
 2018-09-22  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
 	* fuzzing/coder_fuzzer.cc (LLVMFuzzerTestOneInput): Limit the
-	maximum number of JPEG progressive scanlines to 50.
+	maximum number of JPEG progressive scans to 50.
 
 	* coders/jpeg.c (ReadJPEGImage): Apply a default limit of 100
 	progressive scans before the reader quits with an error.  This
diff -r 678a9cbcb255 -r 709e7ed55c6a VisualMagick/installer/inc/version.isx
--- a/VisualMagick/installer/inc/version.isx	Sat Sep 22 17:18:11 2018 -0500
+++ b/VisualMagick/installer/inc/version.isx	Wed Sep 26 08:33:23 2018 -0500
@@ -10,5 +10,5 @@
 
 #define public MagickPackageName "GraphicsMagick"
 #define public MagickPackageVersion "1.4"
-#define public MagickPackageVersionAddendum ".020180922"
-#define public MagickPackageReleaseDate "snapshot-20180922"
+#define public MagickPackageVersionAddendum ".020180926"
+#define public MagickPackageReleaseDate "snapshot-20180926"
diff -r 678a9cbcb255 -r 709e7ed55c6a magick/utility.c
--- a/magick/utility.c	Sat Sep 22 17:18:11 2018 -0500
+++ b/magick/utility.c	Wed Sep 26 08:33:23 2018 -0500
@@ -3876,7 +3876,7 @@
         ((r = strrchr(token,')')) != NULL))
       {
         *r='\0';
-        (void) memmove(token,token+5,r-token+1);
+        (void) memmove(token,token+5,r-token-4);
       }
   }
   if (end != (char **) NULL)
diff -r 678a9cbcb255 -r 709e7ed55c6a magick/version.h
--- a/magick/version.h	Sat Sep 22 17:18:11 2018 -0500
+++ b/magick/version.h	Wed Sep 26 08:33:23 2018 -0500
@@ -38,8 +38,8 @@
 #define MagickLibVersion  0x211801
 #define MagickLibVersionText  "1.4"
 #define MagickLibVersionNumber 21,18,1
-#define MagickChangeDate   "20180922"
-#define MagickReleaseDate  "snapshot-20180922"
+#define MagickChangeDate   "20180926"
+#define MagickReleaseDate  "snapshot-20180926"
 	
 /*
   The MagickLibInterfaceNewest and MagickLibInterfaceOldest defines
diff -r 678a9cbcb255 -r 709e7ed55c6a www/Changelog.html
--- a/www/Changelog.html	Sat Sep 22 17:18:11 2018 -0500
+++ b/www/Changelog.html	Wed Sep 26 08:33:23 2018 -0500
@@ -35,11 +35,20 @@
 <div class="document">
 
 
+<p>2018-09-26  Bob Friesenhahn  &lt;<a class="reference external" \
href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#6 \
4;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
 +<blockquote>
+<ul class="simple">
+<li>magick/utility.c (MagickGetToken): Fix possible read up to four
+bytes beyond end of stack allocated token buffer.  Fixes oss-fuzz
+10653 &quot;graphicsmagick/coder_MVG_fuzzer: Stack-buffer-overflow in
+MagickGetToken&quot;. (Credit to OSS-Fuzz)</li>
+</ul>
+</blockquote>
 <p>2018-09-22  Bob Friesenhahn  &lt;<a class="reference external" \
href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#6 \
4;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
  <blockquote>
 <ul class="simple">
 <li>fuzzing/coder_fuzzer.cc (LLVMFuzzerTestOneInput): Limit the
-maximum number of JPEG progressive scanlines to 50.</li>
+maximum number of JPEG progressive scans to 50.</li>
 <li>coders/jpeg.c (ReadJPEGImage): Apply a default limit of 100
 progressive scans before the reader quits with an error.  This
 limit may be adjusted using the -define mechanism like -define


_______________________________________________
Graphicsmagick-commit mailing list
Graphicsmagick-commit@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/graphicsmagick-commit


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic