List: graphicsmagick-commit
Subject: [GM-commit] GraphicsMagick: ReadMIFFImage()/ReadMPCImage(): Arbitrarily limi...
From: GraphicsMagick Commits <graphicsmagick-commit () lists ! sourceforge ! net>
Date: 2020-12-25 15:15:50
Message-ID: mailman.279468.1608909365.1370.graphicsmagick-commit () lists ! sourceforge ! net
changeset 678b102743c6 in /hg/GraphicsMagick
details: http://hg.GraphicsMagick.org/hg/GraphicsMagick?cmd=changeset;node=678b102743c6
summary: ReadMIFFImage()/ReadMPCImage(): Arbitrarily limit the number of header keywords to avoid DOS attempts.
diffstat:
ChangeLog | 9 +++++++++
VisualMagick/installer/inc/version.isx | 4 ++--
coders/miff.c | 13 ++++++++++++-
coders/mpc.c | 14 ++++++++++++++
magick/version.h | 4 ++--
www/Changelog.html | 10 ++++++++++
6 files changed, 49 insertions(+), 5 deletions(-)
diffs (136 lines):
diff -r dc86d77d8bf1 -r 678b102743c6 ChangeLog
--- a/ChangeLog Thu Dec 24 17:05:06 2020 -0600
+++ b/ChangeLog Fri Dec 25 09:15:48 2020 -0600
@@ -1,3 +1,12 @@
+2020-12-25 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * coders/miff.c (ReadMIFFImage): Arbitrarily limit the number of
+ header keywords to avoid DOS attempts.
+
+ * coders/mpc.c (ReadMPCImage): Arbitrarily limit the number of
+ header keywords to avoid DOS attempts. Fixes oss-fuzz 28956
+ "Timeout - coder_MPC_fuzzer".
+
2020-12-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* magick/render.c (AffineEdge): Use MagickDoubleToLong();
diff -r dc86d77d8bf1 -r 678b102743c6 VisualMagick/installer/inc/version.isx
--- a/VisualMagick/installer/inc/version.isx Thu Dec 24 17:05:06 2020 -0600
+++ b/VisualMagick/installer/inc/version.isx Fri Dec 25 09:15:48 2020 -0600
@@ -10,5 +10,5 @@
#define public MagickPackageName "GraphicsMagick"
#define public MagickPackageVersion "1.4"
-#define public MagickPackageVersionAddendum ".020201224"
-#define public MagickPackageReleaseDate "snapshot-20201224"
+#define public MagickPackageVersionAddendum ".020201225"
+#define public MagickPackageReleaseDate "snapshot-20201225"
diff -r dc86d77d8bf1 -r 678b102743c6 coders/miff.c
--- a/coders/miff.c Thu Dec 24 17:05:06 2020 -0600
+++ b/coders/miff.c Fri Dec 25 09:15:48 2020 -0600
@@ -750,6 +750,8 @@
ThrowReaderException(code_,reason_,image_); \
} while (0);
+#define ReadMIFFMaxKeyWordCount 256 /* Arbitrary limit on keywords in one MIFF frame \
*/ +
static Image *ReadMIFFImage(const ImageInfo *image_info,
ExceptionInfo *exception)
{
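Review bot: `ReadMIFFMaxKeyWordCount` is defined here and an identical `ReadMPCMaxKeyWordCount` (also 256) is added in coders/mpc.c, so the two header-keyword caps can drift apart if one of them is tuned later. Both readers apply the same guard, so a single constant in a header that both coders already include would keep them in step; if the two formats are meant to have different limits, the comment should say why. The comment could also state the exact boundary, for example `/* Largest number of header keywords accepted in one MIFF frame; one more is rejected */`, since the guard uses `>` and therefore still accepts 256.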
@@ -956,7 +958,6 @@
keyword);
ThrowMIFFReaderException(CorruptImageError,ImproperImageHeader,image);
}
-
/*
Get values.
@@ -1009,6 +1010,16 @@
ThrowMIFFReaderException(CorruptImageError,ImproperImageHeader,image);
}
/*
+ Arbitrarily limit the number of header keywords to avoid DOS attempts.
+ */
+ if (keyword_count > ReadMIFFMaxKeyWordCount)
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Excessive key word count %u"
+ " (Denial of service \
attempt?)",keyword_count); + \
ThrowMIFFReaderException(CorruptImageError,ImproperImageHeader,image); + \
} + /*
Assign a value to the specified keyword.
*/
switch (*keyword)
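Review bot: Whether this cap is really per frame depends on where `keyword_count` is reset, which is outside this hunk; the `#define` comment promises "keywords in one MIFF frame", but the guard itself only compares the counter. If the counter is not cleared at the start of each frame header, a valid multi-frame file is rejected once its keywords total more than 256; if it is cleared, header work still grows with the number of frames, so this guard alone does not bound a whole file. The `%u` conversion also assumes `keyword_count` is an `unsigned int`; should it be declared with another type, the argument needs `(unsigned int) keyword_count`. The same guard is added to ReadMPCImage() in coders/mpc.c and the same two questions apply there; ReadMIFFImage()'s body starts and ends outside the hunk.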
diff -r dc86d77d8bf1 -r 678b102743c6 coders/mpc.c
--- a/coders/mpc.c Thu Dec 24 17:05:06 2020 -0600
+++ b/coders/mpc.c Fri Dec 25 09:15:48 2020 -0600
@@ -143,6 +143,9 @@
} \
ThrowReaderException(code_,reason_,image_); \
} while (0);
+
+#define ReadMPCMaxKeyWordCount 256 /* Arbitrary limit on number of keywords in MPC \
frame */ +
static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
char
@@ -390,6 +393,16 @@
ThrowMPCReaderException(CorruptImageError,ImproperImageHeader,image);
}
/*
+ Arbitrarily limit the number of header keywords to avoid DOS attempts.
+ */
+ if (keyword_count > ReadMPCMaxKeyWordCount)
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Excessive key word count %u"
+ " (Denial of service \
attempt?)",keyword_count); + \
ThrowMPCReaderException(CorruptImageError,ImproperImageHeader,image); + \
} + /*
Assign a value to the specified keyword.
*/
switch (*keyword)
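Review bot: A cap rejection can be told apart from any other malformed header only through the `CoderEvent` log line, because the exception raised is the same `CorruptImageError`/`ImproperImageHeader` pair that the check just above it in this hunk throws. Someone triaging rejected files without coder logging enabled cannot see that the keyword limit was hit; putting the limit in the message, `"Excessive key word count %u (limit %d)"` with `ReadMPCMaxKeyWordCount` as the extra argument, would at least make the log line self-explanatory. The diffstat lists no test input, so a small MPC header carrying 257 keywords in the regression suite would keep the oss-fuzz 28956 timeout from returning unnoticed. ReadMPCImage()'s body continues outside the hunk.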
@@ -646,6 +659,7 @@
*new_profiles;
i=(long) number_of_profiles;
+
new_profiles=MagickReallocateResourceLimitedArray(ProfileInfo \
*,profiles,
(size_t) \
i+1,sizeof(ProfileInfo)); if (new_profiles == (ProfileInfo *) NULL)
diff -r dc86d77d8bf1 -r 678b102743c6 magick/version.h
--- a/magick/version.h Thu Dec 24 17:05:06 2020 -0600
+++ b/magick/version.h Fri Dec 25 09:15:48 2020 -0600
@@ -38,8 +38,8 @@
#define MagickLibVersion 0x242100
#define MagickLibVersionText "1.4"
#define MagickLibVersionNumber 24,21,0
-#define MagickChangeDate "20201224"
-#define MagickReleaseDate "snapshot-20201224"
+#define MagickChangeDate "20201225"
+#define MagickReleaseDate "snapshot-20201225"
/*
The MagickLibInterfaceNewest and MagickLibInterfaceOldest defines
diff -r dc86d77d8bf1 -r 678b102743c6 www/Changelog.html
--- a/www/Changelog.html Thu Dec 24 17:05:06 2020 -0600
+++ b/www/Changelog.html Fri Dec 25 09:15:48 2020 -0600
@@ -35,6 +35,16 @@
<div class="document">
+<p>2020-12-25 Bob Friesenhahn <<a class="reference external" \
href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span> \
4;</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
+<blockquote>
+<ul class="simple">
+<li>coders/miff.c (ReadMIFFImage): Arbitrarily limit the number of
+header keywords to avoid DOS attempts.</li>
+<li>coders/mpc.c (ReadMPCImage): Arbitrarily limit the number of
+header keywords to avoid DOS attempts. Fixes oss-fuzz 28956
+"Timeout - coder_MPC_fuzzer".</li>
+</ul>
+</blockquote>
<p>2020-12-24 Bob Friesenhahn <<a class="reference external" \
href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span> \
4;</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">