2018-04-29 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* version.sh: Updates to prepare for the 1.3.29 release.
* coders/pict.c (DecodeImage): Assure that scanline is initialized
to avoid use of uninitialized data. Fixes oss-fuzz 8063
"graphicsmagick/coder_WPG_fuzzer: Use-of-uninitialized-value in
ReadPICTImage". (Credit to OSS-Fuzz)
* coders/dpx.c (ReadDPXImage): Assure that NULL pixels is not
used. Fixes oss-fuzz 8078 "graphicsmagick/coder_DPX_fuzzer:
Null-dereference WRITE in ReadDPXImage". (Credit to OSS-Fuzz)
* NEWS.txt: Update NEWS file with information about changes since
last release.
2018-04-28 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dib.c (ReadDIBImage): Disable EOF tests for "ICODIB"
subformat due to icon file provided by SourceForge issue #557
"ErrorCorruptImage: Magick: Unexpected end-of-file ()" where an
EOF error was reported due to no mask data being supplied.
* coders/png.c (ReadOneJNGImage): The embedded JPEG image is
required to have the same dimensions as the JNG image as provided
by JHDR. Fixes SourceForge bug 555 "heap-buffer-overflow in
AcquireCacheNexus when processing jng file". It is likely that
this issue is precipitated by using 'montage' which seems to set a
default non-zero image size.
(ReadMNGImage): By default limit the maximum loops specifiable by
the MNG LOOP chunk to 512 loops, but allow this to be modified by
'-define mng:maximum-loops=value'. Also assure that the value is
in the range of 0-2147483647 as per the MNG specification. This
is to address the denial of service issue described by
CVE-2018-10177. This problem was reported to us by Petr Gajdos
via email on Fri, 20 Apr 2018.
* coders/dpx.c (ReadDPXImage): Move misplaced channel validation
code. Fixes oss-fuzz 8041 "graphicsmagick/coder_DPX_fuzzer:
Use-of-uninitialized-value in WriteDPXImage" and oss-fuzz 8055
"graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in
EnhanceImage". (Credit to OSS-Fuzz)
2018-04-27 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/xpm.c (StringToListMod): Algorithm fixes to fix use of
uninitialized data. Fixes oss-fuzz 8046
"graphicsmagick/coder_XPM_fuzzer: Use-of-uninitialized-value in
StringToListMod". (Credit to OSS-Fuzz)
2018-04-26 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/xpm.c (ReadXPMImage): Reduce memory consumption further.
Hopefully fixes oss-fuzz 8013 "graphicsmagick/coder_XPM_fuzzer:
Out-of-memory in graphicsmagick_coder_XPM_fuzzer". (Credit to
OSS-Fuzz)
* magick/utility.c (StringToList): Only allocate the memory
required when converting string to an ASCII list. May or may not
fix oss-fuzz 8013 "graphicsmagick/coder_XPM_fuzzer: Out-of-memory
in graphicsmagick_coder_XPM_fuzzer". (Credit to OSS-Fuzz)
2018-04-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/bmp.c (ReadBMPImage): Fix benign use of uninitialized
data when testing header magick. Fixes oss-fuzz 7980
"graphicsmagick/coder_BMP_fuzzer: Use-of-uninitialized-value in
LocaleNCompare". (Credit to OSS-Fuzz)
* coders/dpx.c (ReadDPXImage): ColorDifferenceCbCr does require
even image width. Fixes oss-fuzz 7966
"graphicsmagick/coder_DPX_fuzzer: Unknown signal in
TentUpsampleChroma". (Credit to OSS-Fuzz)
2018-04-23 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dpx.c (ReadDPXImage): ColorDifferenceCbCr element
requires two samples/pixel, not one. Fixes oss-fuzz 7951
"graphicsmagick/coder_DPX_fuzzer: Heap-buffer-overflow in
ReadDPXImage". (Credit to OSS-Fuzz)
2018-04-22 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/pdb.c (ReadPDBImage): Assure that pixels buffer is
initialized. Fixes oss-fuzz 7937
"graphicsmagick/coder_PDB_fuzzer: Use-of-uninitialized-value in
ReadPDBImage". (Credit to OSS-Fuzz)
* coders/mvg.c (ReadMVGImage): Assure that MVG viewbox parameters
were supplied. Fixes oss-fuzz 7936
"graphicsmagick/coder_MVG_fuzzer: Use-of-uninitialized-value in
ReadMVGImage". (Credit to OSS-Fuzz)
* coders/dpx.c (ReadDPXImage): Element descriptors CbYCrY422 and
CbYACrYA4224 require that the image width be evenly divisible by 2
so enforce that. Fixes oss-fuzz 7935
"graphicsmagick/coder_DPX_fuzzer: Heap-buffer-overflow in
ReadDPXImage". (Credit to OSS-Fuzz)
2018-04-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dpx.c (ReadDPXImage): Reject DPX files which claim to use
signed data. Fixes oss-fuzz 7758
"graphicsmagick/coder_DPX_fuzzer: Use-of-uninitialized-value in
WriteDPXImage". (Credit to OSS-Fuzz)
(ReadDPXImage): Validate that the image elements do update all of
the channels, including the alpha channel. Now report an error if
a color channel is missing. Fixes oss-fuzz 7758
"graphicsmagick/coder_DPX_fuzzer: Use-of-uninitialized-value in
WriteDPXImage".
* coders/gif.c (DecodeImage): Finally fix oss-fuzz 7732
"graphicsmagick/coder_GIF_fuzzer: Heap-buffer-overflow in
DecodeImage" which was not actually fixed with previous
changes. (Credit to OSS-Fuzz)
2018-04-21 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/topol.c Emit error when tile storage overflows image data;
fixes oss-fuzz 7769 thanks to oss-fuzz.
2018-04-20 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/render.c (ConvertPrimitiveToPath): Fixed a bug
in which SVG paths containing multiple open subpaths were
not being processed correctly, resulting in incorrect
output. This fixes ticket #94.
2018-04-18 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/gif.c (DecodeImage): Fix use of uninitialized memory
during error condition in decoder. Fixes oss-fuzz 7732
"graphicsmagick/coder_GIF_fuzzer: Heap-buffer-overflow in
DecodeImage". (Credit to OSS-Fuzz)
* coders/txt.c (ReadTXTImage): Assure that all image pixels are
initialized to black.
* Magick++/demo/zoom.cpp (main): Add a -read-blob option to read
input file into a Blob so that it is read by the Blob reader
rather than the file reader. Default the output Geometry to the
input image geometry in case the user does not specify a resize
resolution or geometry.
* Magick++/tests/readWriteBlob.cpp (main): Improve the quality of
code which reads a file into memory for Blob testing.
* magick/blob.c (BlobToImage): Add exception reports for the cases
where 'magick' was not set and the file format could not be
deduced from its header. Previously a null Image pointer was
being returned without any exception being thrown.
2018-04-15 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dpx.c (ReadDPXImage): Assure that CbCr layer initializes
all channels if it is the first element of a planar DPX. Fixes
oss-fuzz 7703 "graphicsmagick/coder_DPX_fuzzer:
Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)
* coders/pict.c (ReadPICTImage): Don't refer to filename member of
ImageInfo which was just destroyed. Much thanks to Alex Gaynor for
finding this. Should fix oss-fuzz 6867
"graphicsmagick/coder_PCT_fuzzer: Heap-use-after-free in
GetLocaleExceptionMessage". (Credit to OSS-Fuzz).
2018-04-14 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/sgi.c (ReadSGIImage): Assure that iris pixels are fully
initialized. Fixes oss-fuzz 7543
"graphicsmagick/coder_SGI_fuzzer: Use-of-uninitialized-value in
SGIEncode". (Credit to OSS-Fuzz).
* coders/xcf.c (ReadXCFImage): Restore SetImage() which was
previously commented out. This is needed to assure initialized
pixels. Fixes oss-fuzz 7430 "graphicsmagick/coder_XCF_fuzzer:
Use-of-uninitialized-value in AlphaCompositePixel". (Credit to
OSS-Fuzz).
* coders/pict.c (ReadPICTImage): Properly initialize "black
canvas" that tiles may be composed on. Fixes oss-fuzz 7574
"graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in
EnhanceImage". (Credit to OSS-Fuzz).
* coders/rle.c (ReadRLEImage): Check for EOF when reading comment.
Fixes oss-fuzz 7667 "graphicsmagick/coder_RLE_fuzzer:
Use-of-uninitialized-value in ReadRLEImage". (Credit to OSS-Fuzz).
* coders/pdb.c (WritePDBImage): Avoid use of uninitialized
bytes. Fixes oss-fuzz 7638 "graphicsmagick/coder_PDB_fuzzer:
Use-of-uninitialized-value in WritePDBImage". (Credit to
OSS-Fuzz).
* coders/rla.c (ReadRLAImage): Add many more validations,
including scanline offsets and number of channels. Fixes oss-fuzz
7653 "graphicsmagick/coder_RLA_fuzzer: Timeout in
graphicsmagick_coder_RLA_fuzzer". (Credit to OSS-Fuzz).
* coders/txt.c (ReadTXTImage): Implement missing subrange logic to
read only the specified range of frames. Limits frames read from
oss-fuzz test case
clusterfuzz-testcase-minimized-coder_TEXT_fuzzer-6061076048248832
"graphicsmagick/coder_TEXT_fuzzer: Timeout in
graphicsmagick_coder_TEXT_fuzzer". (Credit to OSS-Fuzz).
* Magick++/lib/Image.cpp (read): Set subrange = 1 since this
interface is intended to read just one frame from the input file.
Use the STL-based interfaces to read multiple frames.
* coders/fits.c (ReadFITSImage): Verify FITS header before reading
further. Rejects file from oss-fuzz 7650
"graphicsmagick/coder_FITS_fuzzer: Out-of-memory in
graphicsmagick_coder_FITS_fuzzer". (Credit to OSS-Fuzz).
* PerlMagick/Magick.xs (Get): Fix PerlMagick compilation problem
due to rename/repurposing of image->clip_mask.
2018-04-13 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/image.c, magick/image.h: In order to be able to
support SVG masks, and to be able to further extend the
Image data structure without changing its size, new data
structure ImageExtra (struct _ImageExtra) has been added.
Header file image.h contains only a forward declaration;
the members of ImageExtra are defined in file image.c.
Image member variable Image * clip_mask has been replaced
by ImageExtra * extra, and function prototypes that enable
access to ImageExtra have been added to image.h. The
clip_mask member variable now resides in ImageExtra. All
references to Image::clip_mask in the GraphicsMagick
source code have either been replaced with direct references
to ImageExtra::clip_mask (image.c), or have been replaced
with calls to access function ImageGetClipMask().
* magick/render.c, magick/render.h: In order to be able to
support SVG masks, and to be able to further extend the
DrawInfo data structure without changing its size, new data
structure DrawInfoExtra (struct _DrawInfoExtra) has been added.
Header file render.h contains only a forward declaration;
the members of DrawInfoExtra are defined in file render.c.
DrawInfo member variable char * clip_path has been replaced by
DrawInfoExtra * extra, and function prototypes that enable
access to DrawInfoExtra have been added to render.h. The
clip_path member variable now resides in ImageExtra. All
references to DrawInfo::clip_path in the GraphicsMagick
source code have either been replaced with direct references
to DrawInfoExtra::clip_path (render.c), or have been
replaced with calls to access function DrawInfoGetClipPath().
* magick/image.c (new functions CompositePathImage,
CompositeMaskImage, GetImageCompositeMask,
SetImageCompositeMask): Defined new data structure ImageExtra,
added create/destroy logic, and implemented associated access
functions. Implemented SVG masks.
* magick/render.c (DrawImage, new function DrawCompositeMask):
Defined new data structure DrawInfoExtra, added create/destroy
logic, and implemented associated access functions. Impemented
SVG masks.
* magick/pixel_cache.c (SyncCacheNexus, new function
CompositeCacheNexus): Fixed references to Image::clip_mask.
Implemented SVG masks.
* coders/svg.c (SVGStartElement, SVGEndElement): Implemented
SVG masks.
* locale/c.mgk, magick/gm_messages.mc, magick/local_c.h:
Added new error codes to support SVG masks.
* coders/ps3.c, magick/enhance.c: Fixed references to
Image::clip_mask.
* magick/draw.c, wand/drawing_wand.c: Fixed references to
DrawInfo::clip_path.
2018-04-13 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/wpg.c Crash on row overflow fixed oss-fuzz 7639 thanks to oss-fuzz.
2018-04-11 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dpx.c (ReadDPXImage): Add more header validations.
Always assure that scanline is initialized for Luma channel. Fixes
oss-fuzz 7544 "graphicsmagick/coder_DPX_fuzzer:
Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)
* coders/pdb.c (ReadPDBImage): Add more EOF checks to avoid benign
use of uninitialized data. Fixes oss-fuzz 7545
"graphicsmagick/coder_PDB_fuzzer: Use-of-uninitialized-value in
ReadPDBImage".
* coders/wpg.c (InsertRow, UnpackWPGRaster): x & y should be
'unsigned long' to match type used by pixel cache APIs and image
rows/columns.
2018-04-08 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/wpg.c Stop reading when last row is reached.
This should stop oss-fuzz 7528 thanks to oss-fuzz.
2018-04-10 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/xcf.c (ReadXCFImage): Fix use of uninitialized data in
magick header string for runt file. Fixes oss-fuzz 7521
"graphicsmagick/coder_XCF_fuzzer: Use-of-uninitialized-value in
LocaleNCompare". (Credit to OSS-Fuzz).
2018-04-09 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* OVERVIEW: Change set 9aaeeca0224c modified the drawing
of clipping paths to conform to the SVG spec. This change
set restores the previous behavior for non-SVG clients of
render.c, while still satisfying the SVG spec for SVG clients.
* magick/render.h (DrawInfo): Added a bit field in member
"flags" to indicate that drawing should be SVG compliant.
* magick/render.c (DrawImage): Now recognizes keyword
"svg-compliant", and tags DrawInfo accordingly. This
allows for existing features in render.c to be changed
to comply with the SVG spec without impacting the previous
behavior expected by non-SVG clients.
* magick/render.c (DrawImage): Now uses DrawInfo "flags"
bit for SVG compliance in conjunction with "flags" bit
for "clipping path" to determine when to ignore changes
to fill color, stroke color, etc. This restores the
previous behavior for clipping paths for non-SVG clients.
* coders/svg.c (SVGStartElement): The initial set of
MVG commands for rendering an SVG file now includes
new keyword "svg-compliant" (to indicate that certain
graphical elements should be drawn according to the
SVG spec), and includes an intialization of the SVG
"fill-rule" to "nonzero" (the SVG default) instead of
the internally initialized value of "evenodd".
* coders/wpg.c: Fixed C99 "//" comments.
2018-04-08 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/pict.c (ReadPICTImage): Copy tile exception info to main
image and don't composite tile if it has a problem. Fixes
oss-fuzz 7169 "graphicsmagick/enhance_fuzzer:
Use-of-uninitialized-value in EnhanceImage". (Credit to OSS-Fuzz)
* coders/dib.c (ReadDIBImage): Do not increase decode bits/pixel
if compression=2, but use it to increase pixel packet size when
estimating bytes per line for decode buffer. Fixes oss-fuzz issue
7324 "graphicsmagick/coder_WPG_fuzzer: Use-of-uninitialized-value
in ReadDIBImage". (Credit to OSS-Fuzz)
* coders/dpx.c (ReadDPXImage): When handling the first element of
a planar DPX, assure that the other channels are
initialized. Fixes oss-fuzz 7841 "graphicsmagick/coder_DPX_fuzzer:
Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)
* coders/tim.c (ReadTIMImage): Only 4 and 8 bit TIM requires a
colormap. For other depths, force reading as DirectClass even if
the TIM file provides a colormap. Fixes oss-fuzz 7407
"graphicsmagick/coder_TIM_fuzzer: Use-of-uninitialized-value in
SyncImageCallBack". (Credit to OSS-Fuzz)
2018-04-08 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/mat.c The unread data contains crap in memory,
erase current image data. This should mute oss-fuzz 6604.
* coders/wpg.c - condition "if(y<1) continue;" is redundant
and could be removed completely.
Allow logging in MatlabV4 module.
* coders/svg.c - Do not use C++ syntax in C code - removed.
2018-04-07 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/wpg.c (UnpackWPGRaster): Fix uninitialized row 0 when
row-based RLE is used. Fixes oss-fuzz 6603
"graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in
BlendCompositePixel". (Credit to OSS-Fuzz)
* coders/pcd.c: Fix many issues, including oss-fuzz 6016
"graphicsmagick/coder_PCD_fuzzer: Heap-double-free in
MagickRealloc" and oss-fuzz 6108 "graphicsmagick/coder_PCD_fuzzer:
Unknown signal in AllocateThreadViewDataSet". (Credit to OSS-Fuzz)
2018-04-06 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dcm.c (funcDCM_BitsStored): Limit DICOM significant bits
to 16. Otherwise rescale map code blows up. Fixes oss-fuzz 7435
"graphicsmagick/coder_DCM_fuzzer: Out-of-memory in
graphicsmagick_coder_DCM_fuzzer". (Credit to OSS-Fuzz)
* coders/pix.c (ReadPIXImage): Detect EOF. Reject RLE lenth of
zero. Fixes oss-fuzz 7440 "graphicsmagick/coder_PIX_fuzzer:
Out-of-memory in graphicsmagick_coder_PIX_fuzzer". (Credit to
OSS-Fuzz)
2018-04-05 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dpx.c (ReadDPXImage): Insist on having an element
descriptor we understand since otherwise we can not decode the
image. Fixes oss-fuzz 7410 "graphicsmagick/coder_DPX_fuzzer:
Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)
* coders/avs.c, etc... (WriteAVSImage): Cache image list length
before writing image sequence so that progress monitor is
scalable. Helps with oss-fuzz 7404
"graphicsmagick/coder_AVS_fuzzer: Timeout in
graphicsmagick_coder_AVS_fuzzer". (Credit to OSS-Fuzz)
2018-04-05 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* coders/svg.c (SVGStartElement, SVGEndElement),
magick/render.c (DrawImage): The current text position
is now maintained by DrawImage() instead of by
SVGStartElement() and SVGEndElement(). This change was
made to support the recently implmemented "use" and
"class" elements, which may make changes to the font
size that are not visible to the code in svg.c.
* coders/svg.c (GetStyleTokens, SVGStartElement): The
list of SVG attributes is now reordered so that
"font-size", "class", and "style" are processed first.
This ensures that a change to the font size will be
processed before any dimensional attribute whose value
may depend on the font size (e.g., a width value
specified in "em" units).
* coders/svg.c (ProcessStyleClassDefs): Fixed two memory
leaks associated with making an early return when
malformed input is detected.
* magick/render.c (ExtractTokensBetweenPushPop): Fixed
an uninitialized variable condition which can occur when
malformed input is detected.
* magick/render.h (DrawInfo), magick/render.c: DrawInfo
member "unused1" has been renamed "flags". It is now
used to tag a DrawInfo as being a clipping path or a
compositing mask.
2018-04-04 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/pdb.c (ReadPDBImage): Update DirectClass pixels to avoid
use of uninitialized memory for 2 bits/pixel. Fixes oss-fuzz 7350
"graphicsmagick/coder_PDB_fuzzer: Use-of-uninitialized-value in
WritePDBImage". (Credit to OSS-Fuzz)
* coders/palm.c (ReadPALMImage): Fix use of uninitialized memory.
Fixes oss-fuzz 7325 "graphicsmagick/coder_PALM_fuzzer:
Use-of-uninitialized-value in TransparentImageCallBack". (Credit
to OSS-Fuzz)
* coders/dcm.c (DCM_ReadNonNativeImages): Break out of reading
loop on EOF and properly report exception. Fixes oss-fuzz 7349
"graphicsmagick/coder_DCM_fuzzer: Timeout in
graphicsmagick_coder_DCM_fuzzer". (Credit to OSS-Fuzz)
2018-04-03 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/xcf.c (ReadXCFImage): Require that XCF file offsets be in
ascending order to avoid DOS. Fixes oss-fuzz 7333
"graphicsmagick/coder_XCF_fuzzer: Out-of-memory in
graphicsmagick_coder_XCF_fuzzer". (Credit to OSS-Fuzz)
* coders/wpg.c (UnpackWPGRaster): Fix memory leak in error return
path. Fixes oss-fuzz 7338 "graphicsmagick/enhance_fuzzer:
Direct-leak in UnpackWPGRaster". (Credit to OSS-Fuzz)
2018-04-03 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* coders/svg.c (SVGStartElement): This changeset adds
support for SVG geometric transforms specified using the
style="transform: ..." syntax. This syntax is sometimes
used when exporting SVG files from Adobe Illustrator.
2018-04-02 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dpx.c (ReadDPXImage): Validate DPX packing method. Fixes
oss-fuzz 7296 "graphicsmagick/coder_DPX_fuzzer:
Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)
2018-04-02 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* coders/svg.c (SVGStartElement, SVGEndElement),
magick/render.c (DrawImage): This changeset adds support for
"class" styling attributes within a <style> section within
the <defs> section, and the ability to reference them from
other SVG elements by class="classname". SVG files exported
from Adobe Illustrator make extensive use of "class" definitions.
2018-04-01 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/pict.c (ReadPICTImage): Fix leak of tile image on EOF.
This is a recent regression. Fixes oss-fuzz 7287
"graphicsmagick/coder_PCT_fuzzer: Indirect-leak in
CloneImage". (Credit to OSS-Fuzz)
* magick/pixel_cache.c (OpenCache): Use image->scene rather than
GetImageIndexInList(image) for scene-id part of cache info file
name.
* coders/txt.c (WriteTXTImage): Optimize the progress indicator
since it is very inefficient with a large number of scenes and
oss-fuzz 7090 "graphicsmagick/coder_TEXT_fuzzer: Timeout in
graphicsmagick_coder_TEXT_fuzzer" consistently shows
GetImageListLength() in its stack traces.
* coders/dcm.c (ReadDCMImage): DICOM reader was no longer
immediately quitting with excessive samples per pixel. This
caused spinning for a very long time when reading planar images
with large samples per pixel. This is a regression due to recent
changes. Fixes oss-fuzz 7269 "graphicsmagick/coder_DCM_fuzzer:
Timeout in graphicsmagick_coder_DCM_fuzzer". (Credit to OSS-Fuzz)
* coders/xcf.c (ReadXCFImage): Destroy layer info before returning
due to exception. This is a new regression due to adding more
checks. Fixes oss-fuzz 7277 "graphicsmagick/coder_XCF_fuzzer:
Direct-leak in ReadXCFImage". (Credit to OSS-Fuzz)
* coders/pdb.c (ReadPDBImage): Assure that all bytes of scanline
are initialized while decoding. Fixes oss-fuzz 7051
"graphicsmagick/coder_PDB_fuzzer: Use-of-uninitialized-value in
WritePDBImage". (Credit to OSS-Fuzz)
2018-03-31 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/pcx.c (ReadPCXImage): Assure that scanline is
initialized. Fixes oss-fuzz 6612
"graphicsmagick/coder_PCX_fuzzer: Use-of-uninitialized-value in
WriteRLEPixels". (Credit to OSS-Fuzz)
* coders/wpg.c (ReadWPGImage): Detect unexpected EOF and avoid use
of uninitialized data. Fixes oss-fuzz 6601
"graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in
ImportIndexQuantumType". (Credit to OSS-Fuzz)
* coders/sgi.c (ReadSGIImage): Assure that RLE decode buffer is
initialized. Fixes oss-fuzz 6599
"graphicsmagick/coder_SGI_fuzzer: Use-of-uninitialized-value in
SyncImageCallBack" and oss-fuzz 6600
"graphicsmagick/coder_SGI_fuzzer: Use-of-uninitialized-value in
SGIEncode". (Credit to OSS-Fuzz)
* coders/viff.c (ReadVIFFImage): Fix blob I/O size validation to
avoid use of uninitialized data. Fixes oss-fuzz 6597
"graphicsmagick/coder_VIFF_fuzzer: Use-of-uninitialized-value in
ThresholdImage". (Credit to OSS-Fuzz)
(ReadVIFFImage): Don't execute SetImageType(image,BilevelType) on
an image which has no pixels yet in order to avoid use of
uninitialized data. Fixes oss-fuzz 6597. (Credit to OSS-Fuzz)
* coders/wbmp.c (ReadWBMPImage): Fix blob I/O size validation to
avoid use of uninitialized data. Fixes oss-fuzz 7047
"graphicsmagick/coder_WBMP_fuzzer: Use-of-uninitialized-value in
ReadWBMPImage". (Credit to OSS-Fuzz)
* coders/wpg.c (ExtractPostscript): Allow non-Postscript content
but force reading using the magick we already detected. Also log
the format that we detected.
* coders/xcf.c (ReadOneLayer): Reject layer size of 0x0. Fixes
oss-fuzz 6636 "graphicsmagick/coder_XCF_fuzzer: Direct-leak in
MagickMallocAligned". (Credit to OSS-Fuzz)
(ReadXCFImage): Verify that seek offsets are within the bounds of
the file data. Fixes oss-fuzz 6682
"graphicsmagick/coder_XCF_fuzzer: Out-of-memory in
graphicsmagick_coder_XCF_fuzzer". (Credit to OSS-Fuzz)
* magick/pixel_cache.c (ModifyCache): Destroy CacheInfo if
OpenCache() fails so it is not leaked.
* coders/wpg.c (ExtractPostscript): Enforce that embedded file is
a Postscript file. Fixes oss-fuzz 7235
"graphicsmagick/coder_WPG_fuzzer: Indirect-leak in MagickRealloc".
This is indicated to be a regression. (Credit to OSS-Fuzz)
2018-03-30 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/pict.c (ReadPICTImage): Check image pixel limits before
allocating memory for tile. Fixes oss-fuzz 7217
"graphicsmagick/coder_PICT_fuzzer: Out-of-memory in
graphicsmagick_coder_PICT_fuzzer".
2018-03-29 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/pcd.c (ReadPCDImage): Add checks for EOF. Fixes oss-fuzz
issue 7180 "graphicsmagick/coder_PCDS_fuzzer: Timeout in
graphicsmagick_coder_PCDS_fuzzer". (Credit to OSS-Fuzz)
2018-03-29 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* coders/svg.c (SVGStartElement, SVGEndElement),
magick/render.c (DrawImage): This changeset implements the SVG
"use" element. Graphical elements (e.g., "rect", "text", etc.)
can be tagged with an identifier using 'id="identifier"' when
defined within the "defs" section. They can then be referenced
elsewhere in the SVG file using:
<use xlink:href="#identifier" ... />
When referencing a graphical element by its identifier, the
following syntaxes are now treated as being the same:
href="#identifier"
href="url(#identifier)"
xlink:href="#identifier"
xlink:href="url(#identifier)"
2018-03-27 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/tim.c (ReadTIMImage): Reader was not observing subimage
and subrange to quit after the specified frame range. Inspired by
oss-fuzz 7132 "graphicsmagick/coder_TIM_fuzzer: Timeout in
graphicsmagick_coder_TIM_fuzzer" (Credit to OSS-Fuzz)
2018-03-27 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* coders/svg.c (SVGStartElement): Enable setting the
background color from the SVG file when the client
specifies style="background:color" inside the <svg>
... </svg> element.
2018-03-25 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/mtv.c (ReadMTVImage): Add some elementary tracing to MTV
reader.
* coders/png.c (ReadMNGImage): Fix SourceForge issue 554
"Divide-by-zero in ReadMNGImage (coders/png.c)". (Credit to Trace
Probe)
* coders/bmp.c (ReadBMPImage): Assure that start position always
advances to avoid looping BMPs. Fixes oss-fuzz 7045
"graphicsmagick/coder_BMP_fuzzer: Timeout in
graphicsmagick_coder_BMP_fuzzer". (Credit to OSS-Fuzz)
* coders/pict.c (DecodeImage): Verify that sufficient backing data
exists before allocating memory to read it. Fixes oss-fuzz 6629
"graphicsmagick/coder_PCT_fuzzer: Out-of-memory in
graphicsmagick_coder_PCT_fuzzer".
(ReadPICTImage): Destroy tile_image in ThrowPICTReaderException()
macro to simplify logic.
2018-03-25 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/mat.c Check whether datablock is really read.
Fixes oss-fuzz 7056 (Credit to OSS-Fuzz)
* coders/txt.c Duplicate image check for data with fixed geometry
previous check is skipped. Fixes oss-fuzz 7090.
2018-03-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dcm.c (ReadDCMImage): Validate that samples per pixel is
in valid range. Fixes oss-fuzz 6260
"graphicsmagick/coder_DCM_fuzzer: Out-of-memory in
graphicsmagick_coder_DCM_fuzzer". (Credit to OSS-Fuzz)
* coders/meta.c (format8BIM): Allocate space for null termination
and null terminate string. Fixes oss-fuzz 5985
"graphicsmagick/coder_8BIMTEXT_fuzzer: Heap-buffer-overflow in
formatIPTCfromBuffer". (Credit to OSS-Fuzz)
* coders/fits.c (ReadFITSImage): Include number of FITS scenes in
file size validations. Fixes oss-fuzz 6781
"graphicsmagick/coder_FITS_fuzzer: Timeout in
graphicsmagick_coder_FITS_fuzzer". (Credit to OSS-Fuzz)
2018-03-23 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/meta.c (format8BIM): Validate size request prior to
allocation. Fixes oss-fuzz issue 5974
"graphicsmagick/coder_8BIMTEXT_fuzzer: Out-of-memory in
graphicsmagick_coder_8BIMTEXT_fuzzer". (Credit to OSS-Fuzz)
2018-03-23 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/mat.c Fix forged amount of frames 7076. (Credit to OSS-Fuzz)
* coders/topol.c Check for forged image that overflows file size
(fuzz 6836).
2018-03-23 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/render.c, render.h (DrawInfo, CloneDrawInfo,
DrawClipPath, DrawImage, GetDrawInfo): According to the SVG
spec, a clipping path is defined only by the geometry of its
constituent elements, and is not dependent on fill color/opacity,
stroke color/opacity, or stroke width. To ensure conformity
with the spec, when a clipping path is created, these SVG
elements are set to appropriate values, and any attempt to
modify them is ignored.
Also, whenever a clipping path is drawn, the associated image
attributes are now updated from the parent image structure.
This ensures that any added or modified attributes are up to
date.
2018-03-22 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/topol.c Use rather MagickSwabArrayOfUInt32() to
flip all array elements at once.
* magick/annotate.c Compilation issue - using C++ syntax in C code.
2018-03-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dpx.c (ReadDPXImage): Validate header length and offset
properties. Fixes oss-fuzz "graphicsmagick/coder_DPX_fuzzer:
Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)
2018-03-20 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/annotate.c (RenderType): According to the SVG
spec, the 'font-family' element can be a comma-separated
list of one or more font family names. Function RenderType
in file annotate.c has been modified to support multiple
font family names as follows. The comma-separated list is
processed until the first available font family is found.
If no font family is found, or if font substitution occurred,
then the entire font family string is tested to see if it
exactly matches a font name, or if the font family string
with blanks changed to hypens exactly matches a font name.
If a font name match is found, the matched font overrides
the font substution. The font name matching functionality
is beyond what's in the SVG spec and is provided as a
convenience to the user.
2018-03-20 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/mat.c Fix forged amount of frames 6755. (Credit to OSS-Fuzz)
2018-03-20 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/topol.c Redesign ReadBlobDwordLSB() to be more effective.
2018-03-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/xpm.c (ReadXPMImage): Reject XPM if its condensed version
contains non-whitespace control characters. Fixes oss-fuzz 7027
"graphicsmagick/coder_XPM_fuzzer: Timeout in
graphicsmagick_coder_XPM_fuzzer". (Credit to OSS-Fuzz)
2018-03-19 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/topol.c Fix tile index overflow fuzz 6634. (Credit to OSS-Fuzz)
2018-03-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dcm.c (DCM_ReadGrayscaleImage): Don't use rescale map if
it was not allocated. This issue was induced in this development
cycle due to disabling generating the rescale map. Fixes oss-fuzz
7021 "graphicsmagick/coder_DCM_fuzzer: Null-dereference READ in
DCM_ReadGrayscaleImage". (Credit to OSS-Fuzz)
2018-03-18 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* magick/color_lookup.c (QueryColorDatabase): Defend against
partial scanf() expression matching, resulting in use of
uninitialized data. Likely fixes oss-fuzz 6596
"graphicsmagick/coder_XPM_fuzzer: Use-of-uninitialized-value in
IsMonochromeImage". (Credit to OSS-Fuzz)
* coders/rle.c (ReadRLEImage): Validate number of colormap bits to
avoid undefined shift behavior. Fixes oss-fuzz 6630
"graphicsmagick/enhance_fuzzer: Undefined-shift in
ReadRLEImage". (Credit to OSS-Fuzz)
* coders/dcm.c (DCM_ReadRGBImage): Don't use rescale map if it was
not allocated. This issue was induced in this development cycle
due to disabling generating the rescale map. Fixes oss-fuzz 6995
"graphicsmagick/coder_DCM_fuzzer: Null-dereference READ in
DCM_ReadRGBImage". (Credit to OSS-Fuzz)
* coders/dib.c (DecodeImage): Report failure to decode to expected
amount of pixel data as an error. Fixes oss-fuzz 7007
"graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in
EnhanceImage". (Credit to OSS-Fuzz)
* coders/bmp.c (ReadBMPImage): Add file size and offset/seek
validations. Fixes oss-fuzz 6623
"graphicsmagick/coder_BMP_fuzzer: Timeout in
graphicsmagick_coder_BMP_fuzzer". (Credit to OSS-Fuzz)
2018-03-17 Fojtik Jaroslav <JaFojtik@seznam.cz>
* dcraw/dcraw.c Updated to version 9.27
2018-03-15 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/gif.c (ReadGIFImage): Fix botched fixes for use of
uninitialized data when reading GIF extension blocks. Hopefully
ok now.
2018-03-13 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/gif.c (ReadGIFImage): Fix use of uninitialized data when
reading GIF extension blocks. Fixes oss-fuzz 6609
"graphicsmagick/coder_GIF_fuzzer: Use-of-uninitialized-value in
MagickArraySize". This seems to be a totally benign issue. (Credit
to OSS-Fuzz)
* magick/magick.c (MagickSignal): Use an alternate signal stack,
if available. This is required for Go lang C language extensions
since Go lang requests an alternate signal sack, and uses small
stacks for its threads. If the library user has not allocated an
alternate signal stack, then behavior should be just as before.
Issue was originally reported by yzhæ¨æ¯å® on March 1, 2018 via
the graphicsmagick-help SourceForge mailing list.
2018-02-28 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* magick/pixel_cache.c (AcquireCacheNexus): Add a check that the
pixel cache is compatible with the image dimensions. Fixes
oss-fuzz issues 5978 5988 5989 5990 5993 6016, and 6056, which are
all related to the PICT writer. (Credit to OSS-Fuzz)
* magick/draw.c (DrawGetStrokeDashArray): Check for failure to
allocate memory. Patch submited by Petr Gajdos via email on
February 28, 2018.
2018-02-27 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/fits.c (ReadFITSImage): Fix signed integer overflow when
computing pixels size. Fixes oss-fuzz 6586
"graphicsmagick/coder_FITS_fuzzer: Integer-overflow in
ReadFITSImage". (Credit to OSS-Fuzz)
2018-02-27 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* coders/svg.c (SVGStartElement, SVGEndElement): From the
SVG spec: "The 'foreignObject' element allows for inclusion
of a foreign namespace which has its graphical content drawn
by a different user agent." Code has been added to consume
and discard the 'foreignObject' element and any settings (e.g.,
fill color) internal to it. Previously, settings internal
to the 'foreignObject' element would persist and "leak" into
the graphic elements that followed it, resulting in undesired
side effects (e.g., fill color other than the expected default).
2018-02-27 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/render.c (DrawPolygonPrimitive): Fixed a bug
introduced by changeset 39102dd1d456. For SVG, this
changeset applied both the group AND the fill opacity
values to fill patterns (similarly for stroke). For WMF,
however, this caused the fill pattern to be rendered as
100% transparent. A closer reading of the SVG spec does
NOT show that the fill opacity should be applied to the
fill pattern, so as of this latest changeset only the group
opacity value is applied to fill and stroke patterns.
2018-02-27 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/bmp.c (ReadBMPImage): Fix divide by zero regression added
by latest fixes. Fixes oss-fuzz 6583
"graphicsmagick/coder_BMP_fuzzer: Divide-by-zero in ReadBMPImage".
(Credit to OSS-Fuzz)
2018-02-26 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/pict.c (ReadPICTImage): Validate that PICT rectangles do
not have zero dimensions. Specify expected file type when reading
from a temporary file. Trace PICT rectangle dimensions. More
detection of blob EOF and more error handling. Fixes oss-fuzz
issue 6193 "graphicsmagick/coder_PCT_fuzzer: Unknown signal in
AllocateImageColormap" and likely many oss-fuzz ASAN/UBSAN issues
reported against "PCT" and "PICT" since this one problem appears
to be causing a spew of reports.
* coders/png.c (ReadMNGImage): Detect and handle failure to
allocate global PLTE. Problem was reported via email from Petr
Gajdos on February 26, 2018.
2018-02-25 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* magick/blob.c (ReadBlobLSBDouble): Make sure imported double is
a normal value.
(ReadBlobLSBDoubles): Make sure imported doubles are normal
values.
(ReadBlobLSBFloat): Make sure imported float is a normal value.
(ReadBlobLSBFloats): Make sure imported floats are normal values.
(ReadBlobMSBFloat): Make sure imported float is a normal value.
(ReadBlobMSBFloats): Make sure imported floats are normal values.
(ReadBlobMSBDouble): Make sure imported double is a normal value.
(ReadBlobMSBDoubles): Make sure imported doubles are normal
values.
* magick/import.c (ImportFloat32Quantum): Make sure imported float
is a normal value.
(ImportFloat64Quantum): Make sure imported double is a normal
value.
* magick/image.h (RoundDoubleToQuantum): Restore previous behavior
(from earlier today).
(RoundFloatToQuantum): Restore previous behavior (from earlier
today).
* coders/bmp.c (ReadBMPImage): Fix UBSAN runtime error: left shift
of 205 by 24 places cannot be represented in type 'int'.
* coders/ept.c (ReadEPTImage): Fix dereference of NULL pointer
which was detected by UBSAN in the test suite.
* magick/image.h (RoundDoubleToQuantum): Check double value for
NaN and infinity in order to avoid undefined behavior.
(RoundFloatToQuantum): Check float value for NaN and infinity in
order to avoid undefined behavior.
* magick/common.h (MAGICK_ISNAN): Add a isnan() wrapper macro.
(MAGICK_ISINF): Add a isinf() wrapper macro.
2018-02-25 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/mat.c Fix oss-fuzz issue 6273 - Heap-use-after-free in
GetLocaleExceptionMessage. (Credit to OSS-Fuzz)
2018-02-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dcm.c (DCM_PostRescaleImage): Remove use of
DCM_PostRescaleImage() since its implementation is wrong and
accesses non-allocated heap memory. Problem was reported by Petr
Gajdos via email on February 8, 2018.
* coders/jp2.c (ReadJP2Image): Use a ThrowJP2ReaderException macro
to automatically clean up when throwing an exception.
* coders/bmp.c (ReadBMPImage): Report an error if RLE decode does
not produce the expected number of bytes. Fixes oss-fuzz issue
6015 "graphicsmagick/coder_BMP_fuzzer: Out-of-memory in
graphicsmagick_coder_BMP_fuzzer". (Credit to OSS-Fuzz)
2018-02-23 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/render.c (DrawImage): Fixed a bug in which graphical
elements defined within <defs> ... </defs> were being rendered,
contrary to the SVG spec.
2018-02-23 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/render.c (DrawPolygonPrimitive): When filling or
stroking a polygon using a pattern, the fill (or stroke)
and group/object opacity values were not being applied to
the pattern (fixed).
2018-02-23 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/bmp.c (ReadBMPImage): Fix SeekBlob() return value checks.
Add more EOF checks. Require that a provided ba_offset be a
forward seek in order to avoid the possibility of endless looping.
2018-02-23 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/mat.c Fix oss-fuzz issue 6301. (Credit to OSS-Fuzz)
2018-02-22 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/alpha_composite.c (BlendQuantumOpacity): The
pixel compositing equation used when compositing an
image into the output was incorrect and has been fixed.
* magick/render.c (DrawPolygonPrimitive): When
compositing polygon edge pixels over a transparent
black background, the code would composite as if the
background were opaque black, resulting in the edge
pixels being too dark (fixed).
2018-02-21 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/render.c (DrawImage): Per the SVG spec, opacity,
fill-opacity, and stroke-opacity values are now clamped
to [0,1].
Also fixed two bugs introduced by changeset 91de8039f27d
(dated 2018-02-12): (1) a group/object opacity value
specified using a percentage was not being converted to a
value in [0,1]; (2) if fill-opacity or stroke-opacity was
1, and the group/object opacity value was set to 1, the
resulting fill-opacity or stroke-opacity value would be
set to 0 instead of 1.
2018-02-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/viff.c (ReadVIFFImage): Fix excessive memory usage.
Fixes oss-fuzz 6006 "graphicsmagick/coder_XV_fuzzer: Out-of-memory
in graphicsmagick_coder_XV_fuzzer". (Credit to OSS-Fuzz)
* coders/txt.c (ReadInt): Avoid benign signed integer overflow due
to accepting an arbitrary number of digits. Fixes oss-fuzz 6002
"graphicsmagick/coder_TEXT_fuzzer: Integer-overflow in
ReadInt". (Credit to OSS-Fuzz)
* coders/viff.c (ReadVIFFImage): Verify that there is sufficient
data to back up colormap allocation request. Fixes oss-fuzz 5986
"graphicsmagick/coder_VIFF_fuzzer: Out-of-memory in
graphicsmagick_coder_VIFF_fuzzer". (Credit to OSS-Fuzz)
* magick/memory.c: Define MAGICK_MEMORY_HARD_LIMIT=value to abort
when memory request exceeds value. Useful to find location of
excessive memory requests.
2018-02-19 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* coders/svg.c (SVGStartElement): Per the SVG spec, the
SVG coder now initializes the MVG coder (which renders
SVG graphical elements) with the the SVG defaults for
fill color, fill-opacity, stroke color, stroke-opacity,
and stroke-width. This makes the SVG coder independent
of the MVG coder intial state.
2018-02-19 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* coders/svg.c (SVGStartElement): Fixed initialization of
x and y attributes per the SVG spec: for graphical elements
"image", "pattern", "text", "rect", and "use", if the x or y
attribute is not specified, the effect is as if a value of
"0" were specified.
2018-02-18 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/sun.c (ReadSUNImage): Fix edge case which broke file-size
validation logic. Fixes oss-fuzz issue 5981
"graphicsmagick/coder_SUN_fuzzer: Out-of-memory in
graphicsmagick_coder_SUN_fuzzer". (Credit to OSS-Fuzz)
* coders/txt.c (ReadTXTImage): Validate that file size is
sufficient for claimed image properties. Fixes oss-fuzz issue
5960 "graphicsmagick/coder_TXT_fuzzer: Out-of-memory in
graphicsmagick_coder_TXT_fuzzer". (Credit to OSS-Fuzz)
* coders/tga.c (ReadTGAImage): Only allow 1 and 8 bit
colormapped/grey images. Fixes oss-fuzz issue 6314
"graphicsmagick/coder_ICB_fuzzer: Undefined-shift in
ReadTGAImage". (Credit to OSS-Fuzz)
* coders/bmp.c (ReadBMPImage): Detect and report when BMP height
value is out of range (too negative). Fixes oss-fuzz issue 6394
"graphicsmagick/coder_BMP_fuzzer: Integer-overflow in
ReadBMPImage". (Credit to OSS-Fuzz)
* coders/rla.c (ReadRLAImage): Detect when RLE decoding is
producing too many samples and report as an error. Fixes oss-fuzz
issue 6312 "graphicsmagick/coder_RLA_fuzzer: Timeout in
graphicsmagick_coder_RLA_fuzzer". (Credit to OSS-Fuzz)
* coders/fits.c (ReadFITSImage): Validate that file size is
sufficient for claimed image properties. Fixes oss-fuzz issue
6429 "graphicsmagick/coder_FITS_fuzzer: Timeout in
graphicsmagick_coder_FITS_fuzzer". (Credit to OSS-Fuzz)
* magick/image.c (CloneImage): Check image pixel limits in
CloneImage() when it is used to change the image dimensions. This
avoids depending on the using code to detect and report such
issues.
* coders/xcf.c (ReadXCFImage): Check image pixel limits after each
CloneImage() to assure that image is within specified resource
limits. Fixes oss-fuzz issue 6399 "graphicsmagick/enhance_fuzzer:
Timeout in graphicsmagick_enhance_fuzzer". (Credit to OSS-Fuzz)
2018-02-16 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/render.c (TracePath): TracePath() was not
correctly processing multiple sets of cubic or quadratic
Bezier coordinates when the previous path data command was
not a cubic or quadratic Bezier command. This would result
in the first control point being equal to the current path
point instead of being computed using the current path
point and the second control point of the previous Bezier
command.
2018-02-15 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/render.c (TracePath): TracePath() was not
consuming commas (if present) at the end of a set of
points when multiple sets of points were specified for
various path commands (e.g., line, Bezier). This
resulted in the remaining sets of points being ignored
(fixed).
2018-02-15 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/render.c (TraceArcPath): No points are generated
by TraceArcPath() if the starting and ending arc points
are the same. For this case, the coordinate count was not
being set to zero before returning (fixed).
2018-02-15 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/render.c (DrawImage): Clipping of polygons in
DrawImage() would sometime result in a starting pixel
location that was greater than the ending pixel location,
causing a subsequent call to GetImagePixelsEx() to fail
due a column count <= 0. Modified the clipping code to
eliminate this condition, and also to return early if
the polygon lies completely outside the image boundaries.
Also fixed variable declarations from a previous commit
that were causing problems for the C89 compiler.
2018-02-13 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/topol.c (ReadTOPOLImage): Detect EOF immediately rather
than spinning. Fixes oss-fuzz issue 6303
"graphicsmagick/coder_TOPOL_fuzzer: Timeout in
graphicsmagick_coder_TOPOL_fuzzer". (Credit to OSS-Fuzz)
* coders/dcm.c (DCM_SetupRescaleMap): Avoid excessive left shift.
Fixes oss-fuzz issue 6256 "graphicsmagick/coder_DCM_fuzzer:
Undefined-shift in DCM_SetupRescaleMap". (Credit to OSS-Fuzz)
2018-02-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/wpg.c (ExtractPostscript): Detect EOF on input while
transferring bytes to Postscript file. Fixes oss-fuzz issue 6087
"graphicsmagick/coder_WPG_fuzzer: NULL". Later identified to be
CVE-2017-17682 as previously discovered in ImageMagick. (Credit to
OSS-Fuzz)
* coders/pdb.c (ReadPDBImage): Quit attempting to read image data
immediately at EOF. Fixes oss-fuzz issue 6252
"graphicsmagick/coder_PDB_fuzzer: Timeout in
graphicsmagick_coder_PDB_fuzzer". (Credit to OSS-Fuzz)
2018-02-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/topol.c (ReadTOPOLImage): Avoid index out of bounds when
input filename does not use a file extension. Fixes oss-fuzz issue
6237 "graphicsmagick/coder_TOPOL_fuzzer: Index-out-of-bounds in
ReadTOPOLImage". (Credit to OSS-Fuzz)
2018-02-12 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/render.c (DrawImage): Object/group opacity,
when set in DrawImage(), would overwrite the fill
and stroke opacities. This has been fixed so that
the object opacity is now combined with the fill
and stroke opacities per the SVG spec.
2018-02-12 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/mat.c Fix oss-fuzz issue 6021. (Credit to OSS-Fuzz)
2018-02-11 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dcm.c (ReadDCMImage): Avoid undefined left shift of
short. Fix memory leaks in error reporting paths. Fixes oss-fuzz
issue 6217 "graphicsmagick/coder_DCM_fuzzer: Undefined-shift in
ReadDCMImage". (Credit to OSS-Fuzz)
* coders/dpx.c (ReadDPXImage): Avoid divide by zero exception in
the case where reference high equals reference low. Fixes oss-fuzz
issue 6215 "graphicsmagick/coder_DPX_fuzzer: Divide-by-zero in
ReadDPXImage". (Credit to OSS-Fuzz)
* coders/topol.c (ReadTOPOLImage): Avoid index out of bounds when
input filename does not use a file extension.
* coders/cut.c (ReadCUTImage): Avoid index out of bounds when
input filename does not use a file extension. Fixes oss-fuzz issue
6218 "graphicsmagick/coder_CUT_fuzzer: Index-out-of-bounds in
ReadCUTImage". (Credit to OSS-Fuzz)
* coders/pwp.c (ReadPWPImage): Force temporary file to be read as
a SFW file rather than autodetecting the format. Fixes oss-fuzz
issue 6220 "graphicsmagick/coder_PWP_fuzzer: Indirect-leak in
AllocateImage". (Credit to OSS-Fuzz)
2018-02-10 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/pdf.c (WritePDFImage): Assure that xref memory is not
leaked if an exception is thrown. Fixes oss-fuzz issue 5968
"graphicsmagick/coder_EPDF_fuzzer: Direct-leak in MagickRealloc".
(Credit to OSS-Fuzz)
* coders/tim.c (ReadTIMImage): Verify that 4/8 bit PSX TIM
provides a CLUT and verify indexes. Fixes oss-fuzz issue 5972
"graphicsmagick/coder_TIM_fuzzer: Null-dereference WRITE in
ReadTIMImage". (Credit to OSS-Fuzz)
* coders/topol.c (ReadTOPOLImage): Add additional header
validations. Fixes oss-fuzz issue 5975
"graphicsmagick/coder_TOPOL_fuzzer: Floating-point-exception in
ReadTOPOLImage". (Credit to OSS-Fuzz)
* coders/bmp.c (ReadBMPImage): Avoid possible division by zero
when decoding CIE primary values. (Credit to OSS-Fuzz)
* magick/export.c (ExportViewPixelArea): Only compute
unsigned_maxvalue if sample_bits <= 32.
* magick/import.c (ImportViewPixelArea): Assure that
double_maxvalue minus double_minvalue is not zero, or excessively
close to zero to avoid divide by zero exception or impossible
scaling factor. (Credit to OSS-Fuzz)
(ImportViewPixelArea): Only compute unsigned_maxvalue if
sample_bits <= 32.
2018-02-09 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dib.c (ReadDIBImage): Validate that image width is not
too negative such that it's absolute value can not fit in 32-bit
unsigned width. Resolves oss-fuzz issue 6179
"graphicsmagick/coder_ICO_fuzzer: Integer-overflow in
ReadDIBImage". (Credit to OSS-Fuzz)
* coders/dcm.c (funcDCM_BitsStored): Validate DICOM datum size.
Use a different means to determine the maximum value which does
not use excessive shifting. Resolves oss-fuzz issue 6165
"graphicsmagick/coder_DCM_fuzzer: Undefined-shift in
funcDCM_BitsStored". (Credit to OSS-Fuzz)
2018-02-08 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/dpx.c (ReadWordU32BE): Add casts to avoid default type
promotion from unsigned char to 'int' leading to undefined
behavior for 24 bit shift. Fixes oss-fuzz issue 6058
"graphicsmagick/coder_DPX_fuzzer: Undefined-shift in
ReadWordU32BE". (Credit to OSS-Fuzz)
(ReadDPXImage): Require that the file has at least one element.
Add bountiful casts for values which are left-shifted. Fixes
oss-fuzz issue 5962 "graphicsmagick/coder_DPX_fuzzer:
Undefined-shift in ReadDPXImage". (Credit to OSS-Fuzz)
* coders/dcm.c (DCM_ReadOffsetTable): Add casts Add casts to avoid
default type promotion from unsigned char to 'int' leading to
undefined behavior for 16 bit shift. Fixes oss-fuzz issue 5980
"graphicsmagick/coder_DCM_fuzzer: Undefined-shift in
DCM_ReadOffsetTable". (Credit to OSS-Fuzz)
* magick/module_aliases.h (ModuleAliases): Add missing mapping
from "ICODIB" format to "DIB" module.
* magick/import.c (ImportUInt32Quantum): Add casts to avoid
default type promotion from unsigned char to 'int' leading to
undefined behavior for 24 bit shift. Fixes oss-fuzz
"graphicsmagick/coder_P7_fuzzer: Undefined-shift in
ImportRGBQuantumType". (Credit to OSS-Fuzz)
2018-02-07 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/wpg.c Fix oss-fuzz issue 5964
"graphicsmagick/coder_MAT_fuzzer: Heap-use-after-free in
GetLocaleExceptionMessage". (Credit to OSS-Fuzz)
2018-02-07 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/render.c (IsPoint): Fixed a bug in which
IsPoint() would reject as a valid coordinate value
strings that did not begin with an integer: e.g.,
"0.25" would be accepted, but ".25" would not.
2018-02-07 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/cut.c (ReadCUTImage): Fix DestroyImageInfo() of NULL
pointer leading to assertion. Fixes oss-fuzz issue 6067
"graphicsmagick/coder_CUT_fuzzer: Unknown signal in
DestroyImageInfo".
* coders/tga.c (ReadTGAImage): Throw exception rather than
assertion for unexpected comment size. Fixes oss-fuzz issue 5961
"graphicsmagick/coder_ICB_fuzzer: ASSERT: (size_t)
(tga_info.id_length+1) == commentsize".
2018-02-06 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/pdf.c (WritePDFImage): Free 'xref' allocation before
error return. Fixes oss-fuzz issue 5968
"graphicsmagick/coder_EPDF_fuzzer: Direct-leak in MagickRealloc".
2018-02-04 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/pdb.c (ReadPDBImage): Fix heap buffer overflow if blob is
already at EOF when comment is read. Fixes oss-fuzz issue 5997
"graphicsmagick/coder_PDB_fuzzer: Heap-buffer-overflow in
SetImageAttribute".
* coders/dpx.c (ReadDPXImage): Fix memory leak of user data if
user data is truncated. Fix consumption of one uninitialized
stack bytes. Fixes oss-fuzz issue 5973:
graphicsmagick/enhance_fuzzer: Direct-leak in ReadDPXImage.
* coders/pnm.c (ReadPNMImage): Detect and avoid division by zero.
Fixes Issue 5959 in oss-fuzz: graphicsmagick/coder_P7_fuzzer:
Divide-by-zero in ReadPNMImage
* magick/xwindow.c (MagickXClientMessage): Eliminate valgrind
gripe about use of uninitialized stack data by clearing allocation
to zero.
(MagickXMakeImage): Eliminate valgrind gripe about use of
uninitialized heap data by clearing allocation to zero.
* coders/pwp.c (ReadPWPImage): Remove bogus EOF test on an image
with a closed blob. Fixes Issue 5957 in oss-fuzz:
graphicsmagick/coder_PWP_fuzzer: ASSERT: image->blob->type !=
UndefinedStream.
* www/Changes.rst: Fix typo with spelling "ChangeLog-2017.html".
Resolves SourceForge issue #544 "dead link 2017 changelog page on
GraphicsMagick web site".
2018-02-03 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* magick/static.c (OpenModule): Assure that status is initialized.
Resolves Coverity 261207 "Uninitialized scalar variable".
* wand/magick_wand.c (MagickHasColormap): New function to test if
the image has a colormap.
(MagickIsGrayImage): New function to test if the image uses only
gray pixels.
(MagickIsMonochromeImage): New function to test if the image uses
only monochrome pixels.
(MagickIsOpaqueImage): New function to test if the image uses only
opaque pixels.
(MagickIsPaletteImage): New function to test if the image is based
on a color palette. Above functions are written by Troy Patteson
and submitted via SourceForge patch #54 "Wand API patches: has
colormap, is gray image, is monochrome image, is opaque image, is
palette image".
* fuzzing: Added initial OSS-Fuzz integration by Alex Gaynor.
From SourceForge patch #55 "OSS-Fuzz integration"
* coders/png.c (ReadMNGImage): Fix free using possibly unallocated
pointer value.
* magick/blob.c (SeekBlob): Remove implicit extension of blob
allocation size based on seek offset. Besides making an
assumption about how the blob memory was allocated, this
reallocation feature provides a memory DOS opportunity. Resolves
issue reported by Alex Gaynor via email entitled "Security issue
with memory management in Magick++" to the graphicsmagick-security
list on 31 Jan 2018.
(SeekBlob):
* coders/jpeg.c (ReadIPTCProfile): Revert inadvertent wrong return
codes added by change on December 9, 2017. Fixes SourceForge bug
542 "Improper call to JPEG library in state 201" since 1.3.28.
2018-02-01 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/annotate.c (RenderFreetype): Fixed the text
opacity computation in RenderFreeType(). This bug caused
the text fill color to bleed into the character cell when
the SVG "fill-opacity" is less than 1.0.
2018-02-01 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* magick/attribute.c (CloneImageAttributes): Fixed a bug
in which the source image attributes would always replace
the destination image attributes instead of being appended
to them, and the destination image attributes would become
a memory leak.
2018-01-31 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* coders/svg.c (SVGStartElement): Fixed a bug in which the
x,y location values for a <text> or <tspan> were overwritten
by the x,y values for the next <tspan> before the previous
values were used. This caused the text associated with the
previous <text> or <tspan> to appear at the location
specified for the next <tspan>.
2018-01-30 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* magick/static.c: Use !defined(SupportMagickModules) to enable
static module loader. Fixes SourceForge bug #543 "Multiple
definition of "OpenModule" (etc) when cross-compiling shared".
2018-01-29 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* coders/svg.c (SVGStartElement): A terminating '>' in
a geometry string is interpreted to mean that the dimensions
of an image should only be changed if its width or height
exceeds the geometry specification. For an unapparent and
undocumented reason, a terminating '>', if present, was
being nulled out, making this feature unusable for SVG files
(now fixed).
2018-01-29 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* coders/svg.c (ReadSVGImage): If there is a geometry string
in image_info->size (e.g., gm convert -size "50x50%" in.svg
out.png), AllocateImage() sets image->columns and image->rows
to the width and height values from the size string. However,
this makes no sense if the size string was something like
"50x50%" (we'll get columns = rows = 50). So we set columns
and rows to 0 after AllocateImage(), which is the same as if
no size string was supplied by the client. This also results
in svg_info.bounds to be set to 0,0 (i.e., unknown), so that
svg_info.bounds will later be set using the image size
information from either the svg "canvas" width/height or from
the viewbox. Later, variable "page" is set from
svg_info->bounds. Then the geometry string in image_info->size
gets applied to the (now known) "page" width and height when
SvgStartElement() calls GetMagickGeometry(), and the intended
result is obtained.
2018-01-24 Greg Wolfe <gregory.wolfe@kodakalaris.com>
* coders/svg.c (SVGStartElement): When the density (DPI)
is specified using the ImageInfo::density member, the derived
scale factor is incorrectly applied a second time to the
width and height members of variable RectangleInfo page.
Fixes SourceForge ticket #451.
2018-01-23 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* magick/static.c: Use a lazy-loader for static modules with the
same external interface as the lazy-loader for dynamic modules.
2018-01-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* NEWS.txt: Prepare for 1.3.28 release.
2018-01-17 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* NEWS.txt: Update with changes since previous release.
2018-01-14 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* PerlMagick/Magick.xs: Compiler warnings reduction.
* magick/pixel_cache.h: Mark GetPixels(), GetIndexes(), and
GetOnePixel() as deprecated. Compilers may produce a warning if
these functions are used.
* magick/pixel_cache.c (InterpolateColor): Return black pixel if
InterpolateViewColor() reports failure.
* coders/png.c (ReadMNGImage): Fix memory leak of chunk and
mng_info in error path.
* coders/gif.c (ReadGIFImage): Fix memory leak of global colormap.
2018-01-13 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* magick/symbols.h: Fix SourceForge issue #538 "13 symbols in
common with ImageMagick despite --enable-symbol-prefix".
* coders/bmp.c (ReadBMPImage): Fix non-terminal loop due to
unexpected bit-field mask value. Fixes SourceForge issue #541
"Infinite Loop in ReadBMPImage (coders/bmp.c)".
* coders/jpeg.c (JPEGMessageHandler): Revert code added on
2017-07-08 to promote certain warnings from libjpeg to errors.
Add code to rationalize claimed image dimensions based on file
size. Resolves SourceForge issue #539 "Images with libjpeg
warnings result in error".
2018-01-11 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/wpg.c Recursive ReadImage could return multiple scenes
fixed.
2018-01-07 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/png.c (ReadOnePNGImage): Quit 'passes' loop if we
encountered an error
* magick/pixel_cache.c (SetNexus): Fix heap overwrite in
AcquireCacheNexus() due to SetNexus() not using an allocated
staging area for the pixels like it should. This problem impacts
all 1.3.X releases. Resolves SourceForge issues 532
"heap-buffer-overflow bug in ReadWPGImage" and #531
"heap-buffer-overflow in AcquireCacheNexus".
* magick/pixel_cache.c (InterpolateViewColor): Now returns
MagickPassFail rather than void. Code using this function is
updated to check the return status.
2018-01-01 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* magick/describe.c (DescribeImage): Discriminate between
AcquireImagePixels() returning NULL or finding a transparent
pixel. This avoids use of a null pointer in the case where
AcquireImagePixels() returns NULL.
2017-12-31 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* magick/static.c: Change static module initialization to be based
on an initialized list rather than a squence of function calls in
order to simplify maintenance and possibly address future
requirements.
2017-12-30 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* Copyright.txt: Bump copyright years and rotate ChangeLog.
distrib
>
Mageia
>
6
>
armv5tl
>
media
>
core-updates
>
by-pkgid
>
228c9f5c80c0827354c18f4f1dd3d081
>
files
>
2
