2019-07-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * NEWS.txt: Updates in preparation for 1.3.33 release. 2019-07-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * NEWS.txt: Updated NEWS to reflect updates since last release. 2019-07-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/png.c (WriteOnePNGImage): Fix saving to palette when image has an alpha channel but no color is marked as transparent. Patch submitted by PrzemysÅaw Sobala via SourceForge patch #61 "WriteOnePNGImage(): Fix saving to palette when image has an alpha channel but no color is marked as transparent". * doc/options.imdoc (characters): Fix -format documentation to reflect that '%r' returns the image type. Patch submitted by PrzemysÅaw Sobala via SourceForge patch #60 "Fix documentation typo". 2019-07-07 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/tempfile.c (AcquireTemporaryFileDescriptor): Fix compilation under Cygwin. Patch by Marco Atzeri and submitted via email to the graphicsmagick-help mailing list on Fri, 5 Jul 2019. 2019-06-23 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/attribute.c (GenerateEXIFAttribute): Added range checks and tracing. Fixes oss-fuzz 14998 "graphicsmagick/coder_JPEG_fuzzer: Heap-buffer-overflow in Read32s". This is a tiny read overflow. * coders/miff.c (ReadMIFFImage): Similar fix as to mpc.c * coders/mpc.c (ReadMPCImage): Fix faulty signed overflow logic for profiles[i].length which still allowed overflow. Fixes oss-fuzz issue 15190 "graphicsmagick/coder_MPC_fuzzer: Out-of-memory in graphicsmagick_coder_MPC_fuzzer". * doc/options.imdoc: Add notes about security hazards due to commands which support a '@filename' syntax. * www/security.rst: Add notes about security hazards due to commands which support a '@filename' syntax. 2019-06-22 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/render.c (DrawImage): Assure that 'token' is initialized. Fixes oss-fuzz issue 14897 "graphicsmagick/coder_MVG_fuzzer: Use-of-uninitialized-value in DrawImage". * magick/animate.c (MagickXAnimateImages): Fix memory leak of scene_info.pixels. * magick/display.c (MagickXDisplayImage): Fix heap overwrite of windows->image.name and windows->image.icon_name buffers. It appears that the code assumed that CloneString() would always allocated a string at least MaxTextExtent in size. I assume that this issue has existed for a very long time since CloneString() was re-written many years ago. * coders/caption.c (ReadCAPTIONImage): The CAPTION reader did not appear to work at all any more. Now it works again, but still not very well. * magick/command.c: Re-implement '@' file inclusion support for -comment, -draw, -format, and -label which was removed for the 1.3.32 release. Note that arguments from untrusted sources will still need to be sanitized to detect attempts to subvert this feature to access file data, but this feature has always been supported by GraphicsMagick and it originated early in the development of ImageMagick. 2019-06-17 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/utility.c (MagickStrlCat, MagickStrlCpy): Add debug checks enabled by MAGICK_STRL_CHECK. * magick/montage.c (MontageImages): Fix wrong length argument to strlcat() when building montage directory, which could allow heap overwrite. * coders/png.c (RegisterPNGImage): Pass correct size value to strlcat(). Under Apple's OS X (and possibly other targets) strlcat() writes bytes beyond what it needs to (but within the range it is allowed to) causing a crash due to the wrong limit value. Fixes SourceForge issue #609 `gm identify foo.png` crashes on macOS (v 1.3.32). * www/Changes.rst: Update ChangeLog links due to new year, and 1.3.32 release. 2019-06-16 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/bmp.c (WriteBMPImage): Detect arithmetic overflow of image_size. Add more tracing. Reduce compilation warnings. (EncodeImage): Reduce compilation warnings. (WriteBMPImage): Assure that chromaticity uses double-precision for multiply before casting to unsigned integer. * coders/wpg.c (ReallocColormap): Reduce compilation warnings. * coders/braille.c (WriteBRAILLEImage): Reduce compilation warnings. * coders/dib.c (WriteDIBImage): Detect arithmetic overflow of image_size. Reduce compilation warnings. (EncodeImage): Reduce compilation warnings. * coders/locale.c (WriteLOCALEImage): Reduce compilation warnings. 2019-06-15 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * Makefile.am (dist-zstd): Use the maximum possible compression level (22) when creating a Zstd-compressed tarball to get close to lzip/xz compression levels. * coders/tiff.c (ReadTIFFImage): Fix typo in initialization of 'tile' pointer variable. * version.sh: Updates in preparation for 1.3.32 release. 2019-06-14 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * Makefile.am (release): Add a release target to make it easier to produce and sign the release files. Add a zstd-compressed output tarball just because we can. 2019-06-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/render.c (DrawImage): Fix typo when initializing number_coordinates. Somehow GCC and clang let this typo slip by. 2019-06-11 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/dib.c (ReadDIBImage): Preserve PseudoClass opaque representation if ICO mask is opaque, otherwise return a DirectClass image. 2019-06-10 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/render.c (DrawImage): Detect an error in TracePath() and quit rather than forging on. 2019-06-09 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/render.c (DrawImage): Terminate drawing if DrawCompositeMask() reports failure. Fixes oss-fuzz 12373 "graphicsmagick/coder_MVG_fuzzer: Timeout in graphicsmagick_coder_MVG_fuzzer". (TracePath): Terminate path parsing upon first parsing error. 2019-06-08 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/txt.c (ReadTXTImage): Use real a new-line character as line delimiter rather than '\n' string. * magick/annotate.c (AnnotateImage): No longer implicitly call TranslateText() since this is not suitable for most use-cases and causes additional performance impact. The API user can perform such translations in advance on the text string using TranslateText() if need be. No longer call StringToList() to split strings into an array of strings since this can lead to unexpected results, and a custom-splitter is more efficient. 2019-06-06 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/render.c (DrawImage): Only support '@filename' syntax to read drawing primitive from a file if we are not already drawing. * magick/utility.c (TranslateTextEx): Remove support for reading from a file using '@filename' syntax due to security concerns. Problem was reported to us by "Battle Furry" via the GraphicsMagick security mail alias on June 6, 2019. 2019-06-03 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/utility.c (SetClientFilename): Reduce initialized data some more. 2019-06-02 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/nt_base.c: Search for n019003l.pfb (the "Helvetica"-like font) rather than fonts.dir since fonts.dir is not present in all URW font collections. * NEWS.txt: Update news. 2019-06-01 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/logo.c: Tidy logo image definitions, and logo image output. 2019-05-23 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/mat.c: Make more data const. 2019-05-22 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/animate.c: Reduce initialized static allocations. * magick/display.c: Reduce initialized static allocations. * magick/widget.c (MagickSplitNDLTextToList): Add static implementation function. 2019-05-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/webp.c (RegisterWEBPImage): Use sprintf to format version since snprintf is not available in old Visual Studio. 2019-05-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/dcm.c: Make more data const. * www/INSTALL-unix.rst: Add documentation for how to install URW fonts from various package management systems. 2019-05-18 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * www/authors.rst: Add authorship attribution to Samuel Thibault for contributing support for the Braille image format. * coders/braille.c: Add support for Braille image format by Samuel Thibault. Patch submitted via SourceForge patch #59 "Add braille image format support. 2019-05-17 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/tempfile.c: Make more data const. * magick/signature.c: Make more data const. * magick/quantize.c: Make more data const. * magick/attribute.c: Make more data const. * coders/png.c: Make more data const. * coders/mpeg.c: Make more data const. * coders/wmf.c: Make more data const. * coders/tile.c: Make more data const. 2019-05-16 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/enum_strings.c: Make more data const. 2019-05-15 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/magick.c: Make more data const. * magick/type.c (GetTypeInfoByFamily): Make more data const. * magick/unix_port.c (MagickGetMMUPageSize): Decrease initialized data. * magick/utility.c (GetPageGeometry): Make more data const. * coders/pdf.c (WritePDFImage): Allocate working buffer on stack and pass as argument to EscapeParenthesis() to eliminate a thread safety problem and also reduce BSS size. * coders/webp.c (RegisterWEBPImage): Fix compiler warning. * coders/jbig.c (RegisterJBIGImage): Make more data const. * coders/pict.c (DecodeImage): Allocate output buffer used by ExpandBuffer() on the stack rather than as static data private to ExpandBuffer(). Eliminates a thread safety problem and also reduces BSS size. * coders/webp.c (RegisterWEBPImage): Reduce BSS size. 2019-05-14 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/jp2.c: Make more data const. * coders/wmf.c: Make more data const. * coders/ps.c (WritePSImage): Make more data const. * coders/ps2.c (WritePS2Image): Make more data const. 2019-05-13 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/static.c: Revert to previous 'name' storage. Callback functions in structure block being properly const. * coders/xpm.c: Make more data const. * coders/pnm.c: Make more data const. * coders/palm.c: Make more data const. * coders/meta.c: Make more data const. * coders/dcraw.c: Make more data const. * magick/command.c: Fix compilation problem when HasX11 is not defined. 2019-05-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/command.c: Make more data const. 2019-05-11 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/webp.c (RegisterWEBPImage): Make more data const. * coders/svg.c (RegisterSVGImage): Reduce BSS size. * coders/miff.c (RegisterMIFFImage): Fix version reporting. * coders/ttf.c (RegisterTTFImage): Fixed reporting of FreeType version. * coders/tiff.c (RegisterTIFFImage): Reduce BSS size. * coders/sfw.c (ReadSFWImage): Make SFW static data completely const. * coders/ps3.c: Make PS3 static data completely const. * coders/pict.c: Make PICT static data completely const. * magick/error.c (ThrowException, ThrowLoggedException): Handle the case where some passed character strings refer to existing exception character strings. Fixes SourceForge issue #603 "heap-use-after-free in function ThrowLoggedException of magick/error.c". (CatchException): Restructure so there is one return point. * coders/miff.c (ImportRLEPixels): Fix heap overflow caused by a typo in the code. Also fix undefined behavior caused by large left shifts of an unsigned char. Fixes SourceForge issue #608 "heap-buffer-overflow in ImportRLEPixels of coders/miff.c. 2019-05-08 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/bmp.c (ReadBMPImage): Fix subrange/scene handling in 'ping' mode so it is like the other formats. Only the first frame was being enumerated while in 'ping' mode. 2019-05-07 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * NEWS.txt: Update news. * magick/utility.c (ExpandFilenames): Only expand '@filename' to a list of arguments read from 'filename' if the path '@filename' does not exist. This fix is made based on an email posting to the 'graphicsmagick-help' mailing list at SourceForge by "Test User" on Tue, 7 May 2019. 2019-05-05 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/colorspace.c: Reorder initialization of colorspace tables for a possible performance improvement. * magick/fx.c (WaveImage): Use float for sin map. * configure.ac: Test for float versions of math functions. * magick/gem.c (GenerateDifferentialNoise): Use float versions of math functions when available. 2019-05-02 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * www/INSTALL-unix.rst: Expanded configure documentation for --with-modules. Added specific configure documentation for --with-umem and --with-mtmalloc, which may be useful on Solaris-derived systems. 2019-04-23 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/command.c (VersionCommand): Show OpenMP specification version corresponding to version enumeration. * magick/locale.c (GetLocaleMessageFromTag): Eliminate clang warning about comparison with a constant value. * magick/log.c (InitializeLogInfo): Initialize LogInfo log_configured. 2019-04-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/magic.c (struct): Ajust StaticMagic definition to be more const-friendly. * magick/color_lookup.c (struct): Adjust StaticColors definition to be more const-friendly. * magick/attribute.c: Ajust tag_table definition to be more const-friendly. * magick/log.c: Allocate LogInfo from heap as we used to do. * magick/locale.c (GetLocaleMessageFromTag): Adaptations to locale coder output changes. * coders/locale.c (WriteLOCALEImage): Adjust locale coder output to be more const. 2019-04-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/color_lookup.c: Make built-in color tables fully const. * magick/animate.c: Use MagickXTextViewWidgetNDL() to display help text. * magick/display.c: Use MagickXTextViewWidgetNDL() to display help text. * magick/widget.c (MagickXTextViewWidgetNDL): New private function to display multi-line null-delimited text in an X11 widget. * coders/xwd.c (ReadXWDImage): Added even more XWD header validation logic. Addresses problems noted by email from Hongxu Chen to the graphicsmagick-security mail alias on Fri, 19 Apr 2019 and Sat, 20 Apr 2019 and entitled "Multiple crashes (FPE and invalid read) when processing XWD files". 2019-04-17 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/xwd.c (ReadXWDImage): Added even more XWD header validation logic. Addresses problems noted by email from Hongxu Chen to the graphicsmagick-security mail alias on Wed, 17 Apr 2019 and entitled "Multiple crashes (FPE and invalid read) when processing XWD files". Also addresses additional issues noted that an attacker could request to allocate an arbitrary amount of memory based on ncolors and the claimed header size. 2019-04-14 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/xwd.c (ReadXWDImage): Add more XWD header validation logic. Addresses problems noted by email from Hongxu Chen to the graphicsmagick-security mail alias on Sun, 14 Apr 2019 and entitled "Multiple crashes (FPE and invalid read) when processing XWD files". 2019-04-13 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/pdb.c (WritePDBImage): Assure that input scanline is cleared in order to cover up some decoder bug. May fix 14215 "graphicsmagick/coder_PDB_fuzzer: Use-of-uninitialized-value in WritePDBImage", which I have not been able to reproduce. * magick/render.c (DrawPrimitive): Check primitive point x/y values for NaN. (DrawImage): Fix oss-fuzz issue 14173 "graphicsmagick/coder_MVG_fuzzer: Integer-overflow in DrawImage". * magick/pixel_cache.c (SetNexus): Fix oss-fuzz issue 14208 "graphicsmagick/coder_MVG_fuzzer: Integer-overflow in SetNexus". 2019-04-11 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/display.c: Add even more const declarations. * coders/mat.c (WriteMATLABImage): Add completely missing error handling. Fixes SourceForge issue #604 "heap-buffer-overflow in function WriteMATLABImage of coders/mat.c". 2019-04-10 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/pdb.c (WritePDBImage): Fix SourceForge issue #605 "heap-buffer-overflow in function WritePDBImage of coders/pdb.c". * magick/widget.c: Add many const declarations. * magick/display.c: Incorporate and eliminate display.h. Add many const declarations. * magick/animate.c: Incorporate and eliminate animate.h. Add many const declarations. 2019-04-08 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/wmf.c (ReadWMFImage): Reject WMF files with an empty bounding box. Fixes SourceForge issue #606 "Division by Zero in coders/wmf.c". 2019-04-07 Fojtik Jaroslav <JaFojtik@seznam.cz> * magick/nt_base.c Fix a problem of finding ghostscript fonts. Variable "font_dir" was useless and thus removed. No need to copy text multiple times. Use const char gs_font_dir[] instead of pointer. 2019-04-07 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/xwd.c (ReadXWDImage): Perform more header validations and a file size validation in order to reject files with bogus headers. (WriteXWDImage): Fix SourceForge issue #599 "heap_buffer_overflow_WRITE in function WriteXWDImage of coders/xwd.c". 2019-04-05 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/svg.c (SVGStartElement): Fix stack buffer overflow while parsing quoted font family value. Fixes SourceForge issue #600 "stack-buffer-overflow in function SVGStartElement of coders/svg.c". * coders/miff.c (ReadMIFFImage): Detect end of file while reading RLE packets. Fixes SourceForge issue #598 "heap-buffer-overflow in function ReadMIFFImage of coders/miff.c". 2019-04-03 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/xwd.c (ReadXWDImage): Fix heap buffer overflow while reading DirectClass XWD file. Fixes SourceForge issue #597 "heap-buffer-overflow in function ReadXWDImage of coders/xwd.c". 2019-04-02 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/png.c (ReadMNGImage): Fix small buffer overflow (one PixelPacket) of image colormap. Fixes SourceForge issue #596 "heap-buffer-overflow in function CloneImage of magick/image.c". * magick/colormap.c (ReallocateImageColormap): New function to reallocate an image colormap. * coders/logo.c: Make more static data const. * magick/module_aliases.h: Make more static data const. * magick/static.c: Make more static data const. 2019-04-01 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/log.c (LogMagickEventList): Log elapsed time with microsecond precision. 2019-03-31 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/mpc.c (ReadMPCImage): Deal with a profile length of zero, or an irrationally large profile length. Fixes SourceForge issue #601 "memory leak in function ReadMPCImage of coders/mpc.c ". * magick/xwindow.c (MagickXGetWindowInfo): Deal with the unlikely case that the memory allocation for window->segment_info fails. Fixes SourceForge #595 "use allocate memory before null check" as pertains to magick/xwindow.c. * magick/segment.c (Classify): Add check for memory allocation failure when allocating cluster array. Fixes SourceForge #595 "use allocate memory before null check" as pertains to magick/segment.c. * coders/pdb.c (ReadPDBImage): Fix use of allocated memory before null check. Fixes SourceForge #595 "use allocate memory before null check" as pertains to coders/pdb.c. 2019-03-30 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/pixel_cache.c (AllocateThreadViewSet): Simplify the image view model by adding NexusInfo to the View structure (rather than referencing it via a pointer) to lessen the number of required per-thread allocations and to improve locality of reference. 2019-03-22 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/wpg.c (WPG1_Palette): Change to a static declaration. * coders/dcm.c: dicom_info array is now fully in the data segment. 2019-03-18 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * configure.ac: Add support for using the Solaris mtmalloc library. This is primarily for testing or as an alternative to Solaris umem. Stop using posix_memalign() until it is uniformly more mature and reliably quick. 2019-03-17 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/pixel_cache.c (SetNexus): Smallest staging-area allocation is cache line size so declare it as such. * magick/fx.c: Functions in the fx module which return a new Image should return a null Image if an exception was thrown. Also, assure that user has an opportunity to see the exception which was thrown. * magick/error.c (ThrowLoggedException): Throwing an exception is now thread-safe. * magick/pixel_cache-private.h: Moved pixel cache private definitions to private header. 2019-03-10 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/pixel_cache.c (SetNexus): Pass x, y, columns, and rows rather than a pointer to RectangleInfo. This should be easier to inline on modern CPUs. 2019-03-09 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/pixel_cache.c (SetNexus): Cache resource limits in CacheInfo rather than repeatedly calling into the resource code in order to lessen the overhead of performing resource limit checks on the pixel cache views. * magick/resource.c (AcquireMagickResource): Use a lock for each resource in order to lessen contention. Return a maximum 64-bit integer value if the resource has not been limited. Previously returned -1 in this case but this was not documented. 2019-03-07 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/import.c (ImportViewPixelArea): If range between max and min is less than MagickEpsilon, produce a black image rather than throwing an exception. * coders/mat.c (ReadMATImage): Fix memory leak on unexpected end of file. Fixes oss-fuzz 13556 "graphicsmagick/coder_MAT_fuzzer: Direct-leak in ReadMATImage". (Credit to OSS-Fuzz) 2019-03-06 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/mat.c (ReadMATImage): Quit if image scanlines are not fully populated due to exception. Fixes oss-fuzz 13530 "graphicsmagick/coder_MAT_fuzzer: Use-of-uninitialized-value in InsertComplexFloatRow". (Credit to OSS-Fuzz) 2019-03-04 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/txt.c (ReadTXTImage): Don't start new line if x_max < x_min. Avoids calling SetImagePixels() with a width of zero. Related to oss-fuzz 13521 "graphicsmagick/coder_TEXT_fuzzer: Floating-point-exception in SetNexus". (Credit to OSS-Fuzz) * magick/pixel_cache.c (SetNexus): Report error for empty region rather than crashing due to divide by zero exception. This is a new bug due to yesterday's changes. Fixes oss-fuzz 13521 "graphicsmagick/coder_TEXT_fuzzer: Floating-point-exception in SetNexus". (Credit to OSS-Fuzz) 2019-03-03 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * design/pixel-cache.dot: Update design dot diagram to remove IsNexusInCore and add CompositeCacheNexus. * magick/pixel_cache.c (SetNexus): Apply resource limits to pixel nexus allocations using the same limits (total pixels, width, height, memory) as applied to the whole image since some requests are directly influenced by the input file. Add yet more tests for arithmetic overflow. Whole source module is re-arranged so that static functions are in order of dependency so that forward prototype declarations are no longer needed. Fixes oss-fuzz 13210 "graphicsmagick/coder_MVG_fuzzer: Integer-overflow in SetNexus". (Credit to OSS-Fuzz) 2019-03-02 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/pixel_cache.c (OpenCache): Use unsigned 64-bit value to store CacheInfo offset and length as well as for the total pixels calculation. Add some more arithmetic overflow detections. * coders/topol.c (ReadTOPOLImage): Report a corrupt image exception "Unexpected end-of-file" if reader encounters end of file while reading header rows. Addresses oss-fuzz 7981 "graphicsmagick/coder_TOPOL_fuzzer: Use-of-uninitialized-value in InsertRow". (Credit to OSS-Fuzz) * coders/mat.c (ReadMATImage): Report a corrupt image exception "Unexpected end-of-file" if reader encounters end of file while reading scanlines. Also added some helpful traces. Hopefully addresses oss-fuzz 13445 "graphicsmagick/coder_MAT_fuzzer: Use-of-uninitialized-value in IsGrayImage". (Credit to OSS-Fuzz) 2019-02-26 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/image.h ("C"): Include as "magick/image-private.h" as the other headers are. ("C"): Include "magick/image-private.h" inside the protective MAGICK_IMPLEMENTATION guard, as it should have been. This error broke the oss-fuzz build. 2019-02-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/image-private.h (_ImageExtra): Put ImageExtra definition in a private header file so that its definition may be accessed directly by library internals. Add some accessor macros to provide access and update code to use them. * coders/wpg.c (ReallocColormap): Make sure that there is not a heap overwrite if the number of colors has been reduced. Thanks to Jaroslav Fojtik for giving me a heads up about this. 2019-02-23 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/monitor.c (MagickMonitorActive): Add new private function to test if a progress monitor is active. Update all progress monitor code in loops to use this information, while also updating code to hopefully address concerns expressed by Hongxu Chen about data races on the graphicsmagick-bugs mailing list starting on February 6, 2019. 2019-02-21 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/mpc.c (ReadMPCImage): Tally directory length to avoid death by strlen(). * coders/miff.c (ReadMIFFImage): Tally directory length to avoid death by strlen(). Fixes oss-fuzz 13190 "graphicsmagick/coder_MIFF_fuzzer: Timeout in graphicsmagick_coder_MIFF_fuzzer". (Credit to OSS-Fuzz) 2019-02-17 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/svg.c (ReadSVGImage): Don't call xmlCleanupParser() in module code since this may cause other libxml users to fail. * coders/msl.c (ProcessMSLScript): Don't call xmlCleanupParser() in module code since this may cause other libxml users to fail. * magick/render.c (DrawDashPolygon): (DrawDashPolygon): Don't read beyond end of dash pattern array. This is a second instance of issue identified by SourceForge issue #591. Fixes oss-fuzz 13160 "graphicsmagick/coder_MVG_fuzzer: Heap-buffer-overflow in DrawDashPolygon". The earlier attempt to fix this problem today broke dash patterns entirely. (Credit to OSS-Fuzz) * magick/annotate.c (RenderFreetype): Eliminate memory leak of GlyphInfo.image (type FT_Glyph) while rendering some FreeType fonts such as the one we use now in the Magick++ test suite. 2019-02-16 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/render.c (DrawDashPolygon): Avoid reading one beyond length of dash pattern array, which is terminated by value 0.0. Fixes SourceForge issue #591 "Heap buffer overflow in DrawDashPolygon when parsing SVG images". (DrawPrimitive): Add arithmetic overflow checks when converting computed coordinates from 'double' to 'long'. (DrawImage): Don't destroy draw_info in graphic_context when draw_info has not been allocated yet. Problem reported via email by Sami Supperi on Thu, 14 Feb 2019. * coders/jpeg.c (ReadJPEGImage): JPEG files are observed to provide compression ratios as high as 2500 so allow for that. Also, the test for "Unreasonable dimensions" delivered yesterday was flawed since magick_rows and magick_columns are only set if a desired image size was provided. Fixes SourceForge issue 592 "Non-malicious JPEG file fails with "Unreasonable dimensions"". * coders/tiff.c (ReadTIFFImage): Only disassociate alpha channel for images where photometic is PHOTOMETRIC_RGB. Fixes oss-fuzz 13115 "graphicsmagick/coder_PTIF_fuzzer: Use-of-uninitialized-value in DisassociateAlphaRegion". (Credit to OSS-Fuzz) 2019-02-15 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/jpeg.c (ReadJPEGImage): Base test for "Unreasonable dimensions" on original JPEG dimensions and not the scaled dimensions. Fixes SourceForge issue 593 "gm convert: Insufficient image data in file when hinting input image". 2019-02-13 Troy Patteson <troyp@ieee.org> * PerlMagick/Magick.xs (Mogrify): Add decorate argument to Annotate. * PerlMagick/Magick.xs (Mogrify): Remove reference to undefined Annotate argument. 2019-02-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/tiff.c (ReadTIFFImage): For planar TIFF, make sure that pixels are initialized in case some planes are missing. Fixes oss-fuzz 13046 "graphicsmagick/coder_PTIF_fuzzer: Use-of-uninitialized-value in DisassociateAlphaRegion". (Credit to OSS-Fuzz) 2019-02-11 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/pdf.c (WritePDFImage): Make sure to free 'xref' before returning. Similar to ImageMagick CVE-2019-7397 "In ImageMagick before 7.0.8-25, several memory leaks exist in WritePDFImage in coders/pdf.c.". Thanks to Petr Gajdos for bringing this issue to our attention. 2019-02-10 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/wpg.c (ReadWPGImage): Use a different way to reallocate the colormap which preserves existing content, but also updates image->colors and assures that added palette entries are initialized. * coders/png.c (ReadMNGImage): Bound maximum loop iterations by subrange as a primitive means of limiting resource consumption. This should finally resolve oss-fuzz 12738 "graphicsmagick/enhance_fuzzer: Out-of-memory in graphicsmagick_enhance_fuzzer". (Credit to OSS-Fuzz) * coders/tiff.c (ReadTIFFImage): Assure that opacity channel is initialized in the RGBAStrippedMethod case. Convert 'CorruptImageError' encountered while testing for more frames to 'CorruptImageWarning' so we return the frames already read. Second try at fixing oss-fuzz 11896 "graphicsmagick/coder_PTIF_fuzzer: Use-of-uninitialized-value in VerticalFilter". * coders/dpx.c (AttributeToString): Eliminate clang "-Wstring-plus-int" warning observed in oss-fuzz build. * coders/cineon.c (AttributeToString): Eliminate clang "-Wstring-plus-int" warning observed in oss-fuzz build. 2019-02-09 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/pict.c (DecodeImage): Avoide a one-byte over-read of pixels heap allocation. The cause of the over-read is not yet understood. Fixes oss-fuzz 12019 "graphicsmagick/coder_PICT_fuzzer: Heap-buffer-overflow in ExpandBuffer". (Credit to OSS-Fuzz) * coders/wpg.c (ReadWPGImage): Assure that all colormap entries are initialized. Fixes oss-fuzz 12614 "graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in EnhanceImage". (Credit to OSS-Fuzz) * coders/tiff.c (ReadTIFFImage): Make sure that image is in DirectClass mode and ignore any claimed colormap when the image is read using the RGBAStrippedMethod, RGBATiledMethod, or RGBAPuntMethod cases. Fixes oss-fuzz 12195 "graphicsmagick/coder_PTIF_fuzzer: Use-of-uninitialized-value in ExportGrayQuantumType". (Credit to OSS-Fuzz) * coders/miff.c (ReadMIFFImage): Improve pixel buffer calculations to defend against overflow. Assure that zlib and bzlib decode the expected number of bytes for a pixel row. Fixes oss-fuzz issue 12448 "graphicsmagick/coder_MIFF_fuzzer: Use-of-uninitialized-value in RGBTransformPackets". (Credit to OSS-Fuzz) 2019-02-08 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/png.c (ReadMNGImage): Quit processing and report error upon failure to insert MNG background layer. Fixes oss-fuzz 12738 "graphicsmagick/enhance_fuzzer: Out-of-memory in graphicsmagick_enhance_fuzzer". (Credit to OSS-Fuzz) 2019-02-03 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/dib.c (ReadDIBImage, WriteDIBImage): Improve buffer-size calculations to guard against buffer overflows. The reader version was not as complete as it should have been, whereas the writer version did not guard against arithmetic overflow at all. * coders/bmp.c (ReadBMPImage, WriteBMPImage): Improve buffer-size calculations to guard against buffer overflows. This is a follow-on fix to the previous fix submitted for SourceForge issue #582 "heap-buffer-overflow in ReadBMPImage of bmp.c" which is now also identified as CVE-2018-20185. * www/Hg.rst: Updates to reflect current usage and availability. * www/authors.rst: Promote Troy Patteson to the active contributor category. 2019-02-01 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/version.h.in: Rotate ChangeLog and update copyright statements for the new year. 2019-01-30 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * coders/webp.c (WriteWEBPImage): Patch by PrzemysÅaw Sobala to support WebP 'use_sharp_yuv' option ("if needed, use sharp (and slow) RGB->YUV conversion") via `-define webp:use-sharp-yuv=true`. 2019-01-05 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * magick/pixel_cache.c (SetNexus): Merge IsNexusInCore() implementation code into SetNexus() and add check for if cache_info->pixels is null. Fixes SourceForge issue #588 "Bug in IsNexusInCore()". * configure.ac (DcrawExtraOptions): Request TIFF output from dcraw if build supports TIFF format in order to obtain more metadata. This allows obtaining some metadata from standard TIFF tags (e.g. camera make, model, and dcraw version), and any attached ICC profile, but not specifically EXIF data since we don't support extracting EXIF data from TIFF yet. Inspired by SourceForge issue 589 "Identify lack of data (no Exif) in RAW formats".