diff -p -up GraphicsMagick-1.3.5/magick/xwindow.c.cve-2009-1882 GraphicsMagick-1.3.5/magick/xwindow.c --- GraphicsMagick-1.3.5/magick/xwindow.c.cve-2009-1882 2008-11-07 12:36:04.000000000 -0500 +++ GraphicsMagick-1.3.5/magick/xwindow.c 2009-10-08 16:42:44.000000000 -0400 @@ -196,6 +196,40 @@ static int MagickShmDt(void *shmaddr) } #endif + +/* +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% +% AcquireQuantumMemory() returns a pointer to a block of memory at least +% count * quantum bytes suitably aligned for any use. +% +% The format of the AcquireQuantumMemory method is: +% +% void *AcquireQuantumMemory(const size_t count,const size_t quantum) +% +% A description of each parameter follows: +% +% o count: the number of quantum elements to allocate. +% +% o quantum: the number of bytes in each quantum. +% +% NOTE: this was backported from 6.5.0.2 in order for patch for CVE-2009-1882 to work +% +*/ +MagickExport void *AcquireQuantumMemory(const size_t count,const size_t quantum) +{ + size_t + size; + + size=count*quantum; + if ((count == 0) || (quantum != (size/count))) + { + errno=ENOMEM; + return((void *) NULL); + } + return(MagickMalloc(size)); +} + /* %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % % @@ -5378,6 +5412,9 @@ MagickExport unsigned int MagickXMakeIma const MagickXResourceInfo *resource_info,MagickXWindowInfo *window,Image *image, unsigned int width,unsigned int height) { +#define CheckOverflowException(length,width,height) \ + (((height) != 0) && ((length)/((size_t) height) != ((size_t) width))) + int depth, format; 
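Review bot: The backported `AcquireQuantumMemory` in the first hunk is declared `MagickExport`, although every caller visible in this patch is in xwindow.c. Exporting it gives GraphicsMagick a public symbol with the same name as the ImageMagick function it was copied from, which invites a clash when both libraries are loaded into one process. Unless another file needs it, `static void *AcquireQuantumMemory(const size_t count,const size_t quantum)` is the safer declaration. The body also uses `errno` and `ENOMEM`, so confirm that `<errno.h>` is included, since the include block lies outside the hunk. It would also help to add a comment that a zero `count` returns NULL with `ENOMEM`, so callers see an empty request as an allocation failure.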
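Review bot: `CheckOverflowException`, added at the top of `MagickXMakeImage` in the second hunk, casts its `height` and `width` arguments without parenthesising them, so an expression argument would bind to the cast incorrectly. Writing it as `(((height) != 0) && ((length)/((size_t) (height)) != ((size_t) (width))))` removes that hazard. The macro is defined inside the function body and no `#undef` is visible, so it stays defined for the rest of the file; a `static` helper function would be type-checked and scoped. It would also help to document that the arguments are `int` fields of an `XImage`, so a negative value becomes a very large `size_t` in the comparison. The function body continues outside the hunk.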
@@ -5515,9 +5552,12 @@ MagickExport unsigned int MagickXMakeIma &segment_info[1],width,height); window->shared_memory&=(ximage != (XImage *) NULL); + length=(size_t) ximage->bytes_per_line*ximage->height; + if (CheckOverflowException(length,ximage->bytes_per_line,ximage->height)) + window->shared_memory=MagickFalse; + if (window->shared_memory) - segment_info[1].shmid=shmget(IPC_PRIVATE,(size_t) - (ximage->bytes_per_line*ximage->height),IPC_CREAT | 0777); + segment_info[1].shmid=shmget(IPC_PRIVATE,length,IPC_CREAT | 0777); window->shared_memory&=(segment_info[1].shmid >= 0); if (window->shared_memory) @@ -5626,12 +5666,12 @@ MagickExport unsigned int MagickXMakeIma } if (!window->shared_memory) { - if (ximage->format == XYBitmap) - ximage->data=MagickAllocateArray(char *, - ximage->height*ximage->depth,ximage->bytes_per_line); + if (ximage->format != XYBitmap) + ximage->data=(char *) AcquireQuantumMemory((size_t) + ximage->bytes_per_line,(size_t) ximage->height); else - ximage->data=MagickAllocateArray(char *, - ximage->height,ximage->bytes_per_line); + ximage->data=(char *) AcquireQuantumMemory((size_t) + ximage->bytes_per_line*ximage->depth,(size_t) ximage->height); } if (ximage->data == (char *) NULL) { @@ -5707,9 +5747,9 @@ MagickExport unsigned int MagickXMakeIma /* Allocate matte image pixel data. */ - length=matte_image->bytes_per_line* - matte_image->height*matte_image->depth; - matte_image->data=MagickAllocateMemory(char *,length); + matte_image->data=(char *) AcquireQuantumMemory((size_t) + matte_image->bytes_per_line*matte_image->depth, + (size_t) matte_image->height); if (matte_image->data == (char *) NULL) { XDestroyImage(matte_image);
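Review bot: The new `length=(size_t) ximage->bytes_per_line*ximage->height;` runs unconditionally, directly after `window->shared_memory&=(ximage != (XImage *) NULL);`, so a failed `XShmCreateImage` now leads to a NULL dereference. The old code only read `ximage` under `if (window->shared_memory)`. Wrapping the added `length` assignment and `CheckOverflowException` test in `if (window->shared_memory) { ... }` restores that guard, and `length` is still set whenever `shmget` is reached. Separately, the rewritten `shmget` line keeps mode `0777`, which leaves the pixel segment readable and writable by every local user; it is worth confirming whether the X server really needs more than owner access. The surrounding function starts and ends outside the hunk.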
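Review bot: In the XYBitmap branch, `(size_t) ximage->bytes_per_line*ximage->depth` is multiplied before `AcquireQuantumMemory` sees it, so only the final multiply by `height` is overflow-checked. Where `size_t` is 32 bits, that first product can wrap and produce an undersized buffer, which is the condition this patch is meant to close. The matte allocation in the last hunk has the same pattern with `matte_image->bytes_per_line*matte_image->depth`. Computing the row size into a local and testing it first, e.g. `if (CheckOverflowException(row,ximage->bytes_per_line,ximage->depth))`, and treating a hit as an allocation failure, would cover both sites. The enclosing function extends beyond these hunks, so later uses of the buffers are not visible here.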