
graphicsmagick-1.3.5-3.2mdv2009.1.src.rpm

diff -p -up GraphicsMagick-1.3.5/magick/xwindow.c.cve-2009-1882 GraphicsMagick-1.3.5/magick/xwindow.c
--- GraphicsMagick-1.3.5/magick/xwindow.c.cve-2009-1882	2008-11-07 12:36:04.000000000 -0500
+++ GraphicsMagick-1.3.5/magick/xwindow.c	2009-10-08 16:42:44.000000000 -0400
@@ -196,6 +196,40 @@ static int MagickShmDt(void *shmaddr)
 }
 #endif
 
+
+/*
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%  AcquireQuantumMemory() returns a pointer to a block of memory at least
+%  count * quantum bytes suitably aligned for any use.
+%
+%  The format of the AcquireQuantumMemory method is:
+%
+%      void *AcquireQuantumMemory(const size_t count,const size_t quantum)
+%
+%  A description of each parameter follows:
+%
+%    o count: the number of quantum elements to allocate.
+%
+%    o quantum: the number of bytes in each quantum.
+%
+%  NOTE: this was backported from 6.5.0.2 in order for patch for CVE-2009-1882 to work
+%
+*/
+MagickExport void *AcquireQuantumMemory(const size_t count,const size_t quantum)
+{
+  size_t
+    size;
+
+  size=count*quantum;
+  if ((count == 0) || (quantum != (size/count)))
+    {
+      errno=ENOMEM;
+      return((void *) NULL);
+    }
+  return(MagickMalloc(size));
+}
+
 /*
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %                                                                             %
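Review bot: AcquireQuantumMemory is added with `MagickExport`, yet every call this patch adds is inside xwindow.c, so it could be declared `static void *AcquireQuantumMemory(const size_t count,const size_t quantum)` and stay out of the library's exported symbols. Its header comment says it was backported from 6.5.0.2, so an exported symbol of the same name could clash if both libraries are loaded into one process. The block comment should also state the failure contract callers rely on, for example `Returns NULL with errno set to ENOMEM when count is zero or count*quantum overflows size_t.` The body uses `errno` and `ENOMEM`, and no `#include <errno.h>` is visible in this hunk, so confirm the file already includes it.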
@@ -5378,6 +5412,9 @@ MagickExport unsigned int MagickXMakeIma
   const MagickXResourceInfo *resource_info,MagickXWindowInfo *window,Image *image,
   unsigned int width,unsigned int height)
 {
+#define CheckOverflowException(length,width,height) \
+  (((height) != 0) && ((length)/((size_t) height) != ((size_t) width)))
+
   int
     depth,
     format;
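Review bot: The macro casts two of its parameters without parenthesising them, `(size_t) height` and `(size_t) width`, so for an argument such as `a+b` the cast would bind to `a` only; write `((size_t) (height))` and `((size_t) (width))`. It is defined inside MagickXMakeImage and no `#undef` is visible, so it appears to stay defined for the rest of the translation unit. A small `static` helper function, or an `#undef CheckOverflowException` at the end of the function, would keep it contained. The function body continues outside this hunk.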
@@ -5515,9 +5552,12 @@ MagickExport unsigned int MagickXMakeIma
         &segment_info[1],width,height);
       window->shared_memory&=(ximage != (XImage *) NULL);
 
+      length=(size_t) ximage->bytes_per_line*ximage->height;
+      if (CheckOverflowException(length,ximage->bytes_per_line,ximage->height))
+        window->shared_memory=MagickFalse;
+
       if (window->shared_memory)
-        segment_info[1].shmid=shmget(IPC_PRIVATE,(size_t)
-          (ximage->bytes_per_line*ximage->height),IPC_CREAT | 0777);
+        segment_info[1].shmid=shmget(IPC_PRIVATE,length,IPC_CREAT | 0777);
       window->shared_memory&=(segment_info[1].shmid >= 0);
 
       if (window->shared_memory)
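Review bot: The added `length=(size_t) ximage->bytes_per_line*ximage->height;` dereferences `ximage` unconditionally, but the context line just above folds `ximage != (XImage *) NULL` into `window->shared_memory`, which implies the image pointer can be NULL at this point. Before the patch the only dereference sat behind `if (window->shared_memory)`; the two added statements should be guarded the same way, by wrapping the `length=` assignment and the `CheckOverflowException` test in `if (window->shared_memory) { ... }`. The rewritten `shmget` line also keeps mode `0777`, which lets any local user attach to the segment. Whether a tighter mode is workable depends on how the X server attaches, which is not visible here. The enclosing block starts and ends outside the hunk.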
@@ -5626,12 +5666,12 @@ MagickExport unsigned int MagickXMakeIma
     }
   if (!window->shared_memory)
     {
-      if (ximage->format == XYBitmap)
-        ximage->data=MagickAllocateArray(char *,
-          ximage->height*ximage->depth,ximage->bytes_per_line);
+      if (ximage->format != XYBitmap)
+        ximage->data=(char *) AcquireQuantumMemory((size_t)
+          ximage->bytes_per_line,(size_t) ximage->height);
       else
-        ximage->data=MagickAllocateArray(char *,
-          ximage->height,ximage->bytes_per_line);
+        ximage->data=(char *) AcquireQuantumMemory((size_t)
+          ximage->bytes_per_line*ximage->depth,(size_t) ximage->height);
     }
   if (ximage->data == (char *) NULL)
     {
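Review bot: In the XYBitmap branch the count argument `(size_t) ximage->bytes_per_line*ximage->depth` is multiplied before AcquireQuantumMemory runs, so the helper's overflow test covers only that product times the height, not the product itself. Where `size_t` is 32 bits the inner multiplication can wrap, and an undersized buffer would then pass the check. The matte allocation in the next hunk has the same pattern (`matte_image->bytes_per_line*matte_image->depth`). Validate the inner product first with the macro this patch already adds: `length=(size_t) ximage->bytes_per_line*ximage->depth;` then `if (CheckOverflowException(length,ximage->bytes_per_line,ximage->depth))` treated as an allocation failure, passing `length` as the count otherwise. A one-line comment noting that the test was flipped to `!= XYBitmap` and the branches swapped would help readers comparing against the old code; the enclosing block starts and ends outside the hunk.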
@@ -5707,9 +5747,9 @@ MagickExport unsigned int MagickXMakeIma
             /*
               Allocate matte image pixel data.
             */
-            length=matte_image->bytes_per_line*
-              matte_image->height*matte_image->depth;
-            matte_image->data=MagickAllocateMemory(char *,length);
+            matte_image->data=(char *) AcquireQuantumMemory((size_t)
+              matte_image->bytes_per_line*matte_image->depth,
+              (size_t) matte_image->height);
             if (matte_image->data == (char *) NULL)
               {
                 XDestroyImage(matte_image);