Bug 1002207 - VUL-0: GraphicsMagick, ImageMagick: Buffer overflow in BMP & SGI coders
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Reported: 2016-09-30 12:10 UTC by Johannes Segitz
Modified: 2016-10-14 14:23 UTC (History)
Description Johannes Segitz 2016-09-30 12:10:19 UTC
Upstream fixed by 
commit 4cc6ec8a4197d4c008577127736bf7985d632323
Author: Cristy 
diff --git a/coders/bmp.c b/coders/bmp.c
index 85741e1..47aeae9 100644
--- a/coders/bmp.c
+++ b/coders/bmp.c
@@ -1682,10 +1682,13 @@ static MagickBooleanType WriteBMPImage(const ImageInfo *image_info,Image *image,
           bmp_info.file_size+=extra_size;
           bmp_info.offset_bits+=extra_size;
         }
+    if ((image->columns != (signed int) image->columns) ||
+        (image->rows != (signed int) image->rows))
+      ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit");
     bmp_info.width=(ssize_t) image->columns;
     bmp_info.height=(ssize_t) image->rows;
     bmp_info.planes=1;
-    bmp_info.image_size=(unsigned int) (bytes_per_line*image->rows);
+    bmp_info.image_size=(unsigned long) (bytes_per_line*image->rows);
     bmp_info.file_size+=bmp_info.image_size;
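Review bot: The new range check at the top of the hunk relies on `(signed int) image->columns` round-tripping to a different value, which is implementation-defined in C once the value exceeds INT_MAX; an explicit `if ((image->columns > INT_MAX) || (image->rows > INT_MAX))` states the intent and is portable. The widened cast on `bmp_info.image_size` only changes the C-side type and does not bound `bytes_per_line*image->rows` to what the 32-bit BMP biSizeImage header field can represent, so a product above UINT32_MAX still does not fit when the header is serialised; check the product against that limit and throw the same WidthOrHeightExceedsLimit exception before assigning it.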

and
commit 7afcf9f71043df15508e46f079387bd4689a738d
Author: Cristy 
diff --git a/coders/sgi.c b/coders/sgi.c
index cd8c2b6..1fe65e6 100644
--- a/coders/sgi.c
+++ b/coders/sgi.c
@@ -354,13 +354,15 @@ static Image *ReadSGIImage(const ImageInfo *image_info,ExceptionInfo *exception)
     image->rows=iris_info.rows;
     image->depth=(size_t) MagickMin(iris_info.depth,MAGICKCORE_QUANTUM_DEPTH);
     if (iris_info.pixel_format == 0)
-      image->depth=(size_t) MagickMin((size_t) 8*
-        iris_info.bytes_per_pixel,MAGICKCORE_QUANTUM_DEPTH);
+      image->depth=(size_t) MagickMin((size_t) 8*iris_info.bytes_per_pixel,
+        MAGICKCORE_QUANTUM_DEPTH);
     if (iris_info.depth < 3)
       {
         image->storage_class=PseudoClass;
         image->colors=iris_info.bytes_per_pixel > 1 ? 65535 : 256;
       }
+    if (EOFBlob(image) != MagickFalse)
+      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     if ((image_info->ping != MagickFalse)  && (image_info->number_scenes != 0))
       if (image->scene >= (image_info->scene+image_info->number_scenes-1))
         break;
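Review bot: The EOFBlob check is placed after iris_info.depth and iris_info.bytes_per_pixel have already been used to set image->depth, image->storage_class and image->colors; move it to directly after the header fields are read so a truncated header throws ImproperImageHeader before any derived state is set from unread bytes. The re-wrapping of the MagickMin line changes no behaviour and would be cleaner split out of a security fix so the diff shows only the added check.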

GraphicsMagick and ImageMagick need 4cc6ec8a4197d4c008577127736bf7985d632323.

7afcf9f71043df15508e46f079387bd4689a738d seems only to apply to ImageMagick.
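The BMP fix above works because the on-disk BMP header has signed 32-bit width/height fields and an unsigned 32-bit biSizeImage field, while ImageMagick's image->columns and image->rows are size_t. The following is an added example, not code from ImageMagick, GraphicsMagick or this bug report, showing the explicit range and overflow checks a BMP writer needs before filling those fields, next to the unchecked truncating pattern the patch replaces. bmp_row_bytes, bmp_image_size and bmp_image_size_unchecked are hypothetical helper names.

```c
/* Added example (not ImageMagick/GraphicsMagick code): dimension and size
 * checks for a BMP writer. Helper names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Limits come from the BMP file format: biWidth/biHeight are int32,
 * biSizeImage is uint32. */
#define BMP_DIM_MAX  ((size_t)INT32_MAX)
#define BMP_SIZE_MAX ((size_t)UINT32_MAX)

/* Bytes per scanline: rows are padded to a multiple of 4 bytes.
 * Returns 0 when the width is out of range or the bit count overflows. */
static size_t bmp_row_bytes(size_t columns, unsigned bits_per_pixel)
{
    if (bits_per_pixel == 0 || bits_per_pixel > 32 || columns > BMP_DIM_MAX)
        return 0;
    /* columns * bits_per_pixel + 31 must fit in size_t (matters on 32-bit builds). */
    if (columns > (SIZE_MAX - 31) / bits_per_pixel)
        return 0;
    size_t bits = columns * bits_per_pixel;
    return ((bits + 31) / 32) * 4;
}

/* Validate dimensions and compute biSizeImage. Returns false wherever the
 * naive (uint32_t)(bytes_per_line * rows) cast would silently truncate. */
static bool bmp_image_size(size_t columns, size_t rows, unsigned bits_per_pixel,
                           uint32_t *image_size)
{
    if (columns == 0 || rows == 0)
        return false;
    /* Explicit comparison instead of an implementation-defined
     * (signed int) round-trip. */
    if (columns > BMP_DIM_MAX || rows > BMP_DIM_MAX)
        return false;
    size_t bytes_per_line = bmp_row_bytes(columns, bits_per_pixel);
    if (bytes_per_line == 0)
        return false;
    /* rows * bytes_per_line must fit in the 32-bit biSizeImage field. */
    if (rows > BMP_SIZE_MAX / bytes_per_line)
        return false;
    *image_size = (uint32_t)(rows * bytes_per_line);
    return true;
}

/* The pre-fix pattern, for contrast: no range check, truncating cast. */
static uint32_t bmp_image_size_unchecked(size_t columns, size_t rows,
                                         unsigned bits_per_pixel)
{
    size_t bytes_per_line = ((columns * bits_per_pixel + 31) / 32) * 4;
    return (uint32_t)(bytes_per_line * rows);
}

int main(void)
{
    uint32_t size;
    /* Constructed inputs: a small 24-bit image and a 65536x65536 32-bit image. */
    printf("100x10x24: %s (%u bytes)\n",
           bmp_image_size(100, 10, 24, &size) ? "ok" : "rejected", size);
    printf("65536x65536x32: %s, unchecked cast gives %u\n",
           bmp_image_size(65536, 65536, 32, &size) ? "ok" : "rejected",
           bmp_image_size_unchecked(65536, 65536, 32));
    return 0;
}
```

The checked version rejects the 65536x65536 case outright, whereas the unchecked cast yields 0 for biSizeImage and the header then disagrees with the pixel data that follows it.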
Comment 1 Swamp Workflow Management 2016-09-30 22:00:23 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-10-11 11:10:27 UTC
As far as I can see:

4cc6ec8a4197d4c008577127736bf7985d632323

is fix for CVE-2016-6823 (bug 1001066).

7afcf9f71043df15508e46f079387bd4689a738d

is fix for CVE-2016-7101 (bug 1001221).
Comment 3 Petr Gajdos 2016-10-13 13:39:47 UTC
I believe all fixed.
Comment 4 Johannes Segitz 2016-10-14 13:31:30 UTC
tracked in the two other bugs