ImageMagick-6.9.6-7差分

ImageMagick-6.9.6-6差分 - yoyaのメモの続き

The latest release of ImageMagick is version 6.9.6-7

まとめ

差分

圧縮 TIFF 書き込み時に起こりうるバッファオーバーフローの修正 (Cisco Talos による脆弱性レポート, CVE-2016-8707).

ChangeLog にないもの
  • Magick++ の STL が大量に書き換えられてる
    • Magick++/lib/Magick++/STL.h
      • std::unary_function の継承を外した
47c47
<   class MagickPPExport adaptiveBlurImage : public std::unary_function<Image&,void>
---
>   class MagickPPExport adaptiveBlurImage
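Review bot: Removing the `std::unary_function<Image&,void>` base also removes the nested `argument_type` and `result_type` typedefs it supplied, so user code that names those typedefs or passes these functors to the legacy function adaptors would stop compiling. The removal itself is sound, since `std::unary_function` was deprecated in C++11 and removed in C++17. If source compatibility with existing callers matters, declare the typedefs directly in each class, e.g. `typedef Image& argument_type; typedef void result_type;`. The class body is outside this hunk, and the same point applies to the repeated listing of this hunk further down and to the other functor classes the page says were changed the same way.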
<以下沢山>
ChangeLog の分
1157c1157
<     *pixels;
---
>     *tiff_pixels;
1584c1584
<     if ((samples_per_pixel >= 2) && (interlace == PLANARCONFIG_CONTIG))
---
>     if ((samples_per_pixel >= 3) && (interlace == PLANARCONFIG_CONTIG))
1586c1586
<     if ((samples_per_pixel >= 2) && (interlace == PLANARCONFIG_SEPARATE))
---
>     if ((samples_per_pixel >= 4) && (interlace == PLANARCONFIG_SEPARATE))
1609c1609,1615
<     pixels=GetQuantumPixels(quantum_info);
---
>     tiff_pixels=(unsigned char *) AcquireMagickMemory(TIFFScanlineSize(tiff)+
>       sizeof(uint32));
>     if (tiff_pixels == (unsigned char *) NULL)
>       {
>         TIFFClose(tiff);
>         ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
>       }
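Review bot: The buffer acquired here is `TIFFScanlineSize(tiff)+sizeof(uint32)` bytes, but the later hunks at 1864c1867 and 1870c1873 pass the same `tiff_pixels` to `TIFFReadRGBAStrip(tiff,(tstrip_t) y,(uint32 *) tiff_pixels)` and index it as `((uint32 *) tiff_pixels)+image->columns*i`. That use needs room for a whole strip of 32-bit RGBA pixels, not one scanline in the file's native sample layout. For an image with few samples or a low bit depth the scanline size can be much smaller than a strip, so unless the strip branch resizes the buffer in lines not shown, this is a heap write past the allocation whose extent is set by the file's header fields. Size the allocation for the largest consumer, or give the strip branch its own buffer via `AcquireQuantumMemory(image->columns, <rows per strip>*sizeof(uint32))` with a NULL check, as the tile branch already does for `tile_pixels`. The rest of the function lies outside these hunks.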
1646d1651
<         pixels=GetQuantumPixels(quantum_info);
1655c1660
<           status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) pixels);
---
>           status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels);
1662c1667
<             quantum_type,pixels,exception);
---
>             quantum_type,tiff_pixels,exception);
1703d1707
<         pixels=GetQuantumPixels(quantum_info);
1712c1716
<           status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) pixels);
---
>           status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels);
1719c1723
<             quantum_type,pixels,exception);
---
>             quantum_type,tiff_pixels,exception);
1748c1752
<               pixels);
---
>               tiff_pixels);
1774c1778
<               quantum_type,pixels,exception);
---
>               quantum_type,tiff_pixels,exception);
1790d1793
<         pixels=GetQuantumPixels(quantum_info);
1808c1811
<           status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) pixels);
---
>           status=TIFFReadPixels(tiff,bits_per_sample,0,y,(char *) tiff_pixels);
1815c1818
<           p=pixels;
---
>           p=tiff_pixels;
1864c1867
<               if (TIFFReadRGBAStrip(tiff,(tstrip_t) y,(uint32 *) pixels) == 0)
---
>               if (TIFFReadRGBAStrip(tiff,(tstrip_t) y,(uint32 *) tiff_pixels) == 0)
1870c1873
<           p=((uint32 *) pixels)+image->columns*i;
---
>           p=((uint32 *) tiff_pixels)+image->columns*i;
1923,1924c1926,1927
<         tile_pixels=(uint32 *) AcquireQuantumMemory(columns,
<           rows*sizeof(*tile_pixels));
---
>         tile_pixels=(uint32 *) AcquireQuantumMemory(columns,rows*
>            sizeof(*tile_pixels));
2080a2084
>     tiff_pixels=(unsigned char *) RelinquishMagickMemory(tiff_pixels);
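Review bot: This is the only release of `tiff_pixels` in the listing and it sits on the normal exit path near line 2084, while the buffer is acquired near line 1609. Any `ThrowReaderException` or early return between those points would leave the buffer allocated, for example the failure path of the `tile_pixels` allocation near line 1926, whose check is not shown. Confirm that each such exit runs `tiff_pixels=(unsigned char *) RelinquishMagickMemory(tiff_pixels);` first, because in a long-running service that decodes untrusted files the leak accumulates per rejected image.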
ChangeLogにない差分
  • Magick++ の STL が大量に書き換えられてる
    • Magick++/lib/Magick++/STL.h
47c47
<   class MagickPPExport adaptiveBlurImage : public std::unary_function<Image&,void>
---
>   class MagickPPExport adaptiveBlurImage
<以下沢山>
  • coders/gif.c
    • 今のところ p は参照されてないので動作に影響ない。
674c674,677
<       waiting_code=(short) (*indexes);
---
>       {
>         waiting_code=(short) (*indexes);
>         p++;
>       }
  • magick/accelerate.c
    • メモリ取得失敗チェックで調べる変数が間違っていたのを修正 (imageBuffer → filteredImageBuffer)
4889c4889
<     if (imageBuffer == (cl_mem) NULL)
---
>     if (filteredImageBuffer == (cl_mem) NULL)
4892c4892
  • magick/blob.c
132d131
<     immutable,
212d210
<   blob_info->immutable=MagickTrue;
460d457
<   clone_info->immutable=blob_info->immutable;
700d696
<   blob_info->immutable=MagickFalse;
4024c4020
<       if (image->blob->immutable != MagickFalse)
---
>       if (image->blob->mapped != MagickFalse)
  • magick/compare.c
    • 回りくどく clone_image 経由で difference_image を作ってたのを直接作るように。(リファイン)
  • SetImageAlphaChannel の追加
168a169
>     *clone_image,
204c205,209
<   difference_image=CloneImage(image,0,0,MagickTrue,exception);
---
>   clone_image=CloneImage(image,0,0,MagickTrue,exception);
>   if (clone_image == (Image *) NULL)
>     return((Image *) NULL);
>   difference_image=CloneImage(clone_image,0,0,MagickTrue,exception);
>   clone_image=DestroyImage(clone_image);
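Review bot: The `>` side of this hunk clones `image` into `clone_image`, clones that again into `difference_image`, and destroys the intermediate immediately; nothing in the visible lines modifies `clone_image` between the two `CloneImage` calls, so the extra full-image copy looks like pure cost. If the intermediate is required for a reason outside the hunk, say so in a comment such as `/* clone twice: <reason> */`; otherwise clone `image` directly. Also note that the second `CloneImage` result is not checked within these lines, and that the annotation above the listing describes the change in the opposite direction (indirect to direct, `SetImageAlphaChannel` added), so verify which file was on which side of this diff before relying on it.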
206a212
>   (void) SetImageMask(difference_image,(Image *) NULL);
223c229
<   (void) SetImageAlphaChannel(highlight_image,OpaqueAlphaChannel);
---
>   (void) SetImageMask(highlight_image,(Image *) NULL);

ChangeLog

2016-12-05  6.9.6-7 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 6.9.6-7, GIT revision 11188:668b60c:20161205.

2016-12-02  6.9.6-7 Cristy  <quetzlzacatenango@image...>
  * Fix possible buffer overflow when writing compressed TIFFS (vulnerability
    report from Cisco Talos, CVE-2016-8707).