ImageMagick-6.9.10-11差分

ImageMagick-6.9.10-10差分 - yoyaのメモの続き

The latest release of ImageMagick is version 6.9.10-11

まとめ

  • OSS Fuzz による修正。
  • module security policy 対応
気になる事
  • geometry の width パース処理に : が追加されてる。アスペクト指定っぽい。
  • GetMagickProperty の printsize.x, printsize.y 対応。(縦や横のサイズに resolution 乗算した値を出す)

差分

  • 多くの修正。未初期化変数の利用、整数オーバーフロウ、メモリはみ出し、タイムアウト。 (OSS Fuzz クレジット)
  • "module" security policy 対応。
ChangeLogにない差分
  • coders/bmp.c
    • number_colors より データサイズが小さい時は明らかにおかしいのでエラー
    • (coders/caption.c) UndefinedGravity の時に metrics.bounds.y2 も参照
    • (coders/dcm.c) 読み込み長がデータサイズを超えたらエラー
672a673,674
>         if (bmp_info.number_colors > GetBlobSize(image))
>           ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
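Review bot: The new guard compares a colour-map entry count with a byte count, so it only rejects a file whose `number_colors` exceeds the entire blob size. Each colour-map entry occupies more than one byte, so a count several times too large for the file still passes here and has to be caught by a later short read. If the per-entry size is known at this point (it is not visible in the hunk), a tighter form would be `if ((MagickSizeType) bmp_info.number_colors*BYTES_PER_ENTRY > GetBlobSize(image))`, where BYTES_PER_ENTRY is a placeholder for that size.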
diff -rBw ImageMagick-6.9.10-10/coders/caption.c ImageMagick-6.9.10-11/coders/caption.c
293c293
<     UndefinedGravity ? metrics.ascent : 0.0);
---
>     UndefinedGravity ? MagickMax(metrics.ascent,metrics.bounds.y2) : 0.0);
diff -rBw ImageMagick-6.9.10-10/coders/dcm.c ImageMagick-6.9.10-11/coders/dcm.c
3866a3867,3868
>           if (length > (size_t) GetBlobSize(image))
>             ThrowDCMException(CorruptImageError,"InsufficientImageDataInFile");
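Review bot: Casting `GetBlobSize(image)` down to `size_t` narrows the blob size on builds where `size_t` is smaller than `MagickSizeType`, so a very large blob can be mis-measured before the comparison. Widening the other operand keeps the full value: `if ((MagickSizeType) length > GetBlobSize(image))`. The pict.c check on this page compares `length` with `GetBlobSize(image)` without any cast, so the two readers are also inconsistent. The declaration of `length` is outside the hunk.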
  • coders/gradient.c
    • ReadXCImage の実装。
    • 読み込みでデータサイズをはみ出る所にエラー処理追加
    • 負値が暗黙の型変換で正数にひっくり返る可能性を排除するキャスト
    • その他、暗黙の型変換で警告が出る箇所の対処
93a94,173
>
> static Image *ReadXCImage(const ImageInfo *image_info,ExceptionInfo *exception)
<関数の中身>
<         if ((f > 0) && ((f+GetPixelBlue(q)) < QuantumRange))
---
>         if ((f+GetPixelBlue(q)) < QuantumRange)
297c297
<         if ((f > 0) && (f < GetPixelGreen(q)) && (f < GetPixelRed(q)))
---
>         if (f < GetPixelGreen(q))
1130c1130,1132
<     (void) ReadBlob(image2, 4, (unsigned char *) &size);     /* data size */
---
>     /* data size */
>     if (ReadBlob(image2, 4, (unsigned char *) &size) != 4)
>       goto MATLAB_KO;
diff -rBw ImageMagick-6.9.10-10/coders/pcx.c ImageMagick-6.9.10-11/coders/pcx.c
411c411
<     if ((MagickSizeType) (pcx_packets/8) > GetBlobSize(image))
---
>     if ((MagickSizeType) (pcx_packets/10) > GetBlobSize(image))
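Review bot: The divisor in this size check is an unexplained constant, and moving it from 8 to 10 makes the check accept smaller files for the same `pcx_packets`. Since this is the only gate visible here between a header-declared packet count and the allocation or read that follows outside the hunk, the assumption behind the number should be written down. A comment such as `/* a file smaller than pcx_packets/10 bytes cannot hold the image even at the best expected compression */` would let a reader tell whether 10 is a derived bound or a tuning value.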
diff -rBw ImageMagick-6.9.10-10/coders/pgx.c ImageMagick-6.9.10-11/coders/pgx.c
368,369c368,369
<   (void) FormatLocaleString(buffer,MaxTextExtent,"PG ML + %ld %lu %lu\n",
<     image->depth,image->columns,image->rows);
---
>   (void) FormatLocaleString(buffer,MaxTextExtent,"PG ML + %g %g %g\n",
>     (double) image->depth,(double) image->columns,(double) image->rows);
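Review bot: `%g` prints only six significant digits by default, so once `image->columns` or `image->rows` reaches seven digits the header is written in rounded exponent form (1234567 becomes `1.23457e+06`) and the file no longer carries its true dimensions. Keeping the double casts but widening the precision avoids that: `"PG ML + %.20g %.20g %.20g\n"`. The cast does fix the original mismatch between `%ld`/`%lu` and the argument types, so only the conversion specifier needs changing.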
diff -rBw ImageMagick-6.9.10-10/coders/pict.c ImageMagick-6.9.10-11/coders/pict.c
993a994,996
>             if (length > GetBlobSize(image))
>               ThrowPICTException(CorruptImageError,
>                 "InsufficientImageDataInFile");
<以下 length チェックが沢山>
433,434c433,434
<   color.red=background;
<   SetImageColor(complete_mask,&color);
---
>   color.red=(MagickRealType) background;
>   (void) SetImageColor(complete_mask,&color);
473c473
<       alpha=GetPixelAlpha(q);
---
>       alpha=(MagickRealType) GetPixelAlpha(q);
507c507
<   key[8]=layer_info->mask.background;
---
>   key[8]=(char) layer_info->mask.background;
<大量なので略>
  • magick/constitute.c
    • ReadImage を整理して、一部の処理を IsCoderAuthorized 関数に分離
49a50
> #include "magick/coder.h"
399a401,414
>
> static MagickBooleanType IsCoderAuthorized(const char *coder,
>   const PolicyRights rights,ExceptionInfo *exception)
> {
>   if (IsRightsAuthorized(CoderPolicyDomain,rights,coder) == MagickFalse)
>     {
>       errno=EPERM;
>       (void) ThrowMagickException(exception,GetMagickModule(),PolicyError,
>         "NotAuthorized","`%s'",coder);
>       return(MagickFalse);
>     }
>   return(MagickTrue);
> }
>
  • magick/draw.c
    • RenderMVGContent , DrawBoundingRectangles の追加
195c195,196
<   DrawStrokePolygon(Image *,const DrawInfo *,const PrimitiveInfo *);
---
>   DrawStrokePolygon(Image *,const DrawInfo *,const PrimitiveInfo *),
>   RenderMVGContent(Image *,const DrawInfo *,const size_t);
  • magick/geometry.c
    • geometry の区切りに : を追加
232c232,233
<       if ((c == 215) || (*q == 'x') || (*q == 'X') || (*q == '\0'))
---
>       if ((c == 215) || (*q == 'x') || (*q == 'X') || (*q == ':') ||
>           (*q == '\0'))
252c253
<       if ((c == 215) || (*p == 'x') || (*p == 'X'))
---
>       if ((c == 215) || (*p == 'x') || (*p == 'X') || (*p == ':'))
991,992c992,993
<   if ((c == 215) || (*q == 'x') || (*q == 'X') || (*q == ',') ||
<       (*q == '/') || (*q == ':') || (*q =='\0'))
---
>   if ((c == 215) || (*q == 'x') || (*q == 'X') || (*q == ':') ||
>       (*q == ',') || (*q == '/') || (*q =='\0'))
1010,1011c1011,1012
<   if ((c == 215) || (*p == 'x') || (*p == 'X') || (*p == ',') || (*p == '/') ||
<       (*p == ':'))
---
>   if ((c == 215) || (*p == 'x') || (*p == 'X') || (*p == ':') || (*p == ',') ||
>       (*p == '/'))
1020,1021c1021,1022
<       if (((c != 215) && (*q != 'x') && (*q != 'X')) || ((*p != '+') &&
<           (*p != '-')))
---
>       if (((c != 215) && (*q != 'x') && (*q != 'X') && (*q != ':')) ||
>           ((*p != '+') && (*p != '-')))
  • magick/list.c
    • CloneImages でコマ数の first と last を実際のコマ数に収まるようにクランプ。
258a260,261
>     first=MagickMin(MagickMax(first,0),length);
>     last=MagickMin(MagickMax(last,0),length);
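Review bot: Both clamps use `length` as the upper bound, so an index equal to the list length is still accepted. If `first` and `last` are zero-based scene indices (the loop that consumes them is outside this hunk), the last valid value is `length-1` and the bound looks one too high, though a plain `length-1` would need a guard for an empty list. The macros also compare a signed index with `length`, whose declaration is not visible here; if it is unsigned, writing `(ssize_t) length` keeps the comparison and the assigned result in one signedness.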
49c49
#if MAGICKCORE_SIZEOF_FLOAT_T == 0
typedef float MagickFloatType;
#elif (MAGICKCORE_SIZEOF_FLOAT_T == MAGICKCORE_SIZEOF_FLOAT)
typedef float MagickFloatType;
#elif (MAGICKCORE_SIZEOF_FLOAT_T == MAGICKCORE_SIZEOF_DOUBLE)
typedef double MagickFloatType;
#elif (MAGICKCORE_SIZEOF_FLOAT_T == MAGICKCORE_SIZEOF_LONG_DOUBLE)
< typedef long double MagickFloatType;
> typedef double MagickFloatType;
#else
#error Your MagickFloatType type is neither a float, nor a double, nor a long double
#endif
#if MAGICKCORE_SIZEOF_DOUBLE_T == 0
typedef double MagickDoubleType;
#elif (MAGICKCORE_SIZEOF_DOUBLE_T == MAGICKCORE_SIZEOF_DOUBLE)
typedef double MagickDoubleType;
#elif (MAGICKCORE_SIZEOF_DOUBLE_T == MAGICKCORE_SIZEOF_LONG_DOUBLE)
< typedef long double MagickDoubleType;
> typedef double MagickDoubleType;
#else
#error Your MagickDoubleType type is neither a float, nor a double, nor a long double
#endif
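Review bot: After this change the branch selected when `MAGICKCORE_SIZEOF_FLOAT_T == MAGICKCORE_SIZEOF_LONG_DOUBLE` defines `MagickFloatType` as `double`, so the typedef no longer has the size the condition just tested; the `MagickDoubleType` branch has the same mismatch. If the narrowing is deliberate, it should be stated next to each typedef, for example `/* float_t is long double on this target; double is used on purpose */`. Without that comment the two lines read as a copy-paste slip, and any code that assumes these types match `float_t`/`double_t` in size would be wrong on such targets.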
  • magick/module.c
    • Module Policy の実装色々。
984a985,992
<沢山>
  • magick/policy.h
    • Module Policy の機能有効化
37c37,38
<   CachePolicyDomain
---
>   CachePolicyDomain,
>   ModulePolicyDomain
  • magick/property.c
    • GetMagickProperty の printsize.x, printsize.y 対応
3277a3278,3291
>       if (LocaleCompare("printsize.x",property) == 0)
>         {
>           (void) FormatLocaleString(value,MagickPathExtent,"%.*g",
>             GetMagickPrecision(),PerceptibleReciprocal(image->x_resolution)*
>               image->columns);
>           break;
>         }
>       if (LocaleCompare("printsize.y",property) == 0)
>         {
>           (void) FormatLocaleString(value,MagickPathExtent,"%.*g",
>             GetMagickPrecision(),PerceptibleReciprocal(image->y_resolution)*
>               image->rows);
>           break;
>         }
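Review bot: Both new properties multiply by `PerceptibleReciprocal(image->x_resolution)` (or `y_resolution`), which does not fail for a zero resolution but returns a very large reciprocal. An image with no resolution set therefore reports an enormous print size instead of an empty or undefined value. If that is intended, a comment on each branch such as `/* resolution 0 (unset) yields a very large value, not an error */` would document it; otherwise the unset case needs an explicit branch. The buffer `value` is declared outside the hunk, so whether `MagickPathExtent` matches its declared size cannot be confirmed from here.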
  • magick/static.c
    • RegisterStaticModule での ModulePolicyDomain チェック
380a381,383
>   PolicyRights
>     rights;
>
394a398,405
>   rights=ReadPolicyRights;
>   if (IsRightsAuthorized(ModulePolicyDomain,rights,module) == MagickFalse)
>     {
>       errno=EPERM;
>       (void) ThrowMagickException(exception,GetMagickModule(),PolicyError,
>         "NotAuthorized","`%s'",module);
>       return(MagickFalse);
>     }
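Review bot: The module policy check hard-codes `rights=ReadPolicyRights`, so a policy entry that withdraws only write or execute rights for a module would, as far as this hunk shows, not stop the module from being registered. If the module domain is meant to be all-or-nothing, a comment such as `/* module policy: any module use is treated as a read */` should say so; otherwise the rights passed here should cover what the policy can deny. The denial block duplicates the one in `IsCoderAuthorized` from the constitute.c hunk on this page and could share a helper that takes the domain. The enclosing function starts and ends outside the hunk.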
  • token.c
    • UTFCode 周りの大改造
46a47
> #include "magick/image-private.h"
507c508,511
<         register const char
---
>         char
>           *target;
>
>         register char
510c514,516
<         pattern+=GetUTFOctets(pattern);
---
>         target=AcquireString(pattern);
>         p=target;
>         pattern++;
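Review bot: `target=AcquireString(pattern)` adds a heap copy in this branch, and no matching `DestroyString(target)` is visible in the excerpt, which is abbreviated right after this hunk. Every exit from the enclosing block, including early returns and breaks, has to release `target`, or each match attempt leaks a copy of the pattern. The advance also changes from `pattern+=GetUTFOctets(pattern)` to `pattern++`, a single byte, so the code that follows must not assume `pattern` sits on a code-point boundary; a short comment on why a byte step is safe here would help.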
<大量に略>
  • wand/mogrify.c
    • QueryColorDatabase, GetOneVirtualMagickPixel を QueryMagickColor にまとめた。リファイン。
1640,1642c1640
<             (void) QueryColorDatabase(argv[i+2],&draw_info->fill,exception);
<             (void) GetOneVirtualMagickPixel(*image,geometry.x,geometry.y,
<               &target,exception);
---
>             (void) QueryMagickColor(argv[i+2],&target,exception);
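Review bot: The result of `QueryMagickColor` is discarded, so an unparsable colour in `argv[i+2]` leaves `target` in whatever state the call left it and the operation still runs. The return value should be checked and the operation skipped when it is `MagickFalse`. The hunk also drops the assignment to `draw_info->fill` and the pixel lookup at `geometry.x,geometry.y`, so `target` now comes from the colour argument rather than from the image. That is a behaviour change rather than a pure tidy-up and deserves a comment at the call site.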

ChangeLog

2018-08-27  6.9.10-11 Cristy  <quetzlzacatenango@image...>
  * Release ImageMagick version 6.9.10-11, GIT revision 13802:5198c3b80:20180828

2018-08-15  6.9.10-11 Cristy  <quetzlzacatenango@image...>
  * Fixed numerous use of uninitialized values, integer overflow, memory
    exceeded, and timeouts (credit to OSS Fuzz).
  * Add support for "module" security policy.