Package: imagemagick
Version: 6:6.0.6.2-2.4
Severity: normal
Tags: patch
In libMagick, DisplayImageCommand first allocates an image index array
with a size based on argc and then expands arguments containing glob
patterns, which may result in an increase of argc. However, the image index
array is never enlarged to match.
The image index array should be allocated after the expansion of
arguments.
-- System Information:
Debian Release: 3.1
Architecture: powerpc (ppc)
Kernel: Linux 2.6.14-2-powerpc
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Message-Id: <email address hidden> 1?q?H=E4kkinen? = <email address hidden>
Date: Mon, 2 Jan 2006 06:09:05 +0200
From: Eero =?iso-8859-
To: Debian Bug Tracking System <email address hidden>
Subject: libmagick: array index overflow in DisplayImageCommand
--Boundary- 00=_ndKuDHx03Vz t5NF "iso-8859- 1" Transfer- Encoding: 7bit Disposition: inline
Content-Type: text/plain;
charset=
Content-
Content-
Package: imagemagick
Version: 6:6.0.6.2-2.4
Severity: normal
Tags: patch
In libMagick, DisplayImageCommand first allocates an image index array
with a size based on argc and then expands arguments containing glob
patterns which may result an increase of argc. However, the image index
array is not increased in any case.
The image index array should be allocated after the expansion of
arguments.
-- System Information: fi_FI.UTF- 8 (charmap=UTF-8)
Debian Release: 3.1
Architecture: powerpc (ppc)
Kernel: Linux 2.6.14-2-powerpc
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=
--Boundary- 00=_ndKuDHx03Vz t5NF "iso-8859- 1"; "imagemagick- 6.0.6.2. patch" Transfer- Encoding: 7bit Disposition: attachment; "imagemagick- 6.0.6.2. patch"
Content-Type: text/x-diff;
charset=
name=
Content-
Content-
filename=
--- imagemagick- 6.0.6.2. orig/magick/ display. c 2006-01-02 03:38:04.000000000 +0200 6.0.6.2/ magick/ display. c 2006-01-02 03:38:04.000000000 +0200 (unsigned long *) mory((argc+ 1)*sizeof( *image_ marker) ); i]=(unsigned long) argc; (unsigned long *) NULL; database= (XrmDatabase) NULL; ry(&resource_ info,0, sizeof( resource_ info)); name=(char *) NULL; eption( ResourceLimitEr ror,"MemoryAllo cationFailed" , ayException( ResourceLimitEr ror,"MemoryAllo cationFailed" ,
strerror( errno)) ; (unsigned long *) mory((argc+ 1)*sizeof( *image_ marker) ); i]=(unsigned long) argc; eption( ResourceLimitEr ror,"MemoryAllo cationFailed" ,
+++ imagemagick-
@@ -1822,18 +1822,12 @@
image_number=0;
last_image=0;
last_scene=0;
- image_marker=
- AcquireMagickMe
- for (i=0; i <= argc; i++)
- image_marker[
+ image_marker=
option=(char *) NULL;
resource_
(void) ResetMagickMemo
server_
state=0;
- if (image_marker == (unsigned long *) NULL)
- ThrowDisplayExc
- strerror(errno));
/*
Check for server name specified on the command line.
*/
@@ -1842,6 +1836,13 @@
if (status == MagickFalse)
ThrowDispl
+ image_marker=
+ AcquireMagickMe
+ for (i=0; i <= argc; i++)
+ image_marker[
+ if (image_marker == (unsigned long *) NULL)
+ ThrowDisplayExc
+ strerror(errno));
for (i=1; i < (long) argc; i++)
{
/*
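Review bot: The relocated allocation in this hunk is still written through before it is checked, because the `for (i=0; i <= argc; i++)` loop that fills `image_marker[i]` sits ahead of `if (image_marker == (unsigned long *) NULL)`, so a failed allocation is dereferenced before the exception is thrown. Placing the NULL test and its throw directly after the allocation, and only then running the initialisation loop, closes that gap while keeping the array sized from the post-expansion argc. The last hunk of the 6.2.4 patch has the same ordering and needs the same change. The hunk lines are truncated in this rendering and the enclosing function starts and ends outside the hunk, so the exact allocation expression should be confirmed against the original attachment.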
--Boundary- 00=_ndKuDHx03Vz t5NF "iso-8859- 1"; "imagemagick- 6.2.4.patch" Transfer- Encoding: 7bit Disposition: attachment; "imagemagick- 6.2.4.patch"
Content-Type: text/x-diff;
charset=
name=
Content-
Content-
filename=
--- ImageMagick- 6.2.4.orig/ magick/ display. c 2005-09-10 06:43:05.000000000 +0300 6.2.4/magick/ display. c 2005-09-10 06:43:05.000000000 +0300 (unsigned long *) mory((argc+ 1)*sizeof( *image_ marker) ); i]=(unsigned long) argc; (unsigned long *) NULL; MagickFalse; database= (XrmDatabase) NULL; name=(char *) NULL; MagickTrue; eption( ResourceLimitEr ror,"MemoryAllo cationFailed" , ayException( ResourceLimitEr ror,"MemoryAllo cationFailed" ,
strerror( errno)) ; (unsigned long *) mory((argc+ 1)*sizeof( *image_ marker) ); i]=(unsigned long) argc; eption( ResourceLimitEr ror,"MemoryAllo cationFailed" ,
+++ ImageMagick-
@@ -1841,10 +1841,7 @@
image_number=0;
last_image=0;
last_scene=0;
- image_marker=
- AcquireMagickMe
- for (i=0; i <= argc; i++)
- image_marker[
+ image_marker=
option=(char *) NULL;
pend=
resource_
@@ -1852,9 +1849,6 @@
server_
state=0;
status=
- if (image_marker == (unsigned long *) NULL)
- ThrowDisplayExc
- strerror(errno));
/*
Check for server name specified on the command line.
*/
@@ -1863,6 +1857,13 @@
if (status == MagickFalse)
ThrowDispl
+ image_marker=
+ AcquireMagickMe
+ for (i=0; i <= argc; i++)
+ image_marker[
+ if (image_marker == (unsigned long *) NULL)
+ ThrowDisplayExc
+ strerror(errno));
for (i=1; i < (long) argc; i++)
{
/*
--Boundary- 00=_ndKuDHx03Vz t5NF--