Comment 4 for bug 28042

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 2 Jan 2006 06:09:05 +0200
From: Eero =?iso-8859-1?q?H=E4kkinen?= <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libmagick: array index overflow in DisplayImageCommand

--Boundary-00=_ndKuDHx03Vzt5NF
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: imagemagick
Version: 6:6.0.6.2-2.4
Severity: normal
Tags: patch

In libMagick, DisplayImageCommand first allocates an image index array
with a size based on argc and then expands arguments containing glob
patterns, which may result in an increase of argc. However, the image index
array is never enlarged to match, so later indexing by the larger argc can
run past its end.

The image index array should be allocated after the expansion of
arguments.

-- System Information:
Debian Release: 3.1
Architecture: powerpc (ppc)
Kernel: Linux 2.6.14-2-powerpc
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)

--Boundary-00=_ndKuDHx03Vzt5NF
Content-Type: text/x-diff;
  charset="iso-8859-1";
  name="imagemagick-6.0.6.2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="imagemagick-6.0.6.2.patch"

--- imagemagick-6.0.6.2.orig/magick/display.c 2006-01-02 03:38:04.000000000 +0200
+++ imagemagick-6.0.6.2/magick/display.c 2006-01-02 03:38:04.000000000 +0200
@@ -1822,18 +1822,12 @@
   image_number=0;
   last_image=0;
   last_scene=0;
- image_marker=(unsigned long *)
- AcquireMagickMemory((argc+1)*sizeof(*image_marker));
- for (i=0; i <= argc; i++)
- image_marker[i]=(unsigned long) argc;
+ image_marker=(unsigned long *) NULL;
   option=(char *) NULL;
   resource_database=(XrmDatabase) NULL;
   (void) ResetMagickMemory(&resource_info,0,sizeof(resource_info));
   server_name=(char *) NULL;
   state=0;
- if (image_marker == (unsigned long *) NULL)
- ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
- strerror(errno));
   /*
     Check for server name specified on the command line.
   */
@@ -1842,6 +1836,13 @@
   if (status == MagickFalse)
     ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
       strerror(errno));
+ image_marker=(unsigned long *)
+ AcquireMagickMemory((argc+1)*sizeof(*image_marker));
+ for (i=0; i <= argc; i++)
+ image_marker[i]=(unsigned long) argc;
+ if (image_marker == (unsigned long *) NULL)
+ ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
+ strerror(errno));
   for (i=1; i < (long) argc; i++)
   {
     /*
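Review bot: The relocated allocation is still written to before it is checked: `for (i=0; i <= argc; i++) image_marker[i]=(unsigned long) argc;` runs ahead of the `if (image_marker == (unsigned long *) NULL)` test, so a failed AcquireMagickMemory is dereferenced before ThrowDisplayException can fire. The ordering is carried over from the removed lines, but since the block is being moved anyway, the NULL check should come directly after the allocation, with the fill loop after it. The same applies to the last hunk of the imagemagick-6.2.4 patch. Because argc now holds the glob-expanded argument count, it is also worth confirming that `(argc+1)*sizeof(*image_marker)` cannot wrap. DisplayImageCommand's body starts and ends outside the hunk.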

--Boundary-00=_ndKuDHx03Vzt5NF
Content-Type: text/x-diff;
  charset="iso-8859-1";
  name="imagemagick-6.2.4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="imagemagick-6.2.4.patch"

--- ImageMagick-6.2.4.orig/magick/display.c 2005-09-10 06:43:05.000000000 +0300
+++ ImageMagick-6.2.4/magick/display.c 2005-09-10 06:43:05.000000000 +0300
@@ -1841,10 +1841,7 @@
   image_number=0;
   last_image=0;
   last_scene=0;
- image_marker=(unsigned long *)
- AcquireMagickMemory((argc+1)*sizeof(*image_marker));
- for (i=0; i <= argc; i++)
- image_marker[i]=(unsigned long) argc;
+ image_marker=(unsigned long *) NULL;
   option=(char *) NULL;
   pend=MagickFalse;
   resource_database=(XrmDatabase) NULL;
@@ -1852,9 +1849,6 @@
   server_name=(char *) NULL;
   state=0;
   status=MagickTrue;
- if (image_marker == (unsigned long *) NULL)
- ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
- strerror(errno));
   /*
     Check for server name specified on the command line.
   */
@@ -1863,6 +1857,13 @@
   if (status == MagickFalse)
     ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
       strerror(errno));
+ image_marker=(unsigned long *)
+ AcquireMagickMemory((argc+1)*sizeof(*image_marker));
+ for (i=0; i <= argc; i++)
+ image_marker[i]=(unsigned long) argc;
+ if (image_marker == (unsigned long *) NULL)
+ ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
+ strerror(errno));
   for (i=1; i < (long) argc; i++)
   {
     /*

--Boundary-00=_ndKuDHx03Vzt5NF--