From: Laszlo Boszormenyi (GCS) Date: Thu, 24 Nov 2022 20:50:54 +0000 (+0000) Subject: CVE-2022-1270 X-Git-Tag: archive/raspbian/1.4+really1.3.36+hg16481-2+rpi1+deb11u1^2~1 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=d29323f02d677e1d9d7ea2fd1a750e8bcfc41f18;p=graphicsmagick.git CVE-2022-1270 # HG changeset patch # User Bob Friesenhahn # Date 1648301533 18000 # Node ID 94f4bcf448ad29d6d8470e444038402d34fbba12 # Parent 07c1e6eeffb8cb2abb9ede843a45ba7e5435b3b0 ReadMIFFImage(): Validate claimed bzip2-compressed row length prior to reading data into fixed size buffer. Gbp-Pq: Name CVE-2022-1270.patch
---
diff --git a/coders/miff.c b/coders/miff.c
index 0827420..aa48311 100644
--- a/coders/miff.c
+++ b/coders/miff.c
@@ -1862,9 +1862,20 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
 else
 {
 length=ReadBlobMSBLong(image);
+ if (image->logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "length = %"MAGICK_SIZE_T_F"u",
+ (MAGICK_SIZE_T) length);
+ if ((length == 0) || (length > compressed_length))
+ {
+ (void) BZ2_bzDecompressEnd(&bzip_info);
+ ThrowMIFFReaderException(CorruptImageError,UnableToUncompressImage,
+ image);
+ }
 bzip_info.avail_in=(unsigned int) ReadBlob(image,length,bzip_info.next_in);
 if ((size_t) bzip_info.avail_in != length)
 {
+ (void) BZ2_bzDecompressEnd(&bzip_info);
 ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile,
 image);
 }
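Review bot: The new bound `length > compressed_length` has no comment saying what it protects, and the hunk does not show where `compressed_length` is set, so a reader cannot confirm from here that it equals the capacity of the buffer behind `bzip_info.next_in`. I would add above the check: `/* length is read from the file; it must not exceed the compressed_length bytes allocated for the buffer next_in points into */`, and confirm that `next_in` is reset to the start of that buffer before this `ReadBlob()` call. The `(unsigned int)` cast on the `ReadBlob()` result only compares correctly against `length` while `compressed_length` fits in `unsigned int`; that presumably holds, but it is worth stating where the buffer is sized. ReadMIFFImage() starts and ends outside the hunk.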