DrawImage(): Fix pointer computation which leads to large strncpy size request and bad array index.
author Bob Friesenhahn <bfriesen@GraphicsMagick.org>
Sat, 28 Oct 2017 13:54:22 -0500
changeset 15243 785758bbbfcc
parent 15242 597ff91f38a9
child 15244 fb5c791e5706
ChangeLog
VisualMagick/installer/inc/version.isx
magick/render.c
magick/version.h
www/Changelog.html
--- a/ChangeLog	Fri Oct 27 08:10:34 2017 -0500
+++ b/ChangeLog	Sat Oct 28 13:54:22 2017 -0500
@@ -1,3 +1,12 @@
+2017-10-28  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
+
+	* magick/render.c (DrawImage): Fix SourceForge bug #517 "Push
+	operations in DrawImage can lead to negative strncpy when looking
+	for pop".  Interestingly, valgrind and ASAN only detected a
+	problem with one of the test cases since exercised code which
+	updated an array using the index.  It appears that Linux strncpy()
+	simply ignores the bad request.
+
 2017-10-27  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
 	* coders/png.c (ReadOneJNGImage): Make sure that a reasonable
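Review bot: the entry describes the symptom (a negative `strncpy` length and a bad array index) but not the condition the fix now enforces; consider adding a sentence saying that the three push handlers in `DrawImage` now set `status=MagickFail` and stop when fewer than five bytes separate the token start from the matching `pop`, so a reader of the ChangeLog can locate the new `if (p+5U > q)` check without reading the diff. Minor: "since exercised code which updated an array" reads as if it is missing "it" ("since it exercised code ...").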
--- a/VisualMagick/installer/inc/version.isx	Fri Oct 27 08:10:34 2017 -0500
+++ b/VisualMagick/installer/inc/version.isx	Sat Oct 28 13:54:22 2017 -0500
@@ -10,5 +10,5 @@
 
 #define public MagickPackageName "GraphicsMagick"
 #define public MagickPackageVersion "1.4"
-#define public MagickPackageVersionAddendum ".020171027"
-#define public MagickPackageReleaseDate "snapshot-20171027"
+#define public MagickPackageVersionAddendum ".020171028"
+#define public MagickPackageReleaseDate "snapshot-20171028"
--- a/magick/render.c	Fri Oct 27 08:10:34 2017 -0500
+++ b/magick/render.c	Sat Oct 28 13:54:22 2017 -0500
@@ -1,5 +1,5 @@
 /*
-% Copyright (C) 2003-2016 GraphicsMagick Group
+% Copyright (C) 2003-2017 GraphicsMagick Group
 % Copyright (C) 2002 ImageMagick Studio
 % Copyright 1991-1999 E. I. du Pont de Nemours and Company
 %
@@ -2360,6 +2360,11 @@
                     continue;
                   break;
                 }
+                if (p+5U > q)
+                  {
+                    status=MagickFail;
+                    break;
+                  }
                 (void) strncpy(token,p,q-p-4);
                 token[q-p-4]='\0';
                 (void) SetImageAttribute(image,name,token);
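Review bot: `p+5U > q` forms a pointer five bytes beyond `p` before comparing it, which is undefined behaviour in C when `p` lies within the last four bytes of the primitive buffer; writing the same test on the difference, `if (q-p < 5)`, keeps the arithmetic on `ptrdiff_t` values that are always valid (given that `q` was located at or after `p`). Either form is enough for the copy that follows: `q-p-4` was previously computed as a signed difference and then converted to `size_t` for `strncpy`, so any value below 4 became a huge length and `token[q-p-4]='\0'` wrote before the start of `token`; with the guard, `q-p-4` is at least 1.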
@@ -2433,6 +2438,11 @@
                     continue;
                   break;
                 }
+                if (p+5U > q)
+                  {
+                    status=MagickFail;
+                    break;
+                  }
                 (void) strncpy(token,p,q-p-4);
                 token[q-p-4]='\0';
                 bounds.x1=graphic_context[n]->affine.sx*segment.x1+
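Review bot: the new guard fixes the lower bound only; the hunk does not show that `q-p-4` is also capped at the allocated size of `token` before `(void) strncpy(token,p,q-p-4);` and `token[q-p-4]='\0';`. If `token` is a fixed-size buffer, a long primitive body between the push and its pop still overruns it, so please confirm the length is bounded elsewhere or add an upper-bound check in the same `if` (e.g. also failing when `q-p-4` exceeds the size reserved for `token`).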
@@ -2564,6 +2574,11 @@
                     continue;
                   break;
                 }
+                if (p+5U > q)
+                  {
+                    status=MagickFail;
+                    break;
+                  }
                 (void) strncpy(token,p,q-p-4);
                 token[q-p-4]='\0';
                 FormatString(key,"[%.1024s]",name);
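Review bot: the identical five-line guard now appears three times, each immediately followed by the same `strncpy`/terminator pair using the literal `4` (the length of the `pop` terminator) and `5`; factoring this into one static helper (or a macro) that takes `p`, `q` and the destination and returns `MagickFail` on a too-short span would keep the three call sites from drifting apart, and naming the constant (the terminator length) would make the relation between `p+5U` and `q-p-4` explicit. Also worth stating in a comment what `break` leaves in `status` for the caller, since the loop the `break` exits is outside the hunk.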
--- a/magick/version.h	Fri Oct 27 08:10:34 2017 -0500
+++ b/magick/version.h	Sat Oct 28 13:54:22 2017 -0500
@@ -38,8 +38,8 @@
 #define MagickLibVersion  0x191600
 #define MagickLibVersionText  "1.4"
 #define MagickLibVersionNumber 19,16,0
-#define MagickChangeDate   "20171027"
-#define MagickReleaseDate  "snapshot-20171027"
+#define MagickChangeDate   "20171028"
+#define MagickReleaseDate  "snapshot-20171028"
 	
 /*
   The MagickLibInterfaceNewest and MagickLibInterfaceOldest defines
--- a/www/Changelog.html	Fri Oct 27 08:10:34 2017 -0500
+++ b/www/Changelog.html	Sat Oct 28 13:54:22 2017 -0500
@@ -35,6 +35,17 @@
 <div class="document">
 
 
+<p>2017-10-28  Bob Friesenhahn  &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
+<blockquote>
+<ul class="simple">
+<li>magick/render.c (DrawImage): Fix SourceForge bug #517 &quot;Push
+operations in DrawImage can lead to negative strncpy when looking
+for pop&quot;.  Interestingly, valgrind and ASAN only detected a
+problem with one of the test cases since exercised code which
+updated an array using the index.  It appears that Linux strncpy()
+simply ignores the bad request.</li>
+</ul>
+</blockquote>
 <p>2017-10-27  Bob Friesenhahn  &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
 <blockquote>
 <ul class="simple">