DrawImage(): Fix pointer computation which leads to large strncpy size request and bad array index.
--- a/ChangeLog Fri Oct 27 08:10:34 2017 -0500
+++ b/ChangeLog Sat Oct 28 13:54:22 2017 -0500
@@ -1,3 +1,12 @@
+2017-10-28 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * magick/render.c (DrawImage): Fix SourceForge bug #517 "Push
+ operations in DrawImage can lead to negative strncpy when looking
+ for pop". Interestingly, valgrind and ASAN only detected a
+ problem with one of the test cases since exercised code which
+ updated an array using the index. It appears that Linux strncpy()
+ simply ignores the bad request.
+
2017-10-27 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/png.c (ReadOneJNGImage): Make sure that a reasonable
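Review bot: the entry describes the symptom (a negative length reaching strncpy) but not what the fix does; a clause such as "add a length check before the three strncpy calls that extract the push/pop body" would let ChangeLog readers see the change without opening render.c. The sentence "only detected a problem with one of the test cases since exercised code which updated an array using the index" is also missing its subject; "since only that case exercised code which updated an array using the index" reads cleanly.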
--- a/VisualMagick/installer/inc/version.isx Fri Oct 27 08:10:34 2017 -0500
+++ b/VisualMagick/installer/inc/version.isx Sat Oct 28 13:54:22 2017 -0500
@@ -10,5 +10,5 @@
#define public MagickPackageName "GraphicsMagick"
#define public MagickPackageVersion "1.4"
-#define public MagickPackageVersionAddendum ".020171027"
-#define public MagickPackageReleaseDate "snapshot-20171027"
+#define public MagickPackageVersionAddendum ".020171028"
+#define public MagickPackageReleaseDate "snapshot-20171028"
--- a/magick/render.c Fri Oct 27 08:10:34 2017 -0500
+++ b/magick/render.c Sat Oct 28 13:54:22 2017 -0500
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003-2016 GraphicsMagick Group
+% Copyright (C) 2003-2017 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
% Copyright 1991-1999 E. I. du Pont de Nemours and Company
%
@@ -2360,6 +2360,11 @@
continue;
break;
}
+ if (p+5U > q)
+ {
+ status=MagickFail;
+ break;
+ }
(void) strncpy(token,p,q-p-4);
token[q-p-4]='\0';
(void) SetImageAttribute(image,name,token);
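Review bot: the guard `if (p+5U > q)` forms the pointer `p+5U` before comparing it, and if that address lies beyond one past the end of the primitive buffer the arithmetic itself is undefined in C; comparing the difference, `if ((q-p) < 5)`, rejects the same inputs without constructing the pointer. The bound also rejects `q-p == 4`, i.e. an empty body between push and pop, which would otherwise reach `strncpy(token,p,0)` and `token[0]='\0'` harmlessly; if empty bodies are legitimate, `(q-p) < 4` is the exact condition, and if they are meant to be rejected a short comment saying so would avoid a later "fix". Finally, the check only bounds the length from below: nothing in this hunk shows `q-p-4` being compared against the allocated size of `token`, so it is worth confirming that `token` is sized for at least `q-p-3` bytes (copied bytes plus the terminator) at all three call sites.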
@@ -2433,6 +2438,11 @@
continue;
break;
}
+ if (p+5U > q)
+ {
+ status=MagickFail;
+ break;
+ }
(void) strncpy(token,p,q-p-4);
token[q-p-4]='\0';
bounds.x1=graphic_context[n]->affine.sx*segment.x1+
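Review bot: this five-line guard is a verbatim copy of the one added in the previous hunk, and the same block appears a third time further down; a small static helper or macro taking `p`, `q` and `status` would keep the push/pop extraction sites consistent and make any future change to the bound (for example the `5U` constant) a single edit instead of three.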
@@ -2564,6 +2574,11 @@
continue;
break;
}
+ if (p+5U > q)
+ {
+ status=MagickFail;
+ break;
+ }
(void) strncpy(token,p,q-p-4);
token[q-p-4]='\0';
FormatString(key,"[%.1024s]",name);
--- a/magick/version.h Fri Oct 27 08:10:34 2017 -0500
+++ b/magick/version.h Sat Oct 28 13:54:22 2017 -0500
@@ -38,8 +38,8 @@
#define MagickLibVersion 0x191600
#define MagickLibVersionText "1.4"
#define MagickLibVersionNumber 19,16,0
-#define MagickChangeDate "20171027"
-#define MagickReleaseDate "snapshot-20171027"
+#define MagickChangeDate "20171028"
+#define MagickReleaseDate "snapshot-20171028"
/*
The MagickLibInterfaceNewest and MagickLibInterfaceOldest defines
--- a/www/Changelog.html Fri Oct 27 08:10:34 2017 -0500
+++ b/www/Changelog.html Sat Oct 28 13:54:22 2017 -0500
@@ -35,6 +35,17 @@
<div class="document">
+<p>2017-10-28 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
+<blockquote>
+<ul class="simple">
+<li>magick/render.c (DrawImage): Fix SourceForge bug #517 "Push
+operations in DrawImage can lead to negative strncpy when looking
+for pop". Interestingly, valgrind and ASAN only detected a
+problem with one of the test cases since exercised code which
+updated an array using the index. It appears that Linux strncpy()
+simply ignores the bad request.</li>
+</ul>
+</blockquote>
<p>2017-10-27 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">