Hi, I intent to upload a 0-day NMU to fix this bug. Daniel, are you taking care of graphicsmagick?
Cheers Nico -- Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u imagemagick-6.5.1.0/debian/changelog imagemagick-6.5.1.0/debian/changelog
--- imagemagick-6.5.1.0/debian/changelog
+++ imagemagick-6.5.1.0/debian/changelog
@@ -1,3 +1,11 @@
+imagemagick (7:6.5.1.0-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Apply upstream patch to fix integer overflow in XMakeImage()
+ (SA35216.diff; Closes: #530838).
+
+ -- Nico Golde <n...@debian.org> Fri, 29 May 2009 12:46:08 +0200
+
imagemagick (7:6.5.1.0-1) unstable; urgency=low
* New upstream release;
diff -u imagemagick-6.5.1.0/debian/patches/series imagemagick-6.5.1.0/debian/patches/series
--- imagemagick-6.5.1.0/debian/patches/series
+++ imagemagick-6.5.1.0/debian/patches/series
@@ -1 +1 @@
-# no patches for now
+SA35216.diff
only in patch2:
unchanged:
--- imagemagick-6.5.1.0.orig/debian/patches/SA35216.diff
+++ imagemagick-6.5.1.0/debian/patches/SA35216.diff
@@ -0,0 +1,58 @@
+Index: imagemagick-6.5.1.0/magick/xwindow.c
+===================================================================
+--- imagemagick-6.5.1.0.orig/magick/xwindow.c 2009-05-29 12:45:07.000000000 +0200
++++ imagemagick-6.5.1.0/magick/xwindow.c 2009-05-29 12:45:18.000000000 +0200
+@@ -5351,6 +5351,9 @@
+ const XResourceInfo *resource_info,XWindowInfo *window,Image *image,
+ unsigned int width,unsigned int height)
+ {
++#define CheckOverflowException(length,width,height) \
++ (((height) != 0) && ((length)/((size_t) height) != ((size_t) width)))
++
+ int
+ depth,
+ format;
+@@ -5490,9 +5493,11 @@
+ (char *) NULL,&segment_info[1],width,height);
+ if (ximage == (XImage *) NULL)
+ window->shared_memory=MagickFalse;
++ length=(size_t) ximage->bytes_per_line*ximage->height;
++ if (CheckOverflowException(length,ximage->bytes_per_line,ximage->height))
++ window->shared_memory=MagickFalse;
+ if (window->shared_memory != MagickFalse)
+- segment_info[1].shmid=shmget(IPC_PRIVATE,(unsigned int)
+- (ximage->bytes_per_line*ximage->height),IPC_CREAT | 0777);
++ segment_info[1].shmid=shmget(IPC_PRIVATE,length,IPC_CREAT | 0777);
+ if (window->shared_memory != MagickFalse)
+ segment_info[1].shmaddr=(char *) shmat(segment_info[1].shmid,0,0);
+ if (segment_info[1].shmid < 0)
+@@ -5595,11 +5600,12 @@
+ }
+ if (window->shared_memory == MagickFalse)
+ {
+- if (ximage->format == XYBitmap)
+- length=(size_t) ximage->bytes_per_line*ximage->height*ximage->depth;
++ if (ximage->format != XYBitmap)
++ ximage->data=(char *) AcquireQuantumMemory((size_t)
++ ximage->bytes_per_line,(size_t) ximage->height);
+ else
+- length=(size_t) ximage->bytes_per_line*ximage->height;
+- ximage->data=(char *) malloc(length);
++ ximage->data=(char *) AcquireQuantumMemory((size_t)
++ ximage->bytes_per_line*ximage->depth,(size_t) ximage->height);
+ }
+ if (ximage->data == (char *) NULL)
+ {
+@@ -5677,9 +5683,9 @@
+ /*
+ Allocate matte image pixel data.
+ */
+- length=(size_t) matte_image->bytes_per_line*
+- matte_image->height*matte_image->depth;
+- matte_image->data=(char *) malloc(length);
++ matte_image->data=(char *) AcquireQuantumMemory((size_t)
++ matte_image->bytes_per_line*matte_image->depth,
++ (size_t) matte_image->height);
+ if (matte_image->data == (char *) NULL)
+ {
+ XDestroyImage(matte_image);
pgpEtn3Jt6iL3.pgp
Description: PGP signature
