ImageMagick
/
CVE-2021-20311-20312-20313.patch

From 1e48a746b0b1c34b2bdc2ae8cfa094d69ce50aa3 Mon Sep 17 00:00:00 2001
From: Cristy <mikayla-grace@urban-warrior.org>
Date: Thu, 25 Feb 2021 17:03:18 -0500
Subject: [PATCH] possible divide by zero + clear buffers

---
 coders/thumbnail.c  |  3 ++-
 configure           |  2 +-
 magick/cipher.c     | 12 ++++++------
 magick/colorspace.c | 16 ++++++++--------
 magick/memory.c     | 21 ++++++++++++++++-----
 magick/signature.c  |  2 +-
 6 files changed, 34 insertions(+), 22 deletions(-)

diff --git a/coders/thumbnail.c b/coders/thumbnail.c
index 21895a9..73917fc 100644
--- a/coders/thumbnail.c
+++ b/coders/thumbnail.c
@@ -198,7 +198,8 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info,
       break;
     q++;
   }
-  if ((q+length) > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)))
+  if ((q > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) ||
+      (length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
     ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
   thumbnail_image=BlobToImage(image_info,q,length,&image->exception);
   if (thumbnail_image == (Image *) NULL)
diff --git a/configure b/configure
index 6f61a2f..65efc18 100755
--- a/configure
+++ b/configure
@@ -4573,7 +4573,7 @@ MAGICK_PATCHLEVEL_VERSION=67

 MAGICK_VERSION=6.9.10-67

-MAGICK_GIT_REVISION=14843:618d759:20190929
+MAGICK_GIT_REVISION=16484:c5e7a8bbe:20210225


 # Substitute library versioning
diff --git a/magick/cipher.c b/magick/cipher.c
index da97378..6c74c51 100644
--- a/magick/cipher.c
+++ b/magick/cipher.c
@@ -483,8 +483,8 @@ static void EncipherAESBlock(AESInfo *aes_info,const unsigned char *plaintext,
     Reset registers.
   */
   alpha=0;
-  (void) memset(key,0,sizeof(key));
-  (void) memset(text,0,sizeof(text));
+  (void) ResetMagickMemory(key,0,sizeof(key));
+  (void) ResetMagickMemory(text,0,sizeof(text));
 }

 /*
@@ -706,8 +706,8 @@ MagickExport MagickBooleanType PasskeyDecipherImage(Image *image,
   */
   quantum_info=DestroyQuantumInfo(quantum_info);
   aes_info=DestroyAESInfo(aes_info);
-  (void) memset(input_block,0,sizeof(input_block));
-  (void) memset(output_block,0,sizeof(output_block));
+  (void) ResetMagickMemory(input_block,0,sizeof(input_block));
+  (void) ResetMagickMemory(output_block,0,sizeof(output_block));
   return(y == (ssize_t) image->rows ? MagickTrue : MagickFalse);
 }

@@ -923,8 +923,8 @@ MagickExport MagickBooleanType PasskeyEncipherImage(Image *image,
   */
   quantum_info=DestroyQuantumInfo(quantum_info);
   aes_info=DestroyAESInfo(aes_info);
-  (void) memset(input_block,0,sizeof(input_block));
-  (void) memset(output_block,0,sizeof(output_block));
+  (void) ResetMagickMemory(input_block,0,sizeof(input_block));
+  (void) ResetMagickMemory(output_block,0,sizeof(output_block));
   return(y == (ssize_t) image->rows ? MagickTrue : MagickFalse);
 }

diff --git a/magick/colorspace.c b/magick/colorspace.c
index 4e68c21..0a3e368 100644
--- a/magick/colorspace.c
+++ b/magick/colorspace.c
@@ -737,15 +737,15 @@ MagickExport MagickBooleanType RGBTransformImage(Image *image,
       if (logmap == (Quantum *) NULL)
         ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
           image->filename);
-      black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002/
-        film_gamma);
+      black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002*
+        PerceptibleReciprocal(film_gamma));
 #if defined(MAGICKCORE_OPENMP_SUPPORT)
       #pragma omp parallel for schedule(static)
 #endif
       for (i=0; i <= (ssize_t) MaxMap; i++)
         logmap[i]=ScaleMapToQuantum((MagickRealType) (MaxMap*(reference_white+
-          log10(black+(1.0*i/MaxMap)*(1.0-black))/((gamma/density)*0.002/
-          film_gamma))/1024.0));
+          log10(black+(1.0*i/MaxMap)*(1.0-black))/((gamma/density)*0.002*
+          PerceptibleReciprocal(film_gamma)))/1024.0));
       image_view=AcquireAuthenticCacheView(image,exception);
 #if defined(MAGICKCORE_OPENMP_SUPPORT)
       #pragma omp parallel for schedule(static) shared(status) \
@@ -2396,14 +2396,14 @@ MagickExport MagickBooleanType TransformRGBImage(Image *image,
       if (logmap == (Quantum *) NULL)
         ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
           image->filename);
-      black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002/
-        film_gamma);
+      black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002*
+        PerceptibleReciprocal(film_gamma));
       for (i=0; i <= (ssize_t) (reference_black*MaxMap/1024.0); i++)
         logmap[i]=(Quantum) 0;
       for ( ; i < (ssize_t) (reference_white*MaxMap/1024.0); i++)
         logmap[i]=ClampToQuantum((MagickRealType) QuantumRange/(1.0-black)*
-          (pow(10.0,(1024.0*i/MaxMap-reference_white)*(gamma/density)*0.002/
-          film_gamma)-black));
+          (pow(10.0,(1024.0*i/MaxMap-reference_white)*(gamma/density)*0.002*
+          PerceptibleReciprocal(film_gamma))-black));
       for ( ; i <= (ssize_t) MaxMap; i++)
         logmap[i]=QuantumRange;
       if (image->storage_class == PseudoClass)
diff --git a/magick/memory.c b/magick/memory.c
index 487eaa7..791c1a4 100644
--- a/magick/memory.c
+++ b/magick/memory.c
@@ -1190,25 +1190,36 @@ MagickExport MemoryInfo *RelinquishVirtualMemory(MemoryInfo *memory_info)
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %
 %  ResetMagickMemory() fills the first size bytes of the memory area pointed to
-%  by memory with the constant byte c.
+%  by memory with the constant byte c.  We use a volatile pointer when
+%  updating the byte string.  Most compilers will avoid optimizing away access
+%  to a volatile pointer, even if the pointer appears to be unused after the
+%  call.
 %
 %  The format of the ResetMagickMemory method is:
 %
-%      void *ResetMagickMemory(void *memory,int byte,const size_t size)
+%      void *ResetMagickMemory(void *memory,int c,const size_t size)
 %
 %  A description of each parameter follows:
 %
 %    o memory: a pointer to a memory allocation.
 %
-%    o byte: set the memory to this value.
+%    o c: set the memory to this value.
 %
 %    o size: size of the memory to reset.
 %
 */
-MagickExport void *ResetMagickMemory(void *memory,int byte,const size_t size)
+MagickExport void *ResetMagickMemory(void *memory,int c,const size_t size)
 {
+  volatile unsigned char
+    *p = memory;
+
+  size_t
+    n = size;
+
   assert(memory != (void *) NULL);
-  return(memset(memory,byte,size));
+  while (n-- != 0)
+    *p++=(unsigned char) c;
+  return(memory);
 }

 /*
diff --git a/magick/signature.c b/magick/signature.c
index d8b100b..7edc295 100644
--- a/magick/signature.c
+++ b/magick/signature.c
@@ -720,7 +720,7 @@ RestoreMSCWarning
   T=0;
   T1=0;
   T2=0;
-  (void) memset(W,0,sizeof(W));
+  (void) ResetMagickMemory(W,0,sizeof(W));
 }

 /*
--
2.23.0