-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy path10055.diff
46 lines (42 loc) · 2.24 KB
/
10055.diff
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
changeset: 15776:bc328f2fcf47
user: Bob Friesenhahn <bfriesen@GraphicsMagick.org>
date: Sat Aug 25 14:06:59 2018 -0500
summary: TranslateTextEx(): Fix off-by-one in loop bounds check which allowed a one-byte stack write overflow. (Credit to OSS-Fuzz)
diff -r 078afa728034 -r bc328f2fcf47 ChangeLog
--- a/ChangeLog Sat Aug 25 13:48:22 2018 -0500
+++ b/ChangeLog Sat Aug 25 14:06:59 2018 -0500
@@ -1,5 +1,10 @@
2018-08-25 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+ * magick/utility.c (TranslateTextEx): Fix off-by-one in loop
+ bounds check which allowed a one-byte stack write overflow. Fixes
+ oss-fuzz 10055 "graphicsmagick/coder_MVG_fuzzer:
+ Stack-buffer-overflow in TranslateTextEx". (Credit to OSS-Fuzz)
+
* magick/render.c (DrawImage): Be more precise about error
detection and reporting, and return from an error more quickly.
Also added MAX_DRAWIMAGE_RECURSION pre-processor definition to
diff -r 078afa728034 -r bc328f2fcf47 magick/utility.c
--- a/magick/utility.c Sat Aug 25 13:48:22 2018 -0500
+++ b/magick/utility.c Sat Aug 25 14:06:59 2018 -0500
@@ -6357,7 +6357,7 @@
/* Extract attribute key string. */
p++;
- for (i=0; (i < MaxTextExtent) && (*p) && (*p != ']'); i++)
+ for (i=0; (i < MaxTextExtent-1) && (*p) && (*p != ']'); i++)
{
key[i]=(*p++);
}
diff -r 078afa728034 -r bc328f2fcf47 www/Changelog.html
--- a/www/Changelog.html Sat Aug 25 13:48:22 2018 -0500
+++ b/www/Changelog.html Sat Aug 25 14:06:59 2018 -0500
@@ -38,6 +38,10 @@
<p>2018-08-25 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">
+<li>magick/utility.c (TranslateTextEx): Fix off-by-one in loop
+bounds check which allowed a one-byte stack write overflow. Fixes
+oss-fuzz 10055 "graphicsmagick/coder_MVG_fuzzer:
+Stack-buffer-overflow in TranslateTextEx". (Credit to OSS-Fuzz)</li>
<li>magick/render.c (DrawImage): Be more precise about error
detection and reporting, and return from an error more quickly.
Also added MAX_DRAWIMAGE_RECURSION pre-processor definition to