github.com/kaydxh/golang@v0.0.131/pkg/gocv/cgo/third_path/graphics-magick/share/doc/GraphicsMagick/ChangeLog.2018

2018-12-20  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/jpeg.c (ReadJPEGImage): Move return point for 'ping' mode
	until after jpeg_start_decompress() and after JPEG compression
	properties have been estimated.  Fixes SourceForge issue #578 "gm
	identify with format "%[JPEG-Colorspace-Name]" does not work" and
	#586 "Identify returning wrong compression values".

2018-12-18  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/gif.c (ReadGIFImage): Don't throw an error if opacity is
	outside of the range of the image colors.  Fix suggested by 莫红波
	<hongbo.mo@upai.com> on the graphicsmagick-bugs mailing list on
	Fri, 9 Oct 2015.

	* magick/memory.h (MagickAllocateClearedArray): New macro for
	allocating a cleared array.

	* magick/resize.c (ScaleImage): Patch by Troy Patteson which
	resolves SourceForge issue #381 "Artifacts when scaling a PNG with
	semi-transparent pixels".

	ScaleImage() suffers from two problems related to the blending of
	fully transparent pixels with non-fully transparent pixels during
	the scaling operation.

	The first is that the colour values for fully transparent pixels
	are contributing to the colour values of the blended pixels when
	they should not.

	The second is that the colour values of pixels blended with fully
	and non-fully transparent pixels are scaled as though the fully
	transparent pixels contribute to the blended pixels' colour values
	when they should not.  For example, if blending 10% of a fully
	opaque white pixel with 90% of a fully transparent black pixel one
	would expect the blended pixel RGBA values to be 255,255,255,25.5
	assuming 8 bit colour but they are in fact 25.5,25.5,25.5,25.5.
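As an added illustration (not part of this ChangeLog and not GraphicsMagick's own ScaleImage() code) of the two blending problems just described, the following C model blends weighted RGBA pixels first the naive way and then with the two corrections the patch applies; it assumes the entry's RGBA convention (alpha 255 opaque, 0 transparent) and uses hypothetical names (Pixel, blend_naive, blend_fixed). It also goes beyond the entry's two-pixel case to a mixed neighbourhood and an all-transparent one.

```c
/* Added example, not GraphicsMagick code: a minimal model of the two
 * ScaleImage() blending problems and of the described correction.
 * Names are hypothetical.  Alpha follows the entry's RGBA convention:
 * 255 is fully opaque, 0 is fully transparent. */
#include <stddef.h>
#include <stdio.h>

typedef struct {
  double red, green, blue, alpha;   /* 0..255, as in the entry's example */
} Pixel;

/* Naive weighted blend: every source pixel's colour is accumulated with
 * its weight, whether or not the pixel is fully transparent.  With 10%
 * opaque white and 90% transparent black this gives 25.5,25.5,25.5,25.5. */
Pixel blend_naive(const Pixel *src, const double *weight, size_t n)
{
  Pixel out = {0.0, 0.0, 0.0, 0.0};
  for (size_t i = 0; i < n; i++) {
    out.red   += weight[i] * src[i].red;
    out.green += weight[i] * src[i].green;
    out.blue  += weight[i] * src[i].blue;
    out.alpha += weight[i] * src[i].alpha;
  }
  return out;
}

/* Corrected blend.  Problem 1: a fully transparent pixel contributes zero
 * colour.  Problem 2: the accumulated colour is divided by the total
 * weight ("volume") of the pixels that were not fully transparent, so it
 * is not diluted by weight that carried no colour.  Alpha stays a plain
 * weighted average.  If every contributor is fully transparent the volume
 * is zero and the colour is left at zero (no division by zero). */
Pixel blend_fixed(const Pixel *src, const double *weight, size_t n)
{
  Pixel out = {0.0, 0.0, 0.0, 0.0};
  double volume = 0.0;
  for (size_t i = 0; i < n; i++) {
    out.alpha += weight[i] * src[i].alpha;
    if (src[i].alpha <= 0.0)
      continue;                    /* colour of a transparent pixel counts as zero */
    volume    += weight[i];
    out.red   += weight[i] * src[i].red;
    out.green += weight[i] * src[i].green;
    out.blue  += weight[i] * src[i].blue;
  }
  if (volume > 0.0) {
    out.red   /= volume;           /* 25.5 / 0.1 = 255 in the entry's example */
    out.green /= volume;
    out.blue  /= volume;
  }
  return out;
}

/* Approximate comparison (avoids depending on exact floating point). */
int pixel_near(Pixel p, double r, double g, double b, double a)
{
  double d[4] = {p.red - r, p.green - g, p.blue - b, p.alpha - a};
  for (int i = 0; i < 4; i++) {
    if (d[i] < 0.0) d[i] = -d[i];
    if (d[i] > 1e-9) return 0;
  }
  return 1;
}

/* The entry's example: 10% of opaque white with 90% of transparent black. */
static const Pixel  entry_src[2]    = {{255.0, 255.0, 255.0, 255.0}, {0.0, 0.0, 0.0, 0.0}};
static const double entry_weight[2] = {0.1, 0.9};
Pixel entry_example_naive(void) { return blend_naive(entry_src, entry_weight, 2); }
Pixel entry_example_fixed(void) { return blend_fixed(entry_src, entry_weight, 2); }

/* Constructed cases beyond the entry: a half-transparent blue pixel keeps
 * its full colour weight; a fully transparent green one contributes none. */
static const Pixel  mixed_src[3]    = {{255.0, 0.0, 0.0, 255.0}, {0.0, 0.0, 255.0, 128.0}, {0.0, 255.0, 0.0, 0.0}};
static const double mixed_weight[3] = {0.5, 0.25, 0.25};
Pixel mixed_example_fixed(void) { return blend_fixed(mixed_src, mixed_weight, 3); }

/* Constructed case: every contributor is fully transparent. */
static const Pixel  clear_src[2]    = {{255.0, 255.0, 255.0, 0.0}, {0.0, 0.0, 255.0, 0.0}};
static const double clear_weight[2] = {0.5, 0.5};
Pixel clear_example_fixed(void) { return blend_fixed(clear_src, clear_weight, 2); }

int main(void)
{
  Pixel a = entry_example_naive(), b = entry_example_fixed();
  printf("naive: %.1f,%.1f,%.1f,%.1f\n", a.red, a.green, a.blue, a.alpha);
  printf("fixed: %.1f,%.1f,%.1f,%.1f\n", b.red, b.green, b.blue, b.alpha);
  return 0;
}
```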
	The provided patch solves the first issue by treating the colour
	values of fully transparent pixels as zero and the second issue by
	recording the volume of each blended pixel made up of pixels that
	are not fully transparent (0.1 in the above example) and then
	scaling the blended pixel RGB values by dividing by that
	amount.  In the above example, 25.5/0.1 = 255.

2018-12-16  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/dib.c (ReadDIBImage): DIB images claiming more than
	8-bits per pixel are not colormapped.  Reject such files.  Fixes
	SourceForge issue #585 "Assertion Failure in coders/png.c:7503".
	The problem is in the DIB reader rather than PNG.

	* coders/miff.c (ReadMIFFImage): Detect and reject zero-length
	deflate-encoded row in MIFF version 0.  Fixes oss-fuzz 11876
	"graphicsmagick/coder_MIFF_fuzzer: Use-of-uninitialized-value in
	deflate_slow".  (Credit to OSS-Fuzz)

	* configure.ac: Improve search for true Microsoft Windows fonts
	and provide better indication of results.  Fix a typo which caused
	DcrawExtraOptions not to be evaluated correctly.

2018-12-15  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/tiff.c (QuantumTransferMode): Be more strict about the
	requirements for CIE Log2(L) and LOGLUV images.
	(ReadTIFFImage): Apply memory resource limits to strip and tile
	allocations.
	(ReadTIFFImage): Rationalize tile width/height to reject large
	tile sizes which are much larger than the image dimensions.  Fixes
	oss-fuzz 11824 "graphicsmagick/coder_BIGTIFF_fuzzer: Out-of-memory
	in graphicsmagick_coder_BIGTIFF_fuzzer".  (Credit to OSS-Fuzz)
	(ReadTIFFImage): Return with error if TIFFClientOpen() reports
	errors yet still returns a TIFF handle.

2018-12-12  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/tga.c (WriteTGAImage): Image rows/columns must not be
	larger than 65535.
	Fixes SourceForge #583 "heap-buffer-overflow in
	WriteTGAImage of tga.c".

2018-12-11  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/bmp.c (ReadBMPImage): Fix heap overflow in 32-bit build
	due to arithmetic overflow.  Only happens if limits are changed
	from defaults.  Fixes SourceForge #582 "heap-buffer-overflow in
	ReadBMPImage of bmp.c".

2018-12-09  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* common.shi.in (MAGICK_FONT): The test suite must pass even on
	systems where we don't find any fonts.

2018-12-08  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/miff.c (ReadMIFFImage): Sanitize claimed profile size
	before allocating memory for it.  Fixes oss-fuzz 11781
	"graphicsmagick/coder_MIFF_fuzzer: Out-of-memory in
	graphicsmagick_coder_MIFF_fuzzer".  (Credit to OSS-Fuzz)

2018-12-05  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/png.c (ReadMNGImage): Fix non-terminal MNG looping.
	Fixes oss-fuzz 11596 "graphicsmagick/coder_MNG_fuzzer: Timeout in
	graphicsmagick_coder_MNG_fuzzer".  (Credit to OSS-Fuzz)

2018-12-04  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/xpm.c (WriteXPMImage): Assure that added colormap entry
	for transparent XPM is initialized.  Fixes oss-fuzz 11617
	"graphicsmagick/coder_XPM_fuzzer: Use-of-uninitialized-value in
	QueryColorname".  (Credit to OSS-Fuzz)

	* coders/miff.c (ReadMIFFImage): Fix memory leak of profiles
	'name' when claimed length is zero.  Fixes oss-fuzz 11710
	"graphicsmagick/coder_MIFF_fuzzer: Direct-leak in AllocateString"
	and oss-fuzz 11688 "graphicsmagick/coder_MIFF_fuzzer:
	Out-of-memory in graphicsmagick_coder_MIFF_fuzzer".  (Credit to
	OSS-Fuzz)

2018-12-02  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* fuzzing/oss-fuzz-build.sh: Apply patch from Alex Gaynor to add
	Zstd to the oss-fuzz build.
2018-12-01  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* configure.ac (DcrawExtraOptions): For QuantumDepth > 8 pass -6
	option to dcraw.  Fixes SourceForge issue #568 "dcraw not
	returning 16 bit image even though quantum depth is set to 16".

	* fuzzing/oss-fuzz-build.sh (PKG_CONFIG_PATH): Build WebP prior to
	libtiff so that libtiff has a chance to find it.

2018-11-30  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/command.c (TimeImageCommand): Time command now shows 6
	digits of elapsed time indication since this precision is often
	now available and it is useful to see.

2018-11-29  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* Magick++/lib/Magick++/Drawable.h: Fix use of clang diagnostic
	syntax.  Addresses SourceForge bug #579 "'diagnostic pop' pragma
	without 'diagnostic push' in Drawable.h.".

2018-11-22  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/constitute.c (WriteImage): Eliminate use of just-freed
	memory in clone_info->magick when throwing exception due to no
	support for format.  Fixes SourceForge issue #576 "heap
	use-after-freee when convert one format into another format".

	* magick/command.c (BenchmarkImageCommand): Benchmark command now
	shows 6 digits of elapsed time indication since this precision is
	often now available and it is useful to see.

2018-11-21  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* wand/wand_api.h ("C"): magick/api.h should be included prior to
	wand/wand_symbols.h.  Change made due to report by yzh杨振宏 on
	Wed, 21 Nov 2018 via the graphicsmagick-bugs mailing list.

2018-11-20  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* magick/nt_base.c Fix a bug when OS does not support performance counter.
2018-11-20  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/nt_base.c (NTElapsedTime): Use
	QueryPerformanceFrequency() and QueryPerformanceCounter() to
	measure elapsed time for Windows.

2018-11-19  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* tiff/port/snprintf.c Fix for older Microsoft Visual Studio

2018-11-17  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* www/index.rst: Update in preparation for 1.3.31 release.

	* version.sh: Update library versioning in preparation for
	1.3.31 release.

	* NEWS.txt: Update news in preparation for 1.3.31 release.

2018-11-15  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/command.c (BenchmarkUsage): Document the benchmark
	command better.

2018-11-14  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/resize.c (HorizontalFilter, VerticalFilter): quantum is a
	pointer so its value can not be usefully flushed.  Use a local
	variable and then update quantum pointer when done.

2018-11-11  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/*: Changed row_count tallying to use 'omp atomic' and
	status update to use 'omp flush' for progress and error
	indication.  This replaces most use of 'omp critical' for this
	purpose.  Changed some lumpy algorithms which were using 'static'
	scheduling to 'guided' scheduling due to observing better results.
	Also added prolific 'restrict' annotations where they were
	missing.

	* www/security.rst: Documented a PGP private key for file signing
	or private correspondence.

2018-11-10  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* www/authors.rst: Moved "Glenn Randers-Pehrson" and "Gregory J
	Wolfe" to the "Former Contributor" category.

2018-11-09  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* Added many GCC function annotations in the libraries and coders.
2018-11-07  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* configure.ac: Use printf rather than echo to portably expand tab
	requests in configuration summary.

2018-11-01  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* configure.ac: Use pkg-config data as the initial choice when
	configuring for FreeType 2.0 and libxml-2.0.  Only fall back to
	invoking an external script (and then traditional methods) if
	pkg-config fails.

	* coders/msl.c (ProcessMSLScript): Release msl_image if OpenBlob
	fails.  Similar to ImageMagick CVE-2018-18544.  Problem was
	reported to us via email from Petr Gajdos on Thu, 1 Nov 2018.

2018-10-27  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/miff.c (WriteMIFFImage): Only run
	strlen(attribute->value) once per attribute since the length won't
	change.  May address oss-fuzz 11158
	"graphicsmagick/coder_MIFF_fuzzer: Timeout in
	graphicsmagick_coder_MIFF_fuzzer".  (Credit to OSS-Fuzz)

	* Fix compilation warnings observed with GCC 8.2.0.

2018-10-26  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/pixel_iterator.c (PixelIterateMonoModifyImplementation):
	Use atomic and flush rather than critical construct for a small
	speedup.

	* magick/monitor.c (MagickMonitorFormatted): Serialize calls to
	the progress monitor so that the caller does not need to perform
	this serialization.
	(MagickMonitor): Serialize calls to the progress monitor so that
	the caller does not need to perform this serialization.  This
	function is now marked as deprecated.
	(InitializeMagickMonitor): New private function to initialize
	monitor functionality.
	(DestroyMagickMonitor): New private function to destroy monitor
	functionality.
2018-10-23  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/gif.c (ReadGIFImage): Improve the efficiency of storing a
	GIF comment in order to avoid a DOS opportunity.  Fixes oss-fuzz
	11096 "graphicsmagick/coder_GIF_fuzzer: Timeout in
	graphicsmagick_coder_GIF_fuzzer".  (Credit to OSS-Fuzz)

2018-10-21  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* PerlMagick/Makefile.PL.in: Use MAGICK_API_LIBS to obtain the
	list of libraries to use when linking.

	* configure.ac: OpenMP library is normally supplied due to a
	CFLAGS option so only supply it in cases where the CFLAGS option
	may be lost or it might not be used.  Otherwise the compiler may
	apply the library twice when linking.

2018-10-20  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* configure.ac: Remove Ghostscript library support (--with-gslib)
	from configure script.  The 'HasGS' pre-processor defines which
	were enabled by this remain in the source code so it is still
	possible to use this library if absolutely necessary
	(e.g. CPPFLAGS=-DHasGS LIBS=-lgs).

	* tests/rwfile.tap: Test TIFF format with all supported
	compression options.

	* tests/{rwblob.c, rwfile.c} (main): Use StringToCompressionType()
	to parse compression option.  Also consider requested compression
	algorithm when deciding if format is lossy.

	* coders/tiff.c (WriteTIFFImage): WebP compression needs
	PHOTOMETRIC_RGB.  Fix wrong rows-per-strip calculation when using
	LZMA compression.

	* tests/rwblob.tap: Added a rwblob test to verify that lower-case
	magick works.

	* magick/static.c (OpenModule): Upper case magick string before
	searching static modules list.  Fixes Debian bug 911386
	"libgraphicsmagick-q16-3: graphicsmagick 1.3.30 has made formats
	case-sensitive at the API level".
	* filters/analyze.c (AnalyzeImage): X and y should be unsigned
	long to match image rows/columns type.  Calculate total pixels by
	simple multiplication rather than counting.

2018-10-14  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/tiff.c (WriteTIFFImage): Support WebP compression in
	TIFF.  This requires a libtiff release after 4.0.9.

	* magick/image.h ("C"): WebPCompression added to CompressionType
	enumeration.

2018-10-13  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* configure.ac: Configure for the Zstd library.  Use
	--without-zstd to disable searching for this library.  Libtiff may
	require this library to successfully link so static linkage could
	fail if searching for libzstd is disabled.

	* magick/image.h ("C"): ZSTDCompression added to CompressionType
	enumeration.

	* coders/tiff.c (WriteTIFFImage): Support Zstd compression in
	TIFF.  This requires a libtiff release after 4.0.9.

2018-10-10  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/command.c (GMCommandSingle): Add 'compare' to the list of
	command names that gm will support as a command if copied to or
	linked from that name.  There was already a 'compare' link
	installed when the '--enable-magick-compat' configure option is
	used, but it could not possibly function without being blessed by
	this list.  Related to Debian bug #910652
	"graphicsmagick-imagemagick-compat: Doesn't ship a compare tool".

2018-09-30  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* Magick++/lib/Magick++/Drawable.h: Block unused-private-field
	warnings from Clang due to _dummy members which were intentionally
	included in some parent class definitions.

	* magick/widget.c (XEditText): Fix compilation warnings about
	cases which fall-through.

	* magick/display.c (MagickXAnnotateEditImage): Fix compilation
	warnings about cases which fall-through.
	* coders/pict.c (WritePICTImage): Add more checks to memory
	allocation calculations.

	* magick/pixel_cache.c (DestroyCacheInfo): Eliminate intentional
	fall-through logic in switch statement which results in compiler
	warnings.  Eliminate switch statements entirely and split
	unrelated logic.

	* coders/txt.c (ReadTXTImage): Fix comparison between pointer and
	'\0' rather than NULL as was obviously intended.

	* coders/msl.c (MSLStartElement): Add missing 'break' statements
	after ThrowException() calls.  Otherwise execution falls through
	into unrelated switch cases and throws a redundant exception.

2018-09-29  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/meta.c (parse8BIM): Eliminate repeated use of strlen()
	which scans the entire remaining string on each cycle.  Fixes
	oss-fuzz 10667 "graphicsmagick/coder_IPTCTEXT_fuzzer: Timeout in
	graphicsmagick_coder_IPTCTEXT_fuzzer".  (Credit to OSS-Fuzz)

2018-09-26  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/utility.c (MagickGetToken): Fix possible read up to four
	bytes beyond end of stack allocated token buffer.  Fixes oss-fuzz
	10653 "graphicsmagick/coder_MVG_fuzzer: Stack-buffer-overflow in
	MagickGetToken".  (Credit to OSS-Fuzz)

2018-09-22  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* fuzzing/coder_fuzzer.cc (LLVMFuzzerTestOneInput): Limit the
	maximum number of JPEG progressive scans to 50.

	* coders/jpeg.c (ReadJPEGImage): Apply a default limit of 100
	progressive scans before the reader quits with an error.  This
	limit may be adjusted using the -define mechanism like -define
	JPEG:max-scan-number=500.  Also respond more quickly to files
	which exceed the maximum image dimensions.  Fixes oss-fuzz 10258
	"graphicsmagick/coder_JPEG_fuzzer: Timeout in
	graphicsmagick_coder_JPEG_fuzzer".
	(Credit to OSS-Fuzz)

2018-09-20  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/png.c (ReadMNGImage): mng_LOOP chunk must be at least 5
	bytes long.  Fixes oss-fuzz 10455
	"graphicsmagick/coder_MNG_fuzzer: Use-of-uninitialized-value in
	ReadMNGImage".  (Credit to OSS-Fuzz)

2018-09-15  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/render.c (TraceEllipse): Detect arithmetic overflow when
	computing the number of points to allocate for an ellipse.  Fixes
	oss-fuzz 10306 "graphicsmagick/coder_MVG_fuzzer:
	Heap-buffer-overflow in TracePoint".  (Credit to OSS-Fuzz)

2018-09-12  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/attribute.c (GenerateEXIFAttribute): Eliminate undefined
	shift.  Also right-sized involved data types.  Fixes oss-fuzz
	10309 "graphicsmagick/coder_JPG_fuzzer: Undefined-shift in
	Read32s".  (Credit to OSS-Fuzz)

2018-09-09  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/render.c (DrawClipPath): Fix Coverity 319663 "Null
	pointer dereferences".  Totally insignificant.

	* coders/wpg.c (ReadWPGImage): Mask/fix Coverity 319664 "Error
	handling issues".

	* magick/attribute.c (FindEXIFAttribute): Change size types from
	signed to unsigned and check for unsigned overflow.
	(GenerateEXIFAttribute): Change size types from signed to unsigned
	and check for unsigned overflow.  Fixes oss-fuzz 10283
	"graphicsmagick/coder_JPG_fuzzer: Integer-overflow in
	GenerateEXIFAttribute".  (Credit to OSS-Fuzz)

	* coders/sfw.c (ReadSFWImage): Enforce that file is read using the
	JPEG reader.  (Credit to OSS-Fuzz)

	* coders/miff.c (ReadMIFFImage): Fix leak of 'values' buffer due
	to change made yesterday.

	* coders/mpc.c (ReadMPCImage): Fix leak of 'values' buffer due to
	change made yesterday.  Fixes oss-fuzz 10277
	"graphicsmagick/coder_MPC_fuzzer: Direct-leak in
	ReadMPCImage".
	(Credit to OSS-Fuzz)

2018-09-08  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/miff.c (ReadMIFFImage): Support legacy keyword
	'color-profile' for ICC color profile as was used by ImageMagick
	4.2.9.

	* coders/mpc.c (ReadMPCImage): Require that first keyword/value be
	id=MagickCache

	* coders/miff.c (ReadMIFFImage): Require that first keyword/value
	be id=ImageMagick.

2018-09-06  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/dcm.c (DCM_ReadElement): Add more size checks.

	* coders/jnx.c (ExtractTileJPG): Enforce that JPEG tiles are read
	by the JPEG coder.  Fixes oss-fuzz 10147
	"graphicsmagick/coder_JNX_fuzzer: Use-of-uninitialized-value in
	funcDCM_PhotometricInterpretation".  (Credit to OSS-Fuzz)

2018-09-10  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* coders/wpg.c Zero fill raster error recovery.

2018-08-29  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/render.c (ConvertPrimitiveToPath): Second attempt to
	prevent heap write overflow of PathInfo array.  Fixes oss-fuzz
	10096 "Heap-buffer-overflow in ConvertPrimitiveToPath".  (Credit to
	OSS-Fuzz)

2018-08-25  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/tiff.c ("QuantumTransferMode"): CIE Log images with an
	alpha channel are not supported.  Fixes oss-fuzz 10013
	"graphicsmagick/coder_TIFF_fuzzer: Use-of-uninitialized-value in
	DisassociateAlphaRegion".  (Credit to OSS-Fuzz)

	* magick/render.c (DrawImage): SetImageAttribute() appends new
	text to any existing value, leading to ever increasing memory
	consumption if the existing value is not deleted first by the
	unwary.  Fixes oss-fuzz 9983 "graphicsmagick/coder_MVG_fuzzer:
	Timeout in graphicsmagick_coder_MVG_fuzzer" and oss-fuzz 10016
	"graphicsmagick/coder_MVG_fuzzer: Out-of-memory in
	graphicsmagick_coder_MVG_fuzzer".
	(Credit to OSS-Fuzz)

	* magick/utility.c (TranslateTextEx): Fix off-by-one in loop
	bounds check which allowed a one-byte stack write overflow.  Fixes
	oss-fuzz 10055 "graphicsmagick/coder_MVG_fuzzer:
	Stack-buffer-overflow in TranslateTextEx".  (Credit to OSS-Fuzz)

	* magick/render.c (DrawImage): Be more precise about error
	detection and reporting, and return from an error more quickly.
	Also added MAX_DRAWIMAGE_RECURSION pre-processor definition to
	allow adjusting the drawing recursion limit.  The drawing
	recursion limit is still 100, which seems exceptionally generous.

	* magick/constitute.c (WriteImage): Produce a more useful error
	message if an encoding delegate is not available.

	* magick/nt_base.h (isnan): Try adding a MSVC replacement for
	missing isnan() function.  Not yet tested.

2018-08-25  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* coders/wpg.c This should fix intentional 64 bit file offset
	overflow as depicted in OSS-fuzz-9936.  Thanks to OSS-Fuzz.

2018-08-22  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/render.c (ConvertPrimitiveToPath): Need to enlarge
	PathInfo array allocation to avoid possible heap write overflow.
	Fixes oss-fuzz 9651 "graphicsmagick/coder_MVG_fuzzer:
	Heap-buffer-overflow in ConvertPrimitiveToPath".  (Credit to
	OSS-Fuzz)

2018-08-20  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/mpc.c (ReadMPCImage): Insist that the format be
	identified prior to any comment, and that there is only one
	comment.

	* coders/miff.c (ReadMIFFImage): Insist that the format be
	identified prior to any comment, and that there is only one
	comment.  Fixes oss-fuzz 9979 "graphicsmagick/coder_MIFF_fuzzer:
	Timeout in graphicsmagick_coder_MIFF_fuzzer".  This is not a
	serious issue, but the code runs slowly under UBSAN.
	(Credit to OSS-Fuzz)

2018-08-19  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/utility.c (MagickAtoFChk): Add additional validation
	checks for floating point values.  NAN and +/- INFINITY values
	also map to 0.0.  Fixes oss-fuzz 9630
	"graphicsmagick/coder_MVG_fuzzer: Integer-overflow in
	IsNexusInCore" and oss-fuzz 9612 "graphicsmagick/coder_MVG_fuzzer:
	Integer-overflow in SetCacheNexus".  (Credit to OSS-Fuzz)

	* magick/render.c (DrawImage): Add missing error-reporting logic
	to return immediately upon memory reallocation failure.  Apply
	memory resource limits to PrimitiveInfo array allocation.  Fixes
	oss-fuzz 9576 "graphicsmagick/coder_MVG_fuzzer: Null-dereference
	READ in DrawImage", oss-fuzz 9593
	"graphicsmagick/coder_MVG_fuzzer: Out-of-memory in
	graphicsmagick_coder_MVG_fuzzer", oss-fuzz 9648
	"graphicsmagick/coder_MVG_fuzzer: Unknown signal in
	DrawImage".  (Credit to OSS-Fuzz)

2018-08-16  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* coder/mat.c Explicitly reject non-seekable streams.

2018-08-15  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* coder/mat.c Correctly check GetBlobSize(image) even for zipstreams.

2018-08-14  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* coders/mat.c More aggressive data corruption checking.

2018-08-09  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/xbm.c (XBMInteger): Limit the number of hex digits parsed
	to avoid signed integer overflow.  Fixes oss-fuzz 9746
	"graphicsmagick/coder_XBM_fuzzer: Undefined-shift in
	XBMInteger".  (Credit to OSS-Fuzz)

2018-08-07  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* coders/mat.c Typecast difference to quantum.

2018-08-05  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/mat.c (InsertComplexFloatRow): Avoid signed
	overflow.  Fixes oss-fuzz 9667 "graphicsmagick/coder_MAT_fuzzer:
	Integer-overflow in InsertComplexFloatRow".
	(Credit to OSS-Fuzz)

	* coders/xbm.c (ReadXBMImage): Add validations for row and column
	dimensions.  Fixes oss-fuzz 9736 "graphicsmagick/coder_XBM_fuzzer:
	Out-of-memory in graphicsmagick_coder_XBM_fuzzer".  (Credit to
	OSS-Fuzz)

2018-08-04  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* coders/wpg.c Add mechanism to approve embedded subformats in
	WPG.  This should mute oss-fuzz 9559.  (Credit to OSS-Fuzz)

2018-07-24  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/mvg.c (ReadMVGImage): Fix memory leak added on
	2018-07-21.  Fixes oss-fuzz 9548 "graphicsmagick/coder_MVG_fuzzer:
	Direct-leak in CloneDrawInfo".  (Credit to OSS-Fuzz)

2018-07-23  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/cineon.c (ReadCINEONImage): Fix SourceForge issue 571
	"Unexpected hang on a crafted Cineon image" by detecting and
	quitting on EOF appropriately, and verifying that file size is
	sufficient for claimed pixel dimensions when possible.

	* fuzzing/oss-fuzz-build.sh, fuzzing/dictionaries/MVG.dict: Added
	MVG fuzzing dictionary by Alex Gaynor.

2018-07-22  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/pixel_cache.c (SetNexus): For requests one pixel tall,
	SetNexus() was wrongly using pixels in-core rather than using a
	staging area for the case where the nexus rows extend beyond the
	image raster boundary, leading to heap overflow.  This can happen
	when virtual pixels outside the image bounds are accessed.  Fixes
	oss-fuzz 9512 "graphicsmagick/graphicsmagick_coder_MVG_fuzzer:
	Heap-buffer-overflow in AcquireCacheNexus".  (Credit to OSS-Fuzz)

	* magick/render.c (ExtractTokensBetweenPushPop):
	ExtractTokensBetweenPushPop() needs to always return a valid
	pointer into the primitive string.  Fixes oss-fuzz 9511
	"graphicsmagick/graphicsmagick_coder_MVG_fuzzer: Null-dereference
	READ in DrawImage".
	(Credit to OSS-Fuzz)
	(DrawPolygonPrimitive): Fix leak of polygon set when object is
	completely outside image.  Fixes oss-fuzz 9513
	"graphicsmagick/graphicsmagick_coder_MVG_fuzzer: Direct-leak in
	AllocateThreadViewDataSet".  (Credit to OSS-Fuzz)

2018-07-21  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/blob.c (FileToBlob): Use confirm access APIs to verify
	that read access to this path is allowed by policy.  Check that
	file is a regular file before proceeding to open and read from it.

	* coders/mvg.c (ReadMVGImage): Don't allow MVG files to side-load
	a file as the drawing primitive using '@' syntax.  Fixes oss-fuzz
	9494 "graphicsmagick/coder_MVG_fuzzer: Sanitizer CHECK failure in
	"((0)) != (0)" (0x0, 0x0)".  (Credit to OSS-Fuzz)

2018-07-19  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/mvg.c (ReadMVGImage): Don't assume that in-memory MVG
	blob is a null-terminated C string.  Fixes oss-fuzz 9469
	"graphicsmagick/coder_MVG_fuzzer: Heap-buffer-overflow in
	AllocateString".  (Credit to OSS-Fuzz)

2018-07-12  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/miff.c (ReadMIFFImage): Detect EOF when reading using
	ReadBlobZC() and avoid subsequent heap read overflow.  Fixes
	oss-fuzz 9357 "graphicsmagick/coder_MIFF_fuzzer:
	Heap-buffer-overflow in ImportRGBQuantumType".  (Credit to
	OSS-Fuzz)

2018-07-11  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* fuzzing/oss-fuzz-build.sh (CFLAGS): Try disabling SIMD
	instructions in libjpeg-turbo build.

2018-07-10  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/png.c (WriteOnePNGImage): Free png_pixels as soon as
	possible.  This might help with oss-fuzz 9334
	"graphicsmagick/coder_PNG8_fuzzer: Direct-leak in
	WriteOnePNGImage", which we have yet to reproduce.  It is not
	clear if png_pixels is being clobbered by longjmp or if something
	else is going on.
2018-06-26  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/jpeg.c (ReadJPEGImage): Provide a memory resource limit
	(of 1/5th the memory resource limit for GraphicsMagick) to libjpeg
	to limit how much memory it might consume for itself while reading
	a file.  Fixes oss-fuzz 9096 "graphicsmagick/coder_JPEG_fuzzer:
	Timeout in graphicsmagick_coder_JPEG_fuzzer".  (Credit to
	OSS-Fuzz)
	(ReadJPEGImage): Make sure that JPEG pixels array is initialized
	in case libjpeg fails to completely initialize it.  May fix
	oss-fuzz 9115 "graphicsmagick/coder_JPEG_fuzzer:
	Use-of-uninitialized-value in ReadJPEGImage".  We are not sure
	since the problem was not reproduced.  (Credit to OSS-Fuzz)

2018-06-23  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* version.sh: Update library versioning for 1.3.30 release.

	* NEWS.txt: Update news for 1.3.30 release.

2018-06-22  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/dpx.c (ReadDPXImage): Report exception on EOF while
	reading DPX pixel data.  Fixes oss-fuzz 8104
	"graphicsmagick/coder_DPX_fuzzer: Use-of-uninitialized-value in
	WriteDPXImage", oss-fuzz 8297 "graphicsmagick/enhance_fuzzer:
	Use-of-uninitialized-value in EnhanceImage", and oss-fuzz 8133
	"graphicsmagick/coder_DPX_fuzzer: Use-of-uninitialized-value in
	RGBTransformPackets".  (Credit to OSS-Fuzz)

2018-06-20  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/cmyk.c (ReadCMYKImage): Free scanline buffer in error
	path.  Fixes SourceForge issue #567 "small memory leak in rgb.c,
	gray.c and cmyk.c" reported by Petr Gajdos.

	* coders/gray.c (ReadGRAYImage): Free scanline buffer in error
	path.  Fixes SourceForge issue #567 "small memory leak in rgb.c,
	gray.c and cmyk.c" reported by Petr Gajdos.

	* coders/rgb.c (ReadRGBImage): Free scanline buffer in error
	path.
	Fixes SourceForge issue #567 "small memory leak in rgb.c,
	gray.c and cmyk.c" reported by Petr Gajdos.

	* coders/jpeg.c (ReadJPEGImage): Avoid memory leak of profile
	buffer when longjmp-based exception is thrown while reading a
	profile.  Fixes oss-fuzz 8957 "graphicsmagick/enhance_fuzzer:
	Direct-leak in ReadGenericProfile".  (Credit to OSS-Fuzz)

2018-06-17  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/xcf.c (load_level): Make sure to free 'tile_image' before
	returning exception.  Fixes oss-fuzz 8935
	"graphicsmagick/coder_XCF_fuzzer: Indirect-leak in
	CloneImage".  (Credit to OSS-Fuzz)

	* coders/jpeg.c (ReadJPEGImage): Allow three warnings of any given
	type before promoting the next warning of the same type to a hard
	error.  The warning limit may be adjusted by the user using
	-define jpeg:max-warnings=<value>.  Fixes oss-fuzz 8704
	"graphicsmagick/coder_JPG_fuzzer: Out-of-memory in
	graphicsmagick_coder_JPG_fuzzer".  (Credit to OSS-Fuzz)

	* coders/png.c (ReadPNGImage): Detect EOF when reading
	magic_number.  Fixes oss-fuzz 8944
	"graphicsmagick/coder_PNG_fuzzer: Use-of-uninitialized-value in
	ReadPNGImage".  (Credit to OSS-Fuzz)
	(ReadPNGImage, ReadJNGImage): Make sure that return value of
	ReadBlob() is always checked to detect EOF.

2018-06-16  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/tiff.c (ReadTIFFImage): Re-structure exception reporting
	so that QuantumTransferMode() exceptions thrown for
	PLANARCONFIG_SEPARATE images are handled immediately.  Fixes
	oss-fuzz 8896 "graphicsmagick/coder_BIGTIFF_fuzzer:
	Use-of-uninitialized-value in DisassociateAlphaRegion".  (Credit to
	OSS-Fuzz)
	(ReadTIFFImage): tsize_t is a signed type so be prepared for
	unexpected negative values produced by libtiff size functions.
	Fixes oss-fuzz 8934 "graphicsmagick/coder_TIFF_fuzzer: Sanitizer
	CHECK failure in "((0)) != (0)" (0x0, 0x0)". (Credit to OSS-Fuzz)

2018-06-16  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* coders/wpg.c Fix oss-fuzz 7735 "graphicsmagick/coder_WPG_fuzzer:
	Use-of-uninitialized-value in ReadWPGImage". (Credit to OSS-Fuzz)

2018-06-11  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/png.c (ReadMNGImage): ENDL chunk must be at least one
	byte in size. Fixes oss-fuzz 8832
	"graphicsmagick/coder_MNG_fuzzer: Null-dereference READ in
	ReadMNGImage". (Credit to OSS-Fuzz)
	(ReadMNGImage): Length of DISC chunk must be evenly divisible by
	2. Fixes oss-fuzz 8834 "graphicsmagick/coder_MNG_fuzzer:
	Heap-buffer-overflow in ReadMNGImage". (Credit to OSS-Fuzz)

2018-06-10  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/mpc.c (ReadMPCImage): Detect end of file while reading
	image directory. Similar to MIFF fixes for ImageMagick
	CVE-2017-18272.
	(RegisterMPCImage): Require seekable stream since MPC is strictly
	a file-based format and so GetBlobSize() is assured to work.
	Similar to MIFF behavior. Claimed to be part of the resolution
	for ImageMagick CVE-2017-11449. Suggested by Petr Gajdos via
	email on January 3, 2018.

2018-06-09  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/miff.c (ReadMIFFImage): Detect end of file while reading
	image directory. Fixes SourceForge issue 565 "ImageMagick
	CVE-2017-18272 applies to GraphicsMagick". Thanks to Petr Gajdos
	for reporting this issue to us.

	* magick/import.c (ImportViewPixelArea): Use appropriate
	bits_per_sample validations for FloatQuantumSampleType. Fixes
	oss-fuzz 8780 "graphicsmagick/coder_PTIF_fuzzer:
	Use-of-uninitialized-value in HorizontalFilter".
	(Credit to OSS-Fuzz)

2018-06-09  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* coders/mat.c More than 4GiB are not supported in MAT!

2018-06-09  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/mat.c (ReadMATImage): Add casts to avoid arithmetic
	overflow when computing size and offsets. Fixes oss-fuzz 8801
	"graphicsmagick/coder_MAT_fuzzer: Timeout in
	graphicsmagick_coder_MAT_fuzzer". (Credit to OSS-Fuzz)

	* magick/blob.c (ReadBlobLSBDoubles, ReadBlobMSBDoubles): Only
	byte-swap doubles or test doubles for NAN if we have read enough
	bytes for at least one double value.
	(ReadBlob): Add an assertion to enforce that ReadBlob() will never
	report reading more bytes than requested due to some
	implementation issue.

2018-06-08  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/blob.c (ReadBlob, WriteBlob): gzread(), BZ2_bzread(),
	gzwrite(), BZ2_bzwrite() return type 'int' rather than 'size_t'
	like their stdio equivalents. Use correct signed type to avoid
	returning a negative value into an unsigned type, forming a huge
	positive value. Fixes oss-fuzz 8600
	"graphicsmagick/coder_MAT_fuzzer: Heap-buffer-overflow in
	ReadBlobLSBDoubles". (Credit to OSS-Fuzz)

2018-06-07  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/png.c (png_read_raw_profile): Try to shore up parsing of
	raw profile reading to avoid heap read overruns. Fixes oss-fuzz
	8763 "graphicsmagick/coder_PNG32_fuzzer: Heap-buffer-overflow in
	png_read_raw_profile". (Credit to OSS-Fuzz)

2018-06-07  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* coders/mat.c Reduce stack usage for 64 bit architecture.

2018-06-06  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* coders/wpg.c Check return values of SeekBlob for more safety.
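The 2018-06-08 ReadBlob/WriteBlob entry above describes what happens when the 'int' result of gzread()/BZ2_bzread() is stored into a 'size_t'. The following is an added example, not GraphicsMagick code: a hypothetical fake_gzread() stream stands in for the real zlib/bzlib call, the payload bytes are constructed, and the two read_blob_* functions contrast the pre-fix and post-fix handling of the return value.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a zlib/bzlib compressed stream. Like the real
 * gzread()/BZ2_bzread(), fake_gzread() returns 'int' and signals an error
 * with a negative value; 'fail' models a corrupt stream. */
typedef struct {
  const unsigned char *data;   /* constructed payload */
  size_t length;
  size_t offset;
  int fail;
} FakeZipStream;

static int fake_gzread(FakeZipStream *s, void *buf, unsigned int len) {
  if (s->fail)
    return -1;                   /* error, exactly as gzread() reports it */
  size_t avail = s->length - s->offset;
  size_t n = (len < avail) ? len : avail;
  memcpy(buf, s->data + s->offset, n);
  s->offset += n;
  return (int) n;
}

/* Pre-fix pattern: the int result is stored straight into size_t, so -1
 * silently becomes SIZE_MAX. A caller that then byte-swaps or scans
 * 'count' bytes of 'data' reads far beyond its buffer, which is the
 * heap-buffer-overflow class OSS-Fuzz reported in ReadBlobLSBDoubles. */
size_t read_blob_unchecked(FakeZipStream *s, size_t length, void *data) {
  size_t count;
  count = fake_gzread(s, data, (unsigned int) length);
  return count;
}

/* Post-fix pattern: keep the signed type until the sign has been inspected,
 * clamp the request to what 'int' can represent, and never let a negative
 * value reach the unsigned return type. */
size_t read_blob_checked(FakeZipStream *s, size_t length, void *data) {
  int count;
  if (length > (size_t) INT_MAX)
    length = (size_t) INT_MAX;
  count = fake_gzread(s, data, (unsigned int) length);
  if (count < 0)
    return 0;                    /* nothing usable read; caller treats as EOF/error */
  return (size_t) count;
}

/* Constructed 5-byte payload used by the demonstrations below. */
static const unsigned char kPayload[] = { 0x01, 0x02, 0x03, 0x04, 0x05 };

/* Byte count the pre-fix pattern reports for a failing stream. */
size_t demo_unchecked_on_error(void) {
  unsigned char buf[8] = {0};
  FakeZipStream s = { kPayload, sizeof kPayload, 0, 1 };
  return read_blob_unchecked(&s, sizeof buf, buf);
}

/* Byte count the post-fix pattern reports for the same failing stream. */
size_t demo_checked_on_error(void) {
  unsigned char buf[8] = {0};
  FakeZipStream s = { kPayload, sizeof kPayload, 0, 1 };
  return read_blob_checked(&s, sizeof buf, buf);
}

/* Short read on a healthy stream: both patterns agree, so the fix only
 * changes behaviour on the error path. */
size_t demo_checked_short_read(void) {
  unsigned char buf[8] = {0};
  FakeZipStream s = { kPayload, sizeof kPayload, 0, 0 };
  return read_blob_checked(&s, sizeof buf, buf);
}

int main(void) {
  printf("unchecked on error: %zu\n", demo_unchecked_on_error());
  printf("checked on error:   %zu\n", demo_checked_on_error());
  printf("checked short read: %zu\n", demo_checked_short_read());
  return 0;
}
```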

2018-06-06  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/png.c (ReadOneJNGImage): Use DestroyImageList() rather
	than DestroyImage() on returned Image from supposed read of JPEG
	data, in case multiple frames were unexpectedly returned. Also
	add "JPEG:" prefix to filename when reading from temporary file to
	force that it can only be read as a JPEG file, disabling format
	auto-detection based on file header. Fixes oss-fuzz 8755
	"graphicsmagick/coder_JNG_fuzzer: Indirect-leak in
	AllocateImage". (Credit to OSS-Fuzz)

2018-06-05  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/blob.c (EOFBlob): Implement EOF detection for ZipStream.
	Does some archaic zlib not provide gzeof()? Fixes oss-fuzz 8550
	"graphicsmagick/coder_MAT_fuzzer: Timeout in
	graphicsmagick_coder_MAT_fuzzer". (Credit to OSS-Fuzz)

2018-06-04  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/png.c (ReadOnePNGImage): Skip adding empty raw profile.
	Fixes oss-fuzz "graphicsmagick/coder_PNG_fuzzer:
	Heap-buffer-overflow in png_read_raw_profile". (Credit to
	OSS-Fuzz)

2018-06-03  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* NEWS.txt: Update NEWS with latest changes.

	* coders/dcm.c (DCM_ReadRGBImage): Force the image to DirectClass
	to avoid later use of uninitialized indexes. Fixes oss-fuzz 8602
	"graphicsmagick/coder_DCM_fuzzer: Use-of-uninitialized-value in
	DCM_PostRescaleImage". (Credit to OSS-Fuzz)
	(DCM_ReadPlanarRGBImage): Force the image to DirectClass to avoid
	later use of uninitialized indexes.

	* coders/png.c (ReadMNGImage): Free chunk memory in error
	reporting path to avoid leak. Fixes oss-fuzz 8721
	"graphicsmagick/coder_MNG_fuzzer: Direct-leak in
	ReadMNGImage".
	(Credit to OSS-Fuzz)

2018-06-02  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* magick/constitute.c (ReadImage): Assure that an error exception
	is thrown if coder returns null without properly reporting an
	exception.

	* magick/blob.c (BlobToImage): Assure that an error exception is
	thrown if coder returns null without properly reporting an
	exception.

	* coders/png.c (ReadMNGImage): Disable mystery "linked list is
	corrupted" code. Assure that exceptions are reported to the
	correct place so they are not lost. Fixes oss-fuzz 8710
	"graphicsmagick/coder_MNG_fuzzer: Indirect-leak in
	AllocateImage". (Credit to OSS-Fuzz)

	* coders/tiff.c (ReadTIFFImage): Initialize allocated scanline,
	strip, or tile to zero in order to avoid complaint about use of
	uninitialized data if libtiff fails to write all the bytes. Fixes
	oss-fuzz 8551 "graphicsmagick/coder_TIFF_fuzzer:
	Use-of-uninitialized-value in ImportGrayQuantumType". (Credit to
	OSS-Fuzz)

	* magick/annotate.c (RenderFreetype): Throw an exception if
	DrawInfo font is null. Should fix oss-fuzz 8557
	"graphicsmagick/coder_PCD_fuzzer: Unknown signal in
	RenderFreetype" and may fix oss-fuzz 8544
	"graphicsmagick/coder_PCD_fuzzer: Null-dereference READ in
	RenderFreetype". (Credit to OSS-Fuzz)

	* coders/jpeg.c (ReadGenericProfile): Add/improve tracing for
	profile size and when JPEG header is being read.

2018-06-01  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/png.c (ReadOneJNGImage): Report a useful exception for
	the case when the JNG file fails to provide the necessary image
	chunks to allocate the color image. Inspired by oss-fuzz 8666
	"graphicsmagick/coder_JNG_fuzzer: ASSERT: data != (const char *)
	NULL" although the reported issue was not reproduced.

2018-05-31  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/png.c (ReadMNGImage): Fix off-by-one in length validation
	for TERM chunk which allowed one byte heap read overflow. Fixes
	oss-fuzz 8615 "graphicsmagick/coder_MNG_fuzzer:
	Heap-buffer-overflow in mng_get_long". (Credit to OSS-Fuzz)
	(ReadMNGImage): Fix leak of MngInfo in error reporting path.
	Fixes oss-fuzz 8604 "graphicsmagick/coder_MNG_fuzzer: Direct-leak
	in ReadMNGImage". (Credit to OSS-Fuzz)
	(ReadMNGImage): Verify that claimed chunk size does not exceed
	input size. Fixes oss-fuzz 8564 "graphicsmagick/coder_MNG_fuzzer:
	Out-of-memory in graphicsmagick_coder_MNG_fuzzer". (Credit to
	OSS-Fuzz)

	* coders/tiff.c (ReadTIFFImage): Reject files with excessive
	samples-per-pixel or extra-samples. Avoids potential issues
	observed in oss-fuzz 8634 "graphicsmagick/coder_BIGTIFF_fuzzer:
	Undefined-shift in ImportAlphaQuantumType". (Credit to OSS-Fuzz)

2018-05-30  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/png.c (ReadMNGImage): Assure that object id index is
	always less than MNG_MAX_OBJECTS to avoid overflow. Fixes
	oss-fuzz 8596 "graphicsmagick/coder_MNG_fuzzer:
	Index-out-of-bounds in ReadMNGImage" and likely other issues yet
	to be reported. (Credit to OSS-Fuzz)

2018-05-30  Greg Wolfe  <gregory.wolfe@kodakalaris.com>

	* magick/render.c (CompareEdges): Per ticket #562,
	function CompareEdges() did not conform to the qsort()
	requirement that if CompareEdges(edge0,edge1) returns
	-1 (i.e., edge0 "less than" edge1), then
	CompareEdges(edge1,edge0) should return 1 (edge1
	"greater than" edge0). This has been fixed.

2018-05-30  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/png.c (ReadOneJNGImage): Deal with JDAA JNG chunk with
	length zero. Fixes oss-fuzz 8562
	"graphicsmagick/coder_JNG_fuzzer: ASSERT: data != (const char *)
	NULL".
	(Credit to OSS-Fuzz)

	* coders/tiff.c (ReadTIFFImage): Check that the bits-per-sample is
	supported by the implementation before attempting to decode the
	image. Fixes oss-fuzz 8554 "graphicsmagick/coder_BIGTIFF_fuzzer:
	Undefined-shift in MagickBitStreamMSBWrite". (Credit to OSS-Fuzz)

	* coders/png.c (ReadMNGImage): Eliminate use of uninitialized
	header magic data by checking for EOF first. Fixes oss-fuzz 8597
	"graphicsmagick/coder_MNG_fuzzer: Use-of-uninitialized-value in
	ReadMNGImage". (Credit to OSS-Fuzz)

2018-05-25  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* fuzzing/oss-fuzz-build.sh: More fixes based on what is observed
	in oss-fuzz build log.

2018-05-24  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* coders/jnx.c The attribute should belong to only one scene and
	not to whole image list.

2018-05-24  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* fuzzing/oss-fuzz-build.sh: Changes to add CPPFLAGS to configure
	executions to hopefully get oss-fuzz build closer to success.

2018-05-23  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* PerlMagick/t/jpeg/read.t: Add a JNX reader test case.

	* coders/jnx.c (ReadJNXImage): JNX image depth should be 8.

	* fuzzing/oss-fuzz-build.sh: Apply patch from Alex Gaynor to
	switch libpng to autotools build system, as well as configure
	GraphicsMagick with '--with-quantum-depth=16'.

2018-05-22  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/tiff.c (ReadTIFFImage): Validate tile memory requests for
	the TIFFReadRGBATile() case in the same way as the TIFFReadTile()
	case. Fixes oss-fuzz 8434 "graphicsmagick/coder_BIGTIFF_fuzzer:
	Out-of-memory in graphicsmagick_coder_BIGTIFF_fuzzer".
	(Credit to
	OSS-Fuzz)

2018-05-21  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/tile.c (ReadTILEImage): Remove any existing size request
	when while image to tile. This avoids size being used for both
	the input image size and the tile image size. Fixes SourceForge
	issue #563 "tile:<image> appears to blow image up by 100% before
	applying tiling".

2018-05-20  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* fuzzing/oss-fuzz-build.sh: Patch from Paul Kehrer to disable
	libpng test programs and binaries while building libpng in support
	of oss-fuzz testing.

	* coders/dcm.c (DCM_ReadGrayscaleImage): If a palette was
	provided, the image may be in PseudoClass but we need DirectClass
	for gray image when GRAYSCALE_USES_PALETTE is not defined. Fixes
	oss-fuzz 7550 "graphicsmagick/coder_DCM_fuzzer:
	Use-of-uninitialized-value in SyncImageCallBack". (Credit to
	OSS-Fuzz)
	(ReadDCMImage): Restore use of DCM_PostRescaleImage() in order to
	obtain suitably scaled DICOM again. Hopefully it is more robust
	now.
	(DCM_ReadPaletteImage): Assure that DirectClass pixels are
	initialized.

2018-05-19  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/tiff.c (ReadTIFFImage): Remove strange addition of
	image->columns to pixel buffer offsets which now causes a heap
	overflow since the buffer has been right-sized. Perhaps the extra
	offset plus the over-sized allocation was some attempt to avoid
	buffer over/underflows due to bugs in libtiff. Fixes oss-fuzz 8384
	"graphicsmagick/coder_BIGTIFF_fuzzer: Heap-buffer-overflow in
	put1bitbwtile" which is described to be a regression. (Credit to
	OSS-Fuzz)

	* magick/render.c (DrawImage): Fix wrong range checks which caused
	spurious "Parsing of SVG images fail with "Non-conforming drawing
	primitive definition (push)" failure.
	Fixes SourceForge issue 561
	"Parsing of SVG images fail with "Non-conforming drawing primitive
	definition (push)"" which is due to problems caused by the fix for
	SourceForge issue 517.

	* coders/tiff.c (WritePTIFImage): Use '-define
	ptif:minimum-geometry=<geometry>' to specify the smallest
	subresolution frame which is produced by the PTIF (Pyramid TIFF)
	writer.

2018-05-18  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/tiff.c (WritePTIFImage): Allow 1x1 input image to be
	supported.

	* coders/png.c (ReadOneJNGImage): Unconditionally free JDAT chunk
	memory. Fixes oss-fuzz 8366 "graphicsmagick/coder_JNG_fuzzer:
	Direct-leak in ReadOneJNGImage". (Credit to OSS-Fuzz)

	* coders/tiff.c (WritePTIFImage): Fix leak of pyramid Image list
	if ResizeImage() fails. Fixes oss-fuzz 8364
	"graphicsmagick/coder_PTIF_fuzzer: Indirect-leak in
	CloneImage". (Credit to OSS-Fuzz)

2018-05-17  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/tiff.c (WriteTIFFImage): Add and use
	ThrowTIFFWriterException() macro to consistently clean-up when
	throwing writer exception. May fix oss-fuzz 8321
	"graphicsmagick/coder_EPT_fuzzer: Direct-leak in
	TIFFClientOpen". (Credit to OSS-Fuzz)
	(ReadTIFFImage): Add and use ThrowTIFFReaderException() macro to
	consistently clean-up when throwing reader exception.
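For the 2018-05-30 CompareEdges entry above (the qsort() ordering contract), an added example that is not GraphicsMagick code: a hypothetical Edge record, a comparator constructed with an asymmetry of the kind the entry describes (the actual defect in CompareEdges() is not shown on this page), a contract-honouring comparator, and a pairwise check that flags the difference.

```c
#include <stdlib.h>

/* Hypothetical edge record for a scanline rasterizer; the real
 * GraphicsMagick edge structure is not reproduced here. */
typedef struct {
  double y_min;   /* scanline where the edge starts */
  double x_min;   /* x at y_min */
} Edge;

/* Constructed comparator with the defect class the entry describes: it
 * answers "less than" from either key independently and otherwise
 * "greater than". For two edges where one wins on y and the other wins
 * on x, both call orders return -1, and cmp(a, a) never returns 0. */
int compare_edges_asymmetric(const void *a, const void *b) {
  const Edge *e0 = a, *e1 = b;
  if (e0->y_min < e1->y_min)
    return -1;
  if (e0->x_min < e1->x_min)
    return -1;
  return 1;
}

/* Comparator that honours the qsort() contract: a strict lexicographic
 * order on (y_min, x_min) with an explicit 0 for equal keys, so
 * cmp(a, b) == -cmp(b, a) holds for every pair. */
int compare_edges_consistent(const void *a, const void *b) {
  const Edge *e0 = a, *e1 = b;
  if (e0->y_min < e1->y_min) return -1;
  if (e0->y_min > e1->y_min) return 1;
  if (e0->x_min < e1->x_min) return -1;
  if (e0->x_min > e1->x_min) return 1;
  return 0;
}

static int sign_of(int v) { return (v > 0) - (v < 0); }

/* Property check a reviewer can run over any comparator: every ordered
 * pair must satisfy sign(cmp(a,b)) == -sign(cmp(b,a)) and cmp(a,a) == 0.
 * Returns 1 when the contract holds for all pairs in 'edges', else 0. */
int comparator_is_antisymmetric(int (*cmp)(const void *, const void *),
                                const Edge *edges, size_t n) {
  for (size_t i = 0; i < n; i++) {
    if (cmp(&edges[i], &edges[i]) != 0)
      return 0;
    for (size_t j = i + 1; j < n; j++)
      if (sign_of(cmp(&edges[i], &edges[j])) !=
          -sign_of(cmp(&edges[j], &edges[i])))
        return 0;
  }
  return 1;
}

/* Constructed edges: the second starts lower on the page (larger y) than
 * the first but further left, the case that trips the asymmetric version. */
static const Edge kEdges[] = {
  { 10.0, 5.0 },
  { 20.0, 1.0 },
  { 10.0, 5.0 },
  { 15.0, 9.0 },
};
#define kEdgeCount (sizeof kEdges / sizeof kEdges[0])

int demo_asymmetric_passes_check(void) {
  return comparator_is_antisymmetric(compare_edges_asymmetric, kEdges, kEdgeCount);
}

int demo_consistent_passes_check(void) {
  return comparator_is_antisymmetric(compare_edges_consistent, kEdges, kEdgeCount);
}

/* Sorts a copy of the constructed edges with the consistent comparator and
 * returns 1 if the result is in non-decreasing (y_min, x_min) order. */
int demo_sorted_order_is_valid(void) {
  Edge copy[kEdgeCount];
  for (size_t i = 0; i < kEdgeCount; i++)
    copy[i] = kEdges[i];
  qsort(copy, kEdgeCount, sizeof copy[0], compare_edges_consistent);
  for (size_t i = 1; i < kEdgeCount; i++)
    if (compare_edges_consistent(&copy[i - 1], &copy[i]) > 0)
      return 0;
  return 1;
}
```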

2018-05-16  Greg Wolfe  <gregory.wolfe@kodakalaris.com>

	* magick/alpha_composite.h (AlphaCompositePixel): The
	macro definition for MagickAlphaCompositeQuantum in
	alpha_composite.h computes an expression of the form:

	a * b + c * d * e

	Code in function AlphaCompositePixel() (also in
	alpha_composite.h) multiplies the result of this macro
	by variable "delta" as follows:

	delta * a * b + c * d * e

	However, the intended result is actually:

	delta * ( a * b + c * d * e )

	The macro definition has been modified to enclose the
	entire expression in parentheses.

	The effects of this bug were particularly evident at the
	boundary between a stroked polygon and a transparent
	black region. More generally, an incorrect composited
	pixel value was being computed by AlphaCompositePixel()
	whenever the output alpha value was not 100% opaque.

2018-05-16  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* tests/rwblob.tap: Add a test for PTIF format.

	* coders/tiff.c (WritePTIFImage): Fix Image blob referencing in
	order to avoid double-free when writing PTIF to memory BLOB. Fixes
	oss-fuzz 8280 "graphicsmagick/coder_PTIF_fuzzer: Heap-double-free
	in Magick::BlobRef::~BlobRef". (Credit to OSS-Fuzz)

2018-05-14  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/tiff.c (WriteTIFFImage): Use libtiff's
	TIFFDefaultStripSize() function rather than an old porting macro
	required by some defunct libtiff version. Expected to fix
	oss-fuzz 8248 "graphicsmagick/coder_EPT_fuzzer:
	Floating-point-exception in WriteTIFFImage". (Credit to OSS-Fuzz)

2018-05-13  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* coders/mat.c Fix potential leak when compressed object is
	corrupted.
	Fixes oss-fuzz 8251 (Credit to OSS-Fuzz)

2018-05-13  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/tiff.c (ReadTIFFImage): Fix leak of Image when
	TIFFReadRGBAImage() reports failure. Also harden buffer
	allocation calculation. Fixes oss-fuzz 8275
	"graphicsmagick/coder_BIGTIFF_fuzzer: Indirect-leak in
	AllocateImage". (Credit to OSS-Fuzz)

	* coders/ept.c (ReadEPTImage): Add validations of 'count' and
	'filesize' read from EPT file. In response to oss-fuzz 8248
	"graphicsmagick/coder_EPT_fuzzer: Floating-point-exception in
	WriteTIFFImage" but we are unable to recreate the oss-fuzz issue
	since the EPT reader already immediately reports an EOF exception.

2018-05-12  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* fuzzing/oss-fuzz-build.sh: Apply SourceForge patch #57 "Add
	fuzzing support for jpeg + freetype delegates" by Alex Gaynor.

	* coders/png.c (read_user_chunk_callback): Fix memory leak and use
	of uninitialized memory when handling eXIf chunk. Fixes oss-fuzz
	8247 "graphicsmagick/coder_PNG24_fuzzer: Direct-leak in
	png_malloc". (Credit to OSS-Fuzz)

2018-05-11  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* fuzzing/oss-fuzz-build.sh: Apply SourceForge patch #56 "Use a
	few delegate libraries in fuzzing" by Alex Gaynor.

2018-05-10  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* tests/rwfile.tap: MIFF zip and bzip compression tests do not
	fail if zlib and bzlib are not available because the compression
	request is silently changed to no compression.

2018-05-07  Greg Wolfe  <gregory.wolfe@kodakalaris.com>

	* magick/render.c (DrawImage, InsertAttributeIntoInputStream):
	For a reference such as 'class="classname"', the "classname"
	is now allowed to be undefined.
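For the 2018-05-16 AlphaCompositePixel entry above, an added example that is not GraphicsMagick code: hypothetical macros with the stated shape of MagickAlphaCompositeQuantum, multiplied by delta the way the entry says AlphaCompositePixel() does, applied to a source-over blend of one channel with straight alpha (an assumed formula, since the entry gives only the expression shape). The constructed inputs reproduce the entry's observation that the two forms agree only when the output alpha is fully opaque.

```c
#include <stdio.h>

/* Hypothetical macros modelling the shape the entry gives (a*b + c*d*e);
 * the real MagickAlphaCompositeQuantum definition is not reproduced. */
#define COMPOSITE_QUANTUM_UNPARENTHESIZED(a, b, c, d, e) a * b + c * d * e
#define COMPOSITE_QUANTUM_PARENTHESIZED(a, b, c, d, e) ((a) * (b) + (c) * (d) * (e))

/* Assumed source-over model with straight (non-premultiplied) values in
 * [0,1]: out_alpha = sa + (1-sa)*da and the channel result is
 * delta * (sa*sc + (1-sa)*da*dc) with delta = 1/out_alpha. */
static double source_over_alpha(double sa, double da) {
  return sa + (1.0 - sa) * da;
}

/* Pre-fix form. Because the macro body is not parenthesized, the call
 * below expands to   delta * sa * sc + (1.0 - sa) * da * dc
 * so only the first term is scaled by delta. */
double composite_channel_buggy(double sa, double sc, double da, double dc) {
  double out_alpha = source_over_alpha(sa, da);
  if (out_alpha <= 0.0)
    return 0.0;                      /* both inputs fully transparent */
  double delta = 1.0 / out_alpha;
  return delta * COMPOSITE_QUANTUM_UNPARENTHESIZED(sa, sc, (1.0 - sa), da, dc);
}

/* Post-fix form: the whole sum is scaled, which is the intended
 * delta * ( a * b + c * d * e ). */
double composite_channel_fixed(double sa, double sc, double da, double dc) {
  double out_alpha = source_over_alpha(sa, da);
  if (out_alpha <= 0.0)
    return 0.0;
  double delta = 1.0 / out_alpha;
  return delta * COMPOSITE_QUANTUM_PARENTHESIZED(sa, sc, (1.0 - sa), da, dc);
}

static double absd(double x) { return x < 0.0 ? -x : x; }

/* Returns 1 when the two macro forms give the same channel value for these
 * inputs; per the entry this is expected only when out_alpha is 1.0. */
int forms_agree(double sa, double sc, double da, double dc) {
  return absd(composite_channel_buggy(sa, sc, da, dc) -
              composite_channel_fixed(sa, sc, da, dc)) < 1e-12;
}

int main(void) {
  /* Constructed case: half-opaque black source over half-opaque white. */
  printf("out_alpha < 1: buggy=%.4f fixed=%.4f agree=%d\n",
         composite_channel_buggy(0.5, 0.0, 0.5, 1.0),
         composite_channel_fixed(0.5, 0.0, 0.5, 1.0),
         forms_agree(0.5, 0.0, 0.5, 1.0));
  /* Opaque destination: out_alpha == 1, delta == 1, forms coincide. */
  printf("out_alpha = 1: agree=%d\n", forms_agree(0.5, 0.0, 1.0, 1.0));
  return 0;
}
```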

	* coders/svg.c (ProcessStyleClassDefs): Class definitions
	defined within a <style> block may now be empty.

	* These relaxed conditions are not specifically called out in
	the SVG spec as being either acceptable or unacceptable, but
	other SVG renderers (e.g., Chrome) handle them this way. These
	changes do not resolve, but are related to, ticket #307.

2018-05-05  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* utilities/Makefile.am (utilities/tests/montage.log): Fix
	dependency rule so that effects.tap is fully executed before
	execution of montage.tap starts.

2018-05-04  Greg Wolfe  <gregory.wolfe@kodakalaris.com>

	* magick/render.c (DrawImage, TraceXXX): The PrimitiveInfo
	array used to store points generated by TraceEllipse(), the
	other TraceXXX() functions, and DrawImage() was not always
	being expanded when needed, resulting in writes beyond the
	end of the currently allocated storage. To fix this problem,
	a new data structure PrimitiveInfoMgr, and an associated
	function, PrimtiveInfoRealloc(), were written to handle
	expanding the PrimitiveInfo array as needed. DrawImage() and
	the TraceXXX() functions were modified to prevent the out of
	bounds writes to memory. This fixes ticket #516.

2018-05-03  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/png.c (ReadOneJNGImage): Add more JNG chunk
	validations. Fixes an issue reported by "Trace Probe" via a
	follow-up post to SourceForge issue 437 "assertion failure in
	WriteBlob", although the issue described was not reproduced.

	* coders/meta.c (ReadMETAImage): Detect and report 8BIMTEXT and
	8BIMWTEXT decoding problems. Fixes oss-fuzz 8125
	"graphicsmagick/coder_8BIMTEXT_fuzzer: Use-of-uninitialized-value
	in format8BIM".
	(Credit to OSS-Fuzz)

2018-05-02  Greg Wolfe  <gregory.wolfe@kodakalaris.com>

	* magick/render.c (TraceStrokePolygon): Excessively
	large values of stroke-width were cascading through
	other computations, causing the function to write beyond
	the end of its array of points when the stroke-linejoin
	attribute value was "round". Code was added to reallocate
	the array of points as needed, and to limit the size of
	stroke-width (for computational purposes) to no more than
	approximately twice the diagonal size of the output image.
	Fixes ticket #515.

	* The same limit on stroke-width was applied to all other
	instances of the same computation in render.c.

2018-05-01  Greg Wolfe  <gregory.wolfe@kodakalaris.com>

	* This change set fixes ticket #471.

	* magick/render.c (DrawImage): Polylines with fewer
	than two points were being flagged as an error. The
	SVG spec has no such restriction (fixed).

	* coders/svg.c (SVGStartElement) Inner <svg> elements
	could modify the output image dimensions if a geometry
	string was supplied. Now the output image dimensions
	are determined by the outermost <svg> only.

2018-05-01  Greg Wolfe  <gregory.wolfe@kodakalaris.com>

	* magick/render.c (TraceEllipse, TraceRectangle,
	TraceRoundRectangle): Per the SVG spec, rectangles and
	round rectangles having a width or height of zero are
	not rendered. Also per the spec, ellipses having an x
	or y radius of zero are not rendered. Fixes ticket #457.

2018-04-30  Greg Wolfe  <gregory.wolfe@kodakalaris.com>

	* magick/render.h, (PrimitiveInfo), magick/render.c: Added
	member "flags" to PrimitiveInfo to support indicating closed
	shapes (e.g., rectangle, circle, path closed using 'z' or 'Z').
	Updated code in render.c (functions TraceXXX) to indicate
	closed shapes.
	This replaces the previous policy of detecting
	closed shapes by comparing the first and last points to see if
	they are identical (within MagickEpsilon). The old policy
	prevented open subpaths with the same first and last point from
	being rendered properly (per the SVG spec) when round or square
	endcaps were enabled. Part of the fix for ticket #322.

	* magick/render.c (ConvertPrimitiveToPath): Modified duplicate
	point elimination code so that the first and last points of
	a subpath are always preserved. Consequences: (1) Allows
	for the correct rendering of the sequence "move x1 y1 line
	x1 y1" with round or square endcaps. Part of the fix for
	ticket #322. (2) Fixes a bug in which eliminating the last
	point as a duplicate caused a closed shape to no longer be
	closed. This would manifest itself, for example, as a small
	"nub" on the boundary of a filled circle.

	* magick/render.c (GetPixelOpacity): Fixed a bug in the
	code that computed the distance between a point and a
	segment (polygon edge). Prior to this fix, for zero length
	segments this code would generate a divide-by-zero and
	incorrect output. Part of the fix for ticket #322.

	* magick/render.c (DrawPolygonPrimitive): Polygons/paths with
	zero or one points are no longer rendered per the SVG spec.

	* magick/render.c (DrawStrokePolygon): Per the SVG spec, a
	polygon consisting of a single move-to command is not stroked.

	* magick/render.c (TracePath): Per the SVG spec, if the
	endpoints (x1, y1) and (x2, y2) of an arc subpath are identical,
	then this is equivalent to omitting the elliptical arc segment
	entirely. For rendering purposes the zero length arc is
	treated like a zero length "line to" command to the current
	point.

	* magick/render.c (TraceStrokePolygon): Added code to detect
	zero length open subpaths and return a stroked polygon containing
	no points when round or square endcaps are not enabled. This
	satisfies the SVG spec requirement that zero length subpaths are
	only stroked if the 'stroke-linecap' property has a value of
	round or square.

	* magick/render.c (TracePath): Fixed a bug in which if a "move to"
	command was followed by additional pairs of points, indicating
	implied "line to" commands, each point was added twice.

2018-04-30  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/pcx.c (ReadPCXImage): Colormap from PCX header is only
	used if colors <= 16. Determination of DirectClass image was
	wrong. Fixes oss-fuzz 8093 "graphicsmagick/coder_PCX_fuzzer:
	Use-of-uninitialized-value in IsMonochromeImage". (Credit to
	OSS-Fuzz)

2018-04-29  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* version.sh: Updates to prepare for the 1.3.29 release.

	* coders/pict.c (DecodeImage): Assure that scanline is initialized
	to avoid use of uninitialized data. Fixes oss-fuzz 8063
	"graphicsmagick/coder_WPG_fuzzer: Use-of-uninitialized-value in
	ReadPICTImage". (Credit to OSS-Fuzz)

	* coders/dpx.c (ReadDPXImage): Assure that NULL pixels is not
	used. Fixes oss-fuzz 8078 "graphicsmagick/coder_DPX_fuzzer:
	Null-dereference WRITE in ReadDPXImage". (Credit to OSS-Fuzz)

	* NEWS.txt: Update NEWS file with information about changes since
	last release.

2018-04-28  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/dib.c (ReadDIBImage): Disable EOF tests for "ICODIB"
	subformat due to icon file provided by SourceForge issue #557
	"ErrorCorruptImage: Magick: Unexpected end-of-file ()" where an
	EOF error was reported due to no mask data being supplied.

	* coders/png.c (ReadOneJNGImage): The embedded JPEG image is
	required to have the same dimensions as the JNG image as provided
	by JHDR. Fixes SourceForge bug 555 "heap-buffer-overflow in
	AcquireCacheNexus when processing jng file". It is likely that
	this issue is precipitated by using 'montage' which seems to set a
	default non-zero image size.
	(ReadMNGImage): By default limit the maximum loops specifiable by
	the MNG LOOP chunk to 512 loops, but allow this to be modified by
	'-define mng:maximum-loops=value'. Also assure that the value is
	in the range of 0-2147483647 as per the MNG specification. This
	is to address the denial of service issue described by
	CVE-2018-10177. This problem was reported to us by Petr Gajdos
	via email on Fri, 20 Apr 2018.

	* coders/dpx.c (ReadDPXImage): Move misplaced channel validation
	code. Fixes oss-fuzz 8041 "graphicsmagick/coder_DPX_fuzzer:
	Use-of-uninitialized-value in WriteDPXImage" and oss-fuzz 8055
	"graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in
	EnhanceImage". (Credit to OSS-Fuzz)

2018-04-27  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/xpm.c (StringToListMod): Algorithm fixes to fix use of
	uninitialized data. Fixes oss-fuzz 8046
	"graphicsmagick/coder_XPM_fuzzer: Use-of-uninitialized-value in
	StringToListMod". (Credit to OSS-Fuzz)

2018-04-26  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/xpm.c (ReadXPMImage): Reduce memory consumption further.
	Hopefully fixes oss-fuzz 8013 "graphicsmagick/coder_XPM_fuzzer:
	Out-of-memory in graphicsmagick_coder_XPM_fuzzer". (Credit to
	OSS-Fuzz)

	* magick/utility.c (StringToList): Only allocate the memory
	required when converting string to an ASCII list. May or may not
	fix oss-fuzz 8013 "graphicsmagick/coder_XPM_fuzzer: Out-of-memory
	in graphicsmagick_coder_XPM_fuzzer".
	(Credit to OSS-Fuzz)

2018-04-24  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/bmp.c (ReadBMPImage): Fix benign use of uninitialized
	data when testing header magick. Fixes oss-fuzz 7980
	"graphicsmagick/coder_BMP_fuzzer: Use-of-uninitialized-value in
	LocaleNCompare". (Credit to OSS-Fuzz)

	* coders/dpx.c (ReadDPXImage): ColorDifferenceCbCr does require
	even image width. Fixes oss-fuzz 7966
	"graphicsmagick/coder_DPX_fuzzer: Unknown signal in
	TentUpsampleChroma". (Credit to OSS-Fuzz)

2018-04-23  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/dpx.c (ReadDPXImage): ColorDifferenceCbCr element
	requires two samples/pixel, not one. Fixes oss-fuzz 7951
	"graphicsmagick/coder_DPX_fuzzer: Heap-buffer-overflow in
	ReadDPXImage". (Credit to OSS-Fuzz)

2018-04-22  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/pdb.c (ReadPDBImage): Assure that pixels buffer is
	initialized. Fixes oss-fuzz 7937
	"graphicsmagick/coder_PDB_fuzzer: Use-of-uninitialized-value in
	ReadPDBImage". (Credit to OSS-Fuzz)

	* coders/mvg.c (ReadMVGImage): Assure that MVG viewbox parameters
	were supplied. Fixes oss-fuzz 7936
	"graphicsmagick/coder_MVG_fuzzer: Use-of-uninitialized-value in
	ReadMVGImage". (Credit to OSS-Fuzz)

	* coders/dpx.c (ReadDPXImage): Element descriptors CbYCrY422 and
	CbYACrYA4224 require that the image width be evenly divisible by 2
	so enforce that. Fixes oss-fuzz 7935
	"graphicsmagick/coder_DPX_fuzzer: Heap-buffer-overflow in
	ReadDPXImage". (Credit to OSS-Fuzz)

2018-04-21  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/dpx.c (ReadDPXImage): Reject DPX files which claim to use
	signed data. Fixes oss-fuzz 7758
	"graphicsmagick/coder_DPX_fuzzer: Use-of-uninitialized-value in
	WriteDPXImage".
	(Credit to OSS-Fuzz)
	(ReadDPXImage): Validate that the image elements do update all of
	the channels, including the alpha channel. Now report an error if
	a color channel is missing. Fixes oss-fuzz 7758
	"graphicsmagick/coder_DPX_fuzzer: Use-of-uninitialized-value in
	WriteDPXImage".

	* coders/gif.c (DecodeImage): Finally fix oss-fuzz 7732
	"graphicsmagick/coder_GIF_fuzzer: Heap-buffer-overflow in
	DecodeImage" which was not actually fixed with previous
	changes. (Credit to OSS-Fuzz)

2018-04-21  Fojtik Jaroslav  <JaFojtik@seznam.cz>

	* coders/topol.c Emit error when tile storage overflows image data;
	fixes oss-fuzz 7769 thanks to oss-fuzz.

2018-04-20  Greg Wolfe  <gregory.wolfe@kodakalaris.com>

	* magick/render.c (ConvertPrimitiveToPath): Fixed a bug
	in which SVG paths containing multiple open subpaths were
	not being processed correctly, resulting in incorrect
	output. This fixes ticket #94.

2018-04-18  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/gif.c (DecodeImage): Fix use of uninitialized memory
	during error condition in decoder. Fixes oss-fuzz 7732
	"graphicsmagick/coder_GIF_fuzzer: Heap-buffer-overflow in
	DecodeImage". (Credit to OSS-Fuzz)

	* coders/txt.c (ReadTXTImage): Assure that all image pixels are
	initialized to black.

	* Magick++/demo/zoom.cpp (main): Add a -read-blob option to read
	input file into a Blob so that it is read by the Blob reader
	rather than the file reader. Default the output Geometry to the
	input image geometry in case the user does not specify a resize
	resolution or geometry.

	* Magick++/tests/readWriteBlob.cpp (main): Improve the quality of
	code which reads a file into memory for Blob testing.

	* magick/blob.c (BlobToImage): Add exception reports for the cases
	where 'magick' was not set and the file format could not be
	deduced from its header. Previously a null Image pointer was
	being returned without any exception being thrown.

2018-04-15  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/dpx.c (ReadDPXImage): Assure that CbCr layer initializes
	all channels if it is the first element of a planar DPX. Fixes
	oss-fuzz 7703 "graphicsmagick/coder_DPX_fuzzer:
	Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)

	* coders/pict.c (ReadPICTImage): Don't refer to filename member of
	ImageInfo which was just destroyed. Much thanks to Alex Gaynor for
	finding this. Should fix oss-fuzz 6867
	"graphicsmagick/coder_PCT_fuzzer: Heap-use-after-free in
	GetLocaleExceptionMessage". (Credit to OSS-Fuzz).

2018-04-14  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

	* coders/sgi.c (ReadSGIImage): Assure that iris pixels are fully
	initialized. Fixes oss-fuzz 7543
	"graphicsmagick/coder_SGI_fuzzer: Use-of-uninitialized-value in
	SGIEncode". (Credit to OSS-Fuzz).

	* coders/xcf.c (ReadXCFImage): Restore SetImage() which was
	previously commented out. This is needed to assure initialized
	pixels. Fixes oss-fuzz 7430 "graphicsmagick/coder_XCF_fuzzer:
	Use-of-uninitialized-value in AlphaCompositePixel". (Credit to
	OSS-Fuzz).

	* coders/pict.c (ReadPICTImage): Properly initialize "black
	canvas" that tiles may be composed on. Fixes oss-fuzz 7574
	"graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in
	EnhanceImage". (Credit to OSS-Fuzz).

	* coders/rle.c (ReadRLEImage): Check for EOF when reading comment.
	Fixes oss-fuzz 7667 "graphicsmagick/coder_RLE_fuzzer:
	Use-of-uninitialized-value in ReadRLEImage". (Credit to OSS-Fuzz).

	* coders/pdb.c (WritePDBImage): Avoid use of uninitialized
	bytes. Fixes oss-fuzz 7638 "graphicsmagick/coder_PDB_fuzzer:
	Use-of-uninitialized-value in WritePDBImage". (Credit to
	OSS-Fuzz).

	* coders/rla.c (ReadRLAImage): Add many more validations,
	including scanline offsets and number of channels. Fixes oss-fuzz
	7653 "graphicsmagick/coder_RLA_fuzzer: Timeout in
	graphicsmagick_coder_RLA_fuzzer". (Credit to OSS-Fuzz).

	* coders/txt.c (ReadTXTImage): Implement missing subrange logic to
	read only the specified range of frames. Limits frames read from
	oss-fuzz test case
	clusterfuzz-testcase-minimized-coder_TEXT_fuzzer-6061076048248832
	"graphicsmagick/coder_TEXT_fuzzer: Timeout in
	graphicsmagick_coder_TEXT_fuzzer". (Credit to OSS-Fuzz).

	* Magick++/lib/Image.cpp (read): Set subrange = 1 since this
	interface is intended to read just one frame from the input file.
	Use the STL-based interfaces to read multiple frames.

	* coders/fits.c (ReadFITSImage): Verify FITS header before reading
	further. Rejects file from oss-fuzz 7650
	"graphicsmagick/coder_FITS_fuzzer: Out-of-memory in
	graphicsmagick_coder_FITS_fuzzer". (Credit to OSS-Fuzz).

	* PerlMagick/Magick.xs (Get): Fix PerlMagick compilation problem
	due to rename/repurposing of image->clip_mask.

2018-04-13 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* magick/image.c, magick/image.h: In order to be able to
	support SVG masks, and to be able to further extend the
	Image data structure without changing its size, new data
	structure ImageExtra (struct _ImageExtra) has been added.
	Header file image.h contains only a forward declaration;
	the members of ImageExtra are defined in file image.c.
	Image member variable Image * clip_mask has been replaced
	by ImageExtra * extra, and function prototypes that enable
	access to ImageExtra have been added to image.h. The
	clip_mask member variable now resides in ImageExtra. All
	references to Image::clip_mask in the GraphicsMagick
	source code have either been replaced with direct references
	to ImageExtra::clip_mask (image.c), or have been replaced
	with calls to access function ImageGetClipMask().

	* magick/render.c, magick/render.h: In order to be able to
	support SVG masks, and to be able to further extend the
	DrawInfo data structure without changing its size, new data
	structure DrawInfoExtra (struct _DrawInfoExtra) has been added.
	Header file render.h contains only a forward declaration;
	the members of DrawInfoExtra are defined in file render.c.
	DrawInfo member variable char * clip_path has been replaced by
	DrawInfoExtra * extra, and function prototypes that enable
	access to DrawInfoExtra have been added to render.h. The
	clip_path member variable now resides in ImageExtra. All
	references to DrawInfo::clip_path in the GraphicsMagick
	source code have either been replaced with direct references
	to DrawInfoExtra::clip_path (render.c), or have been
	replaced with calls to access function DrawInfoGetClipPath().

	* magick/image.c (new functions CompositePathImage,
	CompositeMaskImage, GetImageCompositeMask,
	SetImageCompositeMask): Defined new data structure ImageExtra,
	added create/destroy logic, and implemented associated access
	functions. Implemented SVG masks.

	* magick/render.c (DrawImage, new function DrawCompositeMask):
	Defined new data structure DrawInfoExtra, added create/destroy
	logic, and implemented associated access functions. Implemented
	SVG masks.

	* magick/pixel_cache.c (SyncCacheNexus, new function
	CompositeCacheNexus): Fixed references to Image::clip_mask.
	Implemented SVG masks.

	* coders/svg.c (SVGStartElement, SVGEndElement): Implemented
	SVG masks.

	* locale/c.mgk, magick/gm_messages.mc, magick/local_c.h:
	Added new error codes to support SVG masks.

	* coders/ps3.c, magick/enhance.c: Fixed references to
	Image::clip_mask.

	* magick/draw.c, wand/drawing_wand.c: Fixed references to
	DrawInfo::clip_path.

2018-04-13 Fojtik Jaroslav <JaFojtik@seznam.cz>

	* coders/wpg.c Crash on row overflow fixed; oss-fuzz 7639, thanks to oss-fuzz.

2018-04-11 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/dpx.c (ReadDPXImage): Add more header validations.
	Always assure that scanline is initialized for Luma channel. Fixes
	oss-fuzz 7544 "graphicsmagick/coder_DPX_fuzzer:
	Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)

	* coders/pdb.c (ReadPDBImage): Add more EOF checks to avoid benign
	use of uninitialized data. Fixes oss-fuzz 7545
	"graphicsmagick/coder_PDB_fuzzer: Use-of-uninitialized-value in
	ReadPDBImage".

	* coders/wpg.c (InsertRow, UnpackWPGRaster): x & y should be
	'unsigned long' to match type used by pixel cache APIs and image
	rows/columns.

2018-04-08 Fojtik Jaroslav <JaFojtik@seznam.cz>

	* coders/wpg.c Stop reading when last row is reached.
	This should stop oss-fuzz 7528, thanks to oss-fuzz.

2018-04-10 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/xcf.c (ReadXCFImage): Fix use of uninitialized data in
	magick header string for runt file. Fixes oss-fuzz 7521
	"graphicsmagick/coder_XCF_fuzzer: Use-of-uninitialized-value in
	LocaleNCompare". (Credit to OSS-Fuzz).

2018-04-09 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* OVERVIEW: Change set 9aaeeca0224c modified the drawing
	of clipping paths to conform to the SVG spec. This change
	set restores the previous behavior for non-SVG clients of
	render.c, while still satisfying the SVG spec for SVG clients.

	* magick/render.h (DrawInfo): Added a bit field in member
	"flags" to indicate that drawing should be SVG compliant.

	* magick/render.c (DrawImage): Now recognizes keyword
	"svg-compliant", and tags DrawInfo accordingly. This
	allows for existing features in render.c to be changed
	to comply with the SVG spec without impacting the previous
	behavior expected by non-SVG clients.

	* magick/render.c (DrawImage): Now uses DrawInfo "flags"
	bit for SVG compliance in conjunction with "flags" bit
	for "clipping path" to determine when to ignore changes
	to fill color, stroke color, etc. This restores the
	previous behavior for clipping paths for non-SVG clients.

	* coders/svg.c (SVGStartElement): The initial set of
	MVG commands for rendering an SVG file now includes
	new keyword "svg-compliant" (to indicate that certain
	graphical elements should be drawn according to the
	SVG spec), and includes an initialization of the SVG
	"fill-rule" to "nonzero" (the SVG default) instead of
	the internally initialized value of "evenodd".

	* coders/wpg.c: Fixed C99 "//" comments.

2018-04-08 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/pict.c (ReadPICTImage): Copy tile exception info to main
	image and don't composite tile if it has a problem. Fixes
	oss-fuzz 7169 "graphicsmagick/enhance_fuzzer:
	Use-of-uninitialized-value in EnhanceImage".
	(Credit to OSS-Fuzz)

	* coders/dib.c (ReadDIBImage): Do not increase decode bits/pixel
	if compression=2, but use it to increase pixel packet size when
	estimating bytes per line for decode buffer. Fixes oss-fuzz issue
	7324 "graphicsmagick/coder_WPG_fuzzer: Use-of-uninitialized-value
	in ReadDIBImage". (Credit to OSS-Fuzz)

	* coders/dpx.c (ReadDPXImage): When handling the first element of
	a planar DPX, assure that the other channels are
	initialized. Fixes oss-fuzz 7841 "graphicsmagick/coder_DPX_fuzzer:
	Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)

	* coders/tim.c (ReadTIMImage): Only 4 and 8 bit TIM requires a
	colormap. For other depths, force reading as DirectClass even if
	the TIM file provides a colormap. Fixes oss-fuzz 7407
	"graphicsmagick/coder_TIM_fuzzer: Use-of-uninitialized-value in
	SyncImageCallBack". (Credit to OSS-Fuzz)

2018-04-08 Fojtik Jaroslav <JaFojtik@seznam.cz>

	* coders/mat.c The unread data contains crap in memory;
	erase current image data. This should mute oss-fuzz 6604.

	* coders/wpg.c - condition "if(y<1) continue;" is redundant
	and could be removed completely.
	Allow logging in MatlabV4 module.

	* coders/svg.c - Do not use C++ syntax in C code - removed.

2018-04-07 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/wpg.c (UnpackWPGRaster): Fix uninitialized row 0 when
	row-based RLE is used. Fixes oss-fuzz 6603
	"graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in
	BlendCompositePixel". (Credit to OSS-Fuzz)

	* coders/pcd.c: Fix many issues, including oss-fuzz 6016
	"graphicsmagick/coder_PCD_fuzzer: Heap-double-free in
	MagickRealloc" and oss-fuzz 6108 "graphicsmagick/coder_PCD_fuzzer:
	Unknown signal in AllocateThreadViewDataSet".
	(Credit to OSS-Fuzz)

2018-04-06 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/dcm.c (funcDCM_BitsStored): Limit DICOM significant bits
	to 16. Otherwise rescale map code blows up. Fixes oss-fuzz 7435
	"graphicsmagick/coder_DCM_fuzzer: Out-of-memory in
	graphicsmagick_coder_DCM_fuzzer". (Credit to OSS-Fuzz)

	* coders/pix.c (ReadPIXImage): Detect EOF. Reject RLE length of
	zero. Fixes oss-fuzz 7440 "graphicsmagick/coder_PIX_fuzzer:
	Out-of-memory in graphicsmagick_coder_PIX_fuzzer". (Credit to
	OSS-Fuzz)

2018-04-05 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/dpx.c (ReadDPXImage): Insist on having an element
	descriptor we understand since otherwise we can not decode the
	image. Fixes oss-fuzz 7410 "graphicsmagick/coder_DPX_fuzzer:
	Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)

	* coders/avs.c, etc... (WriteAVSImage): Cache image list length
	before writing image sequence so that progress monitor is
	scalable. Helps with oss-fuzz 7404
	"graphicsmagick/coder_AVS_fuzzer: Timeout in
	graphicsmagick_coder_AVS_fuzzer". (Credit to OSS-Fuzz)

2018-04-05 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* coders/svg.c (SVGStartElement, SVGEndElement),
	magick/render.c (DrawImage): The current text position
	is now maintained by DrawImage() instead of by
	SVGStartElement() and SVGEndElement(). This change was
	made to support the recently implemented "use" and
	"class" elements, which may make changes to the font
	size that are not visible to the code in svg.c.

	* coders/svg.c (GetStyleTokens, SVGStartElement): The
	list of SVG attributes is now reordered so that
	"font-size", "class", and "style" are processed first.
	This ensures that a change to the font size will be
	processed before any dimensional attribute whose value
	may depend on the font size (e.g., a width value
	specified in "em" units).

	* coders/svg.c (ProcessStyleClassDefs): Fixed two memory
	leaks associated with making an early return when
	malformed input is detected.

	* magick/render.c (ExtractTokensBetweenPushPop): Fixed
	an uninitialized variable condition which can occur when
	malformed input is detected.

	* magick/render.h (DrawInfo), magick/render.c: DrawInfo
	member "unused1" has been renamed "flags". It is now
	used to tag a DrawInfo as being a clipping path or a
	compositing mask.

2018-04-04 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/pdb.c (ReadPDBImage): Update DirectClass pixels to avoid
	use of uninitialized memory for 2 bits/pixel. Fixes oss-fuzz 7350
	"graphicsmagick/coder_PDB_fuzzer: Use-of-uninitialized-value in
	WritePDBImage". (Credit to OSS-Fuzz)

	* coders/palm.c (ReadPALMImage): Fix use of uninitialized memory.
	Fixes oss-fuzz 7325 "graphicsmagick/coder_PALM_fuzzer:
	Use-of-uninitialized-value in TransparentImageCallBack". (Credit
	to OSS-Fuzz)

	* coders/dcm.c (DCM_ReadNonNativeImages): Break out of reading
	loop on EOF and properly report exception. Fixes oss-fuzz 7349
	"graphicsmagick/coder_DCM_fuzzer: Timeout in
	graphicsmagick_coder_DCM_fuzzer". (Credit to OSS-Fuzz)

2018-04-03 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/xcf.c (ReadXCFImage): Require that XCF file offsets be in
	ascending order to avoid DOS. Fixes oss-fuzz 7333
	"graphicsmagick/coder_XCF_fuzzer: Out-of-memory in
	graphicsmagick_coder_XCF_fuzzer". (Credit to OSS-Fuzz)

	* coders/wpg.c (UnpackWPGRaster): Fix memory leak in error return
	path.
	Fixes oss-fuzz 7338 "graphicsmagick/enhance_fuzzer:
	Direct-leak in UnpackWPGRaster". (Credit to OSS-Fuzz)

2018-04-03 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* coders/svg.c (SVGStartElement): This changeset adds
	support for SVG geometric transforms specified using the
	style="transform: ..." syntax. This syntax is sometimes
	used when exporting SVG files from Adobe Illustrator.

2018-04-02 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/dpx.c (ReadDPXImage): Validate DPX packing method. Fixes
	oss-fuzz 7296 "graphicsmagick/coder_DPX_fuzzer:
	Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)

2018-04-02 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* coders/svg.c (SVGStartElement, SVGEndElement),
	magick/render.c (DrawImage): This changeset adds support for
	"class" styling attributes within a <style> section within
	the <defs> section, and the ability to reference them from
	other SVG elements by class="classname". SVG files exported
	from Adobe Illustrator make extensive use of "class" definitions.

2018-04-01 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/pict.c (ReadPICTImage): Fix leak of tile image on EOF.
	This is a recent regression. Fixes oss-fuzz 7287
	"graphicsmagick/coder_PCT_fuzzer: Indirect-leak in
	CloneImage". (Credit to OSS-Fuzz)

	* magick/pixel_cache.c (OpenCache): Use image->scene rather than
	GetImageIndexInList(image) for scene-id part of cache info file
	name.

	* coders/txt.c (WriteTXTImage): Optimize the progress indicator
	since it is very inefficient with a large number of scenes and
	oss-fuzz 7090 "graphicsmagick/coder_TEXT_fuzzer: Timeout in
	graphicsmagick_coder_TEXT_fuzzer" consistently shows
	GetImageListLength() in its stack traces.

	* coders/dcm.c (ReadDCMImage): DICOM reader was no longer
	immediately quitting with excessive samples per pixel. This
	caused spinning for a very long time when reading planar images
	with large samples per pixel. This is a regression due to recent
	changes. Fixes oss-fuzz 7269 "graphicsmagick/coder_DCM_fuzzer:
	Timeout in graphicsmagick_coder_DCM_fuzzer". (Credit to OSS-Fuzz)

	* coders/xcf.c (ReadXCFImage): Destroy layer info before returning
	due to exception. This is a new regression due to adding more
	checks. Fixes oss-fuzz 7277 "graphicsmagick/coder_XCF_fuzzer:
	Direct-leak in ReadXCFImage". (Credit to OSS-Fuzz)

	* coders/pdb.c (ReadPDBImage): Assure that all bytes of scanline
	are initialized while decoding. Fixes oss-fuzz 7051
	"graphicsmagick/coder_PDB_fuzzer: Use-of-uninitialized-value in
	WritePDBImage". (Credit to OSS-Fuzz)

2018-03-31 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/pcx.c (ReadPCXImage): Assure that scanline is
	initialized. Fixes oss-fuzz 6612
	"graphicsmagick/coder_PCX_fuzzer: Use-of-uninitialized-value in
	WriteRLEPixels". (Credit to OSS-Fuzz)

	* coders/wpg.c (ReadWPGImage): Detect unexpected EOF and avoid use
	of uninitialized data. Fixes oss-fuzz 6601
	"graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in
	ImportIndexQuantumType". (Credit to OSS-Fuzz)

	* coders/sgi.c (ReadSGIImage): Assure that RLE decode buffer is
	initialized. Fixes oss-fuzz 6599
	"graphicsmagick/coder_SGI_fuzzer: Use-of-uninitialized-value in
	SyncImageCallBack" and oss-fuzz 6600
	"graphicsmagick/coder_SGI_fuzzer: Use-of-uninitialized-value in
	SGIEncode". (Credit to OSS-Fuzz)

	* coders/viff.c (ReadVIFFImage): Fix blob I/O size validation to
	avoid use of uninitialized data.
	Fixes oss-fuzz 6597
	"graphicsmagick/coder_VIFF_fuzzer: Use-of-uninitialized-value in
	ThresholdImage". (Credit to OSS-Fuzz)
	(ReadVIFFImage): Don't execute SetImageType(image,BilevelType) on
	an image which has no pixels yet in order to avoid use of
	uninitialized data. Fixes oss-fuzz 6597. (Credit to OSS-Fuzz)

	* coders/wbmp.c (ReadWBMPImage): Fix blob I/O size validation to
	avoid use of uninitialized data. Fixes oss-fuzz 7047
	"graphicsmagick/coder_WBMP_fuzzer: Use-of-uninitialized-value in
	ReadWBMPImage". (Credit to OSS-Fuzz)

	* coders/wpg.c (ExtractPostscript): Allow non-Postscript content
	but force reading using the magick we already detected. Also log
	the format that we detected.

	* coders/xcf.c (ReadOneLayer): Reject layer size of 0x0. Fixes
	oss-fuzz 6636 "graphicsmagick/coder_XCF_fuzzer: Direct-leak in
	MagickMallocAligned". (Credit to OSS-Fuzz)
	(ReadXCFImage): Verify that seek offsets are within the bounds of
	the file data. Fixes oss-fuzz 6682
	"graphicsmagick/coder_XCF_fuzzer: Out-of-memory in
	graphicsmagick_coder_XCF_fuzzer". (Credit to OSS-Fuzz)

	* magick/pixel_cache.c (ModifyCache): Destroy CacheInfo if
	OpenCache() fails so it is not leaked.

	* coders/wpg.c (ExtractPostscript): Enforce that embedded file is
	a Postscript file. Fixes oss-fuzz 7235
	"graphicsmagick/coder_WPG_fuzzer: Indirect-leak in MagickRealloc".
	This is indicated to be a regression. (Credit to OSS-Fuzz)

2018-03-30 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/pict.c (ReadPICTImage): Check image pixel limits before
	allocating memory for tile. Fixes oss-fuzz 7217
	"graphicsmagick/coder_PICT_fuzzer: Out-of-memory in
	graphicsmagick_coder_PICT_fuzzer".

2018-03-29 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/pcd.c (ReadPCDImage): Add checks for EOF.
	Fixes oss-fuzz
	issue 7180 "graphicsmagick/coder_PCDS_fuzzer: Timeout in
	graphicsmagick_coder_PCDS_fuzzer". (Credit to OSS-Fuzz)

2018-03-29 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* coders/svg.c (SVGStartElement, SVGEndElement),
	magick/render.c (DrawImage): This changeset implements the SVG
	"use" element. Graphical elements (e.g., "rect", "text", etc.)
	can be tagged with an identifier using 'id="identifier"' when
	defined within the "defs" section. They can then be referenced
	elsewhere in the SVG file using:

	    <use xlink:href="#identifier" ... />

	When referencing a graphical element by its identifier, the
	following syntaxes are now treated as being the same:

	    href="#identifier"
	    href="url(#identifier)"
	    xlink:href="#identifier"
	    xlink:href="url(#identifier)"

2018-03-27 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/tim.c (ReadTIMImage): Reader was not observing subimage
	and subrange to quit after the specified frame range. Inspired by
	oss-fuzz 7132 "graphicsmagick/coder_TIM_fuzzer: Timeout in
	graphicsmagick_coder_TIM_fuzzer". (Credit to OSS-Fuzz)

2018-03-27 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* coders/svg.c (SVGStartElement): Enable setting the
	background color from the SVG file when the client
	specifies style="background:color" inside the <svg>
	... </svg> element.

2018-03-25 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/mtv.c (ReadMTVImage): Add some elementary tracing to MTV
	reader.

	* coders/png.c (ReadMNGImage): Fix SourceForge issue 554
	"Divide-by-zero in ReadMNGImage (coders/png.c)". (Credit to Trace
	Probe)

	* coders/bmp.c (ReadBMPImage): Assure that start position always
	advances to avoid looping BMPs. Fixes oss-fuzz 7045
	"graphicsmagick/coder_BMP_fuzzer: Timeout in
	graphicsmagick_coder_BMP_fuzzer".
	(Credit to OSS-Fuzz)

	* coders/pict.c (DecodeImage): Verify that sufficient backing data
	exists before allocating memory to read it. Fixes oss-fuzz 6629
	"graphicsmagick/coder_PCT_fuzzer: Out-of-memory in
	graphicsmagick_coder_PCT_fuzzer".
	(ReadPICTImage): Destroy tile_image in ThrowPICTReaderException()
	macro to simplify logic.

2018-03-25 Fojtik Jaroslav <JaFojtik@seznam.cz>

	* coders/mat.c Check whether datablock is really read.
	Fixes oss-fuzz 7056. (Credit to OSS-Fuzz)

	* coders/txt.c Duplicate image check for data with fixed geometry;
	previous check is skipped. Fixes oss-fuzz 7090.

2018-03-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/dcm.c (ReadDCMImage): Validate that samples per pixel is
	in valid range. Fixes oss-fuzz 6260
	"graphicsmagick/coder_DCM_fuzzer: Out-of-memory in
	graphicsmagick_coder_DCM_fuzzer". (Credit to OSS-Fuzz)

	* coders/meta.c (format8BIM): Allocate space for null termination
	and null terminate string. Fixes oss-fuzz 5985
	"graphicsmagick/coder_8BIMTEXT_fuzzer: Heap-buffer-overflow in
	formatIPTCfromBuffer". (Credit to OSS-Fuzz)

	* coders/fits.c (ReadFITSImage): Include number of FITS scenes in
	file size validations. Fixes oss-fuzz 6781
	"graphicsmagick/coder_FITS_fuzzer: Timeout in
	graphicsmagick_coder_FITS_fuzzer". (Credit to OSS-Fuzz)

2018-03-23 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/meta.c (format8BIM): Validate size request prior to
	allocation. Fixes oss-fuzz issue 5974
	"graphicsmagick/coder_8BIMTEXT_fuzzer: Out-of-memory in
	graphicsmagick_coder_8BIMTEXT_fuzzer". (Credit to OSS-Fuzz)

2018-03-23 Fojtik Jaroslav <JaFojtik@seznam.cz>

	* coders/mat.c Fix forged amount of frames 7076. (Credit to OSS-Fuzz)

	* coders/topol.c Check for forged image that overflows file size
	(fuzz 6836).

2018-03-23 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* magick/render.c, render.h (DrawInfo, CloneDrawInfo,
	DrawClipPath, DrawImage, GetDrawInfo): According to the SVG
	spec, a clipping path is defined only by the geometry of its
	constituent elements, and is not dependent on fill color/opacity,
	stroke color/opacity, or stroke width. To ensure conformity
	with the spec, when a clipping path is created, these SVG
	elements are set to appropriate values, and any attempt to
	modify them is ignored.

	Also, whenever a clipping path is drawn, the associated image
	attributes are now updated from the parent image structure.
	This ensures that any added or modified attributes are up to
	date.

2018-03-22 Fojtik Jaroslav <JaFojtik@seznam.cz>

	* coders/topol.c Use MagickSwabArrayOfUInt32() instead to
	flip all array elements at once.

	* magick/annotate.c Compilation issue - using C++ syntax in C code.

2018-03-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/dpx.c (ReadDPXImage): Validate header length and offset
	properties. Fixes oss-fuzz "graphicsmagick/coder_DPX_fuzzer:
	Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)

2018-03-20 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* magick/annotate.c (RenderType): According to the SVG
	spec, the 'font-family' element can be a comma-separated
	list of one or more font family names. Function RenderType
	in file annotate.c has been modified to support multiple
	font family names as follows. The comma-separated list is
	processed until the first available font family is found.
	If no font family is found, or if font substitution occurred,
	then the entire font family string is tested to see if it
	exactly matches a font name, or if the font family string
	with blanks changed to hyphens exactly matches a font name.
	If a font name match is found, the matched font overrides
	the font substitution. The font name matching functionality
	is beyond what's in the SVG spec and is provided as a
	convenience to the user.

2018-03-20 Fojtik Jaroslav <JaFojtik@seznam.cz>

	* coders/mat.c Fix forged amount of frames 6755. (Credit to OSS-Fuzz)

2018-03-20 Fojtik Jaroslav <JaFojtik@seznam.cz>

	* coders/topol.c Redesign ReadBlobDwordLSB() to be more effective.

2018-03-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/xpm.c (ReadXPMImage): Reject XPM if its condensed version
	contains non-whitespace control characters. Fixes oss-fuzz 7027
	"graphicsmagick/coder_XPM_fuzzer: Timeout in
	graphicsmagick_coder_XPM_fuzzer". (Credit to OSS-Fuzz)

2018-03-19 Fojtik Jaroslav <JaFojtik@seznam.cz>

	* coders/topol.c Fix tile index overflow fuzz 6634. (Credit to OSS-Fuzz)

2018-03-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/dcm.c (DCM_ReadGrayscaleImage): Don't use rescale map if
	it was not allocated. This issue was induced in this development
	cycle due to disabling generating the rescale map. Fixes oss-fuzz
	7021 "graphicsmagick/coder_DCM_fuzzer: Null-dereference READ in
	DCM_ReadGrayscaleImage". (Credit to OSS-Fuzz)

2018-03-18 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* magick/color_lookup.c (QueryColorDatabase): Defend against
	partial scanf() expression matching, resulting in use of
	uninitialized data. Likely fixes oss-fuzz 6596
	"graphicsmagick/coder_XPM_fuzzer: Use-of-uninitialized-value in
	IsMonochromeImage". (Credit to OSS-Fuzz)

	* coders/rle.c (ReadRLEImage): Validate number of colormap bits to
	avoid undefined shift behavior. Fixes oss-fuzz 6630
	"graphicsmagick/enhance_fuzzer: Undefined-shift in
	ReadRLEImage".
	(Credit to OSS-Fuzz)

	* coders/dcm.c (DCM_ReadRGBImage): Don't use rescale map if it was
	not allocated. This issue was induced in this development cycle
	due to disabling generating the rescale map. Fixes oss-fuzz 6995
	"graphicsmagick/coder_DCM_fuzzer: Null-dereference READ in
	DCM_ReadRGBImage". (Credit to OSS-Fuzz)

	* coders/dib.c (DecodeImage): Report failure to decode to expected
	amount of pixel data as an error. Fixes oss-fuzz 7007
	"graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in
	EnhanceImage". (Credit to OSS-Fuzz)

	* coders/bmp.c (ReadBMPImage): Add file size and offset/seek
	validations. Fixes oss-fuzz 6623
	"graphicsmagick/coder_BMP_fuzzer: Timeout in
	graphicsmagick_coder_BMP_fuzzer". (Credit to OSS-Fuzz)

2018-03-17 Fojtik Jaroslav <JaFojtik@seznam.cz>

	* dcraw/dcraw.c Updated to version 9.27.

2018-03-15 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/gif.c (ReadGIFImage): Fix botched fixes for use of
	uninitialized data when reading GIF extension blocks. Hopefully
	ok now.

2018-03-13 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/gif.c (ReadGIFImage): Fix use of uninitialized data when
	reading GIF extension blocks. Fixes oss-fuzz 6609
	"graphicsmagick/coder_GIF_fuzzer: Use-of-uninitialized-value in
	MagickArraySize". This seems to be a totally benign issue. (Credit
	to OSS-Fuzz)

	* magick/magick.c (MagickSignal): Use an alternate signal stack,
	if available. This is required for Go lang C language extensions
	since Go lang requests an alternate signal stack, and uses small
	stacks for its threads. If the library user has not allocated an
	alternate signal stack, then behavior should be just as before.
	Issue was originally reported by yzh杨振宏 on March 1, 2018 via
	the graphicsmagick-help SourceForge mailing list.

2018-02-28 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* magick/pixel_cache.c (AcquireCacheNexus): Add a check that the
	pixel cache is compatible with the image dimensions. Fixes
	oss-fuzz issues 5978, 5988, 5989, 5990, 5993, 6016, and 6056, which are
	all related to the PICT writer. (Credit to OSS-Fuzz)

	* magick/draw.c (DrawGetStrokeDashArray): Check for failure to
	allocate memory. Patch submitted by Petr Gajdos via email on
	February 28, 2018.

2018-02-27 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/fits.c (ReadFITSImage): Fix signed integer overflow when
	computing pixel size. Fixes oss-fuzz 6586
	"graphicsmagick/coder_FITS_fuzzer: Integer-overflow in
	ReadFITSImage". (Credit to OSS-Fuzz)

2018-02-27 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* coders/svg.c (SVGStartElement, SVGEndElement): From the
	SVG spec: "The 'foreignObject' element allows for inclusion
	of a foreign namespace which has its graphical content drawn
	by a different user agent." Code has been added to consume
	and discard the 'foreignObject' element and any settings (e.g.,
	fill color) internal to it. Previously, settings internal
	to the 'foreignObject' element would persist and "leak" into
	the graphic elements that followed it, resulting in undesired
	side effects (e.g., fill color other than the expected default).

2018-02-27 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* magick/render.c (DrawPolygonPrimitive): Fixed a bug
	introduced by changeset 39102dd1d456. For SVG, this
	changeset applied both the group AND the fill opacity
	values to fill patterns (similarly for stroke). For WMF,
	however, this caused the fill pattern to be rendered as
	100% transparent.
	A closer reading of the SVG spec does
	NOT show that the fill opacity should be applied to the
	fill pattern, so as of this latest changeset only the group
	opacity value is applied to fill and stroke patterns.

2018-02-27 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/bmp.c (ReadBMPImage): Fix divide by zero regression added
	by latest fixes. Fixes oss-fuzz 6583
	"graphicsmagick/coder_BMP_fuzzer: Divide-by-zero in ReadBMPImage".
	(Credit to OSS-Fuzz)

2018-02-26 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/pict.c (ReadPICTImage): Validate that PICT rectangles do
	not have zero dimensions. Specify expected file type when reading
	from a temporary file. Trace PICT rectangle dimensions. More
	detection of blob EOF and more error handling. Fixes oss-fuzz
	issue 6193 "graphicsmagick/coder_PCT_fuzzer: Unknown signal in
	AllocateImageColormap" and likely many oss-fuzz ASAN/UBSAN issues
	reported against "PCT" and "PICT" since this one problem appears
	to be causing a spew of reports.

	* coders/png.c (ReadMNGImage): Detect and handle failure to
	allocate global PLTE. Problem was reported via email from Petr
	Gajdos on February 26, 2018.

2018-02-25 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* magick/blob.c (ReadBlobLSBDouble): Make sure imported double is
	a normal value.
	(ReadBlobLSBDoubles): Make sure imported doubles are normal
	values.
	(ReadBlobLSBFloat): Make sure imported float is a normal value.
	(ReadBlobLSBFloats): Make sure imported floats are normal values.
	(ReadBlobMSBFloat): Make sure imported float is a normal value.
	(ReadBlobMSBFloats): Make sure imported floats are normal values.
	(ReadBlobMSBDouble): Make sure imported double is a normal value.
	(ReadBlobMSBDoubles): Make sure imported doubles are normal
	values.
2188 2189 * magick/import.c (ImportFloat32Quantum): Make sure imported float 2190 is a normal value. 2191 (ImportFloat64Quantum): Make sure imported double is a normal 2192 value. 2193 2194 * magick/image.h (RoundDoubleToQuantum): Restore previous behavior 2195 (from earlier today). 2196 (RoundFloatToQuantum): Restore previous behavior (from earlier 2197 today). 2198 2199 * coders/bmp.c (ReadBMPImage): Fix UBSAN runtime error: left shift 2200 of 205 by 24 places cannot be represented in type 'int'. 2201 2202 * coders/ept.c (ReadEPTImage): Fix dereference of NULL pointer 2203 which was detected by UBSAN in the test suite. 2204 2205 * magick/image.h (RoundDoubleToQuantum): Check double value for 2206 NaN and infinity in order to avoid undefined behavior. 2207 (RoundFloatToQuantum): Check float value for NaN and infinity in 2208 order to avoid undefined behavior. 2209 2210 * magick/common.h (MAGICK_ISNAN): Add a isnan() wrapper macro. 2211 (MAGICK_ISINF): Add a isinf() wrapper macro. 2212 2213 2018-02-25 Fojtik Jaroslav <JaFojtik@seznam.cz> 2214 2215 * coders/mat.c Fix oss-fuzz issue 6273 - Heap-use-after-free in 2216 GetLocaleExceptionMessage. (Credit to OSS-Fuzz) 2217 2218 2018-02-24 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2219 2220 * coders/dcm.c (DCM_PostRescaleImage): Remove use of 2221 DCM_PostRescaleImage() since its implementation is wrong and 2222 accesses non-allocated heap memory. Problem was reported by Petr 2223 Gajdos via email on February 8, 2018. 2224 2225 * coders/jp2.c (ReadJP2Image): Use a ThrowJP2ReaderException macro 2226 to automatically clean up when throwing an exception. 2227 2228 * coders/bmp.c (ReadBMPImage): Report an error if RLE decode does 2229 not produce the expected number of bytes. Fixes oss-fuzz issue 2230 6015 "graphicsmagick/coder_BMP_fuzzer: Out-of-memory in 2231 graphicsmagick_coder_BMP_fuzzer". 
(Credit to OSS-Fuzz) 2232 2233 2018-02-23 Greg Wolfe <gregory.wolfe@kodakalaris.com> 2234 2235 * magick/render.c (DrawImage): Fixed a bug in which graphical 2236 elements defined within <defs> ... </defs> were being rendered, 2237 contrary to the SVG spec. 2238 2239 2018-02-23 Greg Wolfe <gregory.wolfe@kodakalaris.com> 2240 2241 * magick/render.c (DrawPolygonPrimitive): When filling or 2242 stroking a polygon using a pattern, the fill (or stroke) 2243 and group/object opacity values were not being applied to 2244 the pattern (fixed). 2245 2246 2018-02-23 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2247 2248 * coders/bmp.c (ReadBMPImage): Fix SeekBlob() return value checks. 2249 Add more EOF checks. Require that a provided ba_offset be a 2250 forward seek in order to avoid the possibility of endless looping. 2251 2252 2018-02-23 Fojtik Jaroslav <JaFojtik@seznam.cz> 2253 2254 * coders/mat.c Fix oss-fuzz issue 6301. (Credit to OSS-Fuzz) 2255 2256 2018-02-22 Greg Wolfe <gregory.wolfe@kodakalaris.com> 2257 2258 * magick/alpha_composite.c (BlendQuantumOpacity): The 2259 pixel compositing equation used when compositing an 2260 image into the output was incorrect and has been fixed. 2261 2262 * magick/render.c (DrawPolygonPrimitive): When 2263 compositing polygon edge pixels over a transparent 2264 black background, the code would composite as if the 2265 background were opaque black, resulting in the edge 2266 pixels being too dark (fixed). 2267 2268 2018-02-21 Greg Wolfe <gregory.wolfe@kodakalaris.com> 2269 2270 * magick/render.c (DrawImage): Per the SVG spec, opacity, 2271 fill-opacity, and stroke-opacity values are now clamped 2272 to [0,1]. 
2273 2274 Also fixed two bugs introduced by changeset 91de8039f27d 2275 (dated 2018-02-12): (1) a group/object opacity value 2276 specified using a percentage was not being converted to a 2277 value in [0,1]; (2) if fill-opacity or stroke-opacity was 2278 1, and the group/object opacity value was set to 1, the 2279 resulting fill-opacity or stroke-opacity value would be 2280 set to 0 instead of 1. 2281 2282 2018-02-19 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2283 2284 * coders/viff.c (ReadVIFFImage): Fix excessive memory usage. 2285 Fixes oss-fuzz 6006 "graphicsmagick/coder_XV_fuzzer: Out-of-memory 2286 in graphicsmagick_coder_XV_fuzzer". (Credit to OSS-Fuzz) 2287 2288 * coders/txt.c (ReadInt): Avoid benign signed integer overflow due 2289 to accepting an arbitrary number of digits. Fixes oss-fuzz 6002 2290 "graphicsmagick/coder_TEXT_fuzzer: Integer-overflow in 2291 ReadInt". (Credit to OSS-Fuzz) 2292 2293 * coders/viff.c (ReadVIFFImage): Verify that there is sufficient 2294 data to back up colormap allocation request. Fixes oss-fuzz 5986 2295 "graphicsmagick/coder_VIFF_fuzzer: Out-of-memory in 2296 graphicsmagick_coder_VIFF_fuzzer". (Credit to OSS-Fuzz) 2297 2298 * magick/memory.c: Define MAGICK_MEMORY_HARD_LIMIT=value to abort 2299 when memory request exceeds value. Useful to find location of 2300 excessive memory requests. 2301 2302 2018-02-19 Greg Wolfe <gregory.wolfe@kodakalaris.com> 2303 2304 * coders/svg.c (SVGStartElement): Per the SVG spec, the 2305 SVG coder now initializes the MVG coder (which renders 2306 SVG graphical elements) with the the SVG defaults for 2307 fill color, fill-opacity, stroke color, stroke-opacity, 2308 and stroke-width. This makes the SVG coder independent 2309 of the MVG coder intial state. 
2310 2311 2018-02-19 Greg Wolfe <gregory.wolfe@kodakalaris.com> 2312 2313 * coders/svg.c (SVGStartElement): Fixed initialization of 2314 x and y attributes per the SVG spec: for graphical elements 2315 "image", "pattern", "text", "rect", and "use", if the x or y 2316 attribute is not specified, the effect is as if a value of 2317 "0" were specified. 2318 2319 2018-02-18 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2320 2321 * coders/sun.c (ReadSUNImage): Fix edge case which broke file-size 2322 validation logic. Fixes oss-fuzz issue 5981 2323 "graphicsmagick/coder_SUN_fuzzer: Out-of-memory in 2324 graphicsmagick_coder_SUN_fuzzer". (Credit to OSS-Fuzz) 2325 2326 * coders/txt.c (ReadTXTImage): Validate that file size is 2327 sufficient for claimed image properties. Fixes oss-fuzz issue 2328 5960 "graphicsmagick/coder_TXT_fuzzer: Out-of-memory in 2329 graphicsmagick_coder_TXT_fuzzer". (Credit to OSS-Fuzz) 2330 2331 * coders/tga.c (ReadTGAImage): Only allow 1 and 8 bit 2332 colormapped/grey images. Fixes oss-fuzz issue 6314 2333 "graphicsmagick/coder_ICB_fuzzer: Undefined-shift in 2334 ReadTGAImage". (Credit to OSS-Fuzz) 2335 2336 * coders/bmp.c (ReadBMPImage): Detect and report when BMP height 2337 value is out of range (too negative). Fixes oss-fuzz issue 6394 2338 "graphicsmagick/coder_BMP_fuzzer: Integer-overflow in 2339 ReadBMPImage". (Credit to OSS-Fuzz) 2340 2341 * coders/rla.c (ReadRLAImage): Detect when RLE decoding is 2342 producing too many samples and report as an error. Fixes oss-fuzz 2343 issue 6312 "graphicsmagick/coder_RLA_fuzzer: Timeout in 2344 graphicsmagick_coder_RLA_fuzzer". (Credit to OSS-Fuzz) 2345 2346 * coders/fits.c (ReadFITSImage): Validate that file size is 2347 sufficient for claimed image properties. Fixes oss-fuzz issue 2348 6429 "graphicsmagick/coder_FITS_fuzzer: Timeout in 2349 graphicsmagick_coder_FITS_fuzzer". 
(Credit to OSS-Fuzz) 2350 2351 * magick/image.c (CloneImage): Check image pixel limits in 2352 CloneImage() when it is used to change the image dimensions. This 2353 avoids depending on the using code to detect and report such 2354 issues. 2355 2356 * coders/xcf.c (ReadXCFImage): Check image pixel limits after each 2357 CloneImage() to assure that image is within specified resource 2358 limits. Fixes oss-fuzz issue 6399 "graphicsmagick/enhance_fuzzer: 2359 Timeout in graphicsmagick_enhance_fuzzer". (Credit to OSS-Fuzz) 2360 2361 2018-02-16 Greg Wolfe <gregory.wolfe@kodakalaris.com> 2362 2363 * magick/render.c (TracePath): TracePath() was not 2364 correctly processing multiple sets of cubic or quadratic 2365 Bezier coordinates when the previous path data command was 2366 not a cubic or quadratic Bezier command. This would result 2367 in the first control point being equal to the current path 2368 point instead of being computed using the current path 2369 point and the second control point of the previous Bezier 2370 command. 2371 2372 2018-02-15 Greg Wolfe <gregory.wolfe@kodakalaris.com> 2373 2374 * magick/render.c (TracePath): TracePath() was not 2375 consuming commas (if present) at the end of a set of 2376 points when multiple sets of points were specified for 2377 various path commands (e.g., line, Bezier). This 2378 resulted in the remaining sets of points being ignored 2379 (fixed). 2380 2381 2018-02-15 Greg Wolfe <gregory.wolfe@kodakalaris.com> 2382 2383 * magick/render.c (TraceArcPath): No points are generated 2384 by TraceArcPath() if the starting and ending arc points 2385 are the same. For this case, the coordinate count was not 2386 being set to zero before returning (fixed). 
2387 2388 2018-02-15 Greg Wolfe <gregory.wolfe@kodakalaris.com> 2389 2390 * magick/render.c (DrawImage): Clipping of polygons in 2391 DrawImage() would sometime result in a starting pixel 2392 location that was greater than the ending pixel location, 2393 causing a subsequent call to GetImagePixelsEx() to fail 2394 due a column count <= 0. Modified the clipping code to 2395 eliminate this condition, and also to return early if 2396 the polygon lies completely outside the image boundaries. 2397 Also fixed variable declarations from a previous commit 2398 that were causing problems for the C89 compiler. 2399 2400 2018-02-13 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2401 2402 * coders/topol.c (ReadTOPOLImage): Detect EOF immediately rather 2403 than spinning. Fixes oss-fuzz issue 6303 2404 "graphicsmagick/coder_TOPOL_fuzzer: Timeout in 2405 graphicsmagick_coder_TOPOL_fuzzer". (Credit to OSS-Fuzz) 2406 2407 * coders/dcm.c (DCM_SetupRescaleMap): Avoid excessive left shift. 2408 Fixes oss-fuzz issue 6256 "graphicsmagick/coder_DCM_fuzzer: 2409 Undefined-shift in DCM_SetupRescaleMap". (Credit to OSS-Fuzz) 2410 2411 2018-02-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2412 2413 * coders/wpg.c (ExtractPostscript): Detect EOF on input while 2414 transferring bytes to Postscript file. Fixes oss-fuzz issue 6087 2415 "graphicsmagick/coder_WPG_fuzzer: NULL". Later identified to be 2416 CVE-2017-17682 as previously discovered in ImageMagick. (Credit to 2417 OSS-Fuzz) 2418 2419 * coders/pdb.c (ReadPDBImage): Quit attempting to read image data 2420 immediately at EOF. Fixes oss-fuzz issue 6252 2421 "graphicsmagick/coder_PDB_fuzzer: Timeout in 2422 graphicsmagick_coder_PDB_fuzzer". (Credit to OSS-Fuzz) 2423 2424 2018-02-12 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2425 2426 * coders/topol.c (ReadTOPOLImage): Avoid index out of bounds when 2427 input filename does not use a file extension. 
Fixes oss-fuzz issue 2428 6237 "graphicsmagick/coder_TOPOL_fuzzer: Index-out-of-bounds in 2429 ReadTOPOLImage". (Credit to OSS-Fuzz) 2430 2431 2018-02-12 Greg Wolfe <gregory.wolfe@kodakalaris.com> 2432 2433 * magick/render.c (DrawImage): Object/group opacity, 2434 when set in DrawImage(), would overwrite the fill 2435 and stroke opacities. This has been fixed so that 2436 the object opacity is now combined with the fill 2437 and stroke opacities per the SVG spec. 2438 2439 2018-02-12 Fojtik Jaroslav <JaFojtik@seznam.cz> 2440 2441 * coders/mat.c Fix oss-fuzz issue 6021. (Credit to OSS-Fuzz) 2442 2443 2018-02-11 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2444 2445 * coders/dcm.c (ReadDCMImage): Avoid undefined left shift of 2446 short. Fix memory leaks in error reporting paths. Fixes oss-fuzz 2447 issue 6217 "graphicsmagick/coder_DCM_fuzzer: Undefined-shift in 2448 ReadDCMImage". (Credit to OSS-Fuzz) 2449 2450 * coders/dpx.c (ReadDPXImage): Avoid divide by zero exception in 2451 the case where reference high equals reference low. Fixes oss-fuzz 2452 issue 6215 "graphicsmagick/coder_DPX_fuzzer: Divide-by-zero in 2453 ReadDPXImage". (Credit to OSS-Fuzz) 2454 2455 * coders/topol.c (ReadTOPOLImage): Avoid index out of bounds when 2456 input filename does not use a file extension. 2457 2458 * coders/cut.c (ReadCUTImage): Avoid index out of bounds when 2459 input filename does not use a file extension. Fixes oss-fuzz issue 2460 6218 "graphicsmagick/coder_CUT_fuzzer: Index-out-of-bounds in 2461 ReadCUTImage". (Credit to OSS-Fuzz) 2462 2463 * coders/pwp.c (ReadPWPImage): Force temporary file to be read as 2464 a SFW file rather than autodetecting the format. Fixes oss-fuzz 2465 issue 6220 "graphicsmagick/coder_PWP_fuzzer: Indirect-leak in 2466 AllocateImage". (Credit to OSS-Fuzz) 2467 2468 2018-02-10 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2469 2470 * coders/pdf.c (WritePDFImage): Assure that xref memory is not 2471 leaked if an exception is thrown. 
Fixes oss-fuzz issue 5968 2472 "graphicsmagick/coder_EPDF_fuzzer: Direct-leak in MagickRealloc". 2473 (Credit to OSS-Fuzz) 2474 2475 * coders/tim.c (ReadTIMImage): Verify that 4/8 bit PSX TIM 2476 provides a CLUT and verify indexes. Fixes oss-fuzz issue 5972 2477 "graphicsmagick/coder_TIM_fuzzer: Null-dereference WRITE in 2478 ReadTIMImage". (Credit to OSS-Fuzz) 2479 2480 * coders/topol.c (ReadTOPOLImage): Add additional header 2481 validations. Fixes oss-fuzz issue 5975 2482 "graphicsmagick/coder_TOPOL_fuzzer: Floating-point-exception in 2483 ReadTOPOLImage". (Credit to OSS-Fuzz) 2484 2485 * coders/bmp.c (ReadBMPImage): Avoid possible division by zero 2486 when decoding CIE primary values. (Credit to OSS-Fuzz) 2487 2488 * magick/export.c (ExportViewPixelArea): Only compute 2489 unsigned_maxvalue if sample_bits <= 32. 2490 2491 * magick/import.c (ImportViewPixelArea): Assure that 2492 double_maxvalue minus double_minvalue is not zero, or excessively 2493 close to zero to avoid divide by zero exception or impossible 2494 scaling factor. (Credit to OSS-Fuzz) 2495 (ImportViewPixelArea): Only compute unsigned_maxvalue if 2496 sample_bits <= 32. 2497 2498 2018-02-09 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2499 2500 * coders/dib.c (ReadDIBImage): Validate that image width is not 2501 too negative such that it's absolute value can not fit in 32-bit 2502 unsigned width. Resolves oss-fuzz issue 6179 2503 "graphicsmagick/coder_ICO_fuzzer: Integer-overflow in 2504 ReadDIBImage". (Credit to OSS-Fuzz) 2505 2506 * coders/dcm.c (funcDCM_BitsStored): Validate DICOM datum size. 2507 Use a different means to determine the maximum value which does 2508 not use excessive shifting. Resolves oss-fuzz issue 6165 2509 "graphicsmagick/coder_DCM_fuzzer: Undefined-shift in 2510 funcDCM_BitsStored". 
(Credit to OSS-Fuzz) 2511 2512 2018-02-08 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> 2513 2514 * coders/dpx.c (ReadWordU32BE): Add casts to avoid default type 2515 promotion from unsigned char to 'int' leading to undefined 2516 behavior for 24 bit shift. Fixes oss-fuzz issue 6058 2517 "graphicsmagick/coder_DPX_fuzzer: Undefined-shift in 2518 ReadWordU32BE". (Credit to OSS-Fuzz) 2519 (ReadDPXImage): Require that the file has at least one element. 2520 Add bountiful casts for values which are left-shifted. Fixes 2521 oss-fuzz issue 5962 "graphicsmagick/coder_DPX_fuzzer: 2522 Undefined-shift in ReadDPXImage". (Credit to OSS-Fuzz) 2523 2524 * coders/dcm.c (DCM_ReadOffsetTable): Add casts Add casts to avoid 2525 default type promotion from unsigned char to 'int' leading to 2526 undefined behavior for 16 bit shift. Fixes oss-fuzz issue 5980 2527 "graphicsmagick/coder_DCM_fuzzer: Undefined-shift in 2528 DCM_ReadOffsetTable". (Credit to OSS-Fuzz) 2529 2530 * magick/module_aliases.h (ModuleAliases): Add missing mapping 2531 from "ICODIB" format to "DIB" module. 2532 2533 * magick/import.c (ImportUInt32Quantum): Add casts to avoid 2534 default type promotion from unsigned char to 'int' leading to 2535 undefined behavior for 24 bit shift. Fixes oss-fuzz 2536 "graphicsmagick/coder_P7_fuzzer: Undefined-shift in 2537 ImportRGBQuantumType". (Credit to OSS-Fuzz) 2538 2539 2018-02-07 Fojtik Jaroslav <JaFojtik@seznam.cz> 2540 2541 * coders/wpg.c Fix oss-fuzz issue 5964 2542 "graphicsmagick/coder_MAT_fuzzer: Heap-use-after-free in 2543 GetLocaleExceptionMessage". (Credit to OSS-Fuzz) 2544 2545 2018-02-07 Greg Wolfe <gregory.wolfe@kodakalaris.com> 2546 2547 * magick/render.c (IsPoint): Fixed a bug in which 2548 IsPoint() would reject as a valid coordinate value 2549 strings that did not begin with an integer: e.g., 2550 "0.25" would be accepted, but ".25" would not. 
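The "Undefined-shift" entries above (ReadWordU32BE, ImportUInt32Quantum, the ReadBMPImage "left shift of 205 by 24 places" error, and the shift-free maximum in funcDCM_BitsStored) all stem from one C integer-promotion rule. The following is an added illustration in C, not GraphicsMagick code: the function names, the constructed header bytes and the max_value_for_bits formula are my own.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not GraphicsMagick code.
 *
 * In C an `unsigned char` operand of `<<` is first promoted to `int`.
 * With a 32-bit int, `byte << 24` is undefined behaviour whenever
 * byte >= 0x80, because the result no longer fits in a signed int; UBSAN
 * reports it as "left shift of 205 by 24 places cannot be represented in
 * type 'int'" (205 == 0xCD). The fix in the entries above is to cast each
 * byte to an unsigned 32-bit type before shifting.
 */

/*
 * "Before" form of a big-endian reader, shown only for comparison and
 * deliberately not compiled: every b[i] is promoted to int, so the
 * 24-bit shift is undefined for b[0] >= 0x80.
 *
 *   return (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3];
 */

/* Hardened big-endian reader: cast each byte to uint32_t before shifting,
 * so the arithmetic is unsigned and well defined for every byte value. */
uint32_t read_u32be(const unsigned char *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Little-endian variant, done the same way (the BMP/DIB header case). */
uint32_t read_u32le(const unsigned char *b)
{
    return ((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) |
           ((uint32_t)b[1] << 8)  |  (uint32_t)b[0];
}

/* Returns 1 if `byte << shift`, evaluated on the promoted int, would be
 * undefined behaviour on a 32-bit int: either the shift count is too large
 * or the shifted value exceeds INT32_MAX. Handy when auditing a reader. */
int shift_overflows_int(unsigned char byte, unsigned shift)
{
    if (shift >= 32)
        return 1;
    return ((uint64_t)byte << shift) > (uint64_t)INT32_MAX;
}

/* Largest sample value for a "bits stored" field, computed without ever
 * shifting by `bits` itself (1u << 32 is undefined for a 32-bit type).
 * Invalid sizes (0 or more than 32) return 0, which a caller should treat
 * as "reject the file"; a valid field always yields at least 1.
 * The formula is my own, not the project's. */
uint32_t max_value_for_bits(unsigned bits)
{
    if (bits == 0 || bits > 32)
        return 0;
    if (bits == 32)
        return UINT32_MAX;
    return (UINT32_C(1) << bits) - 1u;
}

int main(void)
{
    /* Constructed header bytes: top byte 0xCD (205), the value from the
     * UBSAN report quoted in the ChangeLog. */
    const unsigned char hdr[4] = { 0xCD, 0x00, 0x00, 0x01 };

    printf("read_u32be = 0x%08lx\n", (unsigned long)read_u32be(hdr));
    printf("read_u32le = 0x%08lx\n", (unsigned long)read_u32le(hdr));
    printf("0xCD << 24 on promoted int is UB: %d\n",
           shift_overflows_int(0xCD, 24));
    printf("0x7F << 24 on promoted int is UB: %d\n",
           shift_overflows_int(0x7F, 24));
    printf("max for 12 bits stored = %lu\n",
           (unsigned long)max_value_for_bits(12));
    printf("max for 33 bits stored = %lu (rejected)\n",
           (unsigned long)max_value_for_bits(33));
    return 0;
}
```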
2018-02-07 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/cut.c (ReadCUTImage): Fix DestroyImageInfo() of NULL
	pointer leading to assertion. Fixes oss-fuzz issue 6067
	"graphicsmagick/coder_CUT_fuzzer: Unknown signal in
	DestroyImageInfo".

	* coders/tga.c (ReadTGAImage): Throw exception rather than
	assertion for unexpected comment size. Fixes oss-fuzz issue 5961
	"graphicsmagick/coder_ICB_fuzzer: ASSERT: (size_t)
	(tga_info.id_length+1) == commentsize".

2018-02-06 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/pdf.c (WritePDFImage): Free 'xref' allocation before
	error return. Fixes oss-fuzz issue 5968
	"graphicsmagick/coder_EPDF_fuzzer: Direct-leak in MagickRealloc".

2018-02-04 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/pdb.c (ReadPDBImage): Fix heap buffer overflow if blob is
	already at EOF when comment is read. Fixes oss-fuzz issue 5997
	"graphicsmagick/coder_PDB_fuzzer: Heap-buffer-overflow in
	SetImageAttribute".

	* coders/dpx.c (ReadDPXImage): Fix memory leak of user data if
	user data is truncated. Fix consumption of one uninitialized
	stack byte. Fixes oss-fuzz issue 5973:
	graphicsmagick/enhance_fuzzer: Direct-leak in ReadDPXImage.

	* coders/pnm.c (ReadPNMImage): Detect and avoid division by zero.
	Fixes Issue 5959 in oss-fuzz: graphicsmagick/coder_P7_fuzzer:
	Divide-by-zero in ReadPNMImage.

	* magick/xwindow.c (MagickXClientMessage): Eliminate valgrind
	gripe about use of uninitialized stack data by clearing allocation
	to zero.
	(MagickXMakeImage): Eliminate valgrind gripe about use of
	uninitialized heap data by clearing allocation to zero.

	* coders/pwp.c (ReadPWPImage): Remove bogus EOF test on an image
	with a closed blob. Fixes Issue 5957 in oss-fuzz:
	graphicsmagick/coder_PWP_fuzzer: ASSERT: image->blob->type !=
	UndefinedStream.

	* www/Changes.rst: Fix typo with spelling "ChangeLog-2017.html".
	Resolves SourceForge issue #544 "dead link 2017 changelog page on
	GraphicsMagick web site".

2018-02-03 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* magick/static.c (OpenModule): Assure that status is initialized.
	Resolves Coverity 261207 "Uninitialized scalar variable".

	* wand/magick_wand.c (MagickHasColormap): New function to test if
	the image has a colormap.
	(MagickIsGrayImage): New function to test if the image uses only
	gray pixels.
	(MagickIsMonochromeImage): New function to test if the image uses
	only monochrome pixels.
	(MagickIsOpaqueImage): New function to test if the image uses only
	opaque pixels.
	(MagickIsPaletteImage): New function to test if the image is based
	on a color palette. Above functions are written by Troy Patteson
	and submitted via SourceForge patch #54 "Wand API patches: has
	colormap, is gray image, is monochrome image, is opaque image, is
	palette image".

	* fuzzing: Added initial OSS-Fuzz integration by Alex Gaynor.
	From SourceForge patch #55 "OSS-Fuzz integration".

	* coders/png.c (ReadMNGImage): Fix free using possibly unallocated
	pointer value.

	* magick/blob.c (SeekBlob): Remove implicit extension of blob
	allocation size based on seek offset. Besides making an
	assumption about how the blob memory was allocated, this
	reallocation feature provides a memory DOS opportunity. Resolves
	issue reported by Alex Gaynor via email entitled "Security issue
	with memory management in Magick++" to the graphicsmagick-security
	list on 31 Jan 2018.
	(SeekBlob):

	* coders/jpeg.c (ReadIPTCProfile): Revert inadvertent wrong return
	codes added by change on December 9, 2017. Fixes SourceForge bug
	542 "Improper call to JPEG library in state 201" since 1.3.28.

2018-02-01 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* magick/annotate.c (RenderFreetype): Fixed the text
	opacity computation in RenderFreeType(). This bug caused
	the text fill color to bleed into the character cell when
	the SVG "fill-opacity" is less than 1.0.

2018-02-01 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* magick/attribute.c (CloneImageAttributes): Fixed a bug
	in which the source image attributes would always replace
	the destination image attributes instead of being appended
	to them, and the destination image attributes would become
	a memory leak.

2018-01-31 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* coders/svg.c (SVGStartElement): Fixed a bug in which the
	x,y location values for a <text> or <tspan> were overwritten
	by the x,y values for the next <tspan> before the previous
	values were used. This caused the text associated with the
	previous <text> or <tspan> to appear at the location
	specified for the next <tspan>.

2018-01-30 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* magick/static.c: Use !defined(SupportMagickModules) to enable
	static module loader. Fixes SourceForge bug #543 "Multiple
	definition of "OpenModule" (etc) when cross-compiling shared".

2018-01-29 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* coders/svg.c (SVGStartElement): A terminating '>' in
	a geometry string is interpreted to mean that the dimensions
	of an image should only be changed if its width or height
	exceeds the geometry specification. For an unapparent and
	undocumented reason, a terminating '>', if present, was
	being nulled out, making this feature unusable for SVG files
	(now fixed).

2018-01-29 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* coders/svg.c (ReadSVGImage): If there is a geometry string
	in image_info->size (e.g., gm convert -size "50x50%" in.svg
	out.png), AllocateImage() sets image->columns and image->rows
	to the width and height values from the size string. However,
	this makes no sense if the size string was something like
	"50x50%" (we'll get columns = rows = 50). So we set columns
	and rows to 0 after AllocateImage(), which is the same as if
	no size string was supplied by the client. This also results
	in svg_info.bounds being set to 0,0 (i.e., unknown), so that
	svg_info.bounds will later be set using the image size
	information from either the svg "canvas" width/height or from
	the viewbox. Later, variable "page" is set from
	svg_info->bounds. Then the geometry string in image_info->size
	gets applied to the (now known) "page" width and height when
	SvgStartElement() calls GetMagickGeometry(), and the intended
	result is obtained.

2018-01-24 Greg Wolfe <gregory.wolfe@kodakalaris.com>

	* coders/svg.c (SVGStartElement): When the density (DPI)
	is specified using the ImageInfo::density member, the derived
	scale factor is incorrectly applied a second time to the
	width and height members of variable RectangleInfo page.
	Fixes SourceForge ticket #451.

2018-01-23 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* magick/static.c: Use a lazy-loader for static modules with the
	same external interface as the lazy-loader for dynamic modules.

2018-01-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* NEWS.txt: Prepare for 1.3.28 release.

2018-01-17 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* NEWS.txt: Update with changes since previous release.

2018-01-14 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* PerlMagick/Magick.xs: Compiler warnings reduction.

	* magick/pixel_cache.h: Mark GetPixels(), GetIndexes(), and
	GetOnePixel() as deprecated. Compilers may produce a warning if
	these functions are used.

	* magick/pixel_cache.c (InterpolateColor): Return black pixel if
	InterpolateViewColor() reports failure.

	* coders/png.c (ReadMNGImage): Fix memory leak of chunk and
	mng_info in error path.

	* coders/gif.c (ReadGIFImage): Fix memory leak of global colormap.

2018-01-13 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* magick/symbols.h: Fix SourceForge issue #538 "13 symbols in
	common with ImageMagick despite --enable-symbol-prefix".

	* coders/bmp.c (ReadBMPImage): Fix non-terminal loop due to
	unexpected bit-field mask value. Fixes SourceForge issue #541
	"Infinite Loop in ReadBMPImage (coders/bmp.c)".

	* coders/jpeg.c (JPEGMessageHandler): Revert code added on
	2017-07-08 to promote certain warnings from libjpeg to errors.
	Add code to rationalize claimed image dimensions based on file
	size. Resolves SourceForge issue #539 "Images with libjpeg
	warnings result in error".

2018-01-11 Fojtik Jaroslav <JaFojtik@seznam.cz>

	* coders/wpg.c: Recursive ReadImage could return multiple scenes;
	fixed.

2018-01-07 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* coders/png.c (ReadOnePNGImage): Quit 'passes' loop if we
	encountered an error.

	* magick/pixel_cache.c (SetNexus): Fix heap overwrite in
	AcquireCacheNexus() due to SetNexus() not using an allocated
	staging area for the pixels like it should. This problem impacts
	all 1.3.X releases. Resolves SourceForge issues #532
	"heap-buffer-overflow bug in ReadWPGImage" and #531
	"heap-buffer-overflow in AcquireCacheNexus".

	* magick/pixel_cache.c (InterpolateViewColor): Now returns
	MagickPassFail rather than void. Code using this function is
	updated to check the return status.

2018-01-01 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* magick/describe.c (DescribeImage): Discriminate between
	AcquireImagePixels() returning NULL or finding a transparent
	pixel. This avoids use of a null pointer in the case where
	AcquireImagePixels() returns NULL.

2017-12-31 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* magick/static.c: Change static module initialization to be based
	on an initialized list rather than a sequence of function calls in
	order to simplify maintenance and possibly address future
	requirements.

2017-12-30 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

	* Copyright.txt: Bump copyright years and rotate ChangeLog.