<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Docutils 0.15.2: http://docutils.sourceforge.net/" />
<title>ChangeLog-2018.rst</title>
<link rel="stylesheet" href="docutils-articles.css" type="text/css" />
</head>
<body>

<div class="banner">
<img src="images/gm-107x76.png" alt="GraphicsMagick logo" width="107" height="76" />
<span class="title">GraphicsMagick</span>
<form action="http://www.google.com/search">
<input type="hidden" name="domains" value="www.graphicsmagick.org" />
<input type="hidden" name="sitesearch" value="www.graphicsmagick.org" />
<span class="nowrap"><input type="text" name="q" size="25" maxlength="255" /> <input type="submit" name="sa" value="Search" /></span>
</form>
</div>

<div class="navmenu">
<ul>
<li><a href="index.html">Home</a></li>
<li><a href="project.html">Project</a></li>
<li><a href="download.html">Download</a></li>
<li><a href="README.html">Install</a></li>
<li><a href="Hg.html">Source</a></li>
<li><a href="NEWS.html">News</a> </li>
<li><a href="utilities.html">Utilities</a></li>
<li><a href="programming.html">Programming</a></li>
<li><a href="reference.html">Reference</a></li>
</ul>
</div>
<div class="document">


<p>2018-12-20 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/jpeg.c (ReadJPEGImage): Move return point for 'ping' mode
until after jpeg_start_decompress() and after JPEG compression
properties have been estimated. Fixes SourceForge issue #578 "gm
identify with format "%[JPEG-Colorspace-Name]" does not work" and
#586 "Identify returning wrong compression values".</li>
</ul>
</blockquote>
<p>2018-12-18 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul>
<li><p class="first">coders/gif.c (ReadGIFImage): Don't throw an error if opacity is
outside of the range of the image colors. Fix suggested by 莫红波
&lt;<a class="reference external" href="mailto:hongbo.mo%40upai.com">hongbo<span>.</span>mo<span>@</span>upai<span>.</span>com</a>&gt; on the graphicsmagick-bugs mailing list on
Fri, 9 Oct 2015.</p>
</li>
<li><p class="first">magick/memory.h (MagickAllocateClearedArray): New macro for
allocating a cleared array.</p>
</li>
<li><p class="first">magick/resize.c (ScaleImage): Patch by Troy Patteson which
resolves SourceForge issue #381 "Artifacts when scaling a PNG with
semi-transparent pixels".</p>
<p>ScaleImage() suffers from two problems related to the blending of
fully transparent pixels with non-fully transparent pixels during
the scaling operation.</p>
<p>The first is that the colour values for fully transparent pixels
are contributing to the colour values of the blended pixels when
they should not.</p>
<p>The second is that the colour values of pixels blended with fully
and non-fully transparent pixels are scaled as though the fully
transparent pixels contribute to the blended pixels' colour values
when they should not. For example, if blending 10% of a fully
opaque white pixel with 90% of a fully transparent black pixel one
would expect the blended pixel RGBA values to be 255,255,255,25.5
assuming 8 bit colour but they are in fact 25.5,25.5,25.5,25.5.</p>
<p>The provided patch solves the first issue by treating the colour
values of fully transparent pixels as zero and the second issue by
recording the volume of each blended pixel made up of pixels that
are not fully transparent (0.1 in the above example) and then
scaling the blended pixel RGB values by dividing by that
amount. In the above example, 25.5/0.1 = 255.</p>
</li>
</ul>
</blockquote>
<p>2018-12-16 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/dib.c (ReadDIBImage): DIB images claiming more than
8-bits per pixel are not colormapped. Reject such files. Fixes
SourceForge issue #585 "Assertion Failure in coders/png.c:7503".
The problem is in the DIB reader rather than PNG.</li>
<li>coders/miff.c (ReadMIFFImage): Detect and reject zero-length
deflate-encoded row in MIFF version 0. Fixes oss-fuzz 11876
"graphicsmagick/coder_MIFF_fuzzer: Use-of-uninitialized-value in
deflate_slow". (Credit to OSS-Fuzz)</li>
<li>configure.ac: Improve search for true Microsoft Windows fonts
and provide better indication of results. Fix a typo which caused
DcrawExtraOptions not to be evaluated correctly.</li>
</ul>
</blockquote>
<p>2018-12-15 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/tiff.c (QuantumTransferMode): Be more strict about the
requirements for CIE Log2(L) and LOGLUV images.
(ReadTIFFImage): Apply memory resource limits to strip and tile
allocations.
(ReadTIFFImage): Rationalize tile width/height to reject large
tile sizes which are much larger than the image dimensions. Fixes
oss-fuzz 11824 "graphicsmagick/coder_BIGTIFF_fuzzer: Out-of-memory
in graphicsmagick_coder_BIGTIFF_fuzzer". (Credit to OSS-Fuzz)
(ReadTIFFImage): Return with error if TIFFClientOpen() reports
errors yet still returns a TIFF handle.</li>
</ul>
</blockquote>
<p>2018-12-12 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/tga.c (WriteTGAImage): Image rows/columns must not be
larger than 65535. Fixes SourceForge #583 "heap-buffer-overflow in
WriteTGAImage of tga.c".</li>
</ul>
</blockquote>
<p>2018-12-11 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/bmp.c (ReadBMPImage): Fix heap overflow in 32-bit build
due to arithmetic overflow. Only happens if limits are changed
from defaults. Fixes SourceForge #582 "heap-buffer-overflow in
ReadBMPImage of bmp.c".</li>
</ul>
</blockquote>
<p>2018-12-09 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>common.shi.in (MAGICK_FONT): The test suite must pass even on
systems where we don't find any fonts.</li>
</ul>
</blockquote>
<p>2018-12-08 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/miff.c (ReadMIFFImage): Sanitize claimed profile size
before allocating memory for it. Fixes oss-fuzz 11781
"graphicsmagick/coder_MIFF_fuzzer: Out-of-memory in
graphicsmagick_coder_MIFF_fuzzer". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-12-05 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/png.c (ReadMNGImage): Fix non-terminal MNG looping.
Fixes oss-fuzz 11596 "graphicsmagick/coder_MNG_fuzzer: Timeout in
graphicsmagick_coder_MNG_fuzzer". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-12-04 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/xpm.c (WriteXPMImage): Assure that added colormap entry
for transparent XPM is initialized. Fixes oss-fuzz 11617
"graphicsmagick/coder_XPM_fuzzer: Use-of-uninitialized-value in
QueryColorname".
(Credit to OSS-Fuzz)</li>
<li>coders/miff.c (ReadMIFFImage): Fix memory leak of profiles
'name' when claimed length is zero. Fixes oss-fuzz 11710
"graphicsmagick/coder_MIFF_fuzzer: Direct-leak in AllocateString".
and oss-fuzz 11688 "graphicsmagick/coder_MIFF_fuzzer:
Out-of-memory in graphicsmagick_coder_MIFF_fuzzer". (Credit to
OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-12-02 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>fuzzing/oss-fuzz-build.sh: Apply patch from Alex Gaynor to add
Zstd to the oss-fuzz build.</li>
</ul>
</blockquote>
<p>2018-12-01 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>configure.ac (DcrawExtraOptions): For QuantumDepth &gt; 8 pass -6
option to dcraw. Fixes SourceForge issue #568 "dcraw not
returning 16 bit image even though quantum depth is set to 16".</li>
<li>fuzzing/oss-fuzz-build.sh (PKG_CONFIG_PATH): Build WebP prior to
libtiff so that libtiff has a chance to find it.</li>
</ul>
</blockquote>
<p>2018-11-30 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/command.c (TimeImageCommand): Time command now shows 6
digits of elapsed time indication since this precision is often
now available and it is useful to see.</li>
</ul>
</blockquote>
<p>2018-11-29 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>Magick++/lib/Magick++/Drawable.h: Fix use of clang diagnostic
syntax. Addresses SourceForge bug #579 "'diagnostic pop' pragma
without 'diagnostic push' in Drawable.h.".</li>
</ul>
</blockquote>
<p>2018-11-22 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/constitute.c (WriteImage): Eliminate use of just-freed
memory in clone_info-&gt;magick when throwing exception due to no
support for format.
Fixes SourceForge issue #576 "heap
use-after-free when convert one format into another format".</li>
<li>magick/command.c (BenchmarkImageCommand): Benchmark command now
shows 6 digits of elapsed time indication since this precision is
often now available and it is useful to see.</li>
</ul>
</blockquote>
<p>2018-11-21 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>wand/wand_api.h ("C"): magick/api.h should be included prior to
wand/wand_symbols.h. Change made due to report by yzh杨振宏 on
Wed, 21 Nov 2018 via the graphicsmagick-bugs mailing list.</li>
</ul>
</blockquote>
<p>2018-11-20 Fojtik Jaroslav &lt;<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/nt_base.c Fix a bug when OS does not support performance counter.</li>
</ul>
</blockquote>
<p>2018-11-20 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/nt_base.c (NTElapsedTime): Use
QueryPerformanceFrequency() and QueryPerformanceCounter() to
measure elapsed time for Windows.</li>
</ul>
</blockquote>
<p>2018-11-19 Fojtik Jaroslav &lt;<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>tiff/port/snprintf.c Fix for older Microsoft Visual Studio</li>
</ul>
</blockquote>
<p>2018-11-17 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>www/index.rst: Update in preparation for 1.3.31 release.</li>
<li>version.sh: Update library versioning in preparation for
1.3.31 release.</li>
<li>NEWS.txt: Update news in preparation for 1.3.31 release.</li>
</ul>
</blockquote>
<p>2018-11-15 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/command.c (BenchmarkUsage): Document the benchmark
command better.</li>
</ul>
</blockquote>
<p>2018-11-14 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/resize.c (HorizontalFilter, VerticalFilter): quantum is a
pointer so its value cannot be usefully flushed. Use a local
variable and then update quantum pointer when done.</li>
</ul>
</blockquote>
<p>2018-11-11 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/*: Changed row_count tallying to use 'omp atomic' and
status update to use 'omp flush' for progress and error
indication. This replaces most use of 'omp critical' for this
purpose. Changed some lumpy algorithms which were using 'static'
scheduling to 'guided' scheduling due to observing better results.
Also added prolific 'restrict' annotations where they were
missing.</li>
<li>www/security.rst: Documented a PGP private key for file signing
or private correspondence.</li>
</ul>
</blockquote>
<p>2018-11-10 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>www/authors.rst: Moved "Glenn Randers-Pehrson" and "Gregory J
Wolfe" to the "Former Contributor" category.</li>
</ul>
</blockquote>
<p>2018-11-09 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>Added many GCC function annotations in the libraries and coders.</li>
</ul>
</blockquote>
<p>2018-11-07 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>configure.ac: Use printf rather than echo to portably expand tab
requests in configuration summary.</li>
</ul>
</blockquote>
<p>2018-11-01 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>configure.ac: Use pkg-config data as the initial choice when
configuring for FreeType 2.0 and libxml-2.0. Only fall back to
invoking an external script (and then traditional methods) if
pkg-config fails.</li>
<li>coders/msl.c (ProcessMSLScript): Release msl_image if OpenBlob
fails. Similar to ImageMagick CVE-2018-18544. Problem was
reported to us via email from Petr Gajdos on Thu, 1 Nov 2018.</li>
</ul>
</blockquote>
<p>2018-10-27 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/miff.c (WriteMIFFImage): Only run
strlen(attribute-&gt;value) once per attribute since the length won't
change. May address oss-fuzz 11158
"graphicsmagick/coder_MIFF_fuzzer: Timeout in
graphicsmagick_coder_MIFF_fuzzer". (Credit to OSS-Fuzz)</li>
<li>Fix compilation warnings observed with GCC 8.2.0.</li>
</ul>
</blockquote>
<p>2018-10-26 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/pixel_iterator.c (PixelIterateMonoModifyImplementation):
Use atomic and flush rather than critical construct for a small
speedup.</li>
<li>magick/monitor.c (MagickMonitorFormatted): Serialize calls to
the progress monitor so that the caller does not need to perform
this serialization.
(MagickMonitor): Serialize calls to the progress monitor so that
the caller does not need to perform this serialization. This
function is now marked as deprecated.
(InitializeMagickMonitor): New private function to initialize
monitor functionality.
(DestroyMagickMonitor): New private function to destroy monitor
functionality.</li>
</ul>
</blockquote>
<p>2018-10-23 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/gif.c (ReadGIFImage): Improve the efficiency of storing a
GIF comment in order to avoid a DOS opportunity. Fixes oss-fuzz
11096 "graphicsmagick/coder_GIF_fuzzer: Timeout in
graphicsmagick_coder_GIF_fuzzer". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-10-21 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>PerlMagick/Makefile.PL.in: Use MAGICK_API_LIBS to obtain the
list of libraries to use when linking.</li>
<li>configure.ac: OpenMP library is normally supplied due to a
CFLAGS option so only supply it in cases where the CFLAGS option
may be lost or it might not be used. Otherwise the compiler may
apply the library twice when linking.</li>
</ul>
</blockquote>
<p>2018-10-20 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>configure.ac: Remove Ghostscript library support (--with-gslib)
from configure script. The 'HasGS' pre-processor defines which
were enabled by this remain in the source code so it is still
possible to use this library if absolutely necessary
(e.g. CPPFLAGS=-DHasGS LIBS=-lgs).</li>
<li>tests/rwfile.tap: Test TIFF format with all supported
compression options.</li>
<li>tests/{rwblob.c, rwfile.c} (main): Use StringToCompressionType()
to parse compression option. Also consider requested compression
algorithm when deciding if format is lossy.</li>
<li>coders/tiff.c (WriteTIFFImage): WebP compression needs
PHOTOMETRIC_RGB. Fix wrong rows-per-strip calculation when using
LZMA compression.</li>
<li>tests/rwblob.tap: Added a rwblob test to verify that lower-case
magick works.</li>
<li>magick/static.c (OpenModule): Upper case magick string before
searching static modules list. Fixes Debian bug 911386
"libgraphicsmagick-q16-3: graphicsmagick 1.3.30 has made formats
case-sensitive at the API level".</li>
<li>filters/analyze.c (AnalyzeImage): X and y should be unsigned
long to match image rows/columns type. Calculate total pixels by
simple multiplication rather than counting.</li>
</ul>
</blockquote>
<p>2018-10-14 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/tiff.c (WriteTIFFImage): Support WebP compression in
TIFF. This requires a libtiff release after 4.0.9.</li>
<li>magick/image.h ("C"): WebPCompression added to CompressionType
enumeration.</li>
</ul>
</blockquote>
<p>2018-10-13 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>configure.ac: Configure for the Zstd library. Use
--without-zstd to disable searching for this library.
Libtiff may
require this library to successfully link so static linkage could
fail if searching for libzstd is disabled.</li>
<li>magick/image.h ("C"): ZSTDCompression added to CompressionType
enumeration.</li>
<li>coders/tiff.c (WriteTIFFImage): Support Zstd compression in
TIFF. This requires a libtiff release after 4.0.9.</li>
</ul>
</blockquote>
<p>2018-10-10 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/command.c (GMCommandSingle): Add 'compare' to the list of
command names that gm will support as a command if copied to or
linked from that name. There was already a 'compare' link
installed when the '--enable-magick-compat' configure option is
used, but it could not possibly function without being blessed by
this list. Related to Debian bug #910652
"graphicsmagick-imagemagick-compat: Doesn't ship a compare tool".</li>
</ul>
</blockquote>
<p>2018-09-30 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>Magick++/lib/Magick++/Drawable.h: Block unused-private-field
warnings from Clang due to _dummy members which were intentionally
included in some parent class definitions.</li>
<li>magick/widget.c (XEditText): Fix compilation warnings about
cases which fall-through.</li>
<li>magick/display.c (MagickXAnnotateEditImage): Fix compilation
warnings about cases which fall-through.</li>
<li>coders/pict.c (WritePICTImage): Add more checks to memory
allocation calculations.</li>
<li>magick/pixel_cache.c (DestroyCacheInfo): Eliminate intentional
fall-through logic in switch statement which results in compiler
warnings. Eliminate switch statements entirely and split
unrelated logic.</li>
<li>coders/txt.c (ReadTXTImage): Fix comparison between pointer and
'0' rather than NULL as was obviously intended.</li>
<li>coders/msl.c (MSLStartElement): Add missing 'break' statements
after ThrowException() calls. Otherwise execution falls through
into unrelated switch cases and throws a redundant exception.</li>
</ul>
</blockquote>
<p>2018-09-29 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/meta.c (parse8BIM): Eliminate repeated use of strlen()
which scans the entire remaining string on each cycle. Fixes
oss-fuzz 10667 "graphicsmagick/coder_IPTCTEXT_fuzzer: Timeout in
graphicsmagick_coder_IPTCTEXT_fuzzer". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-09-26 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/utility.c (MagickGetToken): Fix possible read up to four
bytes beyond end of stack allocated token buffer. Fixes oss-fuzz
10653 "graphicsmagick/coder_MVG_fuzzer: Stack-buffer-overflow in
MagickGetToken".
(Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-09-22 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>fuzzing/coder_fuzzer.cc (LLVMFuzzerTestOneInput): Limit the
maximum number of JPEG progressive scans to 50.</li>
<li>coders/jpeg.c (ReadJPEGImage): Apply a default limit of 100
progressive scans before the reader quits with an error. This
limit may be adjusted using the -define mechanism like -define
JPEG:max-scan-number=500. Also respond more quickly to files
which exceed the maximum image dimensions. Fixes oss-fuzz 10258
"graphicsmagick/coder_JPEG_fuzzer: Timeout in
graphicsmagick_coder_JPEG_fuzzer". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-09-20 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/png.c (ReadMNGImage): mng_LOOP chunk must be at least 5
bytes long. Fixes oss-fuzz 10455
"graphicsmagick/coder_MNG_fuzzer: Use-of-uninitialized-value in
ReadMNGImage". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-09-15 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/render.c (TraceEllipse): Detect arithmetic overflow when
computing the number of points to allocate for an ellipse. Fixes
oss-fuzz 10306 "graphicsmagick/coder_MVG_fuzzer:
Heap-buffer-overflow in TracePoint". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-09-12 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/attribute.c (GenerateEXIFAttribute): Eliminate undefined
shift. Also right-sized involved data types. Fixes oss-fuzz
10309 "graphicsmagick/coder_JPG_fuzzer: Undefined-shift in
Read32s". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-09-09 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/render.c (DrawClipPath): Fix Coverity 319663 "Null
pointer dereferences". Totally insignificant.</li>
<li>coders/wpg.c (ReadWPGImage): Mask/fix Coverity 319664 "Error
handling issues".</li>
<li>magick/attribute.c (FindEXIFAttribute): Change size types from
signed to unsigned and check for unsigned overflow.
(GenerateEXIFAttribute): Change size types from signed to unsigned
and check for unsigned overflow. Fixes oss-fuzz 10283
"graphicsmagick/coder_JPG_fuzzer: Integer-overflow in
GenerateEXIFAttribute". (Credit to OSS-Fuzz)</li>
<li>coders/sfw.c (ReadSFWImage): Enforce that file is read using the
JPEG reader. (Credit to OSS-Fuzz)</li>
<li>coders/miff.c (ReadMIFFImage): Fix leak of 'values' buffer due
to change made yesterday.</li>
<li>coders/mpc.c (ReadMPCImage): Fix leak of 'values' buffer due to
change made yesterday. Fixes oss-fuzz 10277
"graphicsmagick/coder_MPC_fuzzer: Direct-leak in
ReadMPCImage".
(Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-09-08 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/miff.c (ReadMIFFImage): Support legacy keyword
'color-profile' for ICC color profile as was used by ImageMagick
4.2.9.</li>
<li>coders/mpc.c (ReadMPCImage): Require that first keyword/value be
id=MagickCache</li>
<li>coders/miff.c (ReadMIFFImage): Require that first keyword/value
be id=ImageMagick.</li>
</ul>
</blockquote>
<p>2018-09-06 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/dcm.c (DCM_ReadElement): Add more size checks.</li>
<li>coders/jnx.c (ExtractTileJPG): Enforce that JPEG tiles are read
by the JPEG coder. Fixes oss-fuzz 10147
"graphicsmagick/coder_JNX_fuzzer: Use-of-uninitialized-value in
funcDCM_PhotometricInterpretation". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-09-10 Fojtik Jaroslav &lt;<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/wpg.c Zero fill raster error recovery.</li>
</ul>
</blockquote>
<p>2018-08-29 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/render.c (ConvertPrimitiveToPath): Second attempt to
prevent heap write overflow of PathInfo array. Fixes oss-fuzz
10096 "Heap-buffer-overflow in ConvertPrimitiveToPath". (Credit to
OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-08-25 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/tiff.c ("QuantumTransferMode"): CIE Log images with an
alpha channel are not supported. Fixes oss-fuzz 10013
"graphicsmagick/coder_TIFF_fuzzer: Use-of-uninitialized-value in
DisassociateAlphaRegion". (Credit to OSS-Fuzz)</li>
<li>magick/render.c (DrawImage): SetImageAttribute() appends new
text to any existing value, leading to ever increasing memory
consumption if the existing value is not deleted first by the
unwary. Fixes oss-fuzz 9983 "graphicsmagick/coder_MVG_fuzzer:
Timeout in graphicsmagick_coder_MVG_fuzzer" and oss-fuzz 10016
"graphicsmagick/coder_MVG_fuzzer: Out-of-memory in
graphicsmagick_coder_MVG_fuzzer". (Credit to OSS-Fuzz)</li>
<li>magick/utility.c (TranslateTextEx): Fix off-by-one in loop
bounds check which allowed a one-byte stack write overflow. Fixes
oss-fuzz 10055 "graphicsmagick/coder_MVG_fuzzer:
Stack-buffer-overflow in TranslateTextEx". (Credit to OSS-Fuzz)</li>
<li>magick/render.c (DrawImage): Be more precise about error
detection and reporting, and return from an error more quickly.
Also added MAX_DRAWIMAGE_RECURSION pre-processor definition to
allow adjusting the drawing recursion limit. The drawing
recursion limit is still 100, which seems exceptionally generous.</li>
<li>magick/constitute.c (WriteImage): Produce a more useful error
message if an encoding delegate is not available.</li>
<li>magick/nt_base.h (isnan): Try adding a MSVC replacement for
missing isnan() function.
Not yet tested.</li> 593 </ul> 594 </blockquote> 595 <p>2018-08-25 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 596 <blockquote> 597 <ul class="simple"> 598 <li>coders/wpg.c This should fix intentional 64 bit file offset 599 overflow as depictedin OSS-fuzz-9936. Thanks to OSS-Fuzz.</li> 600 </ul> 601 </blockquote> 602 <p>2018-08-22 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 603 <blockquote> 604 <ul class="simple"> 605 <li>magick/render.c (ConvertPrimitiveToPath): Need to enlarge 606 PathInfo array allocation to avoid possible heap write overflow. 607 Fixes oss-fuzz 9651 "graphicsmagick/coder_MVG_fuzzer: 608 Heap-buffer-overflow in ConvertPrimitiveToPath". (Credit to 609 OSS-Fuzz)</li> 610 </ul> 611 </blockquote> 612 <p>2018-08-20 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 613 <blockquote> 614 <ul class="simple"> 615 <li>coders/mpc.c (ReadMPCImage): Insist that the format be 616 identified prior to any comment, and that there is only one 617 comment.</li> 618 <li>coders/miff.c (ReadMIFFImage): Insist that the format be 619 identified prior to any comment, and that there is only one 620 comment. Fixes oss-fuzz 9979 "graphicsmagick/coder_MIFF_fuzzer: 621 Timeout in graphicsmagick_coder_MIFF_fuzzer". This is not a 622 serious issue, but the code runs slowly under UBSAN. 
(Credit to 623 OSS-Fuzz)</li> 624 </ul> 625 </blockquote> 626 <p>2018-08-19 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 627 <blockquote> 628 <ul class="simple"> 629 <li>magick/utility.c (MagickAtoFChk): Add additional validation 630 checks for floating point values. NAN and +/- INFINITY values 631 also map to 0.0. Fixes oss-fuzz 9630 632 "graphicsmagick/coder_MVG_fuzzer: Integer-overflow in 633 IsNexusInCore" and oss-fuzz 9612 "graphicsmagick/coder_MVG_fuzzer: 634 Integer-overflow in SetCacheNexus". (Credit to OSS-Fuzz)</li> 635 <li>magick/render.c (DrawImage): Add missing error-reporting logic 636 to return immediately upon memory reallocation failure. Apply 637 memory resource limits to PrimitiveInfo array allocation. Fixes 638 oss-fuzz 9576 "graphicsmagick/coder_MVG_fuzzer: Null-dereference 639 READ in DrawImage", oss-fuzz 9593 640 "graphicsmagick/coder_MVG_fuzzer: Out-of-memory in 641 graphicsmagick_coder_MVG_fuzzer", oss-fuzz 9648 642 "graphicsmagick/coder_MVG_fuzzer: Unknown signal in 643 DrawImage". 
(Credit to OSS-Fuzz)</li> 644 </ul> 645 </blockquote> 646 <p>2018-08-16 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 647 <blockquote> 648 <ul class="simple"> 649 <li>coder/mat.c Explicitly reject non-seekable streams.</li> 650 </ul> 651 </blockquote> 652 <p>2018-08-15 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 653 <blockquote> 654 <ul class="simple"> 655 <li>coder/mat.c Correctly check GetBlobSize(image) even for zipstreams.</li> 656 </ul> 657 </blockquote> 658 <p>2018-08-14 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 659 <blockquote> 660 <ul class="simple"> 661 <li>coders/mat.c More aggresive data corruption checking.</li> 662 </ul> 663 </blockquote> 664 <p>2018-08-09 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 665 <blockquote> 666 <ul class="simple"> 667 <li>coders/xbm.c (XBMInteger): Limit the number of hex digits parsed 668 to avoid signed integer overflow. Fixes oss-fuzz 9746 669 "graphicsmagick/coder_XBM_fuzzer: Undefined-shift in 670 XBMInteger". 
(Credit to OSS-Fuzz)</li> 671 </ul> 672 </blockquote> 673 <p>2018-08-07 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 674 <blockquote> 675 <ul class="simple"> 676 <li>coders/mat.c Typecast difference to quantum.</li> 677 </ul> 678 </blockquote> 679 <p>2018-08-05 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 680 <blockquote> 681 <ul class="simple"> 682 <li>coders/mat.c (InsertComplexFloatRow): Avoid signed 683 overflow. Fixes oss-fuzz 9667 "graphicsmagick/coder_MAT_fuzzer: 684 Integer-overflow in InsertComplexFloatRow". (Credit to OSS-Fuzz)</li> 685 <li>coders/xbm.c (ReadXBMImage): Add validations for row and column 686 dimensions. Fixes oss-fuzz 9736 "graphicsmagick/coder_XBM_fuzzer: 687 Out-of-memory in graphicsmagick_coder_XBM_fuzzer". (Credit to 688 OSS-Fuzz)</li> 689 </ul> 690 </blockquote> 691 <p>2018-08-04 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 692 <blockquote> 693 <ul class="simple"> 694 <li>coders/wpg.c Add mechanism to approve embedded subformats in 695 WPG. This should mute oss-fuzz 9559. (Credit to OSS-Fuzz)</li> 696 </ul> 697 </blockquote> 698 <p>2018-07-24 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 699 <blockquote> 700 <ul class="simple"> 701 <li>coders/mvg.c (ReadMVGImage): Fix memory leak added on 702 2018-07-21. Fixes oss-fuzz 9548 "graphicsmagick/coder_MVG_fuzzer: 703 Direct-leak in CloneDrawInfo". 
(Credit to OSS-Fuzz)</li> 704 </ul> 705 </blockquote> 706 <p>2018-07-23 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 707 <blockquote> 708 <ul class="simple"> 709 <li>coders/cineon.c (ReadCINEONImage): Fix SourceForge issue 571 710 "Unexpected hang on a crafted Cineon image" by detecting and 711 quitting on EOF appropriately, and verifying that file size is 712 sufficient for claimed pixel dimensions when possible.</li> 713 <li>fuzzing/oss-fuzz-build.sh, fuzzing/dictionaries/MVG.dict: Added 714 MVG fuzzing dictionary by Alex Gaynor.</li> 715 </ul> 716 </blockquote> 717 <p>2018-07-22 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 718 <blockquote> 719 <ul class="simple"> 720 <li>magick/pixel_cache.c (SetNexus): For requests one pixel tall, 721 SetNexus() was wrongly using pixels in-core rather than using a 722 staging area for the case where the nexus rows extend beyond the 723 image raster boundary, leading to heap overflow. This can happen 724 when virtual pixels outside the image bounds are accessed. Fixes 725 oss-fuzz 9512 "graphicsmagick/graphicsmagick_coder_MVG_fuzzer: 726 Heap-buffer-overflow in AcquireCacheNexus". (Credit to OSS-Fuzz)</li> 727 <li>magick/render.c (ExtractTokensBetweenPushPop): 728 ExtractTokensBetweenPushPop() needs to always return a valid 729 pointer into the primitive string. Fixes oss-fuzz 9511 730 "graphicsmagick/graphicsmagick_coder_MVG_fuzzer: Null-dereference 731 READ in DrawImage". (Credit to OSS-Fuzz) 732 (DrawPolygonPrimitive): Fix leak of polygon set when object is 733 completely outside image. Fixes oss-fuzz 9513 734 "graphicsmagick/graphicsmagick_coder_MVG_fuzzer: Direct-leak in 735 AllocateThreadViewDataSet". 
(Credit to OSS-Fuzz)</li> 736 </ul> 737 </blockquote> 738 <p>2018-07-21 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 739 <blockquote> 740 <ul class="simple"> 741 <li>magick/blob.c (FileToBlob): Use confirm access APIs to verify 742 that read access to this path is allowed by policy. Check that 743 file is a regular file before proceeding to open and read from it.</li> 744 <li>coders/mvg.c (ReadMVGImage): Don't allow MVG files to side-load 745 a file as the drawing primitive using '@' syntax. Fixes oss-fuzz 746 9494 "graphicsmagick/coder_MVG_fuzzer: Sanitizer CHECK failure in 747 "((0)) != (0)" (0x0, 0x0)". (Credit to OSS-Fuzz)</li> 748 </ul> 749 </blockquote> 750 <p>2018-07-19 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 751 <blockquote> 752 <ul class="simple"> 753 <li>coders/mvg.c (ReadMVGImage): Don't assume that in-memory MVG 754 blob is a null-terminated C string. Fixes oss-fuzz 9469 755 "graphicsmagick/coder_MVG_fuzzer: Heap-buffer-overflow in 756 AllocateString". (Credit to OSS-Fuzz)</li> 757 </ul> 758 </blockquote> 759 <p>2018-07-12 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 760 <blockquote> 761 <ul class="simple"> 762 <li>coders/miff.c (ReadMIFFImage): Detect EOF when reading using 763 ReadBlobZC() and avoid subsequent heap read overflow. Fixes 764 oss-fuzz 9357 "graphicsmagick/coder_MIFF_fuzzer: 765 Heap-buffer-overflow in ImportRGBQuantumType". 
(Credit to 766 OSS-Fuzz)</li> 767 </ul> 768 </blockquote> 769 <p>2018-07-11 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 770 <blockquote> 771 <ul class="simple"> 772 <li>fuzzing/oss-fuzz-build.sh (CFLAGS): Try disabling SIMD 773 instructions in libjpeg-turbo build.</li> 774 </ul> 775 </blockquote> 776 <p>2018-07-10 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 777 <blockquote> 778 <ul class="simple"> 779 <li>coders/png.c (WriteOnePNGImage): Free png_pixels as soon as 780 possible. This might help with oss-fuzz 9334 781 "graphicsmagick/coder_PNG8_fuzzer: Direct-leak in 782 WriteOnePNGImage", which we have yet to reproduce. It is not 783 clear if png_pixels is being clobbered by longjmp or if something 784 else is going on.</li> 785 </ul> 786 </blockquote> 787 <p>2018-06-26 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 788 <blockquote> 789 <ul class="simple"> 790 <li>coders/jpeg.c (ReadJPEGImage): Provide a memory resource limit 791 (of 1/5th the memory resource limit for Graphicsmagick) to libjpeg 792 to limit how much memory it might consume for itself while reading 793 a file. Fixes oss-fuzz 9096 "graphicsmagick/coder_JPEG_fuzzer: 794 Timeout in graphicsmagick_coder_JPEG_fuzzer". (Credit to 795 OSS-Fuzz) 796 (ReadJPEGImage): Make sure that JPEG pixels array is initialized 797 in case libjpeg fails to completely initialize it. May fix 798 oss-fuzz 9115 "graphicsmagick/coder_JPEG_fuzzer: 799 Use-of-uninitialized-value in ReadJPEGImage". We are not sure 800 since the problem was not reproduced. 
(Credit to OSS-Fuzz)</li> 801 </ul> 802 </blockquote> 803 <p>2018-06-23 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 804 <blockquote> 805 <ul class="simple"> 806 <li>version.sh: Update library versioning for 1.3.30 release.</li> 807 <li>NEWS.txt: Update news for 1.3.30 release.</li> 808 </ul> 809 </blockquote> 810 <p>2018-06-22 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 811 <blockquote> 812 <ul class="simple"> 813 <li>coders/dpx.c (ReadDPXImage): Report exception on EOF file 814 reading DPX pixel data. Fixes oss-fuzz 8104 815 "graphicsmagick/coder_DPX_fuzzer: Use-of-uninitialized-value in 816 WriteDPXImage", oss-fuzz 8297 "graphicsmagick/enhance_fuzzer: 817 Use-of-uninitialized-value in EnhanceImage", and oss-fuzz 8133 818 "graphicsmagick/coder_DPX_fuzzer: Use-of-uninitialized-value in 819 RGBTransformPackets". (Credit to OSS-Fuzz)</li> 820 </ul> 821 </blockquote> 822 <p>2018-06-20 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 823 <blockquote> 824 <ul class="simple"> 825 <li>coders/cmyk.c (ReadCMYKImage): Free scanline buffer in error 826 path. Fixes SourceForge issue #567 "small memory leak in rgb.c, 827 gray.c and cmyk.c" reported by Petr Gajdos.</li> 828 <li>coders/gray.c (ReadGRAYImage): Free scanline buffer in error 829 path. Fixes SourceForge issue #567 "small memory leak in rgb.c, 830 gray.c and cmyk.c" reported by Petr Gajdos.</li> 831 <li>coders/rgb.c (ReadRGBImage): Free scanline buffer in error 832 path. 
Fixes SourceForge issue #567 "small memory leak in rgb.c, 833 gray.c and cmyk.c" reported by Petr Gajdos.</li> 834 <li>coders/jpeg.c (ReadJPEGImage): Avoid memory leak of profile 835 buffer when longjmp-based exception is thrown while reading a 836 profile. Fixes oss-fuzz 8957 "graphicsmagick/enhance_fuzzer: 837 Direct-leak in ReadGenericProfile". (Credit to OSS-Fuzz)</li> 838 </ul> 839 </blockquote> 840 <p>2018-06-17 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 841 <blockquote> 842 <ul class="simple"> 843 <li>coders/xcf.c (load_level): Make sure to free 'tile_image' before 844 returning exception. Fixes oss-fuzz 8935 845 "graphicsmagick/coder_XCF_fuzzer: Indirect-leak in 846 CloneImage". (Credit to OSS-Fuzz)</li> 847 <li>coders/jpeg.c (ReadJPEGImage): Allow three warnings of any given 848 type before promoting the next warning of the same type to a hard 849 error. The warning limit may be adjusted by the user using 850 -define jpeg:max-warnings=<value>. Fixes oss-fuzz 8704 851 "graphicsmagick/coder_JPG_fuzzer: Out-of-memory in 852 graphicsmagick_coder_JPG_fuzzer". (Credit to OSS-Fuzz)</li> 853 <li>coders/png.c (ReadPNGImage): Detect EOF when reading 854 magic_number. Fixes oss-fuzz 8944 855 "graphicsmagick/coder_PNG_fuzzer: Use-of-uninitialized-value in 856 ReadPNGImage". 
(Credit to OSS-Fuzz) 857 (ReadPNGImage, ReadJNGImage): Makes sure that return value of 858 ReadBlob() is always checked to detect EOF.</li> 859 </ul> 860 </blockquote> 861 <p>2018-06-16 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 862 <blockquote> 863 <ul class="simple"> 864 <li>coders/tiff.c (ReadTIFFImage): Re-structure exception reporting 865 so that QuantumTransferMode() exceptions thrown for 866 PLANARCONFIG_SEPARATE images are handled immediately. Fixes 867 oss-fuzz 8896 "graphicsmagick/coder_BIGTIFF_fuzzer: 868 Use-of-uninitialized-value in DisassociateAlphaRegion". (Credit to 869 OSS-Fuzz) 870 (ReadTIFFImage): tsize_t is a signed type so be prepared for 871 unexpected negative values produced by libtiff size functions. 872 Fixes oss-fuzz 8934 "graphicsmagick/coder_TIFF_fuzzer: Sanitizer 873 CHECK failure in "((0)) != (0)" (0x0, 0x0)". (Credit to OSS-Fuzz)</li> 874 </ul> 875 </blockquote> 876 <p>2018-06-16 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 877 <blockquote> 878 <ul class="simple"> 879 <li>coders/wpg.c Fix oss-fuzz 7735 "graphicsmagick/coder_WPG_fuzzer: 880 Use-of-uninitialized-value in ReadWPGImage". (Credit to OSS-Fuzz)</li> 881 </ul> 882 </blockquote> 883 <p>2018-06-11 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 884 <blockquote> 885 <ul class="simple"> 886 <li>coders/png.c (ReadMNGImage): ENDL chunk must be at least one 887 byte in size. Fixes oss-fuzz 8832 888 "graphicsmagick/coder_MNG_fuzzer: Null-dereference READ in 889 ReadMNGImage". (Credit to OSS-Fuzz) 890 (ReadMNGImage): Length of DISC chunk must be evenly divisible by 891 2. 
Fixes oss-fuzz 8834 "graphicsmagick/coder_MNG_fuzzer: 892 Heap-buffer-overflow in ReadMNGImage". (Credit to OSS-Fuzz)</li> 893 </ul> 894 </blockquote> 895 <p>2018-06-10 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 896 <blockquote> 897 <ul class="simple"> 898 <li>coders/mpc.c (ReadMPCImage): Detect end of file while reading 899 image directory. Similar to MIFF fixes for ImageMagick 900 CVE-2017-18272. 901 (RegisterMPCImage): Require seekable stream since MPC is strictly 902 a file-based format and so GetBlobSize() is assured to work. 903 Similar to MIFF behavior. Claimed to be part of the resolution 904 for ImageMagick CVE CVE-2017-11449. Suggested by Petr Gajdos via 905 email on January 3, 2018.</li> 906 </ul> 907 </blockquote> 908 <p>2018-06-09 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 909 <blockquote> 910 <ul class="simple"> 911 <li>coders/miff.c (ReadMIFFImage): Detect end of file while reading 912 image directory. Fixes SourceForge issue 565 "ImageMagick 913 CVE-2017-18272 applies to GraphicsMagick". Thanks to Petr Gajdos 914 for reporting this issue to us.</li> 915 <li>magick/import.c (ImportViewPixelArea): Use appropriate 916 bits_per_sample validations for FloatQuantumSampleType. Fixes 917 oss-fuzz 8780 "graphicsmagick/coder_PTIF_fuzzer: 918 Use-of-uninitialized-value in HorizontalFilter". 
(Credit to 919 OSS-Fuzz)</li> 920 </ul> 921 </blockquote> 922 <p>2018-06-09 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 923 <blockquote> 924 <ul class="simple"> 925 <li>coders/mat.c More than 4GiB are not supported in MAT!</li> 926 </ul> 927 </blockquote> 928 <p>2018-06-09 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 929 <blockquote> 930 <ul class="simple"> 931 <li>coders/mat.c (ReadMATImage): Add casts to avoid arithmetic 932 overflow when computing size and offsets. Fixes oss-fuzz 8801 933 "graphicsmagick/coder_MAT_fuzzer: Timeout in 934 graphicsmagick_coder_MAT_fuzzer". (Credit to OSS-Fuzz)</li> 935 <li>magick/blob.c (ReadBlobLSBDoubles, ReadBlobMSBDoubles): Only 936 byte-swap doubles or test doubles for NAN if we have read enough 937 bytes for at least one double value. 938 (ReadBlob): Add an assertion to enforce that ReadBlob() will never 939 report reading more bytes than requested due to some 940 implementation issue.</li> 941 </ul> 942 </blockquote> 943 <p>2018-06-08 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 944 <blockquote> 945 <ul class="simple"> 946 <li>magick/blob.c (ReadBlob, WriteBlob): gzread(), BZ2_bzread(), 947 gzwrite(), BZ2_bzwrite() return type 'int' rather than 'size_t' 948 like their stdio equivalents. Use correct signed type to avoid 949 returning a negative value into an unsigned type, forming a huge 950 positive value. Fixes oss-fuzz 8600 951 "graphicsmagick/coder_MAT_fuzzer: Heap-buffer-overflow in 952 ReadBlobLSBDoubles". 
(Credit to OSS-Fuzz)</li> 953 </ul> 954 </blockquote> 955 <p>2018-06-07 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 956 <blockquote> 957 <ul class="simple"> 958 <li>coders/png.c (png_read_raw_profile): Try to shore up parsing of 959 raw profile reading to avoid heap read overruns. Fixes oss-fuzz 960 8763 "graphicsmagick/coder_PNG32_fuzzer: Heap-buffer-overflow in 961 png_read_raw_profile". (Credit to OSS-Fuzz)</li> 962 </ul> 963 </blockquote> 964 <p>2018-06-07 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 965 <blockquote> 966 <ul class="simple"> 967 <li>coders/mat.c Reduce stack usage for 64 bit architecture.</li> 968 </ul> 969 </blockquote> 970 <p>2018-06-06 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 971 <blockquote> 972 <ul class="simple"> 973 <li>coders/wpg.c Check return values of SeekBlob for more safety.</li> 974 </ul> 975 </blockquote> 976 <p>2018-06-06 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 977 <blockquote> 978 <ul class="simple"> 979 <li>coders/png.c (ReadOneJNGImage): Use DestroyImageList() rather 980 than DestroyImage() on returned Image from supposed read of JPEG 981 data, in case multiple frames were unexpectedly returned. Also 982 add "JPEG:" prefix to filename when reading from temporary file to 983 force that it can only be read as a JPEG file, disabling format 984 auto-detection based on file header. Fixes oss-fuzz 8755 985 "graphicsmagick/coder_JNG_fuzzer: Indirect-leak in 986 AllocateImage". 
(Credit to OSS-Fuzz)</li> 987 </ul> 988 </blockquote> 989 <p>2018-06-05 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 990 <blockquote> 991 <ul class="simple"> 992 <li>magick/blob.c (EOFBlob): Implement EOF detection for ZipStream. 993 Does some archaic zlib not provide gzeof()? Fixes oss-fuzz 8550 994 "graphicsmagick/coder_MAT_fuzzer: Timeout in 995 graphicsmagick_coder_MAT_fuzzer". (Credit to OSS-Fuzz)</li> 996 </ul> 997 </blockquote> 998 <p>2018-06-04 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 999 <blockquote> 1000 <ul class="simple"> 1001 <li>coders/png.c (ReadOnePNGImage): Skip adding empty raw profile. 1002 Fixes oss-fuzz "graphicsmagick/coder_PNG_fuzzer: 1003 Heap-buffer-overflow in png_read_raw_profile". (Credit to 1004 OSS-Fuzz)</li> 1005 </ul> 1006 </blockquote> 1007 <p>2018-06-03 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1008 <blockquote> 1009 <ul class="simple"> 1010 <li>NEWS.txt: Update NEWS with latest changes.</li> 1011 <li>coders/dcm.c (DCM_ReadRGBImage): Force the image to DirectClass 1012 to avoid later use of uninitialized indexes. Fixes oss-fuzz 8602 1013 "graphicsmagick/coder_DCM_fuzzer: Use-of-uninitialized-value in 1014 DCM_PostRescaleImage". (Credit to OSS-Fuzz) 1015 (DCM_ReadPlanarRGBImage): Force the image to DirectClass to avoid 1016 later use of uninitialized indexes.</li> 1017 <li>coders/png.c (ReadMNGImage): Free chunk memory in error 1018 reporting path to avoid leak. Fixes oss-fuzz 8721 1019 "graphicsmagick/coder_MNG_fuzzer: Direct-leak in 1020 ReadMNGImage". 
(Credit to OSS-Fuzz)</li> 1021 </ul> 1022 </blockquote> 1023 <p>2018-06-02 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1024 <blockquote> 1025 <ul class="simple"> 1026 <li>magick/constitute.c (ReadImage): Assure that an error exception 1027 is thrown if coder returns null without properly reporting an 1028 exception.</li> 1029 <li>magick/blob.c (BlobToImage): Assure that an error exception is 1030 thrown if coder returns null without properly reporting an 1031 exception.</li> 1032 <li>coders/png.c (ReadMNGImage): Disable mystery "linked list is 1033 corrupted" code. Assure that exceptions are reported to the 1034 correct place so they are not lost. Fixes oss-fuzz 8710 1035 "graphicsmagick/coder_MNG_fuzzer: Indirect-leak in 1036 AllocateImage". (Credit to OSS-Fuzz)</li> 1037 <li>coders/tiff.c (ReadTIFFImage): Initialize allocated scanline, 1038 strip, or tile to zero in order to avoid complaint about use of 1039 uninitialized data if libtiff fails to write all the bytes. Fixes 1040 oss-fuzz 8551 "graphicsmagick/coder_TIFF_fuzzer: 1041 Use-of-uninitialized-value in ImportGrayQuantumType". (Credit to 1042 OSS-Fuzz)</li> 1043 <li>magick/annotate.c (RenderFreetype): Throw an exception if 1044 DrawInfo font is null. Should fix oss-fuzz 8557 1045 "graphicsmagick/coder_PCD_fuzzer: Unknown signal in 1046 RenderFreetype" and may fix oss-fuzz 8544 1047 "graphicsmagick/coder_PCD_fuzzer: Null-dereference READ in 1048 RenderFreetype". 
(Credit to OSS-Fuzz)</li> 1049 <li>coders/jpeg.c (ReadGenericProfile): Add/improve tracing for 1050 profile size and when JPEG header is being read.</li> 1051 </ul> 1052 </blockquote> 1053 <p>2018-06-01 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1054 <blockquote> 1055 <ul class="simple"> 1056 <li>coders/png.c (ReadOneJNGImage): Report a useful exception for 1057 the case when the JNG file fails to provide the necessary image 1058 chunks to allocate the color image. Inspired by oss-fuzz 8666 1059 "graphicsmagick/coder_JNG_fuzzer: ASSERT: data != (const char *) 1060 NULL" although the reported issue was not reproduced.</li> 1061 </ul> 1062 </blockquote> 1063 <p>2018-05-31 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1064 <blockquote> 1065 <ul class="simple"> 1066 <li>coders/png.c (ReadMNGImage): Fix off-by-one in length validation 1067 for TERM chunk which allowed one byte heap read overflow. Fixes 1068 oss-fuzz 8615 "graphicsmagick/coder_MNG_fuzzer: 1069 Heap-buffer-overflow in mng_get_long". (Credit to OSS-Fuzz) 1070 (ReadMNGImage): Fix leak of MngInfo in error reporting path. 1071 Fixes oss-fuzz 8604 "graphicsmagick/coder_MNG_fuzzer: Direct-leak 1072 in ReadMNGImage". (Credit to OSS-Fuzz) 1073 (ReadMNGImage): Verify that claimed chunk size does not exceed 1074 input size. Fixes oss-fuzz 8564 "graphicsmagick/coder_MNG_fuzzer: 1075 Out-of-memory in graphicsmagick_coder_MNG_fuzzer". (Credit to 1076 OSS-Fuzz)</li> 1077 <li>coders/tiff.c (ReadTIFFImage): Reject files with excessive 1078 samples-per-pixel or extra-samples. Avoids potential issues 1079 observed in oss-fuzz 8634 "graphicsmagick/coder_BIGTIFF_fuzzer: 1080 Undefined-shift in ImportAlphaQuantumType". 
(Credit to OSS-Fuzz)</li> 1081 </ul> 1082 </blockquote> 1083 <p>2018-05-30 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1084 <blockquote> 1085 <ul class="simple"> 1086 <li>coders/png.c (ReadMNGImage): Assure that object id index is 1087 always less than MNG_MAX_OBJECTS to avoid overflow. Fixes 1088 oss-fuzz 8596 "graphicsmagick/coder_MNG_fuzzer: 1089 Index-out-of-bounds in ReadMNGImage" and likely other issues yet 1090 to be reported. (Credit to OSS-Fuzz)</li> 1091 </ul> 1092 </blockquote> 1093 <p>2018-05-30 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 1094 <blockquote> 1095 <ul class="simple"> 1096 <li>magick/render.c (CompareEdges): Per ticket #562, 1097 function CompareEdges() did not conform to the qsort() 1098 requirement that if CompareEdges(edge0,edge1) returns 1099 -1 (i.e., edge0 "less than" edge1), then 1100 CompareEdges(edge1,edge0) should return 1 (edge1 1101 "greater than" edge0). This has been fixed.</li> 1102 </ul> 1103 </blockquote> 1104 <p>2018-05-30 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1105 <blockquote> 1106 <ul class="simple"> 1107 <li>coders/png.c (ReadOneJNGImage): Deal with JDAA JNG chunk with 1108 length zero. Fixes oss-fuzz 8562 1109 "graphicsmagick/coder_JNG_fuzzer: ASSERT: data != (const char *) 1110 NULL". (Credit to OSS-Fuzz)</li> 1111 <li>coders/tiff.c (ReadTIFFImage): Check that the bits-per-sample is 1112 supported by the implementation before attempting to decode the 1113 image. Fixes oss-fuzz 8554 "graphicsmagick/coder_BIGTIFF_fuzzer: 1114 Undefined-shift in MagickBitStreamMSBWrite". 
(Credit to OSS-Fuzz)</li> 1115 <li>coders/png.c (ReadMNGImage): Eliminate use of uninitialized 1116 header magic data by checking for EOF first. Fixes oss-fuzz 8597 1117 "graphicsmagick/coder_MNG_fuzzer: Use-of-uninitialized-value in 1118 ReadMNGImage". (Credit to OSS-Fuzz)</li> 1119 </ul> 1120 </blockquote> 1121 <p>2018-05-25 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1122 <blockquote> 1123 <ul class="simple"> 1124 <li>fuzzing/oss-fuzz-build.sh: More fixes based on what is observed 1125 in oss-fuzz build log.</li> 1126 </ul> 1127 </blockquote> 1128 <p>2018-05-24 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 1129 <blockquote> 1130 <ul class="simple"> 1131 <li>coders/jnx.c The attribute should belong to only one scene and 1132 not to whole image list.</li> 1133 </ul> 1134 </blockquote> 1135 <p>2018-05-24 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1136 <blockquote> 1137 <ul class="simple"> 1138 <li>fuzzing/oss-fuzz-build.sh: Changes to add CPPFLAGS to configure 1139 executions to hopefully get oss-fuzz build closer to success.</li> 1140 </ul> 1141 </blockquote> 1142 <p>2018-05-23 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1143 <blockquote> 1144 <ul class="simple"> 1145 <li>PerlMagick/t/jpeg/read.t: Add a JNX reader test case.</li> 1146 <li>coders/jnx.c (ReadJNXImage): JNX image depth should be 8.</li> 1147 <li>fuzzing/oss-fuzz-build.sh: Apply patch from Alex Gaynor to 1148 switch libpng to autotools build system, as well as configure 1149 GraphicsMagick with 
'--with-quantum-depth=16'.</li> 1150 </ul> 1151 </blockquote> 1152 <p>2018-05-22 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1153 <blockquote> 1154 <ul class="simple"> 1155 <li>coders/tiff.c (ReadTIFFImage): Validate tile memory requests for 1156 the TIFFReadRGBATile() case in the same way as the TIFFReadTile() 1157 case. Fixes oss-fuzz 8434 "graphicsmagick/coder_BIGTIFF_fuzzer: 1158 Out-of-memory in graphicsmagick_coder_BIGTIFF_fuzzer". (Credit to 1159 OSS-Fuzz)</li> 1160 </ul> 1161 </blockquote> 1162 <p>2018-05-21 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1163 <blockquote> 1164 <ul class="simple"> 1165 <li>coders/tile.c (ReadTILEImage): Remove any existing size request 1166 when while image to tile. This avoids size being used for both 1167 the input image size and the tile image size. Fixes SourceForge 1168 issue #563 "tile:<image> appears to blow image up by 100% before 1169 applying tiling".</li> 1170 </ul> 1171 </blockquote> 1172 <p>2018-05-20 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1173 <blockquote> 1174 <ul class="simple"> 1175 <li>fuzzing/oss-fuzz-build.sh: Patch from Paul Kehrer to disable 1176 libpng test programs and binaries while building libpng in support 1177 of oss-fuzz testing.</li> 1178 <li>coders/dcm.c (DCM_ReadGrayscaleImage): If a palette was 1179 provided, the image may be in PseudoClass but we need DirectClass 1180 for gray image when GRAYSCALE_USES_PALETTE is not defined. Fixes 1181 oss-fuzz 7550 "graphicsmagick/coder_DCM_fuzzer: 1182 Use-of-uninitialized-value in SyncImageCallBack". 
(Credit to 1183 OSS-Fuzz) 1184 (ReadDCMImage): Restore use of DCM_PostRescaleImage() in order to 1185 obtain suitably scaled DICOM again. Hopefully it is more robust 1186 now. 1187 (DCM_ReadPaletteImage): Assure that DirectClass pixels are 1188 initialized.</li> 1189 </ul> 1190 </blockquote> 1191 <p>2018-05-19 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1192 <blockquote> 1193 <ul class="simple"> 1194 <li>coders/tiff.c (ReadTIFFImage): Remove strange addition of 1195 image->columns to pixel buffer offsets which now causes a heap 1196 overflow since the buffer has been right-sized. Perhaps the extra 1197 offset plus the over-sized allocation was some attempt to avoid 1198 buffer over/underflows due to bugs in libtiff. Fixes oss-fuzz 8384 1199 "graphicsmagick/coder_BIGTIFF_fuzzer: Heap-buffer-overflow in 1200 put1bitbwtile" which is described to be a regression. (Credit to 1201 OSS-Fuzz)</li> 1202 <li>magick/render.c (DrawImage): Fix wrong range checks which caused 1203 spurious "Parsing of SVG images fail with "Non-conforming drawing 1204 primitive definition (push)" failure. 
Fixes SourceForge issue 561 1205 "Parsing of SVG images fail with "Non-conforming drawing primitive 1206 definition (push)"" which is due to problems caused by the fix for 1207 SourceForge issue 517.</li> 1208 <li>coders/tiff.c (WritePTIFImage): Use '-define 1209 ptif:minimum-geometry=<geometry>' to specify the smallest 1210 subresolution frame which is produced by the PTIF (Pyramid TIFF) 1211 writer.</li> 1212 </ul> 1213 </blockquote> 1214 <p>2018-05-18 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1215 <blockquote> 1216 <ul class="simple"> 1217 <li>coders/tiff.c (WritePTIFImage): Allow 1x1 input image to be 1218 supported.</li> 1219 <li>coders/png.c (ReadOneJNGImage): Unconditionally free JDAT chunk 1220 memory. Fixes oss-fuzz 8366 "graphicsmagick/coder_JNG_fuzzer: 1221 Direct-leak in ReadOneJNGImage". (Credit to OSS-Fuzz)</li> 1222 <li>coders/tiff.c (WritePTIFImage): Fix leak of pyramid Image list 1223 if ResizeImage() fails. Fixes oss-fuzz 8364 1224 "graphicsmagick/coder_PTIF_fuzzer: Indirect-leak in 1225 CloneImage". (Credit to OSS-Fuzz)</li> 1226 </ul> 1227 </blockquote> 1228 <p>2018-05-17 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1229 <blockquote> 1230 <ul class="simple"> 1231 <li>coders/tiff.c (WriteTIFFImage): Add and use 1232 ThrowTIFFWriterException() macro to consistently clean-up when 1233 throwing writer exception. May fix oss-fuzz 8321 1234 "graphicsmagick/coder_EPT_fuzzer: Direct-leak in 1235 TIFFClientOpen". 
(Credit to OSS-Fuzz) 1236 (ReadTIFFImage): Add and use ThrowTIFFReaderException() macro to 1237 consistently clean-up when throwing reader exception.</li> 1238 </ul> 1239 </blockquote> 1240 <p>2018-05-16 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 1241 <blockquote> 1242 <ul> 1243 <li><p class="first">magick/alpha_composite.h (AlphaCompositePixel): The 1244 macro definition for MagickAlphaCompositeQuantum in 1245 alpha_composite.h computes an expression of the form:</p> 1246 <p>a * b + c * d * e</p> 1247 <p>Code in function AlphaCompositePixel() (also in 1248 alpha_composite.h) multiplies the result of this macro 1249 by variable "delta" as follows:</p> 1250 <p>delta * a * b + c * d * e</p> 1251 <p>However, the intended result is actually:</p> 1252 <p>delta * ( a * b + c * d * e )</p> 1253 <p>The macro definition has been modified to enclose the 1254 entire expression in parentheses.</p> 1255 <p>The effects of this bug were particularly evident at the 1256 boundary between a stroked polygon and a transparent 1257 black region. More generally, an incorrect composited 1258 pixel value was being computed by AlphaCompositePixel() 1259 whenever the output alpha value was not 100% opaque.</p> 1260 </li> 1261 </ul> 1262 </blockquote> 1263 <p>2018-05-16 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1264 <blockquote> 1265 <ul class="simple"> 1266 <li>tests/rwblob.tap: Add a test for PTIF format.</li> 1267 <li>coders/tiff.c (WritePTIFImage): Fix Image blob referencing in 1268 order to avoid double-free when writing PTIF to memory BLOB. Fixes 1269 oss-fuzz 8280 "graphicsmagick/coder_PTIF_fuzzer: Heap-double-free 1270 in Magick::BlobRef::~BlobRef". 
(Credit to OSS-Fuzz)</li> 1271 </ul> 1272 </blockquote> 1273 <p>2018-05-14 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1274 <blockquote> 1275 <ul class="simple"> 1276 <li>coders/tiff.c (WriteTIFFImage): Use libtiff's 1277 TIFFDefaultStripSize() function rather than an old porting macro 1278 required by some defunct libtiff version. Expected to fix 1279 oss-fuzz 8248 "graphicsmagick/coder_EPT_fuzzer: 1280 Floating-point-exception in WriteTIFFImage". (Credit to OSS-Fuzz)</li> 1281 </ul> 1282 </blockquote> 1283 <p>2018-05-13 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 1284 <blockquote> 1285 <ul class="simple"> 1286 <li>coders/mat.c Fix potentional leak when compressed object is 1287 corrupted. Fixes oss-fuzz 8251 (Credit to OSS-Fuzz)</li> 1288 </ul> 1289 </blockquote> 1290 <p>2018-05-13 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1291 <blockquote> 1292 <ul class="simple"> 1293 <li>coders/tiff.c (ReadTIFFImage): Fix leak of Image when 1294 TIFFReadRGBAImage() reports failure. Also harden buffer 1295 allocation calculation. Fixes oss-fuzz 8275 1296 "graphicsmagick/coder_BIGTIFF_fuzzer: Indirect-leak in 1297 AllocateImage". (Credit to OSS-Fuzz)</li> 1298 <li>coders/ept.c (ReadEPTImage): Add validations of 'count' and 1299 'filesize' read from EPT file. 
In response to oss-fuzz 8248 1300 "graphicsmagick/coder_EPT_fuzzer: Floating-point-exception in 1301 WriteTIFFImage" but we are unable to recreate the oss-fuzz issue 1302 since the EPT reader already immediately reports an EOF exception.</li> 1303 </ul> 1304 </blockquote> 1305 <p>2018-05-12 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1306 <blockquote> 1307 <ul class="simple"> 1308 <li>fuzzing/oss-fuzz-build.sh: Apply SourceForge patch #57 "Add 1309 fuzzing support for jpeg + freetype delegates" by Alex Gaynor.</li> 1310 <li>coders/png.c (read_user_chunk_callback): Fix memory leak and use 1311 of uninitialized memory when handling eXIf chunk. Fixes oss-fuzz 1312 8247 "graphicsmagick/coder_PNG24_fuzzer: Direct-leak in 1313 png_malloc". (Credit to OSS-Fuzz)</li> 1314 </ul> 1315 </blockquote> 1316 <p>2018-05-11 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1317 <blockquote> 1318 <ul class="simple"> 1319 <li>fuzzing/oss-fuzz-build.sh: Apply SourceForge patch #56 "Use a 1320 few delegate libraries in fuzzing" by Alex Gaynor.</li> 1321 </ul> 1322 </blockquote> 1323 <p>2018-05-10 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1324 <blockquote> 1325 <ul class="simple"> 1326 <li>tests/rwfile.tap: MIFF zip and bzip compression tests do not 1327 fail if zlib and bzlib are not available because the compression 1328 request is silently changed to no compression.</li> 1329 </ul> 1330 </blockquote> 1331 <p>2018-05-07 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 
1332 <blockquote> 1333 <ul class="simple"> 1334 <li>magick/render.c (DrawImage, InsertAttributeIntoInputStream): 1335 For a reference such as 'class="classname"', the "classname" 1336 is now allowed to be undefined.</li> 1337 <li>coders.svg.c (ProcessStyleClassDefs): Class definitions 1338 defined within a <style> block may now be empty.</li> 1339 <li>These relaxed conditions are not specifically called out in 1340 the SVG spec as being either acceptable or unacceptable, but 1341 other SVG renderers (e.g., Chrome) handle them this way. These 1342 changes do not resolve, but are related to, ticket #307.</li> 1343 </ul> 1344 </blockquote> 1345 <p>2018-05-05 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1346 <blockquote> 1347 <ul class="simple"> 1348 <li>utilities/Makefile.am (utilities/tests/montage.log): Fix 1349 dependency rule so that effects.tap is fully executed before 1350 execution of montage.tap starts.</li> 1351 </ul> 1352 </blockquote> 1353 <p>2018-05-04 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 1354 <blockquote> 1355 <ul class="simple"> 1356 <li>magick/render.c (DrawImage, TraceXXX): The PrimitiveInfo 1357 array used to store points generated by TraceEllipse(), the 1358 other TraceXXX() functions, and DrawImage() was not always 1359 being expanded when needed, resulting in writes beyond the 1360 end of the currently allocated storage. To fix this problem, 1361 a new data structure PrimitiveInfoMgr, and an associated 1362 function, PrimtiveInfoRealloc(), were written to handle 1363 expanding the PrimitiveInfo array as needed. DrawImage() and 1364 the TraceXXX() functions were modified to prevent the out of 1365 bounds writes to memory. 
This fixes ticket #516.</li> 1366 </ul> 1367 </blockquote> 1368 <p>2018-05-03 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1369 <blockquote> 1370 <ul class="simple"> 1371 <li>coders/png.c (ReadOneJNGImage): Add more JNG chunk 1372 validations. Fixes an issue reported by "Trace Probe" via a 1373 follow-up post to SourceForge issue 437 "assertion failure in 1374 WriteBlob", although the issue described was not reproduced.</li> 1375 <li>coders/meta.c (ReadMETAImage): Detect and report 8BIMTEXT and 1376 8BIMWTEXT decoding problems. Fixes oss-fuzz 8125 1377 "graphicsmagick/coder_8BIMTEXT_fuzzer: Use-of-uninitialized-value 1378 in format8BIM". (Credit to OSS-Fuzz)</li> 1379 </ul> 1380 </blockquote> 1381 <p>2018-05-02 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 1382 <blockquote> 1383 <ul class="simple"> 1384 <li>magick/render.c (TraceStrokePolygon): Excessively 1385 large values of stroke-width were cascading through 1386 other computations, causing the function to write beyond 1387 the end of it's array of points when the stroke-linejoin 1388 attribute value was "round". Code was added to reallocate 1389 the array of points as needed, and to limit the size of 1390 stroke-width (for computational purposes) to no more than 1391 approximately twice the diagonal size of the output image. 
1392 Fixes ticket #515.</li> 1393 <li>The same limit on stroke-width was applied to all other 1394 instances of the same computation in render.c.</li> 1395 </ul> 1396 </blockquote> 1397 <p>2018-05-01 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 1398 <blockquote> 1399 <ul class="simple"> 1400 <li>This change set fixes ticket #471.</li> 1401 <li>magick/render.c (DrawImage): Polylines with fewer 1402 than two points were being flagged as an error. The 1403 SVG spec has no such restriction (fixed).</li> 1404 <li>coders/svg.c (SVGStartElement) Inner <svg> elements 1405 could modify the output image dimensions if a geometry 1406 string was supplied. Now the output image dimensions 1407 are determined by the outermost <svg> only.</li> 1408 </ul> 1409 </blockquote> 1410 <p>2018-05-01 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 1411 <blockquote> 1412 <ul class="simple"> 1413 <li>magick/render.c (TraceEllipse, TraceRectangle, 1414 TraceRoundRectangle): Per the SVG spec, rectangles and 1415 round rectangles having a width or height of zero are 1416 not rendered. Also per the spec, ellipses having an x 1417 or y radius of zero are not rendered. Fixes ticket #457.</li> 1418 </ul> 1419 </blockquote> 1420 <p>2018-04-30 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 1421 <blockquote> 1422 <ul class="simple"> 1423 <li>magick/render.h, (PrimitiveInfo), magick/render.c: Added 1424 member "flags" to PrimitiveInfo to support indicating closed 1425 shapes (e.g., rectangle, circle, path closed using 'z' or 'Z'). 1426 Updated code in render.c (functions TraceXXX) to indicate 1427 closed shapes. 
This replaces the previous policy of detecing 1428 closed shapes by comparing the first and last points to see if 1429 they are identical (within MagickEpsilon). The old policy 1430 prevented open subpaths with the same first and last point from 1431 being rendered properly (per the SVG spec) when round or square 1432 endcaps were enabled. Part of the fix for ticket #322.</li> 1433 <li>magick/render.c (ConvertPrimitiveToPath): Modified duplicate 1434 point elimination code so that the first and last points of 1435 a subpath are always preserved. Consequences: (1) Allows 1436 for the correct rendering of the sequence "move x1 y1 line 1437 x1 y1" with round or square endcaps. Part of the fix for 1438 ticket #322. (2) Fixes a bug in which eliminating the last 1439 point as a duplicate caused a closed shape to no longer be 1440 closed. This would manifest itself, for example, as a small 1441 "nub" on the boundary of a filled circle.</li> 1442 <li>magick/render.c (GetPixelOpacity): Fixed a bug in the 1443 code that computed the distance between a point and a 1444 segment (polygon edge). Prior to this fix, for zero length 1445 segments this code would generate a divide-by-zero and 1446 incorrect output. Part of the fix for ticket #322.</li> 1447 <li>magick/render.c (DrawPolygonPrimitive): Polygons/paths with 1448 zero or one points are no longer rendered per the SVG spec.</li> 1449 <li>magick/render.c (DrawStrokePolygon): Per the SVG spec, a 1450 polygon consisting of a single move-to command is not stroked.</li> 1451 <li>magick/render.c (TracePath): Per the SVG spec, if the 1452 endpoints (x1, y1) and (x2, y2) of an arc subpath are identical, 1453 then this is equivalent to omitting the elliptical arc segment 1454 entirely. 
For rendering purposes the zero length arc is 1455 treated like a zero length "line to" command to the current 1456 point.</li> 1457 <li>magick/render.c (TraceStrokePolygon): Added code to detect 1458 zero length open subpaths and return a stroked polygon containing 1459 no points when round or square endcaps are not enabled. This 1460 satisfies the SVG spec requirement that zero length subpaths are 1461 only stroked if the 'stroke-linecap' property has a value of 1462 round or square.</li> 1463 <li>magick/render.c (TracePath): Fixed a bug in which if a "move to" 1464 command was followed by additional pairs of points, indicating 1465 implied "line to" commands, each point was added twice.</li> 1466 </ul> 1467 </blockquote> 1468 <p>2018-04-30 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1469 <blockquote> 1470 <ul class="simple"> 1471 <li>coders/pcx.c (ReadPCXImage): Colormap from PCX header is only 1472 used if colors <= 16. Determination of DirectClass image was 1473 wrong. Fixes oss-fuzz 8093 "graphicsmagick/coder_PCX_fuzzer: 1474 Use-of-uninitialized-value in IsMonochromeImage". (Credit to 1475 OSS-Fuzz)</li> 1476 </ul> 1477 </blockquote> 1478 <p>2018-04-29 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1479 <blockquote> 1480 <ul class="simple"> 1481 <li>version.sh: Updates to prepare for the 1.3.29 release.</li> 1482 <li>coders/pict.c (DecodeImage): Assure that scanline is initialized 1483 to avoid use of uninitialized data. Fixes oss-fuzz 8063 1484 "graphicsmagick/coder_WPG_fuzzer: Use-of-uninitialized-value in 1485 ReadPICTImage". (Credit to OSS-Fuzz)</li> 1486 <li>coders/dpx.c (ReadDPXImage): Assure that NULL pixels is not 1487 used. 
Fixes oss-fuzz 8078 "graphicsmagick/coder_DPX_fuzzer: 1488 Null-dereference WRITE in ReadDPXImage". (Credit to OSS-Fuzz)</li> 1489 <li>NEWS.txt: Update NEWS file with information about changes since 1490 last release.</li> 1491 </ul> 1492 </blockquote> 1493 <p>2018-04-28 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1494 <blockquote> 1495 <ul class="simple"> 1496 <li>coders/dib.c (ReadDIBImage): Disable EOF tests for "ICODIB" 1497 subformat due to icon file provided by SourceForge issue #557 1498 "ErrorCorruptImage: Magick: Unexpected end-of-file ()" where an 1499 EOF error was reported due to no mask data being supplied.</li> 1500 <li>coders/png.c (ReadOneJNGImage): The embedded JPEG image is 1501 required to have the same dimensions as the JNG image as provided 1502 by JHDR. Fixes SourceForge bug 555 "heap-buffer-overflow in 1503 AcquireCacheNexus when processing jng file". It is likely that 1504 this issue is precipitated by using 'montage' which seems to set a 1505 default non-zero image size. 1506 (ReadMNGImage): By default limit the maximum loops specifiable by 1507 the MNG LOOP chunk to 512 loops, but allow this to be modified by 1508 '-define mng:maximum-loops=value'. Also assure that the value is 1509 in the range of 0-2147483647 as per the MNG specification. This 1510 is to address the denial of service issue described by 1511 CVE-2018-10177. This problem was reported to us by Petr Gajdos 1512 via email on Fri, 20 Apr 2018.</li> 1513 <li>coders/dpx.c (ReadDPXImage): Move misplaced channel validation 1514 code. Fixes oss-fuzz 8041 "graphicsmagick/coder_DPX_fuzzer: 1515 Use-of-uninitialized-value in WriteDPXImage" and oss-fuzz 8055 1516 "graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in 1517 EnhanceImage". 
(Credit to OSS-Fuzz)</li> 1518 </ul> 1519 </blockquote> 1520 <p>2018-04-27 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1521 <blockquote> 1522 <ul class="simple"> 1523 <li>coders/xpm.c (StringToListMod): Algorithm fixes to fix use of 1524 uninitialized data. Fixes oss-fuzz 8046 1525 "graphicsmagick/coder_XPM_fuzzer: Use-of-uninitialized-value in 1526 StringToListMod". (Credit to OSS-Fuzz)</li> 1527 </ul> 1528 </blockquote> 1529 <p>2018-04-26 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1530 <blockquote> 1531 <ul class="simple"> 1532 <li>coders/xpm.c (ReadXPMImage): Reduce memory consumption further. 1533 Hopefully fixes oss-fuzz 8013 "graphicsmagick/coder_XPM_fuzzer: 1534 Out-of-memory in graphicsmagick_coder_XPM_fuzzer". (Credit to 1535 OSS-Fuzz)</li> 1536 <li>magick/utility.c (StringToList): Only allocate the memory 1537 required when converting string to an ASCII list. May or may not 1538 fix oss-fuzz 8013 "graphicsmagick/coder_XPM_fuzzer: Out-of-memory 1539 in graphicsmagick_coder_XPM_fuzzer". (Credit to OSS-Fuzz)</li> 1540 </ul> 1541 </blockquote> 1542 <p>2018-04-24 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1543 <blockquote> 1544 <ul class="simple"> 1545 <li>coders/bmp.c (ReadBMPImage): Fix benign use of uninitialized 1546 data when testing header magick. Fixes oss-fuzz 7980 1547 "graphicsmagick/coder_BMP_fuzzer: Use-of-uninitialized-value in 1548 LocaleNCompare". (Credit to OSS-Fuzz)</li> 1549 <li>coders/dpx.c (ReadDPXImage): ColorDifferenceCbCr does require 1550 even image width. 
Fixes oss-fuzz 7966 1551 "graphicsmagick/coder_DPX_fuzzer: Unknown signal in 1552 TentUpsampleChroma". (Credit to OSS-Fuzz)</li> 1553 </ul> 1554 </blockquote> 1555 <p>2018-04-23 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1556 <blockquote> 1557 <ul class="simple"> 1558 <li>coders/dpx.c (ReadDPXImage): ColorDifferenceCbCr element 1559 requires two samples/pixel, not one. Fixes oss-fuzz 7951 1560 "graphicsmagick/coder_DPX_fuzzer: Heap-buffer-overflow in 1561 ReadDPXImage". (Credit to OSS-Fuzz)</li> 1562 </ul> 1563 </blockquote> 1564 <p>2018-04-22 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1565 <blockquote> 1566 <ul class="simple"> 1567 <li>coders/pdb.c (ReadPDBImage): Assure that pixels buffer is 1568 initialized. Fixes oss-fuzz 7937 1569 "graphicsmagick/coder_PDB_fuzzer: Use-of-uninitialized-value in 1570 ReadPDBImage". (Credit to OSS-Fuzz)</li> 1571 <li>coders/mvg.c (ReadMVGImage): Assure that MVG viewbox parameters 1572 were supplied. Fixes oss-fuzz 7936 1573 "graphicsmagick/coder_MVG_fuzzer: Use-of-uninitialized-value in 1574 ReadMVGImage". (Credit to OSS-Fuzz)</li> 1575 <li>coders/dpx.c (ReadDPXImage): Element descriptors CbYCrY422 and 1576 CbYACrYA4224 require that the image width be evenly divisible by 2 1577 so enforce that. Fixes oss-fuzz 7935 1578 "graphicsmagick/coder_DPX_fuzzer: Heap-buffer-overflow in 1579 ReadDPXImage". 
(Credit to OSS-Fuzz)</li> 1580 </ul> 1581 </blockquote> 1582 <p>2018-04-21 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1583 <blockquote> 1584 <ul class="simple"> 1585 <li>coders/dpx.c (ReadDPXImage): Reject DPX files which claim to use 1586 signed data. Fixes oss-fuzz 7758 1587 "graphicsmagick/coder_DPX_fuzzer: Use-of-uninitialized-value in 1588 WriteDPXImage". (Credit to OSS-Fuzz) 1589 (ReadDPXImage): Validate that the image elements do update all of 1590 the channels, including the alpha channel. Now report an error if 1591 a color channel is missing. Fixes oss-fuzz 7758 1592 "graphicsmagick/coder_DPX_fuzzer: Use-of-uninitialized-value in 1593 WriteDPXImage".</li> 1594 <li>coders/gif.c (DecodeImage): Finally fix oss-fuzz 7732 1595 "graphicsmagick/coder_GIF_fuzzer: Heap-buffer-overflow in 1596 DecodeImage" which was not actually fixed with previous 1597 changes. (Credit to OSS-Fuzz)</li> 1598 </ul> 1599 </blockquote> 1600 <p>2018-04-21 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 1601 <blockquote> 1602 <ul class="simple"> 1603 <li><dl class="first docutils"> 1604 <dt>coders/topol.c Emit error when tile storage overflows image data;</dt> 1605 <dd>fixes oss-fuzz 7769 thanks to oss-fuzz.</dd> 1606 </dl> 1607 </li> 1608 </ul> 1609 </blockquote> 1610 <p>2018-04-20 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 1611 <blockquote> 1612 <ul class="simple"> 1613 <li>magick/render.c (ConvertPrimitiveToPath): Fixed a bug 1614 in which SVG paths containing multiple open subpaths were 1615 not being processed correctly, resulting in incorrect 1616 output. 
This fixes ticket #94.</li> 1617 </ul> 1618 </blockquote> 1619 <p>2018-04-18 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1620 <blockquote> 1621 <ul class="simple"> 1622 <li>coders/gif.c (DecodeImage): Fix use of uninitialized memory 1623 during error condition in decoder. Fixes oss-fuzz 7732 1624 "graphicsmagick/coder_GIF_fuzzer: Heap-buffer-overflow in 1625 DecodeImage". (Credit to OSS-Fuzz)</li> 1626 <li>coders/txt.c (ReadTXTImage): Assure that all image pixels are 1627 initialized to black.</li> 1628 <li>Magick++/demo/zoom.cpp (main): Add a -read-blob option to read 1629 input file into a Blob so that it is read by the Blob reader 1630 rather than the file reader. Default the output Geometry to the 1631 input image geometry in case the user does not specify a resize 1632 resolution or geometry.</li> 1633 <li>Magick++/tests/readWriteBlob.cpp (main): Improve the quality of 1634 code which reads a file into memory for Blob testing.</li> 1635 <li>magick/blob.c (BlobToImage): Add exception reports for the cases 1636 where 'magick' was not set and the file format could not be 1637 deduced from its header. Previously a null Image pointer was 1638 being returned without any exception being thrown.</li> 1639 </ul> 1640 </blockquote> 1641 <p>2018-04-15 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1642 <blockquote> 1643 <ul class="simple"> 1644 <li>coders/dpx.c (ReadDPXImage): Assure that CbCr layer initializes 1645 all channels if it is the first element of a planar DPX. Fixes 1646 oss-fuzz 7703 "graphicsmagick/coder_DPX_fuzzer: 1647 Use-of-uninitialized-value in WriteDPXImage". 
(Credit to OSS-Fuzz)</li> 1648 <li>coders/pict.c (ReadPICTImage): Don't refer to filename member of 1649 ImageInfo which was just destroyed. Much thanks to Alex Gaynor for 1650 finding this. Should fix oss-fuzz 6867 1651 "graphicsmagick/coder_PCT_fuzzer: Heap-use-after-free in 1652 GetLocaleExceptionMessage". (Credit to OSS-Fuzz).</li> 1653 </ul> 1654 </blockquote> 1655 <p>2018-04-14 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 1656 <blockquote> 1657 <ul class="simple"> 1658 <li>coders/sgi.c (ReadSGIImage): Assure that iris pixels are fully 1659 initialized. Fixes oss-fuzz 7543 1660 "graphicsmagick/coder_SGI_fuzzer: Use-of-uninitialized-value in 1661 SGIEncode". (Credit to OSS-Fuzz).</li> 1662 <li>coders/xcf.c (ReadXCFImage): Restore SetImage() which was 1663 previously commented out. This is needed to assure initialized 1664 pixels. Fixes oss-fuzz 7430 "graphicsmagick/coder_XCF_fuzzer: 1665 Use-of-uninitialized-value in AlphaCompositePixel". (Credit to 1666 OSS-Fuzz).</li> 1667 <li>coders/pict.c (ReadPICTImage): Properly initialize "black 1668 canvas" that tiles may be composed on. Fixes oss-fuzz 7574 1669 "graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in 1670 EnhanceImage". (Credit to OSS-Fuzz).</li> 1671 <li>coders/rle.c (ReadRLEImage): Check for EOF when reading comment. 1672 Fixes oss-fuzz 7667 "graphicsmagick/coder_RLE_fuzzer: 1673 Use-of-uninitialized-value in ReadRLEImage". (Credit to OSS-Fuzz).</li> 1674 <li>coders/pdb.c (WritePDBImage): Avoid use of uninitialized 1675 bytes. Fixes oss-fuzz 7638 "graphicsmagick/coder_PDB_fuzzer: 1676 Use-of-uninitialized-value in WritePDBImage". (Credit to 1677 OSS-Fuzz).</li> 1678 <li>coders/rla.c (ReadRLAImage): Add many more validations, 1679 including scanline offsets and number of channels. 
Fixes oss-fuzz 1680 7653 "graphicsmagick/coder_RLA_fuzzer: Timeout in 1681 graphicsmagick_coder_RLA_fuzzer". (Credit to OSS-Fuzz).</li> 1682 <li>coders/txt.c (ReadTXTImage): Implement missing subrange logic to 1683 read only the specified range of frames. Limits frames read from 1684 oss-fuzz test case 1685 clusterfuzz-testcase-minimized-coder_TEXT_fuzzer-6061076048248832 1686 "graphicsmagick/coder_TEXT_fuzzer: Timeout in 1687 graphicsmagick_coder_TEXT_fuzzer". (Credit to OSS-Fuzz).</li> 1688 <li>Magick++/lib/Image.cpp (read): Set subrange = 1 since this 1689 interface is intended to read just one frame from the input file. 1690 Use the STL-based interfaces to read multiple frames.</li> 1691 <li>coders/fits.c (ReadFITSImage): Verify FITS header before reading 1692 further. Rejects file from oss-fuzz 7650 1693 "graphicsmagick/coder_FITS_fuzzer: Out-of-memory in 1694 graphicsmagick_coder_FITS_fuzzer". (Credit to OSS-Fuzz).</li> 1695 <li>PerlMagick/Magick.xs (Get): Fix PerlMagick compilation problem 1696 due to rename/repurposing of image->clip_mask.</li> 1697 </ul> 1698 </blockquote> 1699 <p>2018-04-13 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 1700 <blockquote> 1701 <ul class="simple"> 1702 <li>magick/image.c, magick/image.h: In order to be able to 1703 support SVG masks, and to be able to further extend the 1704 Image data structure without changing its size, new data 1705 structure ImageExtra (struct _ImageExtra) has been added. 1706 Header file image.h contains only a forward declaration; 1707 the members of ImageExtra are defined in file image.c. 1708 Image member variable Image * clip_mask has been replaced 1709 by ImageExtra * extra, and function prototypes that enable 1710 access to ImageExtra have been added to image.h. The 1711 clip_mask member variable now resides in ImageExtra. 
All 1712 references to Image::clip_mask in the GraphicsMagick 1713 source code have either been replaced with direct references 1714 to ImageExtra::clip_mask (image.c), or have been replaced 1715 with calls to access function ImageGetClipMask().</li> 1716 <li>magick/render.c, magick/render.h: In order to be able to 1717 support SVG masks, and to be able to further extend the 1718 DrawInfo data structure without changing its size, new data 1719 structure DrawInfoExtra (struct _DrawInfoExtra) has been added. 1720 Header file render.h contains only a forward declaration; 1721 the members of DrawInfoExtra are defined in file render.c. 1722 DrawInfo member variable char * clip_path has been replaced by 1723 DrawInfoExtra * extra, and function prototypes that enable 1724 access to DrawInfoExtra have been added to render.h. The 1725 clip_path member variable now resides in ImageExtra. All 1726 references to DrawInfo::clip_path in the GraphicsMagick 1727 source code have either been replaced with direct references 1728 to DrawInfoExtra::clip_path (render.c), or have been 1729 replaced with calls to access function DrawInfoGetClipPath().</li> 1730 <li>magick/image.c (new functions CompositePathImage, 1731 CompositeMaskImage, GetImageCompositeMask, 1732 SetImageCompositeMask): Defined new data structure ImageExtra, 1733 added create/destroy logic, and implemented associated access 1734 functions. Implemented SVG masks.</li> 1735 <li>magick/render.c (DrawImage, new function DrawCompositeMask): 1736 Defined new data structure DrawInfoExtra, added create/destroy 1737 logic, and implemented associated access functions. Impemented 1738 SVG masks.</li> 1739 <li>magick/pixel_cache.c (SyncCacheNexus, new function 1740 CompositeCacheNexus): Fixed references to Image::clip_mask. 
Implemented SVG masks.</li>
<li>coders/svg.c (SVGStartElement, SVGEndElement): Implemented
SVG masks.</li>
<li>locale/c.mgk, magick/gm_messages.mc, magick/local_c.h:
Added new error codes to support SVG masks.</li>
<li>coders/ps3.c, magick/enhance.c: Fixed references to
Image::clip_mask.</li>
<li>magick/draw.c, wand/drawing_wand.c: Fixed references to
DrawInfo::clip_path.</li>
</ul>
</blockquote>
<p>2018-04-13 Fojtik Jaroslav &lt;<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/wpg.c Crash on row overflow fixed oss-fuzz 7639 thanks to oss-fuzz.</li>
</ul>
</blockquote>
<p>2018-04-11 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/dpx.c (ReadDPXImage): Add more header validations.
Always assure that scanline is initialized for Luma channel. Fixes
oss-fuzz 7544 "graphicsmagick/coder_DPX_fuzzer:
Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)</li>
<li>coders/pdb.c (ReadPDBImage): Add more EOF checks to avoid benign
use of uninitialized data. Fixes oss-fuzz 7545
"graphicsmagick/coder_PDB_fuzzer: Use-of-uninitialized-value in
ReadPDBImage".</li>
<li>coders/wpg.c (InsertRow, UnpackWPGRaster): x &amp; y should be
'unsigned long' to match type used by pixel cache APIs and image
rows/columns.</li>
</ul>
</blockquote>
<p>2018-04-08 Fojtik Jaroslav &lt;<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/wpg.c Stop reading when last row is reached.
This should stop oss-fuzz 7528 thanks to oss-fuzz.</li>
</ul>
</blockquote>
<p>2018-04-10 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/xcf.c (ReadXCFImage): Fix use of uninitialized data in
magick header string for runt file. Fixes oss-fuzz 7521
"graphicsmagick/coder_XCF_fuzzer: Use-of-uninitialized-value in
LocaleNCompare". (Credit to OSS-Fuzz).</li>
</ul>
</blockquote>
<p>2018-04-09 Greg Wolfe &lt;<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>OVERVIEW: Change set 9aaeeca0224c modified the drawing
of clipping paths to conform to the SVG spec. This change
set restores the previous behavior for non-SVG clients of
render.c, while still satisfying the SVG spec for SVG clients.</li>
<li>magick/render.h (DrawInfo): Added a bit field in member
"flags" to indicate that drawing should be SVG compliant.</li>
<li>magick/render.c (DrawImage): Now recognizes keyword
"svg-compliant", and tags DrawInfo accordingly. This
allows for existing features in render.c to be changed
to comply with the SVG spec without impacting the previous
behavior expected by non-SVG clients.</li>
<li>magick/render.c (DrawImage): Now uses DrawInfo "flags"
bit for SVG compliance in conjunction with "flags" bit
for "clipping path" to determine when to ignore changes
to fill color, stroke color, etc.
This restores the
previous behavior for clipping paths for non-SVG clients.</li>
<li>coders/svg.c (SVGStartElement): The initial set of
MVG commands for rendering an SVG file now includes
new keyword "svg-compliant" (to indicate that certain
graphical elements should be drawn according to the
SVG spec), and includes an initialization of the SVG
"fill-rule" to "nonzero" (the SVG default) instead of
the internally initialized value of "evenodd".</li>
<li>coders/wpg.c: Fixed C99 "//" comments.</li>
</ul>
</blockquote>
<p>2018-04-08 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/pict.c (ReadPICTImage): Copy tile exception info to main
image and don't composite tile if it has a problem. Fixes
oss-fuzz 7169 "graphicsmagick/enhance_fuzzer:
Use-of-uninitialized-value in EnhanceImage". (Credit to OSS-Fuzz)</li>
<li>coders/dib.c (ReadDIBImage): Do not increase decode bits/pixel
if compression=2, but use it to increase pixel packet size when
estimating bytes per line for decode buffer. Fixes oss-fuzz issue
7324 "graphicsmagick/coder_WPG_fuzzer: Use-of-uninitialized-value
in ReadDIBImage". (Credit to OSS-Fuzz)</li>
<li>coders/dpx.c (ReadDPXImage): When handling the first element of
a planar DPX, assure that the other channels are
initialized. Fixes oss-fuzz 7841 "graphicsmagick/coder_DPX_fuzzer:
Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)</li>
<li>coders/tim.c (ReadTIMImage): Only 4 and 8 bit TIM requires a
colormap. For other depths, force reading as DirectClass even if
the TIM file provides a colormap. Fixes oss-fuzz 7407
"graphicsmagick/coder_TIM_fuzzer: Use-of-uninitialized-value in
SyncImageCallBack".
(Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-04-08 Fojtik Jaroslav &lt;<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/mat.c The unread data contains crap in memory,
erase current image data. This should mute oss-fuzz 6604.</li>
<li>coders/wpg.c - condition "if(y&lt;1) continue;" is redundant
and could be removed completely.
Allow logging in MatlabV4 module.</li>
<li>coders/svg.c - Do not use C++ syntax in C code - removed.</li>
</ul>
</blockquote>
<p>2018-04-07 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/wpg.c (UnpackWPGRaster): Fix uninitialized row 0 when
row-based RLE is used. Fixes oss-fuzz 6603
"graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in
BlendCompositePixel". (Credit to OSS-Fuzz)</li>
<li>coders/pcd.c: Fix many issues, including oss-fuzz 6016
"graphicsmagick/coder_PCD_fuzzer: Heap-double-free in
MagickRealloc" and oss-fuzz 6108 "graphicsmagick/coder_PCD_fuzzer:
Unknown signal in AllocateThreadViewDataSet". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-04-06 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/dcm.c (funcDCM_BitsStored): Limit DICOM significant bits
to 16. Otherwise rescale map code blows up. Fixes oss-fuzz 7435
"graphicsmagick/coder_DCM_fuzzer: Out-of-memory in
graphicsmagick_coder_DCM_fuzzer". (Credit to OSS-Fuzz)</li>
<li>coders/pix.c (ReadPIXImage): Detect EOF.
Reject RLE length of
zero. Fixes oss-fuzz 7440 "graphicsmagick/coder_PIX_fuzzer:
Out-of-memory in graphicsmagick_coder_PIX_fuzzer". (Credit to
OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-04-05 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/dpx.c (ReadDPXImage): Insist on having an element
descriptor we understand since otherwise we can not decode the
image. Fixes oss-fuzz 7410 "graphicsmagick/coder_DPX_fuzzer:
Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)</li>
<li>coders/avs.c, etc... (WriteAVSImage): Cache image list length
before writing image sequence so that progress monitor is
scalable. Helps with oss-fuzz 7404
"graphicsmagick/coder_AVS_fuzzer: Timeout in
graphicsmagick_coder_AVS_fuzzer". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-04-05 Greg Wolfe &lt;<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/svg.c (SVGStartElement, SVGEndElement),
magick/render.c (DrawImage): The current text position
is now maintained by DrawImage() instead of by
SVGStartElement() and SVGEndElement(). This change was
made to support the recently implemented "use" and
"class" elements, which may make changes to the font
size that are not visible to the code in svg.c.</li>
<li>coders/svg.c (GetStyleTokens, SVGStartElement): The
list of SVG attributes is now reordered so that
"font-size", "class", and "style" are processed first.
This ensures that a change to the font size will be
processed before any dimensional attribute whose value
may depend on the font size (e.g., a width value
specified in "em" units).</li>
<li>coders/svg.c (ProcessStyleClassDefs): Fixed two memory
leaks associated with making an early return when
malformed input is detected.</li>
<li>magick/render.c (ExtractTokensBetweenPushPop): Fixed
an uninitialized variable condition which can occur when
malformed input is detected.</li>
<li>magick/render.h (DrawInfo), magick/render.c: DrawInfo
member "unused1" has been renamed "flags". It is now
used to tag a DrawInfo as being a clipping path or a
compositing mask.</li>
</ul>
</blockquote>
<p>2018-04-04 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/pdb.c (ReadPDBImage): Update DirectClass pixels to avoid
use of uninitialized memory for 2 bits/pixel. Fixes oss-fuzz 7350
"graphicsmagick/coder_PDB_fuzzer: Use-of-uninitialized-value in
WritePDBImage". (Credit to OSS-Fuzz)</li>
<li>coders/palm.c (ReadPALMImage): Fix use of uninitialized memory.
Fixes oss-fuzz 7325 "graphicsmagick/coder_PALM_fuzzer:
Use-of-uninitialized-value in TransparentImageCallBack". (Credit
to OSS-Fuzz)</li>
<li>coders/dcm.c (DCM_ReadNonNativeImages): Break out of reading
loop on EOF and properly report exception. Fixes oss-fuzz 7349
"graphicsmagick/coder_DCM_fuzzer: Timeout in
graphicsmagick_coder_DCM_fuzzer".
(Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-04-03 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/xcf.c (ReadXCFImage): Require that XCF file offsets be in
ascending order to avoid DOS. Fixes oss-fuzz 7333
"graphicsmagick/coder_XCF_fuzzer: Out-of-memory in
graphicsmagick_coder_XCF_fuzzer". (Credit to OSS-Fuzz)</li>
<li>coders/wpg.c (UnpackWPGRaster): Fix memory leak in error return
path. Fixes oss-fuzz 7338 "graphicsmagick/enhance_fuzzer:
Direct-leak in UnpackWPGRaster". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-04-03 Greg Wolfe &lt;<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/svg.c (SVGStartElement): This changeset adds
support for SVG geometric transforms specified using the
style="transform: ..." syntax. This syntax is sometimes
used when exporting SVG files from Adobe Illustrator.</li>
</ul>
</blockquote>
<p>2018-04-02 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/dpx.c (ReadDPXImage): Validate DPX packing method. Fixes
oss-fuzz 7296 "graphicsmagick/coder_DPX_fuzzer:
Use-of-uninitialized-value in WriteDPXImage".
(Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-04-02 Greg Wolfe &lt;<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/svg.c (SVGStartElement, SVGEndElement),
magick/render.c (DrawImage): This changeset adds support for
"class" styling attributes within a &lt;style&gt; section within
the &lt;defs&gt; section, and the ability to reference them from
other SVG elements by class="classname". SVG files exported
from Adobe Illustrator make extensive use of "class" definitions.</li>
</ul>
</blockquote>
<p>2018-04-01 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/pict.c (ReadPICTImage): Fix leak of tile image on EOF.
This is a recent regression. Fixes oss-fuzz 7287
"graphicsmagick/coder_PCT_fuzzer: Indirect-leak in
CloneImage". (Credit to OSS-Fuzz)</li>
<li>magick/pixel_cache.c (OpenCache): Use image->scene rather than
GetImageIndexInList(image) for scene-id part of cache info file
name.</li>
<li>coders/txt.c (WriteTXTImage): Optimize the progress indicator
since it is very inefficient with a large number of scenes and
oss-fuzz 7090 "graphicsmagick/coder_TEXT_fuzzer: Timeout in
graphicsmagick_coder_TEXT_fuzzer" consistently shows
GetImageListLength() in its stack traces.</li>
<li>coders/dcm.c (ReadDCMImage): DICOM reader was no longer
immediately quitting with excessive samples per pixel. This
caused spinning for a very long time when reading planar images
with large samples per pixel. This is a regression due to recent
changes.
Fixes oss-fuzz 7269 "graphicsmagick/coder_DCM_fuzzer:
Timeout in graphicsmagick_coder_DCM_fuzzer". (Credit to OSS-Fuzz)</li>
<li>coders/xcf.c (ReadXCFImage): Destroy layer info before returning
due to exception. This is a new regression due to adding more
checks. Fixes oss-fuzz 7277 "graphicsmagick/coder_XCF_fuzzer:
Direct-leak in ReadXCFImage". (Credit to OSS-Fuzz)</li>
<li>coders/pdb.c (ReadPDBImage): Assure that all bytes of scanline
are initialized while decoding. Fixes oss-fuzz 7051
"graphicsmagick/coder_PDB_fuzzer: Use-of-uninitialized-value in
WritePDBImage". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-03-31 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/pcx.c (ReadPCXImage): Assure that scanline is
initialized. Fixes oss-fuzz 6612
"graphicsmagick/coder_PCX_fuzzer: Use-of-uninitialized-value in
WriteRLEPixels". (Credit to OSS-Fuzz)</li>
<li>coders/wpg.c (ReadWPGImage): Detect unexpected EOF and avoid use
of uninitialized data. Fixes oss-fuzz 6601
"graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in
ImportIndexQuantumType". (Credit to OSS-Fuzz)</li>
<li>coders/sgi.c (ReadSGIImage): Assure that RLE decode buffer is
initialized. Fixes oss-fuzz 6599
"graphicsmagick/coder_SGI_fuzzer: Use-of-uninitialized-value in
SyncImageCallBack" and oss-fuzz 6600
"graphicsmagick/coder_SGI_fuzzer: Use-of-uninitialized-value in
SGIEncode". (Credit to OSS-Fuzz)</li>
<li>coders/viff.c (ReadVIFFImage): Fix blob I/O size validation to
avoid use of uninitialized data. Fixes oss-fuzz 6597
"graphicsmagick/coder_VIFF_fuzzer: Use-of-uninitialized-value in
ThresholdImage".
(Credit to OSS-Fuzz)
(ReadVIFFImage): Don't execute SetImageType(image,BilevelType) on
an image which has no pixels yet in order to avoid use of
uninitialized data. Fixes oss-fuzz 6597. (Credit to OSS-Fuzz)</li>
<li>coders/wbmp.c (ReadWBMPImage): Fix blob I/O size validation to
avoid use of uninitialized data. Fixes oss-fuzz 7047
"graphicsmagick/coder_WBMP_fuzzer: Use-of-uninitialized-value in
ReadWBMPImage". (Credit to OSS-Fuzz)</li>
<li>coders/wpg.c (ExtractPostscript): Allow non-Postscript content
but force reading using the magick we already detected. Also log
the format that we detected.</li>
<li>coders/xcf.c (ReadOneLayer): Reject layer size of 0x0. Fixes
oss-fuzz 6636 "graphicsmagick/coder_XCF_fuzzer: Direct-leak in
MagickMallocAligned". (Credit to OSS-Fuzz)
(ReadXCFImage): Verify that seek offsets are within the bounds of
the file data. Fixes oss-fuzz 6682
"graphicsmagick/coder_XCF_fuzzer: Out-of-memory in
graphicsmagick_coder_XCF_fuzzer". (Credit to OSS-Fuzz)</li>
<li>magick/pixel_cache.c (ModifyCache): Destroy CacheInfo if
OpenCache() fails so it is not leaked.</li>
<li>coders/wpg.c (ExtractPostscript): Enforce that embedded file is
a Postscript file. Fixes oss-fuzz 7235
"graphicsmagick/coder_WPG_fuzzer: Indirect-leak in MagickRealloc".
This is indicated to be a regression. (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-03-30 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/pict.c (ReadPICTImage): Check image pixel limits before
allocating memory for tile.
Fixes oss-fuzz 7217
"graphicsmagick/coder_PICT_fuzzer: Out-of-memory in
graphicsmagick_coder_PICT_fuzzer".</li>
</ul>
</blockquote>
<p>2018-03-29 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/pcd.c (ReadPCDImage): Add checks for EOF. Fixes oss-fuzz
issue 7180 "graphicsmagick/coder_PCDS_fuzzer: Timeout in
graphicsmagick_coder_PCDS_fuzzer". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-03-29 Greg Wolfe &lt;<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>&gt;</p>
<blockquote>
<ul>
<li><p class="first">coders/svg.c (SVGStartElement, SVGEndElement),
magick/render.c (DrawImage): This changeset implements the SVG
"use" element. Graphical elements (e.g., "rect", "text", etc.)
can be tagged with an identifier using 'id="identifier"' when
defined within the "defs" section. They can then be referenced
elsewhere in the SVG file using:</p>
<p>&lt;use xlink:href="#identifier" ... /&gt;</p>
<p>When referencing a graphical element by its identifier, the
following syntaxes are now treated as being the same:</p>
<p>href="#identifier"
href="url(#identifier)"
xlink:href="#identifier"
xlink:href="url(#identifier)"</p>
</li>
</ul>
</blockquote>
<p>2018-03-27 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/tim.c (ReadTIMImage): Reader was not observing subimage
and subrange to quit after the specified frame range.
Inspired by
oss-fuzz 7132 "graphicsmagick/coder_TIM_fuzzer: Timeout in
graphicsmagick_coder_TIM_fuzzer" (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-03-27 Greg Wolfe &lt;<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/svg.c (SVGStartElement): Enable setting the
background color from the SVG file when the client
specifies style="background:color" inside the &lt;svg&gt;
... &lt;/svg&gt; element.</li>
</ul>
</blockquote>
<p>2018-03-25 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/mtv.c (ReadMTVImage): Add some elementary tracing to MTV
reader.</li>
<li>coders/png.c (ReadMNGImage): Fix SourceForge issue 554
"Divide-by-zero in ReadMNGImage (coders/png.c)". (Credit to Trace
Probe)</li>
<li>coders/bmp.c (ReadBMPImage): Assure that start position always
advances to avoid looping BMPs. Fixes oss-fuzz 7045
"graphicsmagick/coder_BMP_fuzzer: Timeout in
graphicsmagick_coder_BMP_fuzzer". (Credit to OSS-Fuzz)</li>
<li>coders/pict.c (DecodeImage): Verify that sufficient backing data
exists before allocating memory to read it. Fixes oss-fuzz 6629
"graphicsmagick/coder_PCT_fuzzer: Out-of-memory in
graphicsmagick_coder_PCT_fuzzer".
(ReadPICTImage): Destroy tile_image in ThrowPICTReaderException()
macro to simplify logic.</li>
</ul>
</blockquote>
<p>2018-03-25 Fojtik Jaroslav &lt;<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/mat.c Check whether datablock is really read.
Fixes oss-fuzz 7056 (Credit to OSS-Fuzz)</li>
<li>coders/txt.c Duplicate image check for data with fixed geometry;
previous check is skipped. Fixes oss-fuzz 7090.</li>
</ul>
</blockquote>
<p>2018-03-24 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/dcm.c (ReadDCMImage): Validate that samples per pixel is
in valid range. Fixes oss-fuzz 6260
"graphicsmagick/coder_DCM_fuzzer: Out-of-memory in
graphicsmagick_coder_DCM_fuzzer". (Credit to OSS-Fuzz)</li>
<li>coders/meta.c (format8BIM): Allocate space for null termination
and null terminate string. Fixes oss-fuzz 5985
"graphicsmagick/coder_8BIMTEXT_fuzzer: Heap-buffer-overflow in
formatIPTCfromBuffer". (Credit to OSS-Fuzz)</li>
<li>coders/fits.c (ReadFITSImage): Include number of FITS scenes in
file size validations. Fixes oss-fuzz 6781
"graphicsmagick/coder_FITS_fuzzer: Timeout in
graphicsmagick_coder_FITS_fuzzer". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-03-23 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/meta.c (format8BIM): Validate size request prior to
allocation. Fixes oss-fuzz issue 5974
"graphicsmagick/coder_8BIMTEXT_fuzzer: Out-of-memory in
graphicsmagick_coder_8BIMTEXT_fuzzer". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-03-23 Fojtik Jaroslav &lt;<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>&gt;</p>
<blockquote>
<ul>
<li><p class="first">coders/mat.c Fix forged amount of frames 7076.
(Credit to OSS-Fuzz)</p>
</li>
<li><p class="first">coders/topol.c Check for forged image that overflows file size
(fuzz 6836).</p>
</li>
</ul>
</blockquote>
<p>2018-03-23 Greg Wolfe &lt;<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>&gt;</p>
<blockquote>
<ul>
<li><p class="first">magick/render.c, render.h (DrawInfo, CloneDrawInfo,
DrawClipPath, DrawImage, GetDrawInfo): According to the SVG
spec, a clipping path is defined only by the geometry of its
constituent elements, and is not dependent on fill color/opacity,
stroke color/opacity, or stroke width. To ensure conformity
with the spec, when a clipping path is created, these SVG
elements are set to appropriate values, and any attempt to
modify them is ignored.</p>
<p>Also, whenever a clipping path is drawn, the associated image
attributes are now updated from the parent image structure.
This ensures that any added or modified attributes are up to
date.</p>
</li>
</ul>
</blockquote>
<p>2018-03-22 Fojtik Jaroslav &lt;<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>&gt;</p>
<blockquote>
<ul>
<li><p class="first">coders/topol.c Rather use MagickSwabArrayOfUInt32() to
flip all array elements at once.</p>
</li>
<li><p class="first">magick/annotate.c Compilation issue - using C++ syntax in C code.</p>
</li>
</ul>
</blockquote>
<p>2018-03-20 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/dpx.c (ReadDPXImage): Validate header length and offset
properties. Fixes oss-fuzz "graphicsmagick/coder_DPX_fuzzer:
Use-of-uninitialized-value in WriteDPXImage". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-03-20 Greg Wolfe &lt;<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/annotate.c (RenderType): According to the SVG
spec, the 'font-family' element can be a comma-separated
list of one or more font family names. Function RenderType
in file annotate.c has been modified to support multiple
font family names as follows. The comma-separated list is
processed until the first available font family is found.
If no font family is found, or if font substitution occurred,
then the entire font family string is tested to see if it
exactly matches a font name, or if the font family string
with blanks changed to hyphens exactly matches a font name.
If a font name match is found, the matched font overrides
the font substitution. The font name matching functionality
is beyond what's in the SVG spec and is provided as a
convenience to the user.</li>
</ul>
</blockquote>
<p>2018-03-20 Fojtik Jaroslav &lt;<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/mat.c Fix forged amount of frames 6755. (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-03-20 Fojtik Jaroslav &lt;<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/topol.c Redesign ReadBlobDwordLSB() to be more effective.</li>
</ul>
</blockquote>
<p>2018-03-19 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/xpm.c (ReadXPMImage): Reject XPM if its condensed version
contains non-whitespace control characters. Fixes oss-fuzz 7027
"graphicsmagick/coder_XPM_fuzzer: Timeout in
graphicsmagick_coder_XPM_fuzzer". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-03-19 Fojtik Jaroslav &lt;<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/topol.c Fix tile index overflow fuzz 6634.
(Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-03-19 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/dcm.c (DCM_ReadGrayscaleImage): Don't use rescale map if
it was not allocated. This issue was induced in this development
cycle due to disabling generating the rescale map. Fixes oss-fuzz
7021 "graphicsmagick/coder_DCM_fuzzer: Null-dereference READ in
DCM_ReadGrayscaleImage". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-03-18 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>magick/color_lookup.c (QueryColorDatabase): Defend against
partial scanf() expression matching, resulting in use of
uninitialized data. Likely fixes oss-fuzz 6596
"graphicsmagick/coder_XPM_fuzzer: Use-of-uninitialized-value in
IsMonochromeImage". (Credit to OSS-Fuzz)</li>
<li>coders/rle.c (ReadRLEImage): Validate number of colormap bits to
avoid undefined shift behavior. Fixes oss-fuzz 6630
"graphicsmagick/enhance_fuzzer: Undefined-shift in
ReadRLEImage". (Credit to OSS-Fuzz)</li>
<li>coders/dcm.c (DCM_ReadRGBImage): Don't use rescale map if it was
not allocated. This issue was induced in this development cycle
due to disabling generating the rescale map. Fixes oss-fuzz 6995
"graphicsmagick/coder_DCM_fuzzer: Null-dereference READ in
DCM_ReadRGBImage". (Credit to OSS-Fuzz)</li>
<li>coders/dib.c (DecodeImage): Report failure to decode to expected
amount of pixel data as an error. Fixes oss-fuzz 7007
"graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in
EnhanceImage".
(Credit to OSS-Fuzz)</li>
<li>coders/bmp.c (ReadBMPImage): Add file size and offset/seek
validations. Fixes oss-fuzz 6623
"graphicsmagick/coder_BMP_fuzzer: Timeout in
graphicsmagick_coder_BMP_fuzzer". (Credit to OSS-Fuzz)</li>
</ul>
</blockquote>
<p>2018-03-17 Fojtik Jaroslav &lt;<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>dcraw/dcraw.c Updated to version 9.27</li>
</ul>
</blockquote>
<p>2018-03-15 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/gif.c (ReadGIFImage): Fix botched fixes for use of
uninitialized data when reading GIF extension blocks. Hopefully
ok now.</li>
</ul>
</blockquote>
<p>2018-03-13 Bob Friesenhahn &lt;<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>&gt;</p>
<blockquote>
<ul class="simple">
<li>coders/gif.c (ReadGIFImage): Fix use of uninitialized data when
reading GIF extension blocks. Fixes oss-fuzz 6609
"graphicsmagick/coder_GIF_fuzzer: Use-of-uninitialized-value in
MagickArraySize". This seems to be a totally benign issue. (Credit
to OSS-Fuzz)</li>
<li>magick/magick.c (MagickSignal): Use an alternate signal stack,
if available. This is required for Go lang C language extensions
since Go lang requests an alternate signal stack, and uses small
stacks for its threads. If the library user has not allocated an
alternate signal stack, then behavior should be just as before.
2324 Issue was originally reported by yzh杨振宏 on March 1, 2018 via 2325 the graphicsmagick-help SourceForge mailing list.</li> 2326 </ul> 2327 </blockquote> 2328 <p>2018-02-28 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2329 <blockquote> 2330 <ul class="simple"> 2331 <li>magick/pixel_cache.c (AcquireCacheNexus): Add a check that the 2332 pixel cache is compatible with the image dimensions. Fixes 2333 oss-fuzz issues 5978 5988 5989 5990 5993 6016, and 6056, which are 2334 all related to the PICT writer. (Credit to OSS-Fuzz)</li> 2335 <li>magick/draw.c (DrawGetStrokeDashArray): Check for failure to 2336 allocate memory. Patch submitted by Petr Gajdos via email on 2337 February 28, 2018.</li> 2338 </ul> 2339 </blockquote> 2340 <p>2018-02-27 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2341 <blockquote> 2342 <ul class="simple"> 2343 <li>coders/fits.c (ReadFITSImage): Fix signed integer overflow when 2344 computing pixels size. Fixes oss-fuzz 6586 2345 "graphicsmagick/coder_FITS_fuzzer: Integer-overflow in 2346 ReadFITSImage". (Credit to OSS-Fuzz)</li> 2347 </ul> 2348 </blockquote> 2349 <p>2018-02-27 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 2350 <blockquote> 2351 <ul class="simple"> 2352 <li>coders/svg.c (SVGStartElement, SVGEndElement): From the 2353 SVG spec: "The 'foreignObject' element allows for inclusion 2354 of a foreign namespace which has its graphical content drawn 2355 by a different user agent." Code has been added to consume 2356 and discard the 'foreignObject' element and any settings (e.g., 2357 fill color) internal to it. 
Previously, settings internal 2358 to the 'foreignObject' element would persist and "leak" into 2359 the graphic elements that followed it, resulting in undesired 2360 side effects (e.g., fill color other than the expected default).</li> 2361 </ul> 2362 </blockquote> 2363 <p>2018-02-27 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 2364 <blockquote> 2365 <ul class="simple"> 2366 <li>magick/render.c (DrawPolygonPrimitive): Fixed a bug 2367 introduced by changeset 39102dd1d456. For SVG, this 2368 changeset applied both the group AND the fill opacity 2369 values to fill patterns (similarly for stroke). For WMF, 2370 however, this caused the fill pattern to be rendered as 2371 100% transparent. A closer reading of the SVG spec does 2372 NOT show that the fill opacity should be applied to the 2373 fill pattern, so as of this latest changeset only the group 2374 opacity value is applied to fill and stroke patterns.</li> 2375 </ul> 2376 </blockquote> 2377 <p>2018-02-27 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2378 <blockquote> 2379 <ul class="simple"> 2380 <li>coders/bmp.c (ReadBMPImage): Fix divide by zero regression added 2381 by latest fixes. Fixes oss-fuzz 6583 2382 "graphicsmagick/coder_BMP_fuzzer: Divide-by-zero in ReadBMPImage". 2383 (Credit to OSS-Fuzz)</li> 2384 </ul> 2385 </blockquote> 2386 <p>2018-02-26 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2387 <blockquote> 2388 <ul class="simple"> 2389 <li>coders/pict.c (ReadPICTImage): Validate that PICT rectangles do 2390 not have zero dimensions. Specify expected file type when reading 2391 from a temporary file. 
Trace PICT rectangle dimensions. More 2392 detection of blob EOF and more error handling. Fixes oss-fuzz 2393 issue 6193 "graphicsmagick/coder_PCT_fuzzer: Unknown signal in 2394 AllocateImageColormap" and likely many oss-fuzz ASAN/UBSAN issues 2395 reported against "PCT" and "PICT" since this one problem appears 2396 to be causing a spew of reports.</li> 2397 <li>coders/png.c (ReadMNGImage): Detect and handle failure to 2398 allocate global PLTE. Problem was reported via email from Petr 2399 Gajdos on February 26, 2018.</li> 2400 </ul> 2401 </blockquote> 2402 <p>2018-02-25 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2403 <blockquote> 2404 <ul class="simple"> 2405 <li>magick/blob.c (ReadBlobLSBDouble): Make sure imported double is 2406 a normal value. 2407 (ReadBlobLSBDoubles): Make sure imported doubles are normal 2408 values. 2409 (ReadBlobLSBFloat): Make sure imported float is a normal value. 2410 (ReadBlobLSBFloats): Make sure imported floats are normal values. 2411 (ReadBlobMSBFloat): Make sure imported float is a normal value. 2412 (ReadBlobMSBFloats): Make sure imported floats are normal values. 2413 (ReadBlobMSBDouble): Make sure imported double is a normal value. 2414 (ReadBlobMSBDoubles): Make sure imported doubles are normal 2415 values.</li> 2416 <li>magick/import.c (ImportFloat32Quantum): Make sure imported float 2417 is a normal value. 2418 (ImportFloat64Quantum): Make sure imported double is a normal 2419 value.</li> 2420 <li>magick/image.h (RoundDoubleToQuantum): Restore previous behavior 2421 (from earlier today). 
2422 (RoundFloatToQuantum): Restore previous behavior (from earlier 2423 today).</li> 2424 <li>coders/bmp.c (ReadBMPImage): Fix UBSAN runtime error: left shift 2425 of 205 by 24 places cannot be represented in type 'int'.</li> 2426 <li>coders/ept.c (ReadEPTImage): Fix dereference of NULL pointer 2427 which was detected by UBSAN in the test suite.</li> 2428 <li>magick/image.h (RoundDoubleToQuantum): Check double value for 2429 NaN and infinity in order to avoid undefined behavior. 2430 (RoundFloatToQuantum): Check float value for NaN and infinity in 2431 order to avoid undefined behavior.</li> 2432 <li>magick/common.h (MAGICK_ISNAN): Add a isnan() wrapper macro. 2433 (MAGICK_ISINF): Add a isinf() wrapper macro.</li> 2434 </ul> 2435 </blockquote> 2436 <p>2018-02-25 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 2437 <blockquote> 2438 <ul class="simple"> 2439 <li>coders/mat.c Fix oss-fuzz issue 6273 - Heap-use-after-free in 2440 GetLocaleExceptionMessage. (Credit to OSS-Fuzz)</li> 2441 </ul> 2442 </blockquote> 2443 <p>2018-02-24 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2444 <blockquote> 2445 <ul class="simple"> 2446 <li>coders/dcm.c (DCM_PostRescaleImage): Remove use of 2447 DCM_PostRescaleImage() since its implementation is wrong and 2448 accesses non-allocated heap memory. Problem was reported by Petr 2449 Gajdos via email on February 8, 2018.</li> 2450 <li>coders/jp2.c (ReadJP2Image): Use a ThrowJP2ReaderException macro 2451 to automatically clean up when throwing an exception.</li> 2452 <li>coders/bmp.c (ReadBMPImage): Report an error if RLE decode does 2453 not produce the expected number of bytes. Fixes oss-fuzz issue 2454 6015 "graphicsmagick/coder_BMP_fuzzer: Out-of-memory in 2455 graphicsmagick_coder_BMP_fuzzer". 
(Credit to OSS-Fuzz)</li> 2456 </ul> 2457 </blockquote> 2458 <p>2018-02-23 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 2459 <blockquote> 2460 <ul class="simple"> 2461 <li>magick/render.c (DrawImage): Fixed a bug in which graphical 2462 elements defined within <defs> ... </defs> were being rendered, 2463 contrary to the SVG spec.</li> 2464 </ul> 2465 </blockquote> 2466 <p>2018-02-23 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 2467 <blockquote> 2468 <ul class="simple"> 2469 <li>magick/render.c (DrawPolygonPrimitive): When filling or 2470 stroking a polygon using a pattern, the fill (or stroke) 2471 and group/object opacity values were not being applied to 2472 the pattern (fixed).</li> 2473 </ul> 2474 </blockquote> 2475 <p>2018-02-23 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2476 <blockquote> 2477 <ul class="simple"> 2478 <li>coders/bmp.c (ReadBMPImage): Fix SeekBlob() return value checks. 2479 Add more EOF checks. Require that a provided ba_offset be a 2480 forward seek in order to avoid the possibility of endless looping.</li> 2481 </ul> 2482 </blockquote> 2483 <p>2018-02-23 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 2484 <blockquote> 2485 <ul class="simple"> 2486 <li>coders/mat.c Fix oss-fuzz issue 6301. 
(Credit to OSS-Fuzz)</li> 2487 </ul> 2488 </blockquote> 2489 <p>2018-02-22 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 2490 <blockquote> 2491 <ul class="simple"> 2492 <li>magick/alpha_composite.c (BlendQuantumOpacity): The 2493 pixel compositing equation used when compositing an 2494 image into the output was incorrect and has been fixed.</li> 2495 <li>magick/render.c (DrawPolygonPrimitive): When 2496 compositing polygon edge pixels over a transparent 2497 black background, the code would composite as if the 2498 background were opaque black, resulting in the edge 2499 pixels being too dark (fixed).</li> 2500 </ul> 2501 </blockquote> 2502 <p>2018-02-21 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 2503 <blockquote> 2504 <ul> 2505 <li><p class="first">magick/render.c (DrawImage): Per the SVG spec, opacity, 2506 fill-opacity, and stroke-opacity values are now clamped 2507 to [0,1].</p> 2508 <p>Also fixed two bugs introduced by changeset 91de8039f27d 2509 (dated 2018-02-12): (1) a group/object opacity value 2510 specified using a percentage was not being converted to a 2511 value in [0,1]; (2) if fill-opacity or stroke-opacity was 2512 1, and the group/object opacity value was set to 1, the 2513 resulting fill-opacity or stroke-opacity value would be 2514 set to 0 instead of 1.</p> 2515 </li> 2516 </ul> 2517 </blockquote> 2518 <p>2018-02-19 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2519 <blockquote> 2520 <ul class="simple"> 2521 <li>coders/viff.c (ReadVIFFImage): Fix excessive memory usage. 
2522 Fixes oss-fuzz 6006 "graphicsmagick/coder_XV_fuzzer: Out-of-memory 2523 in graphicsmagick_coder_XV_fuzzer". (Credit to OSS-Fuzz)</li> 2524 <li>coders/txt.c (ReadInt): Avoid benign signed integer overflow due 2525 to accepting an arbitrary number of digits. Fixes oss-fuzz 6002 2526 "graphicsmagick/coder_TEXT_fuzzer: Integer-overflow in 2527 ReadInt". (Credit to OSS-Fuzz)</li> 2528 <li>coders/viff.c (ReadVIFFImage): Verify that there is sufficient 2529 data to back up colormap allocation request. Fixes oss-fuzz 5986 2530 "graphicsmagick/coder_VIFF_fuzzer: Out-of-memory in 2531 graphicsmagick_coder_VIFF_fuzzer". (Credit to OSS-Fuzz)</li> 2532 <li>magick/memory.c: Define MAGICK_MEMORY_HARD_LIMIT=value to abort 2533 when memory request exceeds value. Useful to find location of 2534 excessive memory requests.</li> 2535 </ul> 2536 </blockquote> 2537 <p>2018-02-19 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 2538 <blockquote> 2539 <ul class="simple"> 2540 <li>coders/svg.c (SVGStartElement): Per the SVG spec, the 2541 SVG coder now initializes the MVG coder (which renders 2542 SVG graphical elements) with the SVG defaults for 2543 fill color, fill-opacity, stroke color, stroke-opacity, 2544 and stroke-width. 
This makes the SVG coder independent 2545 of the MVG coder initial state.</li> 2546 </ul> 2547 </blockquote> 2548 <p>2018-02-19 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 2549 <blockquote> 2550 <ul class="simple"> 2551 <li>coders/svg.c (SVGStartElement): Fixed initialization of 2552 x and y attributes per the SVG spec: for graphical elements 2553 "image", "pattern", "text", "rect", and "use", if the x or y 2554 attribute is not specified, the effect is as if a value of 2555 "0" were specified.</li> 2556 </ul> 2557 </blockquote> 2558 <p>2018-02-18 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2559 <blockquote> 2560 <ul class="simple"> 2561 <li>coders/sun.c (ReadSUNImage): Fix edge case which broke file-size 2562 validation logic. Fixes oss-fuzz issue 5981 2563 "graphicsmagick/coder_SUN_fuzzer: Out-of-memory in 2564 graphicsmagick_coder_SUN_fuzzer". (Credit to OSS-Fuzz)</li> 2565 <li>coders/txt.c (ReadTXTImage): Validate that file size is 2566 sufficient for claimed image properties. Fixes oss-fuzz issue 2567 5960 "graphicsmagick/coder_TXT_fuzzer: Out-of-memory in 2568 graphicsmagick_coder_TXT_fuzzer". (Credit to OSS-Fuzz)</li> 2569 <li>coders/tga.c (ReadTGAImage): Only allow 1 and 8 bit 2570 colormapped/grey images. Fixes oss-fuzz issue 6314 2571 "graphicsmagick/coder_ICB_fuzzer: Undefined-shift in 2572 ReadTGAImage". (Credit to OSS-Fuzz)</li> 2573 <li>coders/bmp.c (ReadBMPImage): Detect and report when BMP height 2574 value is out of range (too negative). Fixes oss-fuzz issue 6394 2575 "graphicsmagick/coder_BMP_fuzzer: Integer-overflow in 2576 ReadBMPImage". (Credit to OSS-Fuzz)</li> 2577 <li>coders/rla.c (ReadRLAImage): Detect when RLE decoding is 2578 producing too many samples and report as an error. 
Fixes oss-fuzz 2579 issue 6312 "graphicsmagick/coder_RLA_fuzzer: Timeout in 2580 graphicsmagick_coder_RLA_fuzzer". (Credit to OSS-Fuzz)</li> 2581 <li>coders/fits.c (ReadFITSImage): Validate that file size is 2582 sufficient for claimed image properties. Fixes oss-fuzz issue 2583 6429 "graphicsmagick/coder_FITS_fuzzer: Timeout in 2584 graphicsmagick_coder_FITS_fuzzer". (Credit to OSS-Fuzz)</li> 2585 <li>magick/image.c (CloneImage): Check image pixel limits in 2586 CloneImage() when it is used to change the image dimensions. This 2587 avoids depending on the using code to detect and report such 2588 issues.</li> 2589 <li>coders/xcf.c (ReadXCFImage): Check image pixel limits after each 2590 CloneImage() to assure that image is within specified resource 2591 limits. Fixes oss-fuzz issue 6399 "graphicsmagick/enhance_fuzzer: 2592 Timeout in graphicsmagick_enhance_fuzzer". (Credit to OSS-Fuzz)</li> 2593 </ul> 2594 </blockquote> 2595 <p>2018-02-16 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 2596 <blockquote> 2597 <ul class="simple"> 2598 <li>magick/render.c (TracePath): TracePath() was not 2599 correctly processing multiple sets of cubic or quadratic 2600 Bezier coordinates when the previous path data command was 2601 not a cubic or quadratic Bezier command. 
This would result 2602 in the first control point being equal to the current path 2603 point instead of being computed using the current path 2604 point and the second control point of the previous Bezier 2605 command.</li> 2606 </ul> 2607 </blockquote> 2608 <p>2018-02-15 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 2609 <blockquote> 2610 <ul class="simple"> 2611 <li>magick/render.c (TracePath): TracePath() was not 2612 consuming commas (if present) at the end of a set of 2613 points when multiple sets of points were specified for 2614 various path commands (e.g., line, Bezier). This 2615 resulted in the remaining sets of points being ignored 2616 (fixed).</li> 2617 </ul> 2618 </blockquote> 2619 <p>2018-02-15 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 2620 <blockquote> 2621 <ul class="simple"> 2622 <li>magick/render.c (TraceArcPath): No points are generated 2623 by TraceArcPath() if the starting and ending arc points 2624 are the same. For this case, the coordinate count was not 2625 being set to zero before returning (fixed).</li> 2626 </ul> 2627 </blockquote> 2628 <p>2018-02-15 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 2629 <blockquote> 2630 <ul class="simple"> 2631 <li>magick/render.c (DrawImage): Clipping of polygons in 2632 DrawImage() would sometimes result in a starting pixel 2633 location that was greater than the ending pixel location, 2634 causing a subsequent call to GetImagePixelsEx() to fail 2635 due to a column count <= 0. Modified the clipping code to 2636 eliminate this condition, and also to return early if 2637 the polygon lies completely outside the image boundaries. 
2638 Also fixed variable declarations from a previous commit 2639 that were causing problems for the C89 compiler.</li> 2640 </ul> 2641 </blockquote> 2642 <p>2018-02-13 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2643 <blockquote> 2644 <ul class="simple"> 2645 <li>coders/topol.c (ReadTOPOLImage): Detect EOF immediately rather 2646 than spinning. Fixes oss-fuzz issue 6303 2647 "graphicsmagick/coder_TOPOL_fuzzer: Timeout in 2648 graphicsmagick_coder_TOPOL_fuzzer". (Credit to OSS-Fuzz)</li> 2649 <li>coders/dcm.c (DCM_SetupRescaleMap): Avoid excessive left shift. 2650 Fixes oss-fuzz issue 6256 "graphicsmagick/coder_DCM_fuzzer: 2651 Undefined-shift in DCM_SetupRescaleMap". (Credit to OSS-Fuzz)</li> 2652 </ul> 2653 </blockquote> 2654 <p>2018-02-12 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2655 <blockquote> 2656 <ul class="simple"> 2657 <li>coders/wpg.c (ExtractPostscript): Detect EOF on input while 2658 transferring bytes to Postscript file. Fixes oss-fuzz issue 6087 2659 "graphicsmagick/coder_WPG_fuzzer: NULL". Later identified to be 2660 CVE-2017-17682 as previously discovered in ImageMagick. (Credit to 2661 OSS-Fuzz)</li> 2662 <li>coders/pdb.c (ReadPDBImage): Quit attempting to read image data 2663 immediately at EOF. Fixes oss-fuzz issue 6252 2664 "graphicsmagick/coder_PDB_fuzzer: Timeout in 2665 graphicsmagick_coder_PDB_fuzzer". 
(Credit to OSS-Fuzz)</li> 2666 </ul> 2667 </blockquote> 2668 <p>2018-02-12 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2669 <blockquote> 2670 <ul class="simple"> 2671 <li>coders/topol.c (ReadTOPOLImage): Avoid index out of bounds when 2672 input filename does not use a file extension. Fixes oss-fuzz issue 2673 6237 "graphicsmagick/coder_TOPOL_fuzzer: Index-out-of-bounds in 2674 ReadTOPOLImage". (Credit to OSS-Fuzz)</li> 2675 </ul> 2676 </blockquote> 2677 <p>2018-02-12 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 2678 <blockquote> 2679 <ul class="simple"> 2680 <li>magick/render.c (DrawImage): Object/group opacity, 2681 when set in DrawImage(), would overwrite the fill 2682 and stroke opacities. This has been fixed so that 2683 the object opacity is now combined with the fill 2684 and stroke opacities per the SVG spec.</li> 2685 </ul> 2686 </blockquote> 2687 <p>2018-02-12 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 2688 <blockquote> 2689 <ul class="simple"> 2690 <li>coders/mat.c Fix oss-fuzz issue 6021. (Credit to OSS-Fuzz)</li> 2691 </ul> 2692 </blockquote> 2693 <p>2018-02-11 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2694 <blockquote> 2695 <ul class="simple"> 2696 <li>coders/dcm.c (ReadDCMImage): Avoid undefined left shift of 2697 short. Fix memory leaks in error reporting paths. Fixes oss-fuzz 2698 issue 6217 "graphicsmagick/coder_DCM_fuzzer: Undefined-shift in 2699 ReadDCMImage". 
(Credit to OSS-Fuzz)</li> 2700 <li>coders/dpx.c (ReadDPXImage): Avoid divide by zero exception in 2701 the case where reference high equals reference low. Fixes oss-fuzz 2702 issue 6215 "graphicsmagick/coder_DPX_fuzzer: Divide-by-zero in 2703 ReadDPXImage". (Credit to OSS-Fuzz)</li> 2704 <li>coders/topol.c (ReadTOPOLImage): Avoid index out of bounds when 2705 input filename does not use a file extension.</li> 2706 <li>coders/cut.c (ReadCUTImage): Avoid index out of bounds when 2707 input filename does not use a file extension. Fixes oss-fuzz issue 2708 6218 "graphicsmagick/coder_CUT_fuzzer: Index-out-of-bounds in 2709 ReadCUTImage". (Credit to OSS-Fuzz)</li> 2710 <li>coders/pwp.c (ReadPWPImage): Force temporary file to be read as 2711 a SFW file rather than autodetecting the format. Fixes oss-fuzz 2712 issue 6220 "graphicsmagick/coder_PWP_fuzzer: Indirect-leak in 2713 AllocateImage". (Credit to OSS-Fuzz)</li> 2714 </ul> 2715 </blockquote> 2716 <p>2018-02-10 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2717 <blockquote> 2718 <ul class="simple"> 2719 <li>coders/pdf.c (WritePDFImage): Assure that xref memory is not 2720 leaked if an exception is thrown. Fixes oss-fuzz issue 5968 2721 "graphicsmagick/coder_EPDF_fuzzer: Direct-leak in MagickRealloc". 2722 (Credit to OSS-Fuzz)</li> 2723 <li>coders/tim.c (ReadTIMImage): Verify that 4/8 bit PSX TIM 2724 provides a CLUT and verify indexes. Fixes oss-fuzz issue 5972 2725 "graphicsmagick/coder_TIM_fuzzer: Null-dereference WRITE in 2726 ReadTIMImage". (Credit to OSS-Fuzz)</li> 2727 <li>coders/topol.c (ReadTOPOLImage): Add additional header 2728 validations. Fixes oss-fuzz issue 5975 2729 "graphicsmagick/coder_TOPOL_fuzzer: Floating-point-exception in 2730 ReadTOPOLImage". 
(Credit to OSS-Fuzz)</li> 2731 <li>coders/bmp.c (ReadBMPImage): Avoid possible division by zero 2732 when decoding CIE primary values. (Credit to OSS-Fuzz)</li> 2733 <li>magick/export.c (ExportViewPixelArea): Only compute 2734 unsigned_maxvalue if sample_bits <= 32.</li> 2735 <li>magick/import.c (ImportViewPixelArea): Assure that 2736 double_maxvalue minus double_minvalue is not zero, or excessively 2737 close to zero to avoid divide by zero exception or impossible 2738 scaling factor. (Credit to OSS-Fuzz) 2739 (ImportViewPixelArea): Only compute unsigned_maxvalue if 2740 sample_bits <= 32.</li> 2741 </ul> 2742 </blockquote> 2743 <p>2018-02-09 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2744 <blockquote> 2745 <ul class="simple"> 2746 <li>coders/dib.c (ReadDIBImage): Validate that image width is not 2747 too negative such that its absolute value cannot fit in 32-bit 2748 unsigned width. Resolves oss-fuzz issue 6179 2749 "graphicsmagick/coder_ICO_fuzzer: Integer-overflow in 2750 ReadDIBImage". (Credit to OSS-Fuzz)</li> 2751 <li>coders/dcm.c (funcDCM_BitsStored): Validate DICOM datum size. 2752 Use a different means to determine the maximum value which does 2753 not use excessive shifting. Resolves oss-fuzz issue 6165 2754 "graphicsmagick/coder_DCM_fuzzer: Undefined-shift in 2755 funcDCM_BitsStored". (Credit to OSS-Fuzz)</li> 2756 </ul> 2757 </blockquote> 2758 <p>2018-02-08 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2759 <blockquote> 2760 <ul class="simple"> 2761 <li>coders/dpx.c (ReadWordU32BE): Add casts to avoid default type 2762 promotion from unsigned char to 'int' leading to undefined 2763 behavior for 24 bit shift. 
Fixes oss-fuzz issue 6058 2764 "graphicsmagick/coder_DPX_fuzzer: Undefined-shift in 2765 ReadWordU32BE". (Credit to OSS-Fuzz) 2766 (ReadDPXImage): Require that the file has at least one element. 2767 Add bountiful casts for values which are left-shifted. Fixes 2768 oss-fuzz issue 5962 "graphicsmagick/coder_DPX_fuzzer: 2769 Undefined-shift in ReadDPXImage". (Credit to OSS-Fuzz)</li> 2770 <li>coders/dcm.c (DCM_ReadOffsetTable): Add casts to avoid 2771 default type promotion from unsigned char to 'int' leading to 2772 undefined behavior for 16 bit shift. Fixes oss-fuzz issue 5980 2773 "graphicsmagick/coder_DCM_fuzzer: Undefined-shift in 2774 DCM_ReadOffsetTable". (Credit to OSS-Fuzz)</li> 2775 <li>magick/module_aliases.h (ModuleAliases): Add missing mapping 2776 from "ICODIB" format to "DIB" module.</li> 2777 <li>magick/import.c (ImportUInt32Quantum): Add casts to avoid 2778 default type promotion from unsigned char to 'int' leading to 2779 undefined behavior for 24 bit shift. Fixes oss-fuzz 2780 "graphicsmagick/coder_P7_fuzzer: Undefined-shift in 2781 ImportRGBQuantumType". (Credit to OSS-Fuzz)</li> 2782 </ul> 2783 </blockquote> 2784 <p>2018-02-07 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p> 2785 <blockquote> 2786 <ul class="simple"> 2787 <li>coders/wpg.c Fix oss-fuzz issue 5964 2788 "graphicsmagick/coder_MAT_fuzzer: Heap-use-after-free in 2789 GetLocaleExceptionMessage". 
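The integer-promotion problem behind the ReadWordU32BE, DCM_ReadOffsetTable and ImportUInt32Quantum entries above, and the earlier BMP report "left shift of 205 by 24 places cannot be represented in type 'int'", as an added C example that is not GraphicsMagick code; the function names and the sample bytes are constructed for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not GraphicsMagick code). In C, an `unsigned char`
 * operand of `<<` is first promoted to `int`; shifting a value >= 0x80
 * left by 24 then produces a result that does not fit in `int`, which
 * is undefined behaviour and is what UBSAN reports. The fix described
 * in the ChangeLog is to cast each byte to an unsigned 32-bit type
 * before shifting. Function names below are hypothetical.
 */

/* Constructed sample: top byte 0xCD (205) is the value from the BMP
   UBSAN report quoted on this page. */
const unsigned char SAMPLE_BYTES[4] = { 0xCD, 0x00, 0x00, 0x01 };

/* Returns 1 if `byte` (after promotion to int) shifted left by `shift`
   bits cannot be represented in an int, i.e. the shift is undefined.
   Computed in 64 bits so the check itself is well defined. */
int shift_overflows_int(unsigned char byte, unsigned shift)
{
    return ((uint64_t)byte << shift) > (uint64_t)INT_MAX;
}

/* The pattern the fixes replaced, kept only for comparison and never
   compiled in: every buf[i] is promoted to int before the shift, so a
   top byte of 205 gives 205 << 24 = 0xCD000000 > INT_MAX. */
#if 0
uint32_t read_u32be_unsafe(const unsigned char *buf)
{
    return (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3];
}
#endif

/* Hardened big-endian 32-bit read: the cast makes the shift operate on
   a uint32_t, so any byte value is well defined. */
uint32_t read_u32be(const unsigned char *buf)
{
    return ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
           ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
}

/* Same treatment for the little-endian byte order the ReadBlobLSB*
   family of readers on this page deals with. */
uint32_t read_u32le(const unsigned char *buf)
{
    return ((uint32_t)buf[3] << 24) | ((uint32_t)buf[2] << 16) |
           ((uint32_t)buf[1] << 8)  |  (uint32_t)buf[0];
}

int main(void)
{
    printf("205 << 24 overflows int: %d\n", shift_overflows_int(205, 24));
    printf("127 << 24 overflows int: %d\n", shift_overflows_int(127, 24));
    printf("read_u32be = 0x%08X\n", (unsigned)read_u32be(SAMPLE_BYTES));
    printf("read_u32le = 0x%08X\n", (unsigned)read_u32le(SAMPLE_BYTES));
    return 0;
}
```

Building the `#if 0` variant with `-fsanitize=undefined` and feeding it the same bytes reproduces the runtime error quoted in the BMP entry; the cast form is silent.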
(Credit to OSS-Fuzz)</li> 2790 </ul> 2791 </blockquote> 2792 <p>2018-02-07 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p> 2793 <blockquote> 2794 <ul class="simple"> 2795 <li>magick/render.c (IsPoint): Fixed a bug in which 2796 IsPoint() would reject as a valid coordinate value 2797 strings that did not begin with an integer: e.g., 2798 "0.25" would be accepted, but ".25" would not.</li> 2799 </ul> 2800 </blockquote> 2801 <p>2018-02-07 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2802 <blockquote> 2803 <ul class="simple"> 2804 <li>coders/cut.c (ReadCUTImage): Fix DestroyImageInfo() of NULL 2805 pointer leading to assertion. Fixes oss-fuzz issue 6067 2806 "graphicsmagick/coder_CUT_fuzzer: Unknown signal in 2807 DestroyImageInfo".</li> 2808 <li>coders/tga.c (ReadTGAImage): Throw exception rather than 2809 assertion for unexpected comment size. Fixes oss-fuzz issue 5961 2810 "graphicsmagick/coder_ICB_fuzzer: ASSERT: (size_t) 2811 (tga_info.id_length+1) == commentsize".</li> 2812 </ul> 2813 </blockquote> 2814 <p>2018-02-06 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2815 <blockquote> 2816 <ul class="simple"> 2817 <li>coders/pdf.c (WritePDFImage): Free 'xref' allocation before 2818 error return. 
Fixes oss-fuzz issue 5968 2819 "graphicsmagick/coder_EPDF_fuzzer: Direct-leak in MagickRealloc".</li> 2820 </ul> 2821 </blockquote> 2822 <p>2018-02-04 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p> 2823 <blockquote> 2824 <ul class="simple"> 2825 <li>coders/pdb.c (ReadPDBImage): Fix heap buffer overflow if blob is 2826 already at EOF when comment is read. Fixes oss-fuzz issue 5997 2827 "graphicsmagick/coder_PDB_fuzzer: Heap-buffer-overflow in 2828 SetImageAttribute".</li> 2829 <li>coders/dpx.c (ReadDPXImage): Fix memory leak of user data if 2830 user data is truncated. Fix consumption of one uninitialized 2831 stack byte. Fixes oss-fuzz issue 5973: 2832 graphicsmagick/enhance_fuzzer: Direct-leak in ReadDPXImage.</li> 2833 <li>coders/pnm.c (ReadPNMImage): Detect and avoid division by zero. 2834 Fixes Issue 5959 in oss-fuzz: graphicsmagick/coder_P7_fuzzer: 2835 Divide-by-zero in ReadPNMImage</li> 2836 <li>magick/xwindow.c (MagickXClientMessage): Eliminate valgrind 2837 gripe about use of uninitialized stack data by clearing allocation 2838 to zero. 2839 (MagickXMakeImage): Eliminate valgrind gripe about use of 2840 uninitialized heap data by clearing allocation to zero.</li> 2841 <li>coders/pwp.c (ReadPWPImage): Remove bogus EOF test on an image 2842 with a closed blob. Fixes Issue 5957 in oss-fuzz: 2843 graphicsmagick/coder_PWP_fuzzer: ASSERT: image->blob->type != 2844 UndefinedStream.</li> 2845 <li>www/Changes.rst: Fix typo with spelling "ChangeLog-2017.html". 
Resolves SourceForge issue #544 "dead link 2017 changelog page on GraphicsMagick web site".</li>
</ul>
</blockquote>
<p>2018-02-03 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">
<li>magick/static.c (OpenModule): Assure that status is initialized. Resolves Coverity 261207 "Uninitialized scalar variable".</li>
<li>wand/magick_wand.c (MagickHasColormap): New function to test if the image has a colormap. (MagickIsGrayImage): New function to test if the image uses only gray pixels. (MagickIsMonochromeImage): New function to test if the image uses only monochrome pixels. (MagickIsOpaqueImage): New function to test if the image uses only opaque pixels. (MagickIsPaletteImage): New function to test if the image is based on a color palette. Above functions are written by Troy Patteson and submitted via SourceForge patch #54 "Wand API patches: has colormap, is gray image, is monochrome image, is opaque image, is palette image".</li>
<li>fuzzing: Added initial OSS-Fuzz integration by Alex Gaynor. From SourceForge patch #55 "OSS-Fuzz integration".</li>
<li>coders/png.c (ReadMNGImage): Fix free using possibly unallocated pointer value.</li>
<li>magick/blob.c (SeekBlob): Remove implicit extension of blob allocation size based on seek offset. Besides making an assumption about how the blob memory was allocated, this reallocation feature provides a memory DOS opportunity. Resolves issue reported by Alex Gaynor via email entitled "Security issue with memory management in Magick++" to the graphicsmagick-security list on 31 Jan 2018. (SeekBlob):</li>
<li>coders/jpeg.c (ReadIPTCProfile): Revert inadvertent wrong return codes added by change on December 9, 2017. Fixes SourceForge bug 542 "Improper call to JPEG library in state 201" since 1.3.28.</li>
</ul>
</blockquote>
<p>2018-02-01 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p>
<blockquote>
<ul class="simple">
<li>magick/annotate.c (RenderFreetype): Fixed the text opacity computation in RenderFreeType(). This bug caused the text fill color to bleed into the character cell when the SVG "fill-opacity" is less than 1.0.</li>
</ul>
</blockquote>
<p>2018-02-01 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p>
<blockquote>
<ul class="simple">
<li>magick/attribute.c (CloneImageAttributes): Fixed a bug in which the source image attributes would always replace the destination image attributes instead of being appended to them, and the destination image attributes would become a memory leak.</li>
</ul>
</blockquote>
<p>2018-01-31 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p>
<blockquote>
<ul class="simple">
<li>coders/svg.c (SVGStartElement): Fixed a bug in which the x,y location values for a <text> or <tspan> were overwritten by the x,y values for the next <tspan> before the previous values were used. This caused the text associated with the previous <text> or <tspan> to appear at the location specified for the next <tspan>.</li>
</ul>
</blockquote>
<p>2018-01-30 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">
<li>magick/static.c: Use !defined(SupportMagickModules) to enable static module loader. Fixes SourceForge bug #543 "Multiple definition of "OpenModule" (etc) when cross-compiling shared".</li>
</ul>
</blockquote>
<p>2018-01-29 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p>
<blockquote>
<ul class="simple">
<li>coders/svg.c (SVGStartElement): A terminating '>' in a geometry string is interpreted to mean that the dimensions of an image should only be changed if its width or height exceeds the geometry specification. For an unapparent and undocumented reason, a terminating '>', if present, was being nulled out, making this feature unusable for SVG files (now fixed).</li>
</ul>
</blockquote>
<p>2018-01-29 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p>
<blockquote>
<ul class="simple">
<li>coders/svg.c (ReadSVGImage): If there is a geometry string in image_info->size (e.g., gm convert -size "50x50%" in.svg out.png), AllocateImage() sets image->columns and image->rows to the width and height values from the size string. However, this makes no sense if the size string was something like "50x50%" (we'll get columns = rows = 50). So we set columns and rows to 0 after AllocateImage(), which is the same as if no size string was supplied by the client. This also results in svg_info.bounds to be set to 0,0 (i.e., unknown), so that svg_info.bounds will later be set using the image size information from either the svg "canvas" width/height or from the viewbox. Later, variable "page" is set from svg_info->bounds. Then the geometry string in image_info->size gets applied to the (now known) "page" width and height when SvgStartElement() calls GetMagickGeometry(), and the intended result is obtained.</li>
</ul>
</blockquote>
<p>2018-01-24 Greg Wolfe <<a class="reference external" href="mailto:gregory.wolfe%40kodakalaris.com">gregory<span>.</span>wolfe<span>@</span>kodakalaris<span>.</span>com</a>></p>
<blockquote>
<ul class="simple">
<li>coders/svg.c (SVGStartElement): When the density (DPI) is specified using the ImageInfo::density member, the derived scale factor is incorrectly applied a second time to the width and height members of variable RectangleInfo page. Fixes SourceForge ticket #451.</li>
</ul>
</blockquote>
<p>2018-01-23 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">
<li>magick/static.c: Use a lazy-loader for static modules with the same external interface as the lazy-loader for dynamic modules.</li>
</ul>
</blockquote>
<p>2018-01-20 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">
<li>NEWS.txt: Prepare for 1.3.28 release.</li>
</ul>
</blockquote>
<p>2018-01-17 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">
<li>NEWS.txt: Update with changes since previous release.</li>
</ul>
</blockquote>
<p>2018-01-14 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">
<li>PerlMagick/Magick.xs: Compiler warnings reduction.</li>
<li>magick/pixel_cache.h: Mark GetPixels(), GetIndexes(), and GetOnePixel() as deprecated. Compilers may produce a warning if these functions are used.</li>
<li>magick/pixel_cache.c (InterpolateColor): Return black pixel if InterpolateViewColor() reports failure.</li>
<li>coders/png.c (ReadMNGImage): Fix memory leak of chunk and mng_info in error path.</li>
<li>coders/gif.c (ReadGIFImage): Fix memory leak of global colormap.</li>
</ul>
</blockquote>
<p>2018-01-13 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">
<li>magick/symbols.h: Fix SourceForge issue #538 "13 symbols in common with ImageMagick despite --enable-symbol-prefix".</li>
<li>coders/bmp.c (ReadBMPImage): Fix non-terminal loop due to unexpected bit-field mask value. Fixes SourceForge issue #541 "Infinite Loop in ReadBMPImage (coders/bmp.c)".</li>
<li>coders/jpeg.c (JPEGMessageHandler): Revert code added on 2017-07-08 to promote certain warnings from libjpeg to errors. Add code to rationalize claimed image dimensions based on file size. Resolves SourceForge issue #539 "Images with libjpeg warnings result in error".</li>
</ul>
</blockquote>
<p>2018-01-11 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p>
<blockquote>
<ul class="simple">
<li>coders/wpg.c: Recursive ReadImage could return multiple scenes; fixed.</li>
</ul>
</blockquote>
<p>2018-01-07 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">
<li>coders/png.c (ReadOnePNGImage): Quit 'passes' loop if we encountered an error.</li>
<li>magick/pixel_cache.c (SetNexus): Fix heap overwrite in AcquireCacheNexus() due to SetNexus() not using an allocated staging area for the pixels like it should. This problem impacts all 1.3.X releases. Resolves SourceForge issues 532 "heap-buffer-overflow bug in ReadWPGImage" and #531 "heap-buffer-overflow in AcquireCacheNexus".</li>
<li>magick/pixel_cache.c (InterpolateViewColor): Now returns MagickPassFail rather than void. Code using this function is updated to check the return status.</li>
</ul>
</blockquote>
<p>2018-01-01 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">
<li>magick/describe.c (DescribeImage): Discriminate between AcquireImagePixels() returning NULL or finding a transparent pixel. This avoids use of a null pointer in the case where AcquireImagePixels() returns NULL.</li>
</ul>
</blockquote>
<p>2017-12-31 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">
<li>magick/static.c: Change static module initialization to be based on an initialized list rather than a sequence of function calls in order to simplify maintenance and possibly address future requirements.</li>
</ul>
</blockquote>
<p>2017-12-30 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">
<li>Copyright.txt: Bump copyright years and rotate ChangeLog.</li>
</ul>
</blockquote>
</div>
</body>
</html>