Version in base suite: 1.4~hg15978-1 Base version: graphicsmagick_1.4~hg15978-1 Target version: graphicsmagick_1.4~hg15978-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/graphicsmagick/graphicsmagick_1.4~hg15978-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/graphicsmagick/graphicsmagick_1.4~hg15978-1+deb10u1.dsc changelog | 12 patches/CVE-2019-19950.patch | 160 +++++++++++++ patches/CVE-2019-19951.patch | 524 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2019-19953.patch | 30 ++ patches/series | 4 5 files changed, 730 insertions(+) diff -Nru graphicsmagick-1.4~hg15978/debian/changelog graphicsmagick-1.4~hg15978/debian/changelog --- graphicsmagick-1.4~hg15978/debian/changelog 2019-04-27 07:06:40.000000000 +0000 +++ graphicsmagick-1.4~hg15978/debian/changelog 2020-01-29 18:03:02.000000000 +0000 @@ -1,3 +1,15 @@ +graphicsmagick (1.4~hg15978-1+deb10u1) unstable; urgency=medium + + * Non-maintainer upload by the LTS Team. + * CVE-2019-19953 + heap-based buffer over-read in the function EncodeImage + * CVE-2019-19951 + heap-based buffer overflow in the function ImportRLEPixels + * CVE-2019-19950 + use-after-free in ThrowException and ThrowLoggedException + + -- Thorsten Alteholz Wed, 29 Jan 2020 19:03:02 +0100 + graphicsmagick (1.4~hg15978-1) unstable; urgency=medium * Mercurial snapshot, fixing uninitialized integer value of log_configured. diff -Nru graphicsmagick-1.4~hg15978/debian/patches/CVE-2019-19950.patch graphicsmagick-1.4~hg15978/debian/patches/CVE-2019-19950.patch --- graphicsmagick-1.4~hg15978/debian/patches/CVE-2019-19950.patch 1970-01-01 00:00:00.000000000 +0000 +++ graphicsmagick-1.4~hg15978/debian/patches/CVE-2019-19950.patch 2020-01-29 18:03:02.000000000 +0000 @@ -0,0 +1,160 @@ + +# HG changeset patch +# User Bob Friesenhahn +# Date 1557593192 18000 +# Node ID 44ab7f6c20b440157d50242943b5b0e3b3857014 +# Parent bc99af93614da8c8dd08ae407828758a64798666 +ThrowException(), ThrowLoggedException(): Handle the case where some passed character strings refer to existing exception character strings. + +diff -r bc99af93614d -r 44ab7f6c20b4 magick/error.c +--- a/magick/error.c Sat May 11 09:24:29 2019 -0500 ++++ b/magick/error.c Sat May 11 11:46:32 2019 -0500 +@@ -163,28 +163,32 @@ + { + assert(exception != (ExceptionInfo *) NULL); + assert(exception->signature == MagickSignature); +- if (exception->severity == UndefinedException) +- return; +- errno=exception->error_number; /* Shabby work-around for parameter limits */ +- if ((exception->severity >= WarningException) && +- (exception->severity < ErrorException)) ++ ++ do + { +- MagickWarning2(exception->severity,exception->reason, +- exception->description); +- return; +- } +- if ((exception->severity >= ErrorException) && +- (exception->severity < FatalErrorException)) +- { +- MagickError2(exception->severity,exception->reason,exception->description); +- return; +- } +- if (exception->severity >= FatalErrorException) +- { +- MagickFatalError2(exception->severity,exception->reason, +- exception->description); +- return; +- } ++ if (exception->severity == UndefinedException) ++ break; ++ errno=exception->error_number; /* Shabby work-around for parameter limits */ ++ if ((exception->severity >= WarningException) && ++ (exception->severity < ErrorException)) ++ { ++ MagickWarning2(exception->severity,exception->reason, ++ exception->description); ++ break; ++ } ++ if ((exception->severity >= ErrorException) && ++ (exception->severity < FatalErrorException)) ++ { ++ MagickError2(exception->severity,exception->reason,exception->description); ++ break; ++ } ++ if (exception->severity >= FatalErrorException) ++ { ++ MagickFatalError2(exception->severity,exception->reason, ++ exception->description); ++ break; ++ } ++ } while(0); + } + + /* +@@ -217,6 +221,7 @@ + assert(copy != (ExceptionInfo *) NULL); + assert(copy->signature == MagickSignature); + assert(original != (ExceptionInfo *) NULL); ++ assert(copy != original); + assert(original->signature == MagickSignature); + copy->severity=original->severity; + MagickFreeMemory(copy->reason); +@@ -932,14 +937,21 @@ + assert(exception->signature == MagickSignature); + LockSemaphoreInfo(error_semaphore); + exception->severity=(ExceptionType) severity; +- MagickFreeMemory(exception->reason); +- if (reason) +- exception->reason= +- AcquireString(GetLocaleExceptionMessage(severity,reason)); +- MagickFreeMemory(exception->description); +- if (description) +- exception->description= +- AcquireString(GetLocaleExceptionMessage(severity,description)); ++ { ++ char *new_reason=NULL; ++ if (reason) ++ new_reason=AcquireString(GetLocaleExceptionMessage(severity,reason)); ++ MagickFreeMemory(exception->reason); ++ exception->reason=new_reason; ++ } ++ { ++ char *new_description=NULL; ++ if (description) ++ new_description= ++ AcquireString(GetLocaleExceptionMessage(severity,description)); ++ MagickFreeMemory(exception->description); ++ exception->description=new_description; ++ } + exception->error_number=errno; + MagickFreeMemory(exception->module); + MagickFreeMemory(exception->function); +@@ -1028,22 +1040,42 @@ + if (!ignore) + { + exception->severity=(ExceptionType) severity; +- MagickFreeMemory(exception->reason); +- if (reason) +- exception->reason= +- AcquireString(GetLocaleExceptionMessage(severity,reason)); +- MagickFreeMemory(exception->description); +- if (description) +- exception->description= +- AcquireString(GetLocaleExceptionMessage(severity,description)); ++ ++ { ++ char *new_reason = NULL; ++ if (reason) ++ new_reason=AcquireString(GetLocaleExceptionMessage(severity,reason)); ++ MagickFreeMemory(exception->reason); ++ exception->reason=new_reason; ++ } ++ ++ { ++ char *new_description = NULL; ++ if (description) ++ new_description=AcquireString(GetLocaleExceptionMessage(severity,description)); ++ MagickFreeMemory(exception->description); ++ exception->description=new_description; ++ } ++ + exception->error_number=errno; +- MagickFreeMemory(exception->module); +- if (module) +- exception->module=AcquireString(module); +- MagickFreeMemory(exception->function); +- if (function) +- exception->function=AcquireString(function); ++ { ++ char *new_module = NULL; ++ if (module) ++ new_module=AcquireString(module); ++ MagickFreeMemory(exception->module); ++ exception->module=new_module; ++ } ++ ++ { ++ char *new_function = NULL; ++ if (function) ++ new_function=AcquireString(function); ++ MagickFreeMemory(exception->function); ++ exception->function=new_function; ++ } ++ + exception->line=line; ++ + if (exception->reason) + { + if (exception->description) diff -Nru graphicsmagick-1.4~hg15978/debian/patches/CVE-2019-19951.patch graphicsmagick-1.4~hg15978/debian/patches/CVE-2019-19951.patch --- graphicsmagick-1.4~hg15978/debian/patches/CVE-2019-19951.patch 1970-01-01 00:00:00.000000000 +0000 +++ graphicsmagick-1.4~hg15978/debian/patches/CVE-2019-19951.patch 2020-01-29 18:03:02.000000000 +0000 @@ -0,0 +1,524 @@ + +# HG changeset patch +# User Bob Friesenhahn +# Date 1557584669 18000 +# Node ID bc99af93614da8c8dd08ae407828758a64798666 +# Parent c2eeb95d2771d1c0d883b27906888de19a90ca81 +ImportRLEPixels(): Fix heap overflow caused by a typo in the code. Also fix undefined behavior caused by large left shifts of an unsigned char. + +diff -r c2eeb95d2771 -r bc99af93614d coders/miff.c +--- a/coders/miff.c Sat May 11 09:23:43 2019 -0500 ++++ b/coders/miff.c Sat May 11 09:24:29 2019 -0500 +@@ -148,13 +148,13 @@ + *p; + + register unsigned int ++ index, + quantum; + + register int + length; + + register IndexPacket +- index, + *indexes; + + register long +@@ -203,10 +203,10 @@ + { + if (length == 0) + { +- index=(*p++); ++ index=((unsigned int) *p++); + VerifyColormapIndex(image,index); + pixel=image->colormap[index]; +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *indexes++=index; +@@ -220,11 +220,11 @@ + { + if (length == 0) + { +- index=(*p++ << 8); +- index|=(*p++); ++ index =((unsigned int) *p++ << 8); ++ index|=((unsigned int) *p++); + VerifyColormapIndex(image,index); + pixel=image->colormap[index]; +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *indexes++=index; +@@ -241,13 +241,13 @@ + { + if (length == 0) + { +- index=(*p++ << 24); +- index|=(*p++ << 16); +- index|=(*p++ << 8); +- index|=(*p++); ++ index =((unsigned int) *p++ << 24); ++ index|=((unsigned int) *p++ << 16); ++ index|=((unsigned int) *p++ << 8); ++ index|=((unsigned int) *p++); + VerifyColormapIndex(image,index); + pixel=image->colormap[index]; +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *indexes++=index; +@@ -271,12 +271,12 @@ + { + if (length == 0) + { +- index=(*p++); ++ index=((unsigned int) *p++); + VerifyColormapIndex(image,index); + pixel=image->colormap[index]; +- quantum=(*p++); ++ quantum=((unsigned int) *p++); + pixel.opacity=MaxRGB-ScaleCharToQuantum(quantum); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *indexes++=index; +@@ -290,14 +290,14 @@ + { + if (length == 0) + { +- index=(*p++ << 8); +- index|=(*p++); ++ index =((unsigned int) *p++ << 8); ++ index|=((unsigned int) *p++); + VerifyColormapIndex(image,index); + pixel=image->colormap[index]; +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.opacity=MaxRGB-ScaleShortToQuantum(quantum); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *indexes++=index; +@@ -314,18 +314,18 @@ + { + if (length == 0) + { +- index=(*p++ << 24); +- index|=(*p++ << 16); +- index|=(*p++ << 8); +- index|=(*p++); ++ index =((unsigned int) *p++ << 24); ++ index|=((unsigned int) *p++ << 16); ++ index|=((unsigned int) *p++ << 8); ++ index|=((unsigned int) *p++); + VerifyColormapIndex(image,index); + pixel=image->colormap[index]; +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.opacity=MaxRGB-ScaleLongToQuantum(quantum); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *indexes++=index; +@@ -354,7 +354,7 @@ + pixel.blue=ScaleCharToQuantum(*p++); + pixel.opacity=ScaleCharToQuantum(*p++); + index=(IndexPacket) MaxRGB-ScaleCharToQuantum(*p++); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *indexes++=index; +@@ -368,22 +368,22 @@ + { + if (length == 0) + { +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum= ((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.red=ScaleShortToQuantum(quantum); +- quantum=(*p++ << 8); ++ quantum= ((unsigned int) *p++ << 8); + quantum|=(*p++); + pixel.green=ScaleShortToQuantum(quantum); +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.blue=ScaleShortToQuantum(quantum); +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.opacity=ScaleShortToQuantum(quantum); +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + index=(IndexPacket) MaxRGB-ScaleShortToQuantum(quantum); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *indexes++=index; +@@ -397,35 +397,35 @@ + { + if (length == 0) + { +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.red=ScaleLongToQuantum(quantum); +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.green=ScaleLongToQuantum(quantum); +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.blue=ScaleLongToQuantum(quantum); +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.opacity=ScaleLongToQuantum(quantum); +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + index=(IndexPacket) MaxRGB-ScaleLongToQuantum(quantum); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; +- indexes[x]=index; ++ *indexes++=index; + *q++=pixel; + } + break; +@@ -450,7 +450,7 @@ + pixel.green=ScaleCharToQuantum(*p++); + pixel.blue=ScaleCharToQuantum(*p++); + pixel.opacity=ScaleCharToQuantum(*p++); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *q++=pixel; +@@ -463,19 +463,19 @@ + { + if (length == 0) + { +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.red=ScaleShortToQuantum(quantum); +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.green=ScaleShortToQuantum(quantum); +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.blue=ScaleShortToQuantum(quantum); +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.opacity=ScaleShortToQuantum(quantum); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *q++=pixel; +@@ -488,27 +488,27 @@ + { + if (length == 0) + { +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.red=ScaleLongToQuantum(quantum); +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.green=ScaleLongToQuantum(quantum); +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.blue=ScaleLongToQuantum(quantum); +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.opacity=ScaleLongToQuantum(quantum); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *q++=pixel; +@@ -535,7 +535,7 @@ + pixel.green=ScaleCharToQuantum(*p++); + pixel.blue=ScaleCharToQuantum(*p++); + pixel.opacity=MaxRGB-ScaleCharToQuantum(*p++); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *q++=pixel; +@@ -548,19 +548,19 @@ + { + if (length == 0) + { +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.red=ScaleShortToQuantum(quantum); +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.green=ScaleShortToQuantum(quantum); +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.blue=ScaleShortToQuantum(quantum); +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.opacity=MaxRGB-ScaleShortToQuantum(quantum); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *q++=pixel; +@@ -573,27 +573,27 @@ + { + if (length == 0) + { +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.red=ScaleLongToQuantum(quantum); +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.green=ScaleLongToQuantum(quantum); +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.blue=ScaleLongToQuantum(quantum); +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.opacity=MaxRGB-ScaleLongToQuantum(quantum); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *q++=pixel; +@@ -619,7 +619,7 @@ + pixel.red=ScaleCharToQuantum(*p++); + pixel.green=ScaleCharToQuantum(*p++); + pixel.blue=ScaleCharToQuantum(*p++); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *q++=pixel; +@@ -632,16 +632,16 @@ + { + if (length == 0) + { +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.red=ScaleShortToQuantum(quantum); +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.green=ScaleShortToQuantum(quantum); +- quantum=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.blue=ScaleShortToQuantum(quantum); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *q++=pixel; +@@ -654,22 +654,22 @@ + { + if (length == 0) + { +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.red=ScaleLongToQuantum(quantum); +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.green=ScaleLongToQuantum(quantum); +- quantum=(*p++ << 24); +- quantum|=(*p++ << 16); +- quantum|=(*p++ << 8); +- quantum|=(*p++); ++ quantum =((unsigned int) *p++ << 24); ++ quantum|=((unsigned int) *p++ << 16); ++ quantum|=((unsigned int) *p++ << 8); ++ quantum|=((unsigned int) *p++); + pixel.blue=ScaleLongToQuantum(quantum); +- length=(*p++)+1; ++ length=((int) *p++)+1; + } + length--; + *q++=pixel; +@@ -1521,13 +1521,13 @@ + { + for (i=0; i < (long) image->colors; i++) + { +- pixel=(*p << 8) | *(p+1); ++ pixel=((unsigned int) *p << 8) | (unsigned int) *(p+1); + image->colormap[i].red=ScaleShortToQuantum(pixel); + p+=2; +- pixel=(*p << 8) | *(p+1); ++ pixel=((unsigned int) *p << 8) | (unsigned int) *(p+1); + image->colormap[i].green=ScaleShortToQuantum(pixel); + p+=2; +- pixel=(*p << 8) | *(p+1); ++ pixel=((unsigned int) *p << 8) | (unsigned int) *(p+1); + image->colormap[i].blue=ScaleShortToQuantum(pixel); + p+=2; + } +@@ -1537,13 +1537,22 @@ + { + for (i=0; i < (long) image->colors; i++) + { +- pixel=(*p << 24) | (*(p+1) << 16) | (*(p+2) << 8) | *(p+3); ++ pixel=((unsigned int) *p << 24) | ++ ((unsigned int) *(p+1) << 16) | ++ ((unsigned int) *(p+2) << 8) | ++ (unsigned int) *(p+3); + image->colormap[i].red=ScaleLongToQuantum(pixel); + p+=4; +- pixel=(*p << 24) | (*(p+1) << 16) | (*(p+2) << 8) | *(p+3); ++ pixel=((unsigned int) *p << 24) | ++ ((unsigned int) *(p+1) << 16) | ++ ((unsigned int) *(p+2) << 8) | ++ (unsigned int) *(p+3); + image->colormap[i].green=ScaleLongToQuantum(pixel); + p+=4; +- pixel=(*p << 24) | (*(p+1) << 16) | (*(p+2) << 8) | *(p+3); ++ pixel=((unsigned int) *p << 24) | ++ ((unsigned int) *(p+1) << 16) | ++ ((unsigned int) *(p+2) << 8) | ++ (unsigned int) *(p+3); + image->colormap[i].blue=ScaleLongToQuantum(pixel); + p+=4; + } +@@ -1844,7 +1853,7 @@ + ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile, + image); + p+=bytes_read; +- length+=*(p-1)+1; ++ length+=(size_t) *(p-1)+1; + } + + if (!ImportRLEPixels(image,quantum_type,quantum_size,pixels)) diff -Nru graphicsmagick-1.4~hg15978/debian/patches/CVE-2019-19953.patch graphicsmagick-1.4~hg15978/debian/patches/CVE-2019-19953.patch --- graphicsmagick-1.4~hg15978/debian/patches/CVE-2019-19953.patch 1970-01-01 00:00:00.000000000 +0000 +++ graphicsmagick-1.4~hg15978/debian/patches/CVE-2019-19953.patch 2020-01-29 18:03:02.000000000 +0000 @@ -0,0 +1,30 @@ + +# HG changeset patch +# User Bob Friesenhahn +# Date 1576203219 21600 +# Node ID 28f8bacd4bbffe21b78c41010746e07f4c03070e +# Parent 7f340cac76a2c141ee37c5eda152c9c14c268f71 +PICT: Throw a writer exception if the PICT width limit is exceeded. + +Index: graphicsmagick-1.4~hg15978/coders/pict.c +=================================================================== +--- graphicsmagick-1.4~hg15978.orig/coders/pict.c 2020-01-27 13:24:53.050903041 +0100 ++++ graphicsmagick-1.4~hg15978/coders/pict.c 2020-01-27 13:25:46.717771505 +0100 +@@ -694,7 +694,7 @@ + % + */ + static size_t EncodeImage(Image *image,const unsigned char *scanline, +- const unsigned long bytes_per_line,unsigned char *pixels) ++ const size_t bytes_per_line,unsigned char *pixels) + { + #define MaxCount 128U + #define MaxPackbitsRunlength 128 +@@ -1786,6 +1786,8 @@ + bytes_per_line=(size_t) image->columns; + if (storage_class == DirectClass) + bytes_per_line = MagickArraySize(bytes_per_line, image->matte ? 4 : 3); ++ if ((bytes_per_line ==0) || (bytes_per_line > 0x7FFF)) ++ ThrowWriterException(ResourceLimitError,MemoryAllocationFailed,image); + buffer=MagickAllocateMemory(unsigned char *,PictInfoSize); + packed_scanline=MagickAllocateMemory(unsigned char *,row_bytes+MaxCount); + scanline=MagickAllocateMemory(unsigned char *,row_bytes); diff -Nru graphicsmagick-1.4~hg15978/debian/patches/series graphicsmagick-1.4~hg15978/debian/patches/series --- graphicsmagick-1.4~hg15978/debian/patches/series 2018-05-08 20:33:46.000000000 +0000 +++ graphicsmagick-1.4~hg15978/debian/patches/series 2020-01-29 18:03:02.000000000 +0000 @@ -1,2 +1,6 @@ link-demos.diff semaphore_O0_ppc64el.patch +CVE-2019-19950.patch +CVE-2019-19951.patch +CVE-2019-19953.patch +