2018-12-20  Bob Friesenhahn

	* coders/jpeg.c (ReadJPEGImage): Move return point for 'ping' mode
	until after jpeg_start_decompress() and after JPEG compression
	properties have been estimated. Fixes SourceForge issue #578 "gm
	identify with format "%[JPEG-Colorspace-Name]" does not work" and
	#586 "Identify returning wrong compression values".

2018-12-18  Bob Friesenhahn

	* coders/gif.c (ReadGIFImage): Don't throw an error if opacity is
	outside of the range of the image colors. Fix suggested by 莫红波 on
	the graphicsmagick-bugs mailing list on Fri, 9 Oct 2015.

	* magick/memory.h (MagickAllocateClearedArray): New macro for
	allocating a cleared array.

	* magick/resize.c (ScaleImage): Patch by Troy Patteson which
	resolves SourceForge issue #381 "Artifacts when scaling a PNG with
	semi-transparent pixels". ScaleImage() suffers from two problems
	related to the blending of fully transparent pixels with non-fully
	transparent pixels during the scaling operation. The first is that
	the colour values for fully transparent pixels are contributing to
	the colour values of the blended pixels when they should not. The
	second is that the colour values of pixels blended with fully and
	non-fully transparent pixels are scaled as though the fully
	transparent pixels contribute to the blended pixels' colour values
	when they should not. For example, if blending 10% of a fully
	opaque white pixel with 90% of a fully transparent black pixel one
	would expect the blended pixel RGBA values to be 255,255,255,25.5
	assuming 8 bit colour but they are in fact 25.5,25.5,25.5,25.5. The
	provided patch solves the first issue by treating the colour values
	of fully transparent pixels as zero and the second issue by
	recording the volume of each blended pixel made up of pixels that
	are not fully transparent (0.1 in the above example) and then
	scaling the blended pixel RGB values by dividing by that amount. In
	the above example, 25.5/0.1 = 255.
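The ScaleImage() blending defect described in the 2018-12-18 entry, as an added illustration that is not GraphicsMagick source: a minimal weighted blend in its old form beside the corrected form the patch describes (colour of fully transparent pixels treated as zero, RGB rescaled by the "volume" of non-transparent contributors). It assumes 8-bit RGBA with alpha stored as opacity, and the names blend_weighted, blend_two and changelog_case are chosen here.

```c
/*
 * Added example, not GraphicsMagick code.  Models the two ScaleImage()
 * blending problems from the 2018-12-18 ChangeLog entry and the corrected
 * blend that Troy Patteson's patch describes.  Assumption: colour and alpha
 * are on an 8-bit 0..255 scale and alpha is opacity (0 = fully transparent).
 */
#include <stddef.h>
#include <stdio.h>

typedef struct
{
  double r, g, b, a;   /* 0..255; a is opacity */
} RGBA;

/*
 * Weighted blend of n source pixels into one destination pixel.  w[i] is
 * the fraction of the destination covered by px[i]; the weights of one
 * destination pixel sum to 1.0.
 *
 * fixed == 0 reproduces the old behaviour: every source pixel's colour is
 * weighted in, so a fully transparent black pixel darkens the result.
 * fixed != 0 applies the patch's two corrections:
 *   1. the colour of a fully transparent pixel is treated as zero, and
 *   2. the accumulated RGB is divided by the "volume" (summed weight) of
 *      the pixels that were not fully transparent.
 * Alpha is a plain weighted sum in both modes.
 */
RGBA blend_weighted(const RGBA *px, const double *w, size_t n, int fixed)
{
  RGBA out = {0.0, 0.0, 0.0, 0.0};
  double volume = 0.0;   /* weight contributed by non-transparent pixels */
  size_t i;

  for (i = 0; i < n; i++)
    {
      out.a += w[i] * px[i].a;
      if (fixed && px[i].a <= 0.0)
        continue;          /* correction 1: no colour contribution */
      out.r += w[i] * px[i].r;
      out.g += w[i] * px[i].g;
      out.b += w[i] * px[i].b;
      volume += w[i];
    }
  if (fixed && volume > 0.0)
    {                      /* correction 2: rescale RGB by the volume */
      out.r /= volume;
      out.g /= volume;
      out.b /= volume;
    }
  /* If every contributor was fully transparent, volume stays 0.0 and the
     result is left as transparent black rather than dividing by zero. */
  return out;
}

/* Two-pixel convenience wrapper for spot checks. */
RGBA blend_two(RGBA p0, double w0, RGBA p1, double w1, int fixed)
{
  RGBA px[2];
  double w[2];

  px[0] = p0; px[1] = p1;
  w[0] = w0;  w[1] = w1;
  return blend_weighted(px, w, 2, fixed);
}

/* The ChangeLog's worked case: 10% opaque white over 90% transparent black. */
RGBA changelog_case(int fixed)
{
  RGBA white = {255.0, 255.0, 255.0, 255.0};
  RGBA clear_black = {0.0, 0.0, 0.0, 0.0};

  return blend_two(white, 0.1, clear_black, 0.9, fixed);
}

/* Tolerant comparison so that 0.1 * 255 rounding does not matter. */
int near_value(double got, double want)
{
  double d = got - want;

  return (d < 0.0 ? -d : d) < 1e-9;
}

int main(void)
{
  RGBA before = changelog_case(0);
  RGBA after = changelog_case(1);

  printf("old blend:   %.1f,%.1f,%.1f,%.1f\n",
         before.r, before.g, before.b, before.a);
  printf("fixed blend: %.1f,%.1f,%.1f,%.1f\n",
         after.r, after.g, after.b, after.a);
  return 0;
}
```

The old path yields 25.5,25.5,25.5,25.5 and the corrected path 255,255,255,25.5, matching the numbers in the entry.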
2018-12-16  Bob Friesenhahn

	* coders/dib.c (ReadDIBImage): DIB images claiming more than 8-bits
	per pixel are not colormapped. Reject such files. Fixes SourceForge
	issue #585 "Assertion Failure in coders/png.c:7503". The problem is
	in the DIB reader rather than PNG.

	* coders/miff.c (ReadMIFFImage): Detect and reject zero-length
	deflate-encoded row in MIFF version 0. Fixes oss-fuzz 11876
	"graphicsmagick/coder_MIFF_fuzzer: Use-of-uninitialized-value in
	deflate_slow". (Credit to OSS-Fuzz)

	* configure.ac: Improve search for true Microsoft Windows fonts and
	provide better indication of results. Fix a typo which caused
	DcrawExtraOptions not to be evaluated correctly.

2018-12-15  Bob Friesenhahn

	* coders/tiff.c (QuantumTransferMode): Be more strict about the
	requirements for CIE Log2(L) and LOGLUV images.
	(ReadTIFFImage): Apply memory resource limits to strip and tile
	allocations.
	(ReadTIFFImage): Rationalize tile width/height to reject large tile
	sizes which are much larger than the image dimensions. Fixes
	oss-fuzz 11824 "graphicsmagick/coder_BIGTIFF_fuzzer: Out-of-memory
	in graphicsmagick_coder_BIGTIFF_fuzzer". (Credit to OSS-Fuzz)
	(ReadTIFFImage): Return with error if TIFFClientOpen() reports
	errors yet still returns a TIFF handle.

2018-12-12  Bob Friesenhahn

	* coders/tga.c (WriteTGAImage): Image rows/columns must not be
	larger than 65535. Fixes SourceForge #583 "heap-buffer-overflow in
	WriteTGAImage of tga.c".

2018-12-11  Bob Friesenhahn

	* coders/bmp.c (ReadBMPImage): Fix heap overflow in 32-bit build due
	to arithmetic overflow. Only happens if limits are changed from
	defaults. Fixes SourceForge #582 "heap-buffer-overflow in
	ReadBMPImage of bmp.c".

2018-12-09  Bob Friesenhahn

	* common.shi.in (MAGICK_FONT): The test suite must pass even on
	systems where we don't find any fonts.

2018-12-08  Bob Friesenhahn

	* coders/miff.c (ReadMIFFImage): Sanitize claimed profile size
	before allocating memory for it. Fixes oss-fuzz 11781
	"graphicsmagick/coder_MIFF_fuzzer: Out-of-memory in
	graphicsmagick_coder_MIFF_fuzzer". (Credit to OSS-Fuzz)

2018-12-05  Bob Friesenhahn

	* coders/png.c (ReadMNGImage): Fix non-terminal MNG looping. Fixes
	oss-fuzz 11596 "graphicsmagick/coder_MNG_fuzzer: Timeout in
	graphicsmagick_coder_MNG_fuzzer". (Credit to OSS-Fuzz)

2018-12-04  Bob Friesenhahn

	* coders/xpm.c (WriteXPMImage): Assure that added colormap entry for
	transparent XPM is initialized. Fixes oss-fuzz 11617
	"graphicsmagick/coder_XPM_fuzzer: Use-of-uninitialized-value in
	QueryColorname". (Credit to OSS-Fuzz)

	* coders/miff.c (ReadMIFFImage): Fix memory leak of profiles 'name'
	when claimed length is zero. Fixes oss-fuzz 11710
	"graphicsmagick/coder_MIFF_fuzzer: Direct-leak in AllocateString"
	and oss-fuzz 11688 "graphicsmagick/coder_MIFF_fuzzer: Out-of-memory
	in graphicsmagick_coder_MIFF_fuzzer". (Credit to OSS-Fuzz)

2018-12-02  Bob Friesenhahn

	* fuzzing/oss-fuzz-build.sh: Apply patch from Alex Gaynor to add
	Zstd to the oss-fuzz build.

2018-12-01  Bob Friesenhahn

	* configure.ac (DcrawExtraOptions): For QuantumDepth > 8 pass -6
	option to dcraw. Fixes SourceForge issue #568 "dcraw not returning
	16 bit image even though quantum depth is set to 16".

	* fuzzing/oss-fuzz-build.sh (PKG_CONFIG_PATH): Build WebP prior to
	libtiff so that libtiff has a chance to find it.

2018-11-30  Bob Friesenhahn

	* magick/command.c (TimeImageCommand): Time command now shows 6
	digits of elapsed time indication since this precision is often now
	available and it is useful to see.

2018-11-29  Bob Friesenhahn

	* Magick++/lib/Magick++/Drawable.h: Fix use of clang diagnostic
	syntax. Addresses SourceForge bug #579 "'diagnostic pop' pragma
	without 'diagnostic push' in Drawable.h.".

2018-11-22  Bob Friesenhahn

	* magick/constitute.c (WriteImage): Eliminate use of just-freed
	memory in clone_info->magick when throwing exception due to no
	support for format. Fixes SourceForge issue #576 "heap
	use-after-freee when convert one format into another format".

	* magick/command.c (BenchmarkImageCommand): Benchmark command now
	shows 6 digits of elapsed time indication since this precision is
	often now available and it is useful to see.

2018-11-21  Bob Friesenhahn

	* wand/wand_api.h ("C"): magick/api.h should be included prior to
	wand/wand_symbols.h. Change made due to report by yzh杨振宏 on Wed,
	21 Nov 2018 via the graphicsmagick-bugs mailing list.

2018-11-20  Fojtik Jaroslav

	* magick/nt_base.c: Fix a bug when OS does not support performance
	counter.

2018-11-20  Bob Friesenhahn

	* magick/nt_base.c (NTElapsedTime): Use QueryPerformanceFrequency()
	and QueryPerformanceCounter() to measure elapsed time for Windows.

2018-11-19  Fojtik Jaroslav

	* tiff/port/snprintf.c: Fix for older Microsoft Visual Studio.

2018-11-17  Bob Friesenhahn

	* www/index.rst: Update in preparation for 1.3.31 release.

	* version.sh: Update library versioning in preparation for 1.3.31
	release.

	* NEWS.txt: Update news in preparation for 1.3.31 release.

2018-11-15  Bob Friesenhahn

	* magick/command.c (BenchmarkUsage): Document the benchmark command
	better.

2018-11-14  Bob Friesenhahn

	* magick/resize.c (HorizontalFilter, VerticalFilter): quantum is a
	pointer so its value cannot be usefully flushed. Use a local
	variable and then update quantum pointer when done.

2018-11-11  Bob Friesenhahn

	* magick/*: Changed row_count tallying to use 'omp atomic' and
	status update to use 'omp flush' for progress and error indication.
	This replaces most use of 'omp critical' for this purpose. Changed
	some lumpy algorithms which were using 'static' scheduling to
	'guided' scheduling due to observing better results. Also added
	prolific 'restrict' annotations where they were missing.

	* www/security.rst: Documented a PGP private key for file signing or
	private correspondence.
2018-11-10  Bob Friesenhahn

	* www/authors.rst: Moved "Glenn Randers-Pehrson" and "Gregory J
	Wolfe" to the "Former Contributor" category.

2018-11-09  Bob Friesenhahn

	* Added many GCC function annotations in the libraries and coders.

2018-11-07  Bob Friesenhahn

	* configure.ac: Use printf rather than echo to portably expand tab
	requests in configuration summary.

2018-11-01  Bob Friesenhahn

	* configure.ac: Use pkg-config data as the initial choice when
	configuring for FreeType 2.0 and libxml-2.0. Only fall back to
	invoking an external script (and then traditional methods) if
	pkg-config fails.

	* coders/msl.c (ProcessMSLScript): Release msl_image if OpenBlob
	fails. Similar to ImageMagick CVE-2018-18544. Problem was reported
	to us via email from Petr Gajdos on Thu, 1 Nov 2018.

2018-10-27  Bob Friesenhahn

	* coders/miff.c (WriteMIFFImage): Only run strlen(attribute->value)
	once per attribute since the length won't change. May address
	oss-fuzz 11158 "graphicsmagick/coder_MIFF_fuzzer: Timeout in
	graphicsmagick_coder_MIFF_fuzzer". (Credit to OSS-Fuzz)

	* Fix compilation warnings observed with GCC 8.2.0.

2018-10-26  Bob Friesenhahn

	* magick/pixel_iterator.c (PixelIterateMonoModifyImplementation):
	Use atomic and flush rather than critical construct for a small
	speedup.

	* magick/monitor.c (MagickMonitorFormatted): Serialize calls to the
	progress monitor so that the caller does not need to perform this
	serialization.
	(MagickMonitor): Serialize calls to the progress monitor so that the
	caller does not need to perform this serialization. This function
	is now marked as deprecated.
	(InitializeMagickMonitor): New private function to initialize
	monitor functionality.
	(DestroyMagickMonitor): New private function to destroy monitor
	functionality.

2018-10-23  Bob Friesenhahn

	* coders/gif.c (ReadGIFImage): Improve the efficiency of storing a
	GIF comment in order to avoid a DOS opportunity. Fixes oss-fuzz
	11096 "graphicsmagick/coder_GIF_fuzzer: Timeout in
	graphicsmagick_coder_GIF_fuzzer". (Credit to OSS-Fuzz)

2018-10-21  Bob Friesenhahn

	* PerlMagick/Makefile.PL.in: Use MAGICK_API_LIBS to obtain the list
	of libraries to use when linking.

	* configure.ac: OpenMP library is normally supplied due to a CFLAGS
	option so only supply it in cases where the CFLAGS option may be
	lost or it might not be used. Otherwise the compiler may apply the
	library twice when linking.

2018-10-20  Bob Friesenhahn

	* configure.ac: Remove Ghostscript library support (--with-gslib)
	from configure script. The 'HasGS' pre-processor defines which were
	enabled by this remain in the source code so it is still possible
	to use this library if absolutely necessary (e.g. CPPFLAGS=-DHasGS
	LIBS=-lgs).

	* tests/rwfile.tap: Test TIFF format with all supported compression
	options.

	* tests/{rwblob.c, rwfile.c} (main): Use StringToCompressionType()
	to parse compression option. Also consider requested compression
	algorithm when deciding if format is lossy.

	* coders/tiff.c (WriteTIFFImage): WebP compression needs
	PHOTOMETRIC_RGB. Fix wrong rows-per-strip calculation when using
	LZMA compression.

	* tests/rwblob.tap: Added a rwblob test to verify that lower-case
	magick works.

	* magick/static.c (OpenModule): Upper case magick string before
	searching static modules list. Fixes Debian bug 911386
	"libgraphicsmagick-q16-3: graphicsmagick 1.3.30 has made formats
	case-sensitive at the API level".

	* filters/analyze.c (AnalyzeImage): X and y should be unsigned long
	to match image rows/columns type. Calculate total pixels by simple
	multiplication rather than counting.

2018-10-14  Bob Friesenhahn

	* coders/tiff.c (WriteTIFFImage): Support WebP compression in TIFF.
	This requires a libtiff release after 4.0.9.

	* magick/image.h ("C"): WebPCompression added to CompressionType
	enumeration.

2018-10-13  Bob Friesenhahn

	* configure.ac: Configure for the Zstd library. Use --without-zstd
	to disable searching for this library. Libtiff may require this
	library to successfully link so static linkage could fail if
	searching for libzstd is disabled.

	* magick/image.h ("C"): ZSTDCompression added to CompressionType
	enumeration.

	* coders/tiff.c (WriteTIFFImage): Support Zstd compression in TIFF.
	This requires a libtiff release after 4.0.9.

2018-10-10  Bob Friesenhahn

	* magick/command.c (GMCommandSingle): Add 'compare' to the list of
	command names that gm will support as a command if copied to or
	linked from that name. There was already a 'compare' link installed
	when the '--enable-magick-compat' configure option is used, but it
	could not possibly function without being blessed by this list.
	Related to Debian bug #910652 "graphicsmagick-imagemagick-compat:
	Doesn't ship a compare tool".

2018-09-30  Bob Friesenhahn

	* Magick++/lib/Magick++/Drawable.h: Block unused-private-field
	warnings from Clang due to _dummy members which were intentionally
	included in some parent class definitions.

	* magick/widget.c (XEditText): Fix compilation warnings about cases
	which fall-through.

	* magick/display.c (MagickXAnnotateEditImage): Fix compilation
	warnings about cases which fall-through.

	* coders/pict.c (WritePICTImage): Add more checks to memory
	allocation calculations.

	* magick/pixel_cache.c (DestroyCacheInfo): Eliminate intentional
	fall-through logic in switch statement which results in compiler
	warnings. Eliminate switch statements entirely and split unrelated
	logic.

	* coders/txt.c (ReadTXTImage): Fix comparison between pointer and
	'\0' rather than NULL as was obviously intended.

	* coders/msl.c (MSLStartElement): Add missing 'break' statements
	after ThrowException() calls. Otherwise execution falls through
	into unrelated switch cases and throws a redundant exception.

2018-09-29  Bob Friesenhahn

	* coders/meta.c (parse8BIM): Eliminate repeated use of strlen()
	which scans the entire remaining string on each cycle. Fixes
	oss-fuzz 10667 "graphicsmagick/coder_IPTCTEXT_fuzzer: Timeout in
	graphicsmagick_coder_IPTCTEXT_fuzzer". (Credit to OSS-Fuzz)

2018-09-26  Bob Friesenhahn

	* magick/utility.c (MagickGetToken): Fix possible read up to four
	bytes beyond end of stack allocated token buffer. Fixes oss-fuzz
	10653 "graphicsmagick/coder_MVG_fuzzer: Stack-buffer-overflow in
	MagickGetToken". (Credit to OSS-Fuzz)

2018-09-22  Bob Friesenhahn

	* fuzzing/coder_fuzzer.cc (LLVMFuzzerTestOneInput): Limit the
	maximum number of JPEG progressive scans to 50.

	* coders/jpeg.c (ReadJPEGImage): Apply a default limit of 100
	progressive scans before the reader quits with an error. This limit
	may be adjusted using the -define mechanism like -define
	JPEG:max-scan-number=500. Also respond more quickly to files which
	exceed the maximum image dimensions. Fixes oss-fuzz 10258
	"graphicsmagick/coder_JPEG_fuzzer: Timeout in
	graphicsmagick_coder_JPEG_fuzzer". (Credit to OSS-Fuzz)

2018-09-20  Bob Friesenhahn

	* coders/png.c (ReadMNGImage): mng_LOOP chunk must be at least 5
	bytes long. Fixes oss-fuzz 10455 "graphicsmagick/coder_MNG_fuzzer:
	Use-of-uninitialized-value in ReadMNGImage". (Credit to OSS-Fuzz)

2018-09-15  Bob Friesenhahn

	* magick/render.c (TraceEllipse): Detect arithmetic overflow when
	computing the number of points to allocate for an ellipse. Fixes
	oss-fuzz 10306 "graphicsmagick/coder_MVG_fuzzer:
	Heap-buffer-overflow in TracePoint". (Credit to OSS-Fuzz)

2018-09-12  Bob Friesenhahn

	* magick/attribute.c (GenerateEXIFAttribute): Eliminate undefined
	shift. Also right-sized involved data types. Fixes oss-fuzz 10309
	"graphicsmagick/coder_JPG_fuzzer: Undefined-shift in Read32s".
	(Credit to OSS-Fuzz)

2018-09-09  Bob Friesenhahn

	* magick/render.c (DrawClipPath): Fix Coverity 319663 "Null pointer
	dereferences". Totally insignificant.

	* coders/wpg.c (ReadWPGImage): Mask/fix Coverity 319664 "Error
	handling issues".
	* magick/attribute.c (FindEXIFAttribute): Change size types from
	signed to unsigned and check for unsigned overflow.
	(GenerateEXIFAttribute): Change size types from signed to unsigned
	and check for unsigned overflow. Fixes oss-fuzz 10283
	"graphicsmagick/coder_JPG_fuzzer: Integer-overflow in
	GenerateEXIFAttribute". (Credit to OSS-Fuzz)

	* coders/sfw.c (ReadSFWImage): Enforce that file is read using the
	JPEG reader. (Credit to OSS-Fuzz)

	* coders/miff.c (ReadMIFFImage): Fix leak of 'values' buffer due to
	change made yesterday.

	* coders/mpc.c (ReadMPCImage): Fix leak of 'values' buffer due to
	change made yesterday. Fixes oss-fuzz 10277
	"graphicsmagick/coder_MPC_fuzzer: Direct-leak in ReadMPCImage".
	(Credit to OSS-Fuzz)

2018-09-08  Bob Friesenhahn

	* coders/miff.c (ReadMIFFImage): Support legacy keyword
	'color-profile' for ICC color profile as was used by ImageMagick
	4.2.9.

	* coders/mpc.c (ReadMPCImage): Require that first keyword/value be
	id=MagickCache.

	* coders/miff.c (ReadMIFFImage): Require that first keyword/value be
	id=ImageMagick.

2018-09-06  Bob Friesenhahn

	* coders/dcm.c (DCM_ReadElement): Add more size checks.

	* coders/jnx.c (ExtractTileJPG): Enforce that JPEG tiles are read
	by the JPEG coder. Fixes oss-fuzz 10147
	"graphicsmagick/coder_JNX_fuzzer: Use-of-uninitialized-value in
	funcDCM_PhotometricInterpretation". (Credit to OSS-Fuzz)

2018-09-10  Fojtik Jaroslav

	* coders/wpg.c: Zero fill raster error recovery.

2018-08-29  Bob Friesenhahn

	* magick/render.c (ConvertPrimitiveToPath): Second attempt to
	prevent heap write overflow of PathInfo array. Fixes oss-fuzz 10096
	"Heap-buffer-overflow in ConvertPrimitiveToPath". (Credit to
	OSS-Fuzz)

2018-08-25  Bob Friesenhahn

	* coders/tiff.c ("QuantumTransferMode"): CIE Log images with an
	alpha channel are not supported. Fixes oss-fuzz 10013
	"graphicsmagick/coder_TIFF_fuzzer: Use-of-uninitialized-value in
	DisassociateAlphaRegion". (Credit to OSS-Fuzz)

	* magick/render.c (DrawImage): SetImageAttribute() appends new text
	to any existing value, leading to ever increasing memory
	consumption if the existing value is not deleted first by the
	unwary. Fixes oss-fuzz 9983 "graphicsmagick/coder_MVG_fuzzer:
	Timeout in graphicsmagick_coder_MVG_fuzzer" and oss-fuzz 10016
	"graphicsmagick/coder_MVG_fuzzer: Out-of-memory in
	graphicsmagick_coder_MVG_fuzzer". (Credit to OSS-Fuzz)

	* magick/utility.c (TranslateTextEx): Fix off-by-one in loop bounds
	check which allowed a one-byte stack write overflow. Fixes oss-fuzz
	10055 "graphicsmagick/coder_MVG_fuzzer: Stack-buffer-overflow in
	TranslateTextEx". (Credit to OSS-Fuzz)

	* magick/render.c (DrawImage): Be more precise about error
	detection and reporting, and return from an error more quickly.
	Also added MAX_DRAWIMAGE_RECURSION pre-processor definition to
	allow adjusting the drawing recursion limit. The drawing recursion
	limit is still 100, which seems exceptionally generous.

	* magick/constitute.c (WriteImage): Produce a more useful error
	message if an encoding delegate is not available.

	* magick/nt_base.h (isnan): Try adding a MSVC replacement for
	missing isnan() function. Not yet tested.

2018-08-25  Fojtik Jaroslav

	* coders/wpg.c: This should fix intentional 64 bit file offset
	overflow as depicted in OSS-fuzz-9936. Thanks to OSS-Fuzz.

2018-08-22  Bob Friesenhahn

	* magick/render.c (ConvertPrimitiveToPath): Need to enlarge
	PathInfo array allocation to avoid possible heap write overflow.
	Fixes oss-fuzz 9651 "graphicsmagick/coder_MVG_fuzzer:
	Heap-buffer-overflow in ConvertPrimitiveToPath". (Credit to
	OSS-Fuzz)

2018-08-20  Bob Friesenhahn

	* coders/mpc.c (ReadMPCImage): Insist that the format be identified
	prior to any comment, and that there is only one comment.

	* coders/miff.c (ReadMIFFImage): Insist that the format be
	identified prior to any comment, and that there is only one
	comment. Fixes oss-fuzz 9979 "graphicsmagick/coder_MIFF_fuzzer:
	Timeout in graphicsmagick_coder_MIFF_fuzzer". This is not a serious
	issue, but the code runs slowly under UBSAN. (Credit to OSS-Fuzz)

2018-08-19  Bob Friesenhahn

	* magick/utility.c (MagickAtoFChk): Add additional validation
	checks for floating point values. NAN and +/- INFINITY values also
	map to 0.0. Fixes oss-fuzz 9630 "graphicsmagick/coder_MVG_fuzzer:
	Integer-overflow in IsNexusInCore" and oss-fuzz 9612
	"graphicsmagick/coder_MVG_fuzzer: Integer-overflow in
	SetCacheNexus". (Credit to OSS-Fuzz)

	* magick/render.c (DrawImage): Add missing error-reporting logic to
	return immediately upon memory reallocation failure. Apply memory
	resource limits to PrimitiveInfo array allocation. Fixes oss-fuzz
	9576 "graphicsmagick/coder_MVG_fuzzer: Null-dereference READ in
	DrawImage", oss-fuzz 9593 "graphicsmagick/coder_MVG_fuzzer:
	Out-of-memory in graphicsmagick_coder_MVG_fuzzer", oss-fuzz 9648
	"graphicsmagick/coder_MVG_fuzzer: Unknown signal in DrawImage".
	(Credit to OSS-Fuzz)

2018-08-16  Fojtik Jaroslav

	* coders/mat.c: Explicitly reject non-seekable streams.

2018-08-15  Fojtik Jaroslav

	* coders/mat.c: Correctly check GetBlobSize(image) even for
	zipstreams.

2018-08-14  Fojtik Jaroslav

	* coders/mat.c: More aggressive data corruption checking.

2018-08-09  Bob Friesenhahn

	* coders/xbm.c (XBMInteger): Limit the number of hex digits parsed
	to avoid signed integer overflow. Fixes oss-fuzz 9746
	"graphicsmagick/coder_XBM_fuzzer: Undefined-shift in XBMInteger".
	(Credit to OSS-Fuzz)

2018-08-07  Fojtik Jaroslav

	* coders/mat.c: Typecast difference to quantum.

2018-08-05  Bob Friesenhahn

	* coders/mat.c (InsertComplexFloatRow): Avoid signed overflow.
	Fixes oss-fuzz 9667 "graphicsmagick/coder_MAT_fuzzer:
	Integer-overflow in InsertComplexFloatRow". (Credit to OSS-Fuzz)

	* coders/xbm.c (ReadXBMImage): Add validations for row and column
	dimensions. Fixes oss-fuzz 9736 "graphicsmagick/coder_XBM_fuzzer:
	Out-of-memory in graphicsmagick_coder_XBM_fuzzer". (Credit to
	OSS-Fuzz)

2018-08-04  Fojtik Jaroslav

	* coders/wpg.c: Add mechanism to approve embedded subformats in
	WPG. This should mute oss-fuzz 9559. (Credit to OSS-Fuzz)

2018-07-24  Bob Friesenhahn

	* coders/mvg.c (ReadMVGImage): Fix memory leak added on 2018-07-21.
	Fixes oss-fuzz 9548 "graphicsmagick/coder_MVG_fuzzer: Direct-leak
	in CloneDrawInfo". (Credit to OSS-Fuzz)

2018-07-23  Bob Friesenhahn

	* coders/cineon.c (ReadCINEONImage): Fix SourceForge issue 571
	"Unexpected hang on a crafted Cineon image" by detecting and
	quitting on EOF appropriately, and verifying that file size is
	sufficient for claimed pixel dimensions when possible.

	* fuzzing/oss-fuzz-build.sh, fuzzing/dictionaries/MVG.dict: Added
	MVG fuzzing dictionary by Alex Gaynor.

2018-07-22  Bob Friesenhahn

	* magick/pixel_cache.c (SetNexus): For requests one pixel tall,
	SetNexus() was wrongly using pixels in-core rather than using a
	staging area for the case where the nexus rows extend beyond the
	image raster boundary, leading to heap overflow. This can happen
	when virtual pixels outside the image bounds are accessed. Fixes
	oss-fuzz 9512 "graphicsmagick/graphicsmagick_coder_MVG_fuzzer:
	Heap-buffer-overflow in AcquireCacheNexus". (Credit to OSS-Fuzz)

	* magick/render.c (ExtractTokensBetweenPushPop):
	ExtractTokensBetweenPushPop() needs to always return a valid
	pointer into the primitive string. Fixes oss-fuzz 9511
	"graphicsmagick/graphicsmagick_coder_MVG_fuzzer: Null-dereference
	READ in DrawImage". (Credit to OSS-Fuzz)
	(DrawPolygonPrimitive): Fix leak of polygon set when object is
	completely outside image. Fixes oss-fuzz 9513
	"graphicsmagick/graphicsmagick_coder_MVG_fuzzer: Direct-leak in
	AllocateThreadViewDataSet". (Credit to OSS-Fuzz)

2018-07-21  Bob Friesenhahn

	* magick/blob.c (FileToBlob): Use confirm access APIs to verify
	that read access to this path is allowed by policy. Check that file
	is a regular file before proceeding to open and read from it.
	* coders/mvg.c (ReadMVGImage): Don't allow MVG files to side-load a
	file as the drawing primitive using '@' syntax. Fixes oss-fuzz 9494
	"graphicsmagick/coder_MVG_fuzzer: Sanitizer CHECK failure in
	"((0)) != (0)" (0x0, 0x0)". (Credit to OSS-Fuzz)

2018-07-19  Bob Friesenhahn

	* coders/mvg.c (ReadMVGImage): Don't assume that in-memory MVG blob
	is a null-terminated C string. Fixes oss-fuzz 9469
	"graphicsmagick/coder_MVG_fuzzer: Heap-buffer-overflow in
	AllocateString". (Credit to OSS-Fuzz)

2018-07-12  Bob Friesenhahn

	* coders/miff.c (ReadMIFFImage): Detect EOF when reading using
	ReadBlobZC() and avoid subsequent heap read overflow. Fixes
	oss-fuzz 9357 "graphicsmagick/coder_MIFF_fuzzer:
	Heap-buffer-overflow in ImportRGBQuantumType". (Credit to OSS-Fuzz)

2018-07-11  Bob Friesenhahn

	* fuzzing/oss-fuzz-build.sh (CFLAGS): Try disabling SIMD
	instructions in libjpeg-turbo build.

2018-07-10  Bob Friesenhahn

	* coders/png.c (WriteOnePNGImage): Free png_pixels as soon as
	possible. This might help with oss-fuzz 9334
	"graphicsmagick/coder_PNG8_fuzzer: Direct-leak in
	WriteOnePNGImage", which we have yet to reproduce. It is not clear
	if png_pixels is being clobbered by longjmp or if something else is
	going on.

2018-06-26  Bob Friesenhahn

	* coders/jpeg.c (ReadJPEGImage): Provide a memory resource limit
	(of 1/5th the memory resource limit for GraphicsMagick) to libjpeg
	to limit how much memory it might consume for itself while reading
	a file. Fixes oss-fuzz 9096 "graphicsmagick/coder_JPEG_fuzzer:
	Timeout in graphicsmagick_coder_JPEG_fuzzer". (Credit to OSS-Fuzz)
	(ReadJPEGImage): Make sure that JPEG pixels array is initialized in
	case libjpeg fails to completely initialize it. May fix oss-fuzz
	9115 "graphicsmagick/coder_JPEG_fuzzer: Use-of-uninitialized-value
	in ReadJPEGImage". We are not sure since the problem was not
	reproduced. (Credit to OSS-Fuzz)

2018-06-23  Bob Friesenhahn

	* version.sh: Update library versioning for 1.3.30 release.

	* NEWS.txt: Update news for 1.3.30 release.
2018-06-22 Bob Friesenhahn * coders/dpx.c (ReadDPXImage): Report exception on EOF file reading DPX pixel data. Fixes oss-fuzz 8104 "graphicsmagick/coder_DPX_fuzzer: Use-of-uninitialized-value in WriteDPXImage", oss-fuzz 8297 "graphicsmagick/enhance_fuzzer: Use-of-uninitialized-value in EnhanceImage", and oss-fuzz 8133 "graphicsmagick/coder_DPX_fuzzer: Use-of-uninitialized-value in RGBTransformPackets". (Credit to OSS-Fuzz) 2018-06-20 Bob Friesenhahn * coders/cmyk.c (ReadCMYKImage): Free scanline buffer in error path. Fixes SourceForge issue #567 "small memory leak in rgb.c, gray.c and cmyk.c" reported by Petr Gajdos. * coders/gray.c (ReadGRAYImage): Free scanline buffer in error path. Fixes SourceForge issue #567 "small memory leak in rgb.c, gray.c and cmyk.c" reported by Petr Gajdos. * coders/rgb.c (ReadRGBImage): Free scanline buffer in error path. Fixes SourceForge issue #567 "small memory leak in rgb.c, gray.c and cmyk.c" reported by Petr Gajdos. * coders/jpeg.c (ReadJPEGImage): Avoid memory leak of profile buffer when longjmp-based exception is thrown while reading a profile. Fixes oss-fuzz 8957 "graphicsmagick/enhance_fuzzer: Direct-leak in ReadGenericProfile". (Credit to OSS-Fuzz) 2018-06-17 Bob Friesenhahn * coders/xcf.c (load_level): Make sure to free 'tile_image' before returning exception. Fixes oss-fuzz 8935 "graphicsmagick/coder_XCF_fuzzer: Indirect-leak in CloneImage". (Credit to OSS-Fuzz) * coders/jpeg.c (ReadJPEGImage): Allow three warnings of any given type before promoting the next warning of the same type to a hard error. The warning limit may be adjusted by the user using -define jpeg:max-warnings=. Fixes oss-fuzz 8704 "graphicsmagick/coder_JPG_fuzzer: Out-of-memory in graphicsmagick_coder_JPG_fuzzer". (Credit to OSS-Fuzz) * coders/png.c (ReadPNGImage): Detect EOF when reading magic_number. Fixes oss-fuzz 8944 "graphicsmagick/coder_PNG_fuzzer: Use-of-uninitialized-value in ReadPNGImage". 
(Credit to OSS-Fuzz) (ReadPNGImage, ReadJNGImage): Makes sure that return value of ReadBlob() is always checked to detect EOF. 2018-06-16 Bob Friesenhahn * coders/tiff.c (ReadTIFFImage): Re-structure exception reporting so that QuantumTransferMode() exceptions thrown for PLANARCONFIG_SEPARATE images are handled immediately. Fixes oss-fuzz 8896 "graphicsmagick/coder_BIGTIFF_fuzzer: Use-of-uninitialized-value in DisassociateAlphaRegion". (Credit to OSS-Fuzz) (ReadTIFFImage): tsize_t is a signed type so be prepared for unexpected negative values produced by libtiff size functions. Fixes oss-fuzz 8934 "graphicsmagick/coder_TIFF_fuzzer: Sanitizer CHECK failure in "((0)) != (0)" (0x0, 0x0)". (Credit to OSS-Fuzz) 2018-06-16 Fojtik Jaroslav * coders/wpg.c Fix oss-fuzz 7735 "graphicsmagick/coder_WPG_fuzzer: Use-of-uninitialized-value in ReadWPGImage". (Credit to OSS-Fuzz) 2018-06-11 Bob Friesenhahn * coders/png.c (ReadMNGImage): ENDL chunk must be at least one byte in size. Fixes oss-fuzz 8832 "graphicsmagick/coder_MNG_fuzzer: Null-dereference READ in ReadMNGImage". (Credit to OSS-Fuzz) (ReadMNGImage): Length of DISC chunk must be evenly divisible by 2. Fixes oss-fuzz 8834 "graphicsmagick/coder_MNG_fuzzer: Heap-buffer-overflow in ReadMNGImage". (Credit to OSS-Fuzz) 2018-06-10 Bob Friesenhahn * coders/mpc.c (ReadMPCImage): Detect end of file while reading image directory. Similar to MIFF fixes for ImageMagick CVE-2017-18272. (RegisterMPCImage): Require seekable stream since MPC is strictly a file-based format and so GetBlobSize() is assured to work. Similar to MIFF behavior. Claimed to be part of the resolution for ImageMagick CVE CVE-2017-11449. Suggested by Petr Gajdos via email on January 3, 2018. 2018-06-09 Bob Friesenhahn * coders/miff.c (ReadMIFFImage): Detect end of file while reading image directory. Fixes SourceForge issue 565 "ImageMagick CVE-2017-18272 applies to GraphicsMagick". Thanks to Petr Gajdos for reporting this issue to us. 
* magick/import.c (ImportViewPixelArea): Use appropriate bits_per_sample validations for FloatQuantumSampleType. Fixes oss-fuzz 8780 "graphicsmagick/coder_PTIF_fuzzer: Use-of-uninitialized-value in HorizontalFilter". (Credit to OSS-Fuzz) 2018-06-09 Fojtik Jaroslav * coders/mat.c More than 4GiB are not supported in MAT! 2018-06-09 Bob Friesenhahn * coders/mat.c (ReadMATImage): Add casts to avoid arithmetic overflow when computing size and offsets. Fixes oss-fuzz 8801 "graphicsmagick/coder_MAT_fuzzer: Timeout in graphicsmagick_coder_MAT_fuzzer". (Credit to OSS-Fuzz) * magick/blob.c (ReadBlobLSBDoubles, ReadBlobMSBDoubles): Only byte-swap doubles or test doubles for NAN if we have read enough bytes for at least one double value. (ReadBlob): Add an assertion to enforce that ReadBlob() will never report reading more bytes than requested due to some implementation issue. 2018-06-08 Bob Friesenhahn * magick/blob.c (ReadBlob, WriteBlob): gzread(), BZ2_bzread(), gzwrite(), BZ2_bzwrite() return type 'int' rather than 'size_t' like their stdio equivalents. Use correct signed type to avoid returning a negative value into an unsigned type, forming a huge positive value. Fixes oss-fuzz 8600 "graphicsmagick/coder_MAT_fuzzer: Heap-buffer-overflow in ReadBlobLSBDoubles". (Credit to OSS-Fuzz) 2018-06-07 Bob Friesenhahn * coders/png.c (png_read_raw_profile): Try to shore up parsing of raw profile reading to avoid heap read overruns. Fixes oss-fuzz 8763 "graphicsmagick/coder_PNG32_fuzzer: Heap-buffer-overflow in png_read_raw_profile". (Credit to OSS-Fuzz) 2018-06-07 Fojtik Jaroslav * coders/mat.c Reduce stack usage for 64 bit architecture. 2018-06-06 Fojtik Jaroslav * coders/wpg.c Check return values of SeekBlob for more safety. 2018-06-06 Bob Friesenhahn * coders/png.c (ReadOneJNGImage): Use DestroyImageList() rather than DestroyImage() on returned Image from supposed read of JPEG data, in case multiple frames were unexpectedly returned. 
Also add "JPEG:" prefix to filename when reading from temporary file to force that it can only be read as a JPEG file, disabling format auto-detection based on file header. Fixes oss-fuzz 8755 "graphicsmagick/coder_JNG_fuzzer: Indirect-leak in AllocateImage". (Credit to OSS-Fuzz) 2018-06-05 Bob Friesenhahn * magick/blob.c (EOFBlob): Implement EOF detection for ZipStream. Does some archaic zlib not provide gzeof()? Fixes oss-fuzz 8550 "graphicsmagick/coder_MAT_fuzzer: Timeout in graphicsmagick_coder_MAT_fuzzer". (Credit to OSS-Fuzz) 2018-06-04 Bob Friesenhahn * coders/png.c (ReadOnePNGImage): Skip adding empty raw profile. Fixes oss-fuzz "graphicsmagick/coder_PNG_fuzzer: Heap-buffer-overflow in png_read_raw_profile". (Credit to OSS-Fuzz) 2018-06-03 Bob Friesenhahn * NEWS.txt: Update NEWS with latest changes. * coders/dcm.c (DCM_ReadRGBImage): Force the image to DirectClass to avoid later use of uninitialized indexes. Fixes oss-fuzz 8602 "graphicsmagick/coder_DCM_fuzzer: Use-of-uninitialized-value in DCM_PostRescaleImage". (Credit to OSS-Fuzz) (DCM_ReadPlanarRGBImage): Force the image to DirectClass to avoid later use of uninitialized indexes. * coders/png.c (ReadMNGImage): Free chunk memory in error reporting path to avoid leak. Fixes oss-fuzz 8721 "graphicsmagick/coder_MNG_fuzzer: Direct-leak in ReadMNGImage". (Credit to OSS-Fuzz) 2018-06-02 Bob Friesenhahn * magick/constitute.c (ReadImage): Assure that an error exception is thrown if coder returns null without properly reporting an exception. * magick/blob.c (BlobToImage): Assure that an error exception is thrown if coder returns null without properly reporting an exception. * coders/png.c (ReadMNGImage): Disable mystery "linked list is corrupted" code. Assure that exceptions are reported to the correct place so they are not lost. Fixes oss-fuzz 8710 "graphicsmagick/coder_MNG_fuzzer: Indirect-leak in AllocateImage". 
	(Credit to OSS-Fuzz)

	* coders/tiff.c (ReadTIFFImage): Initialize allocated scanline, strip, or tile to zero in order to avoid complaint about use of uninitialized data if libtiff fails to write all the bytes. Fixes oss-fuzz 8551 "graphicsmagick/coder_TIFF_fuzzer: Use-of-uninitialized-value in ImportGrayQuantumType". (Credit to OSS-Fuzz)

	* magick/annotate.c (RenderFreetype): Throw an exception if DrawInfo font is null. Should fix oss-fuzz 8557 "graphicsmagick/coder_PCD_fuzzer: Unknown signal in RenderFreetype" and may fix oss-fuzz 8544 "graphicsmagick/coder_PCD_fuzzer: Null-dereference READ in RenderFreetype". (Credit to OSS-Fuzz)

	* coders/jpeg.c (ReadGenericProfile): Add/improve tracing for profile size and when JPEG header is being read.

2018-06-01  Bob Friesenhahn

	* coders/png.c (ReadOneJNGImage): Report a useful exception for the case when the JNG file fails to provide the necessary image chunks to allocate the color image. Inspired by oss-fuzz 8666 "graphicsmagick/coder_JNG_fuzzer: ASSERT: data != (const char *) NULL" although the reported issue was not reproduced.

2018-05-31  Bob Friesenhahn

	* coders/png.c (ReadMNGImage): Fix off-by-one in length validation for TERM chunk which allowed one byte heap read overflow. Fixes oss-fuzz 8615 "graphicsmagick/coder_MNG_fuzzer: Heap-buffer-overflow in mng_get_long". (Credit to OSS-Fuzz)
	(ReadMNGImage): Fix leak of MngInfo in error reporting path. Fixes oss-fuzz 8604 "graphicsmagick/coder_MNG_fuzzer: Direct-leak in ReadMNGImage". (Credit to OSS-Fuzz)
	(ReadMNGImage): Verify that claimed chunk size does not exceed input size. Fixes oss-fuzz 8564 "graphicsmagick/coder_MNG_fuzzer: Out-of-memory in graphicsmagick_coder_MNG_fuzzer". (Credit to OSS-Fuzz)

	* coders/tiff.c (ReadTIFFImage): Reject files with excessive samples-per-pixel or extra-samples. Avoids potential issues observed in oss-fuzz 8634 "graphicsmagick/coder_BIGTIFF_fuzzer: Undefined-shift in ImportAlphaQuantumType".
	(Credit to OSS-Fuzz)

2018-05-30  Bob Friesenhahn

	* coders/png.c (ReadMNGImage): Assure that object id index is always less than MNG_MAX_OBJECTS to avoid overflow. Fixes oss-fuzz 8596 "graphicsmagick/coder_MNG_fuzzer: Index-out-of-bounds in ReadMNGImage" and likely other issues yet to be reported. (Credit to OSS-Fuzz)

2018-05-30  Greg Wolfe

	* magick/render.c (CompareEdges): Per ticket #562, function CompareEdges() did not conform to the qsort() requirement that if CompareEdges(edge0,edge1) returns -1 (i.e., edge0 "less than" edge1), then CompareEdges(edge1,edge0) should return 1 (edge1 "greater than" edge0). This has been fixed.

2018-05-30  Bob Friesenhahn

	* coders/png.c (ReadOneJNGImage): Deal with JDAA JNG chunk with length zero. Fixes oss-fuzz 8562 "graphicsmagick/coder_JNG_fuzzer: ASSERT: data != (const char *) NULL". (Credit to OSS-Fuzz)

	* coders/tiff.c (ReadTIFFImage): Check that the bits-per-sample is supported by the implementation before attempting to decode the image. Fixes oss-fuzz 8554 "graphicsmagick/coder_BIGTIFF_fuzzer: Undefined-shift in MagickBitStreamMSBWrite". (Credit to OSS-Fuzz)

	* coders/png.c (ReadMNGImage): Eliminate use of uninitialized header magic data by checking for EOF first. Fixes oss-fuzz 8597 "graphicsmagick/coder_MNG_fuzzer: Use-of-uninitialized-value in ReadMNGImage". (Credit to OSS-Fuzz)

2018-05-25  Bob Friesenhahn

	* fuzzing/oss-fuzz-build.sh: More fixes based on what is observed in oss-fuzz build log.

2018-05-24  Fojtik Jaroslav

	* coders/jnx.c: The attribute should belong to only one scene and not to whole image list.

2018-05-24  Bob Friesenhahn

	* fuzzing/oss-fuzz-build.sh: Changes to add CPPFLAGS to configure executions to hopefully get oss-fuzz build closer to success.

2018-05-23  Bob Friesenhahn

	* PerlMagick/t/jpeg/read.t: Add a JNX reader test case.

	* coders/jnx.c (ReadJNXImage): JNX image depth should be 8.
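The 2018-06-08 ReadBlob entry and the 2018-05-31 ReadMNGImage entries above are two ends of one defect class: a length is trusted before it is checked. The first is an int return from gzread()/BZ2_bzread() stored into size_t, so -1 becomes a huge byte count; the others are a chunk length compared against the input one byte too late, and a claimed chunk size never compared against the input at all. The C below is an added example written for this page, not GraphicsMagick code. It stands in for the blob layer with a constructed `fake_gzread()` (not zlib) that mimics the int return, and walks PNG/MNG-style chunks (4-byte length, 4-byte type, data, 4-byte CRC) over constructed buffers. The TERM chunk sizes it accepts (1 byte, or 10 bytes with the 4-byte delay at offset 2) are my reading of the MNG specification, not something the ChangeLog states.

```c
#include <assert.h>
#include <limits.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for gzread(): copies up to len bytes of a fixed
 * 3-byte payload, or returns -1 when fail is set.  Not zlib. */
static int fake_gzread(int fail, void *buf, unsigned len)
{
    unsigned n = len < 3 ? len : 3;
    if (fail)
        return -1;
    memcpy(buf, "abc", n);
    return (int)n;
}

/* Pre-fix pattern: an int assigned straight to size_t turns -1 into
 * SIZE_MAX, and the caller then believes it owns that many bytes. */
static size_t read_blob_unsafe(int fail, size_t length, void *buf)
{
    size_t count = fake_gzread(fail, buf, (unsigned)length);
    return count;
}

/* Keep the count signed until its sign is checked, cap the request to what
 * an int can express, and never report more than was requested. */
static size_t read_blob_safe(int fail, size_t length, void *buf)
{
    if (length > (size_t)INT_MAX)
        length = (size_t)INT_MAX;
    int count = fake_gzread(fail, buf, (unsigned)length);
    if (count < 0)
        return 0;                      /* error: nothing was read */
    assert((size_t)count <= length);   /* the ReadBlob() assertion of 2018-06-09 */
    return (size_t)count;
}

/* Big-endian u32 read that refuses to touch bytes at or past end.  Testing
 * "end - p < 3" instead of "< 4" here is the one-byte-over-read off-by-one. */
static int get_u32_be(const uint8_t *p, const uint8_t *end, uint32_t *out)
{
    if (end - p < 4)
        return 0;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 1;
}

/* Walk PNG/MNG-style chunks (4-byte length, 4-byte type, data, 4-byte CRC),
 * rejecting any chunk whose claimed length exceeds the bytes remaining
 * before anything is allocated or read.  CRCs are not verified.  Returns
 * the chunk count or -1; *term_delay (may be NULL) gets a 10-byte TERM's delay. */
static int walk_chunks(const uint8_t *buf, size_t len, uint32_t *term_delay)
{
    const uint8_t *p = buf, *end = buf + len;
    uint32_t scratch;
    int count = 0;
    while (p < end) {
        uint32_t clen;
        if (!get_u32_be(p, end, &clen) || end - p < 8)
            return -1;
        const uint8_t *type = p + 4;
        p += 8;
        /* subtract the CRC first so a length near UINT32_MAX cannot wrap */
        size_t remaining = (size_t)(end - p);
        if (remaining < 4 || remaining - 4 < clen)
            return -1;
        if (memcmp(type, "TERM", 4) == 0) {
            /* assumed MNG TERM layout: 1 byte, or 10 with the delay at offset 2 */
            if (clen != 1 && clen != 10)
                return -1;
            if (clen == 10 &&
                !get_u32_be(p + 2, p + clen, term_delay ? term_delay : &scratch))
                return -1;
        }
        p += clen + 4;
        count++;
    }
    return count;
}

/* Constructed inputs: a valid 10-byte TERM with delay 300, a chunk claiming
 * 0xFFFFFFFF data bytes, and a TERM that is one byte short. */
static const uint8_t kGoodTerm[] = { 0,0,0,10, 'T','E','R','M',
    3,0, 0,0,1,0x2C, 0,0,0,0, 0xAA,0xBB,0xCC,0xDD };
static const uint8_t kOversized[] = { 0xFF,0xFF,0xFF,0xFF, 'I','H','D','R', 1,2,3,4 };
static const uint8_t kShortTerm[] = { 0,0,0,9, 'T','E','R','M',
    3,0, 0,0,1,0x2C, 0,0,0, 0xAA,0xBB,0xCC,0xDD };
static uint8_t g_buf[8];

/* Delay parsed from kGoodTerm, or 0 if the walker rejected it. */
static uint32_t good_term_delay(void)
{
    uint32_t delay = 0;
    return walk_chunks(kGoodTerm, sizeof kGoodTerm, &delay) == 1 ? delay : 0;
}

int main(void)
{
    int ok = read_blob_unsafe(1, sizeof g_buf, g_buf) == SIZE_MAX &&
             read_blob_safe(1, sizeof g_buf, g_buf) == 0 &&
             read_blob_safe(0, sizeof g_buf, g_buf) == 3 &&
             good_term_delay() == 300 &&
             walk_chunks(kOversized, sizeof kOversized, NULL) == -1 &&
             walk_chunks(kShortTerm, sizeof kShortTerm, NULL) == -1;
    return ok ? 0 : 1;
}
```

The two readers differ only in where the sign check happens; everything downstream of `read_blob_unsafe()` sees SIZE_MAX "bytes read" and will index far past the buffer, which is exactly the shape of the ReadBlobLSBDoubles overflow. In the chunk walker the claimed length is compared against `remaining - 4` rather than `remaining < clen + 4`, because the addition can wrap on a 32-bit size_t while the subtraction cannot once `remaining >= 4` has been established.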
	* fuzzing/oss-fuzz-build.sh: Apply patch from Alex Gaynor to switch libpng to autotools build system, as well as configure GraphicsMagick with '--with-quantum-depth=16'.

2018-05-22  Bob Friesenhahn

	* coders/tiff.c (ReadTIFFImage): Validate tile memory requests for the TIFFReadRGBATile() case in the same way as the TIFFReadTile() case. Fixes oss-fuzz 8434 "graphicsmagick/coder_BIGTIFF_fuzzer: Out-of-memory in graphicsmagick_coder_BIGTIFF_fuzzer". (Credit to OSS-Fuzz)

2018-05-21  Bob Friesenhahn

	* coders/tile.c (ReadTILEImage): Remove any existing size request while reading the image to tile. This avoids size being used for both the input image size and the tile image size. Fixes SourceForge issue #563 "tile: appears to blow image up by 100% before applying tiling".

2018-05-20  Bob Friesenhahn

	* fuzzing/oss-fuzz-build.sh: Patch from Paul Kehrer to disable libpng test programs and binaries while building libpng in support of oss-fuzz testing.

	* coders/dcm.c (DCM_ReadGrayscaleImage): If a palette was provided, the image may be in PseudoClass but we need DirectClass for gray image when GRAYSCALE_USES_PALETTE is not defined. Fixes oss-fuzz 7550 "graphicsmagick/coder_DCM_fuzzer: Use-of-uninitialized-value in SyncImageCallBack". (Credit to OSS-Fuzz)
	(ReadDCMImage): Restore use of DCM_PostRescaleImage() in order to obtain suitably scaled DICOM again. Hopefully it is more robust now.
	(DCM_ReadPaletteImage): Assure that DirectClass pixels are initialized.

2018-05-19  Bob Friesenhahn

	* coders/tiff.c (ReadTIFFImage): Remove strange addition of image->columns to pixel buffer offsets which now causes a heap overflow since the buffer has been right-sized. Perhaps the extra offset plus the over-sized allocation was some attempt to avoid buffer over/underflows due to bugs in libtiff. Fixes oss-fuzz 8384 "graphicsmagick/coder_BIGTIFF_fuzzer: Heap-buffer-overflow in put1bitbwtile" which is described to be a regression.
	(Credit to OSS-Fuzz)

	* magick/render.c (DrawImage): Fix wrong range checks which caused spurious "Parsing of SVG images fail with "Non-conforming drawing primitive definition (push)" failure. Fixes SourceForge issue 561 "Parsing of SVG images fail with "Non-conforming drawing primitive definition (push)"" which is due to problems caused by the fix for SourceForge issue 517.

	* coders/tiff.c (WritePTIFImage): Use '-define ptif:minimum-geometry=' to specify the smallest subresolution frame which is produced by the PTIF (Pyramid TIFF) writer.

2018-05-18  Bob Friesenhahn

	* coders/tiff.c (WritePTIFImage): Allow 1x1 input image to be supported.

	* coders/png.c (ReadOneJNGImage): Unconditionally free JDAT chunk memory. Fixes oss-fuzz 8366 "graphicsmagick/coder_JNG_fuzzer: Direct-leak in ReadOneJNGImage". (Credit to OSS-Fuzz)

	* coders/tiff.c (WritePTIFImage): Fix leak of pyramid Image list if ResizeImage() fails. Fixes oss-fuzz 8364 "graphicsmagick/coder_PTIF_fuzzer: Indirect-leak in CloneImage". (Credit to OSS-Fuzz)

2018-05-17  Bob Friesenhahn

	* coders/tiff.c (WriteTIFFImage): Add and use ThrowTIFFWriterException() macro to consistently clean-up when throwing writer exception. May fix oss-fuzz 8321 "graphicsmagick/coder_EPT_fuzzer: Direct-leak in TIFFClientOpen". (Credit to OSS-Fuzz)
	(ReadTIFFImage): Add and use ThrowTIFFReaderException() macro to consistently clean-up when throwing reader exception.

2018-05-16  Greg Wolfe

	* magick/alpha_composite.h (AlphaCompositePixel): The macro definition for MagickAlphaCompositeQuantum in alpha_composite.h computes an expression of the form:

	    a * b + c * d * e

	Code in function AlphaCompositePixel() (also in alpha_composite.h) multiplies the result of this macro by variable "delta" as follows:

	    delta * a * b + c * d * e

	However, the intended result is actually:

	    delta * ( a * b + c * d * e )

	The macro definition has been modified to enclose the entire expression in parentheses.
	The effects of this bug were particularly evident at the boundary between a stroked polygon and a transparent black region. More generally, an incorrect composited pixel value was being computed by AlphaCompositePixel() whenever the output alpha value was not 100% opaque.

2018-05-16  Bob Friesenhahn

	* tests/rwblob.tap: Add a test for PTIF format.

	* coders/tiff.c (WritePTIFImage): Fix Image blob referencing in order to avoid double-free when writing PTIF to memory BLOB. Fixes oss-fuzz 8280 "graphicsmagick/coder_PTIF_fuzzer: Heap-double-free in Magick::BlobRef::~BlobRef". (Credit to OSS-Fuzz)

2018-05-14  Bob Friesenhahn

	* coders/tiff.c (WriteTIFFImage): Use libtiff's TIFFDefaultStripSize() function rather than an old porting macro required by some defunct libtiff version. Expected to fix oss-fuzz 8248 "graphicsmagick/coder_EPT_fuzzer: Floating-point-exception in WriteTIFFImage". (Credit to OSS-Fuzz)

2018-05-13  Fojtik Jaroslav

	* coders/mat.c: Fix potential leak when compressed object is corrupted. Fixes oss-fuzz 8251. (Credit to OSS-Fuzz)

2018-05-13  Bob Friesenhahn

	* coders/tiff.c (ReadTIFFImage): Fix leak of Image when TIFFReadRGBAImage() reports failure. Also harden buffer allocation calculation. Fixes oss-fuzz 8275 "graphicsmagick/coder_BIGTIFF_fuzzer: Indirect-leak in AllocateImage". (Credit to OSS-Fuzz)

	* coders/ept.c (ReadEPTImage): Add validations of 'count' and 'filesize' read from EPT file. In response to oss-fuzz 8248 "graphicsmagick/coder_EPT_fuzzer: Floating-point-exception in WriteTIFFImage" but we are unable to recreate the oss-fuzz issue since the EPT reader already immediately reports an EOF exception.

2018-05-12  Bob Friesenhahn

	* fuzzing/oss-fuzz-build.sh: Apply SourceForge patch #57 "Add fuzzing support for jpeg + freetype delegates" by Alex Gaynor.

	* coders/png.c (read_user_chunk_callback): Fix memory leak and use of uninitialized memory when handling eXIf chunk. Fixes oss-fuzz 8247 "graphicsmagick/coder_PNG24_fuzzer: Direct-leak in png_malloc".
	(Credit to OSS-Fuzz)

2018-05-11  Bob Friesenhahn

	* fuzzing/oss-fuzz-build.sh: Apply SourceForge patch #56 "Use a few delegate libraries in fuzzing" by Alex Gaynor.

2018-05-10  Bob Friesenhahn

	* tests/rwfile.tap: MIFF zip and bzip compression tests do not fail if zlib and bzlib are not available because the compression request is silently changed to no compression.

2018-05-07  Greg Wolfe

	* magick/render.c (DrawImage, InsertAttributeIntoInputStream): For a reference such as 'class="classname"', the "classname" is now allowed to be undefined.

	* coders/svg.c (ProcessStyleClassDefs): Class definitions defined within a