[Secure-testing-team] Bug#836776: SGI security bug

Bastien ROUCARIES roucaries.bastien at gmail.com
Mon Sep 5 15:44:18 UTC 2016


Package: src:imagemagick
Version: 8:6.7.7.10-4
Severity: grave
Tags: patch security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org


According to the upstream changelog, a new bug:
buffer overflow in SGI coders (bug report from
pwchen&rayzhong of tencent).


Author: Cristy <urban-warrior at imagemagick.org>
Date:   Thu Aug 18 18:24:24 2016 -0400

    Prevent buffer overflow in BMP & SGI coders (bug report from
    pwchen&rayzhong of tencent)

diff --git a/ChangeLog b/ChangeLog
index 89ea234..b5b3f1e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,5 @@
 2016-08-15  6.9.5-8 Cristy  <quetzlzacatenango at image...>
-  * Prevent buffer overflow in BMP coder (bug report from
+  * Prevent buffer overflow in BMP & SGI coders (bug report from
          pwchen&rayzhong of tencent).

 2016-08-14  6.9.5-7 Cristy  <quetzlzacatenango at image...>
diff --git a/coders/sgi.c b/coders/sgi.c
index 756f7e6..96f18a0 100644
--- a/coders/sgi.c
+++ b/coders/sgi.c
@@ -355,13 +355,15 @@ static Image *ReadSGIImage(const ImageInfo
*image_info,ExceptionInfo *exception)
     image->rows=iris_info.rows;
     image->depth=(size_t) MagickMin(iris_info.depth,MAGICKCORE_QUANTUM_DEPTH);
     if (iris_info.pixel_format == 0)
-      image->depth=(size_t) MagickMin((size_t) 8*
-        iris_info.bytes_per_pixel,MAGICKCORE_QUANTUM_DEPTH);
+      image->depth=(size_t) MagickMin((size_t) 8*iris_info.bytes_per_pixel,
+        MAGICKCORE_QUANTUM_DEPTH);
     if (iris_info.depth < 3)
       {
         image->storage_class=PseudoClass;
         image->colors=iris_info.bytes_per_pixel > 1 ? 65535 : 256;
       }
+    if (EOFBlob(image) != MagickFalse)
+      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     if ((image_info->ping != MagickFalse)  && (image_info->number_scenes != 0))
       if (image->scene >= (image_info->scene+image_info->number_scenes-1))
         break;
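Review bot: the added `EOFBlob(image)` check is the security-relevant part of this hunk and its position is right: it runs after the header fields have been consumed into `iris_info` and copied into `image->depth` / `image->colors`, but before the `image_info->ping` / `number_scenes` early `break`, so a truncated header is rejected in ping mode as well, and nothing in this hunk allocates based on `iris_info.rows`, `iris_info.depth` or `iris_info.bytes_per_pixel` before the check runs. Two points: (1) the check only detects that the blob reached end-of-file while the header was being read; within this hunk nothing bounds `iris_info.bytes_per_pixel`, which feeds both `image->depth` (via `8*iris_info.bytes_per_pixel`) and the `65535 : 256` choice for `image->colors`, so a comment stating where those fields are range-checked, or a check next to this one, would make the intent of the fix clearer for whoever backports it. (2) The re-wrap of the `image->depth=(size_t) MagickMin((size_t) 8*iris_info.bytes_per_pixel,` line is purely cosmetic and unrelated to the overflow fix; keeping it out of a security patch makes the backport to 8:6.7.7.10-4 smaller and easier to review.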


