Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Completion of error handling #196

Closed
elfring opened this issue May 6, 2016 · 6 comments
Closed

Completion of error handling #196

elfring opened this issue May 6, 2016 · 6 comments

Comments

@elfring
Copy link

elfring commented May 6, 2016

Would you like to add more error handling for return values from functions like the following?
dlemstra pushed a commit that referenced this issue Jun 4, 2016
https://github.com/ImageMagick/ImageMagick/issues/196
933e96f
dlemstra pushed a commit that referenced this issue Jun 4, 2016
https://github.com/ImageMagick/ImageMagick/issues/196
4e914bb
dlemstra pushed a commit that referenced this issue Jun 4, 2016
https://github.com/ImageMagick/ImageMagick/issues/196
1be809a
@mikayla-grace
Copy link

Thanks for your suggestion, we added additional error handling to ConcatenateImages() and ReadGROUP4Image().

@dlemstra dlemstra closed this as completed Jun 4, 2016
@elfring
Copy link
Author

elfring commented Jun 4, 2016

I suggest to avoid ignorance of return values a bit more. Would you like to detect every error situation as early as possible?

How do you think about to improve static source code analysis also for this software?

@anarcat
Copy link

anarcat commented Dec 20, 2016

it looks like 933e96f wasn't backported to -6?

@mikayla-grace
Copy link

ImageMagick version 6 includes a ConcatenateImages() method in wand/convert.c and it checks for IO conditions like ConcatenateImages() of version 7. Given that, what do you mean when you suggest it was not backported.

@anarcat
Copy link

anarcat commented Dec 20, 2016

i stand corrected. it's just the commit wasn't linked to this issue so I assumed (mistakenly) that it wasn't backported.

@carnil
Copy link

carnil commented Dec 28, 2016
edited

Three CVEs have been assigned for those issues. AFAICT, the one for the error handling of the fwrite's in ReadGROUP4Image would still be open?

> Check return of write function
> ==============================
> 
> Debian bug: https://bugs.debian.org/845196
> Reference URL: https://security-tracker.debian.org/845196
> Upstream commit:
> - https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a \
>                 02a046e7
> - https://github.com/ImageMagick/ImageMagick/commit/4e914bbe371433f0590cefdf3bd5f3a5 \
> 710069f9 Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/196
> Upstream version fixed: 7.0.1-10
> 
> The above fixes may be incomplete, according to the upstream issue. In
> addition, the -6 branch seems to have an incomplete fix as well.

Use CVE-2016-10060 for the issue fixed in 933e96f01a8c889c7bf5ffd30020e86a02a046e7.
Use CVE-2016-10061 for the issue fixed in 4e914bbe371433f0590cefdf3bd5f3a5710069f9.

Use CVE-2016-10062 for the fwrite issue in ReadGROUP4Image. This was
specifically noted at the beginning of issues/196, but not fixed in
either of these commits. It is not the same as the fputc issue in
ReadGROUP4Image.

Origin: https://marc.info/?l=oss-security&m=148278818528413&w=2

@bastien-roucaries bastien-roucaries mentioned this issue Jan 11, 2017
Closed
dlemstra pushed a commit that referenced this issue Jan 11, 2017
https://github.com/ImageMagick/ImageMagick/issues/352
8ed56f4 
#196
dlemstra pushed a commit that referenced this issue Jan 11, 2017
https://github.com/ImageMagick/ImageMagick/issues/352
41e9559 
#196
@YangY-Xiao YangY-Xiao mentioned this issue Jul 5, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@elfring @carnil @anarcat @dlemstra @mikayla-grace