
imagemagick-6.6.6.10-5.3.mga1.src.rpm

diff -uNr ImageMagick-6.6.6-10-dos//magick/profile.c ImageMagick-6.6.6-10//magick/profile.c
--- ImageMagick-6.6.6-10-dos//magick/profile.c	2012-04-13 22:26:16.519542438 -0400
+++ ImageMagick-6.6.6-10//magick/profile.c	2012-04-13 22:26:31.297191247 -0400
@@ -1827,9 +1827,12 @@
   EndianType
     endian;
 
-  int
+  size_t
     offset;
 
+  SplayTreeInfo
+    *exif_resources;
+
   ssize_t
     id,
     level;
@@ -1889,12 +1892,14 @@
   /*
     This the offset to the first IFD.
   */
-  offset=(int) ReadProfileLong(endian,exif+4);
+  offset=(size_t) ((int) ReadProfileLong(endian,exif+4));
   if ((size_t) offset >= length)
     return(MagickFalse);
   directory=exif+offset;
   level=0;
   entry=0;
+  exif_resources=NewSplayTree((int (*)(const void *,const void *)) NULL,
+    (void *(*)(void *)) NULL,(void *(*)(void *)) NULL);
   do
   {
     if (level > 0)
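Review bot: The intermediate `(int)` cast in `offset=(size_t) ((int) ReadProfileLong(endian,exif+4));` sign-extends on LP64 targets, so any profile value with the top bit set becomes a size_t above 2^63 rather than its actual value; the following `offset >= length` test rejects both, so the result is the same, but the cast only obscures the intent, and with `offset` now a size_t the `(size_t)` cast on the next line is dead. If ReadProfileLong returns an unsigned 32-bit value (not visible here), `offset=(size_t) ReadProfileLong(endian,exif+4);` followed by `if (offset >= length)` says the same thing more plainly. The same double cast and redundant `(size_t)` appear in the hunk at new lines 1942-1956 (`offset=(size_t) ((int) ReadProfileLong(endian,q+8));`). The do-loop this hunk opens continues past the hunk.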
@@ -1924,6 +1929,9 @@
         number_bytes;
 
       q=(unsigned char *) (directory+2+(12*entry));
+      if (GetValueFromSplayTree(exif_resources,q) == q)
+        break;
+      (void) AddValueToSplayTree(exif_resources,q,q);
       tag_value=(ssize_t) ReadProfileShort(endian,q);
       format=(ssize_t) ReadProfileShort(endian,q+2);
       if ((format-1) >= EXIF_NUM_FORMATS)
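Review bot: The splay-tree check on `q` carries no comment, and a reader cannot tell from the three added lines why a directory entry pointer is being stored and looked up; from the `break` on a hit it appears to act as a visited set that stops traversal when an IFD chain loops back onto an entry already processed. Stating that above the lookup, e.g. `/* Entry already visited: the IFD chain is circular, stop walking it. */`, would make the guard's purpose and the choice of `q` as the key clear. Note that `break` only leaves the innermost loop, which begins before this hunk, so whether the outer `do ... while (level > 0)` then terminates depends on code outside the hunk and is worth confirming.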
@@ -1934,13 +1942,15 @@
         p=q+8;
       else
         {
-          int
+          size_t
             offset;
 
           /*
             The directory entry contains an offset.
           */
-          offset=(int) ReadProfileLong(endian,q+8);
+          offset=(size_t) ((int) ReadProfileLong(endian,q+8));
+          if ((offset+number_bytes) < offset)
+            continue;  /* prevent overflow */
           if ((size_t) (offset+number_bytes) > length)
             continue;
           p=(unsigned char *) (exif+offset);
@@ -2007,5 +2017,6 @@
         }
     }
   } while (level > 0);
+  exif_resources=DestroySplayTree(exif_resources);
   return(MagickTrue);
 }
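Review bot: `exif_resources` is destroyed only on the fall-through path after the `do ... while (level > 0)` loop, so any `return` that exists inside the loop body (the bulk of the loop lies outside these hunks, so this cannot be confirmed here) now leaks the tree allocated by NewSplayTree. If such early returns exist, they should either go through a single exit that calls `DestroySplayTree`, or the function should set a status flag and `break` to reach the existing cleanup line. The `return(MagickFalse)` in the earlier hunk at new line 1897 is fine, since it precedes the allocation.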
diff -uNr ImageMagick-6.6.6-10-dos//magick/property.c ImageMagick-6.6.6-10//magick/property.c
--- ImageMagick-6.6.6-10-dos//magick/property.c	2012-04-13 22:26:16.518542462 -0400
+++ ImageMagick-6.6.6-10//magick/property.c	2012-04-13 22:26:31.298191223 -0400
@@ -1313,6 +1313,8 @@
             The directory entry contains an offset.
           */
           offset=(ssize_t) ((int) ReadPropertyLong(endian,q+8));
+          if ((offset+number_bytes) < offset)
+            continue;  /* prevent overflow */
           if ((size_t) (offset+number_bytes) > length)
             continue;
           p=(unsigned char *) (exif+offset);
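Review bot: Here `offset` is a signed ssize_t produced via an `(int)` cast, and neither the new overflow test nor the existing `(size_t) (offset+number_bytes) > length` test rejects a negative value: a negative `offset` with a `number_bytes` larger than its magnitude yields a small non-negative sum that passes both checks, and `p=(unsigned char *) (exif+offset);` then points before the buffer (whether `number_bytes` can reach such values is not visible in this hunk, so this needs confirming against its computation). A sign check before the arithmetic closes that gap: `if ((offset < 0) || ((size_t) offset >= length)) continue;` and then `if (number_bytes > length-(size_t) offset) continue;`, which also removes the need for the wrap-around test. Separately, if `number_bytes` is itself a signed type, `(offset+number_bytes) < offset` is a signed-overflow check performed after the overflow, which is undefined behaviour and may be dropped by the optimizer; doing the comparison in size_t as above avoids that. The enclosing function starts and ends outside this hunk.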