From 7f7b0f8e5eb8f4180e31ed93c65f0e1dd20050cb Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Mon, 15 Dec 2014 01:32:48 +0000
Subject: Robustify xmp and pnm reader
git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17240 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin: http://trac.imagemagick.org/changeset/17245 and http://trac.imagemagick.org/changeset/17240 and http://trac.imagemagick.org/changeset/17248
diff --git a/coders/pnm.c b/coders/pnm.c
index 505a37f..64da096 100644
--- a/coders/pnm.c
+++ b/coders/pnm.c
@@ -199,7 +199,7 @@ static unsigned int PNMInteger(Image *image,const unsigned int base)
return(0);
if (c == (int) '#')
PNMComment(image);
- } while (isdigit(c) == MagickFalse);
+ } while (isdigit(c) == 0);
if (base == 2)
return((unsigned int) (c-(int) '0'));
/*
@@ -211,13 +211,11 @@ static unsigned int PNMInteger(Image *image,const unsigned int base)
if (value > (unsigned int) (INT_MAX/10))
break;
value*=10;
- if (value > (INT_MAX-c))
+ if (value > (INT_MAX-(c-(int) '0')))
break;
value+=c-(int) '0';
c=ReadBlobByte(image);
- if (c == EOF)
- return(value);
- } while (isdigit(c) != MagickFalse);
+ } while (isdigit(c) != 0);
return(value);
}
diff --git a/coders/xbm.c b/coders/xbm.c
index ad5ab6a..d8045fc 100644
--- a/coders/xbm.c
+++ b/coders/xbm.c
@@ -131,33 +131,38 @@ static MagickBooleanType IsXBM(const unsigned char *magick,const size_t length)
%
*/
-static int XBMInteger(Image *image,short int *hex_digits)
-{
+static unsigned int XBMInteger(Image *image,short int *hex_digits)
+{
int
- c,
- flag,
+ c;
+
+ unsigned int
value;
-
- value=0;
- flag=0;
- for ( ; ; )
- {
+
+ /*
+ Skip any leading whitespace.
+ */
+ do
+ {
c=ReadBlobByte(image);
if (c == EOF)
- {
- value=(-1);
- break;
- }
+ return(0);
+ } while (hex_digits[c] < 0);
+ /*
+ Evaluate number.
+ */
+ value=0;
+ do
+ {
+ if (value > (unsigned int) (INT_MAX/10))
+ break;
+ value*=16;
c&=0xff;
- if (isxdigit(c) != MagickFalse)
- {
- value=(int) ((size_t) value << 4)+hex_digits[c];
- flag++;
- continue;
- }
- if ((hex_digits[c]) < 0 && (flag != 0))
+ if (value > (INT_MAX-hex_digits[c]))
break;
- }
+ value+=hex_digits[c];
+ c=ReadBlobByte(image);
+ } while (hex_digits[c] >= 0);
return(value);
}
@@ -189,23 +194,21 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
short int
hex_digits[256];
- size_t
- bit,
- byte,
- bytes_per_line,
- length,
- padding,
- value,
- version;
-
ssize_t
y;
unsigned char
*data;
- unsigned long
+ unsigned int
+ bit,
+ byte,
+ bytes_per_line,
height,
+ length,
+ padding,
+ value,
+ version,
width;
/*
@@ -231,12 +234,12 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
width=0;
height=0;
while (ReadBlobString(image,buffer) != (char *) NULL)
- if (sscanf(buffer,"#define %s %lu",name,&width) == 2)
+ if (sscanf(buffer,"#define %s %u",name,&width) == 2)
if ((strlen(name) >= 6) &&
(LocaleCompare(name+strlen(name)-6,"_width") == 0))
break;
while (ReadBlobString(image,buffer) != (char *) NULL)
- if (sscanf(buffer,"#define %s %lu",name,&height) == 2)
+ if (sscanf(buffer,"#define %s %u",name,&height) == 2)
if ((strlen(name) >= 7) &&
(LocaleCompare(name+strlen(name)-7,"_height") == 0))
break;
@@ -339,7 +342,7 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
if (version == 10)
for (i=0; i < (ssize_t) (bytes_per_line*image->rows); (i+=2))
{
- value=(size_t) XBMInteger(image,hex_digits);
+ value=XBMInteger(image,hex_digits);
*p++=(unsigned char) value;
if ((padding == 0) || (((i+2) % bytes_per_line) != 0))
*p++=(unsigned char) (value >> 8);
@@ -347,7 +350,7 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
else
for (i=0; i < (ssize_t) (bytes_per_line*image->rows); i++)
{
- value=(size_t) XBMInteger(image,hex_digits);
+ value=XBMInteger(image,hex_digits);
*p++=(unsigned char) value;
}
/*
--
cgit v0.10.2
