From 2d90693af41a363a988a9db3a91a15f9ca7c7370 Mon Sep 17 00:00:00 2001 From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74> Date: Sat, 20 Dec 2014 13:40:37 +0000 Subject: Added checks to prevent overflow in rle file git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17348 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74 origin: http://trac.imagemagick.org/changeset/17348 diff --git a/coders/rle.c b/coders/rle.c index 4cc6a96..7341919 100644 --- a/coders/rle.c +++ b/coders/rle.c @@ -181,7 +181,9 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) map_length, number_colormaps, number_planes, - one; + one, + offset, + pixel_info_length; ssize_t count, @@ -310,8 +312,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) number_pixels=(MagickSizeType) image->columns*image->rows; if ((number_pixels*number_planes) != (size_t) (number_pixels*number_planes)) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); - pixel_info=AcquireVirtualMemory(image->columns,image->rows* - MagickMax(number_planes,4)*sizeof(*pixels)); + pixel_info_length=image->columns*image->rows*MagickMax(number_planes,4); + pixel_info=AcquireVirtualMemory(pixel_info_length,sizeof(*pixels)); if (pixel_info == (MemoryInfo *) NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info); @@ -379,9 +381,17 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) operand=ReadBlobByte(image); if (opcode & 0x40) operand=(int) ReadBlobLSBShort(image); - p=pixels+((image->rows-y-1)*image->columns*number_planes)+ - x*number_planes+plane; + offset=((image->rows-y-1)*image->columns*number_planes)+x* + number_planes+plane; operand++; + if (offset+((size_t) operand*number_planes) > pixel_info_length) + { + if (number_colormaps != 0) + colormap=(unsigned char *) RelinquishMagickMemory(colormap); + pixel_info=RelinquishVirtualMemory(pixel_info); + ThrowReaderException(CorruptImageError,"UnableToReadImageData"); + } + p=pixels+offset; for (i=0; i < (ssize_t) operand; i++) { pixel=(unsigned char) ReadBlobByte(image); @@ -403,8 +413,16 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) pixel=(unsigned char) ReadBlobByte(image); (void) ReadBlobByte(image); operand++; - p=pixels+((image->rows-y-1)*image->columns*number_planes)+ - x*number_planes+plane; + offset=((image->rows-y-1)*image->columns*number_planes)+x* + number_planes+plane; + p=pixels+offset; + if (offset+((size_t) operand*number_planes) > pixel_info_length) + { + if (number_colormaps != 0) + colormap=(unsigned char *) RelinquishMagickMemory(colormap); + pixel_info=RelinquishVirtualMemory(pixel_info); + ThrowReaderException(CorruptImageError,"UnableToReadImageData"); + } for (i=0; i < (ssize_t) operand; i++) { if ((y < (ssize_t) image->rows) && -- cgit v0.10.2