
imagemagick-6.8.9.9-4.mga5.src.rpm

From 2d90693af41a363a988a9db3a91a15f9ca7c7370 Mon Sep 17 00:00:00 2001
From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Sat, 20 Dec 2014 13:40:37 +0000
Subject: Added checks to prevent overflow in rle file

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17348 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin:  http://trac.imagemagick.org/changeset/17348

diff --git a/coders/rle.c b/coders/rle.c
index 4cc6a96..7341919 100644
--- a/coders/rle.c
+++ b/coders/rle.c
@@ -181,7 +181,9 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
     map_length,
     number_colormaps,
     number_planes,
-    one;
+    one,
+    offset,
+    pixel_info_length;
 
   ssize_t
     count,
@@ -310,8 +312,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
     number_pixels=(MagickSizeType) image->columns*image->rows;
     if ((number_pixels*number_planes) != (size_t) (number_pixels*number_planes))
       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-    pixel_info=AcquireVirtualMemory(image->columns,image->rows*
-      MagickMax(number_planes,4)*sizeof(*pixels));
+    pixel_info_length=image->columns*image->rows*MagickMax(number_planes,4);
+    pixel_info=AcquireVirtualMemory(pixel_info_length,sizeof(*pixels));
     if (pixel_info == (MemoryInfo *) NULL)
       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
     pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
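Review bot: The new product `image->columns*image->rows*MagickMax(number_planes,4)` is computed with no overflow check of its own, and the guard two lines above only proves that `number_pixels*number_planes` fits in a `size_t`. When `number_planes` is below 4, the multiplication by 4 can still wrap (most easily on 32-bit builds), leaving `pixel_info_length` and the allocation smaller than the image geometry implies. Because the factors are now multiplied before the call, any overflow check inside `AcquireVirtualMemory` (not visible here) sees only the already-wrapped count. I would extend the existing guard to the real multiplier, e.g. `if ((number_pixels*MagickMax(number_planes,4)) != (size_t) (number_pixels*MagickMax(number_planes,4)))`, before assigning `pixel_info_length`. The type of `pixel_info_length` is declared outside this hunk and is presumably `size_t`.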
@@ -379,9 +381,17 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
           operand=ReadBlobByte(image);
           if (opcode & 0x40)
             operand=(int) ReadBlobLSBShort(image);
-          p=pixels+((image->rows-y-1)*image->columns*number_planes)+
-            x*number_planes+plane;
+          offset=((image->rows-y-1)*image->columns*number_planes)+x*
+            number_planes+plane;
           operand++;
+          if (offset+((size_t) operand*number_planes) > pixel_info_length)
+            {
+              if (number_colormaps != 0)
+                colormap=(unsigned char *) RelinquishMagickMemory(colormap);
+              pixel_info=RelinquishVirtualMemory(pixel_info);
+              ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+            }
+          p=pixels+offset;
           for (i=0; i < (ssize_t) operand; i++)
           {
             pixel=(unsigned char) ReadBlobByte(image);
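Review bot: The added check `if (offset+((size_t) operand*number_planes) > pixel_info_length)` appears to use unsigned arithmetic that can wrap, so an out-of-range `offset` may still pass it. `offset` is derived from `image->rows-y-1` and `x`, and nothing in this hunk shows that `y` and `x` were range-checked first. If `y` can reach `image->rows`, the subtraction wraps to a very large value and the sum can wrap back below `pixel_info_length`. Testing `offset` on its own before adding to it closes that gap: `if ((offset > pixel_info_length) || ((size_t) operand*number_planes > pixel_info_length-offset))`. The identical check in the next hunk needs the same change; the enclosing loop and the rest of `ReadRLEImage` lie outside the hunk.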
@@ -403,8 +413,16 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
           pixel=(unsigned char) ReadBlobByte(image);
           (void) ReadBlobByte(image);
           operand++;
-          p=pixels+((image->rows-y-1)*image->columns*number_planes)+
-            x*number_planes+plane;
+          offset=((image->rows-y-1)*image->columns*number_planes)+x*
+            number_planes+plane;
+          p=pixels+offset;
+          if (offset+((size_t) operand*number_planes) > pixel_info_length)
+            {
+              if (number_colormaps != 0)
+                colormap=(unsigned char *) RelinquishMagickMemory(colormap);
+              pixel_info=RelinquishVirtualMemory(pixel_info);
+              ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+            }
           for (i=0; i < (ssize_t) operand; i++)
           {
             if ((y < (ssize_t) image->rows) &&
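Review bot: In this hunk `p=pixels+offset;` is evaluated before the bounds check, whereas the previous hunk assigns `p` only after the check has passed. Forming a pointer past the end of the allocation is undefined behaviour in C even if it is never dereferenced, and the differing order makes the two otherwise identical branches harder to audit. Move `p=pixels+offset;` to just after the closing brace of the `if` block so both run-length opcodes follow the same validate-then-use order. The six-line cleanup (free `colormap`, relinquish `pixel_info`, throw `CorruptImageError`) is also duplicated verbatim in both hunks. A short comment such as `/* reject runs that would write past the pixel buffer */` at each site, or a shared helper, would keep the two from drifting apart.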
-- 
cgit v0.10.2