From 33b2d377b94eb738011bc7d5e90ca0a16ce4d471 Mon Sep 17 00:00:00 2001 From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74> Date: Tue, 16 Dec 2014 22:50:20 +0000 Subject: Fixed parsing resource block. Avoid a crash git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17305 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74 origin: http://trac.imagemagick.org/changeset/17305 diff --git a/coders/psd.c b/coders/psd.c index eaeb6bc..e0dc766 100644 --- a/coders/psd.c +++ b/coders/psd.c @@ -521,7 +521,7 @@ static const char *ModeToString(PSDImageType type) } } -static MagickBooleanType ParseImageResourceBlocks(Image *image, +static void ParseImageResourceBlocks(Image *image, const unsigned char *blocks,size_t length, MagickBooleanType *has_merged_image) { @@ -540,7 +540,7 @@ static MagickBooleanType ParseImageResourceBlocks(Image *image, short_sans; if (length < 16) - return(MagickFalse); + return; profile=BlobToStringInfo((const void *) NULL,length); SetStringInfoDatum(profile,blocks); (void) SetImageProfile(image,"8bim",profile); @@ -552,7 +552,9 @@ static MagickBooleanType ParseImageResourceBlocks(Image *image, p=PushLongPixel(MSBEndian,p,&long_sans); p=PushShortPixel(MSBEndian,p,&id); p=PushShortPixel(MSBEndian,p,&short_sans); - p=PushLongPixel(MSBEndian,p,&count); + p=PushLongPixel(MSBEndian,p,&count); + if (p+count > blocks+length) + return; switch (id) { case 0x03ed: @@ -601,7 +603,7 @@ static MagickBooleanType ParseImageResourceBlocks(Image *image, if ((count & 0x01) != 0) p++; } - return(MagickTrue); + return; } static CompositeOperator PSDBlendModeToCompositeOperator(const char *mode) @@ -1752,7 +1754,7 @@ static Image *ReadPSDImage(const ImageInfo *image_info, (void) LogMagickEvent(CoderEvent,GetMagickModule(), " reading image resource blocks - %.20g bytes",(double) ((MagickOffsetType) length)); - blocks=(unsigned char *) AcquireQuantumMemory((size_t) length+16, + blocks=(unsigned char *) AcquireQuantumMemory((size_t) length, sizeof(*blocks)); if (blocks == (unsigned char *) NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); @@ -1763,8 +1765,7 @@ static Image *ReadPSDImage(const ImageInfo *image_info, blocks=(unsigned char *) RelinquishMagickMemory(blocks); ThrowReaderException(CorruptImageError,"ImproperImageHeader"); } - (void) ParseImageResourceBlocks(image,blocks,(size_t) length, - &has_merged_image); + ParseImageResourceBlocks(image,blocks,(size_t) length,&has_merged_image); blocks=(unsigned char *) RelinquishMagickMemory(blocks); } /* -- cgit v0.10.2