From 6055ec3af7254dc188ccbac418093cbc6f19344b Mon Sep 17 00:00:00 2001 From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74> Date: Mon, 22 Dec 2014 01:26:10 +0000 Subject: Replaced calls to ConstrainColormapIndex with IsValidColormapIndex. Avoid a memory leak. git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17385 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74 origin: http://trac.imagemagick.org/changeset/17385 diff --git a/coders/rle.c b/coders/rle.c index 8d50b7e..74f4968 100644 --- a/coders/rle.c +++ b/coders/rle.c @@ -147,6 +147,9 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) Image *image; + IndexPacket + index; + int opcode, operand, @@ -440,9 +443,6 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) } while (((opcode & 0x3f) != EOFOp) && (opcode != EOF)); if (number_colormaps != 0) { - IndexPacket - index; - MagickStatusType mask; @@ -451,10 +451,13 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) */ mask=(MagickStatusType) (map_length-1); p=pixels; + x=(ssize_t) number_planes; if (number_colormaps == 1) for (i=0; i < (ssize_t) number_pixels; i++) { - index=ConstrainColormapIndex(image,*p & mask); + if (IsValidColormapIndex(image,*p & mask,&index,exception) == + MagickFalse) + break; *p=colormap[index]; p++; } @@ -463,10 +466,18 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) for (i=0; i < (ssize_t) number_pixels; i++) for (x=0; x < (ssize_t) number_planes; x++) { - index=ConstrainColormapIndex(image,x*map_length+(*p & mask)); + if (IsValidColormapIndex(image,(size_t) (x*map_length+ + (*p & mask)),&index,exception) == MagickFalse) + break; *p=colormap[index]; p++; } + if ((i < (ssize_t) number_pixels) || (x < (ssize_t) number_planes)) + { + colormap=(unsigned char *) RelinquishMagickMemory(colormap); + pixel_info=RelinquishVirtualMemory(pixel_info); + ThrowReaderException(CorruptImageError,"UnableToReadImageData"); + } } /* Initialize image structure. @@ -569,15 +580,23 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) break; for (x=0; x < (ssize_t) image->columns; x++) { - SetPixelRed(q,image->colormap[(ssize_t) - ConstrainColormapIndex(image,*p++)].red); - SetPixelGreen(q,image->colormap[(ssize_t) - ConstrainColormapIndex(image,*p++)].green); - SetPixelBlue(q,image->colormap[(ssize_t) - ConstrainColormapIndex(image,*p++)].blue); + if (IsValidColormapIndex(image,*p++,&index,exception) == + MagickFalse) + break; + SetPixelRed(q,image->colormap[(ssize_t) index].red); + if (IsValidColormapIndex(image,*p++,&index,exception) == + MagickFalse) + break; + SetPixelGreen(q,image->colormap[(ssize_t) index].green); + if (IsValidColormapIndex(image,*p++,&index,exception) == + MagickFalse) + break; + SetPixelBlue(q,image->colormap[(ssize_t) index].blue); SetPixelAlpha(q,ScaleCharToQuantum(*p++)); q++; } + if (x < (ssize_t) image->columns) + break; if (SyncAuthenticPixels(image,exception) == MagickFalse) break; if (image->previous == (Image *) NULL) -- cgit v0.10.2