From 0a89a1ccca6e7ee059b73f5cc924513383e8a330 Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Sun, 30 Nov 2014 21:54:05 +0000
Subject: Avoid heap overflow in palm, pnm and xpm files
git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17140 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin: http://trac.imagemagick.org/changeset/17140
diff --git a/coders/palm.c b/coders/palm.c
index ccdd353..0e58f91 100644
--- a/coders/palm.c
+++ b/coders/palm.c
@@ -189,7 +189,7 @@ static MagickBooleanType
 % o pixel: a pointer to the PixelPacket to be matched.
 %
 */
-static int FindColor(PixelPacket *pixel)
+static ssize_t FindColor(PixelPacket *pixel)
 {
 register ssize_t
 i;
@@ -374,26 +374,26 @@ static Image *ReadPALMImage(const ImageInfo *image_info,
 for (i=0; i < (ssize_t) count; i++)
 {
 ReadBlobByte(image);
- index=ConstrainColormapIndex(image,255-i);
- image->colormap[(int) index].red=
- ScaleCharToQuantum((unsigned char) ReadBlobByte(image));
- image->colormap[(int) index].green=
- ScaleCharToQuantum((unsigned char) ReadBlobByte(image));
- image->colormap[(int) index].blue=
- ScaleCharToQuantum((unsigned char) ReadBlobByte(image));
+ index=ConstrainColormapIndex(image,(size_t) (255-i));
+ image->colormap[(int) index].red=ScaleCharToQuantum(
+ (unsigned char) ReadBlobByte(image));
+ image->colormap[(int) index].green=ScaleCharToQuantum(
+ (unsigned char) ReadBlobByte(image));
+ image->colormap[(int) index].blue=ScaleCharToQuantum(
+ (unsigned char) ReadBlobByte(image));
 }
 }
 else
 {
 for (i=0; i < (ssize_t) (1L << bits_per_pixel); i++)
 {
- index=ConstrainColormapIndex(image,255-i);
- image->colormap[(int) index].red=
- ScaleCharToQuantum(PalmPalette[i][0]);
- image->colormap[(int) index].green=
- ScaleCharToQuantum(PalmPalette[i][1]);
- image->colormap[(int) index].blue=
- ScaleCharToQuantum(PalmPalette[i][2]);
+ index=ConstrainColormapIndex(image,(size_t) (255-i));
+ image->colormap[(int) index].red=ScaleCharToQuantum(
+ PalmPalette[i][0]);
+ image->colormap[(int) index].green=ScaleCharToQuantum(
+ PalmPalette[i][1]);
+ image->colormap[(int) index].blue=ScaleCharToQuantum(
+ PalmPalette[i][2]);
 }
 }
 }
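Review bot: In the first loop (`i < (ssize_t) count`) the three `ReadBlobByte(image)` results are cast straight to `unsigned char`, so an end-of-blob return is stored as 0xff and the loop keeps running for every remaining iteration of a truncated file. For i above 255 the `(size_t) (255-i)` cast wraps to a very large value, and the `image->colormap[(int) index]` stores then depend entirely on ConstrainColormapIndex, which is not part of this diff, rejecting it. Stopping once the blob is exhausted, e.g. `if (EOFBlob(image) != MagickFalse) break;` after the reads, plus a one-line comment that the cast is what makes negative indexes fail the range check, would make that dependency explicit. ReadPALMImage starts and ends outside the hunk.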
@@ -406,18 +406,18 @@ static Image *ReadPALMImage(const ImageInfo *image_info,
 image->storage_class=PseudoClass;
 image->depth=8;
 }
- one_row=(unsigned char *) AcquireQuantumMemory(bytes_per_row,
- sizeof(*one_row));
+ one_row=(unsigned char *) AcquireQuantumMemory(MagickMax(bytes_per_row,
+ 2*image->columns),sizeof(*one_row));
 if (one_row == (unsigned char *) NULL)
 ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
 lastrow=(unsigned char *) NULL;
 if (compressionType == PALM_COMPRESSION_SCANLINE) {
- lastrow=(unsigned char *) AcquireQuantumMemory(bytes_per_row,
- sizeof(*lastrow));
+ lastrow=(unsigned char *) AcquireQuantumMemory(MagickMax(bytes_per_row,
+ 2*image->columns),sizeof(*lastrow));
 if (lastrow == (unsigned char *) NULL)
 ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
 }
- mask=(1l << bits_per_pixel)-1;
+ mask=(size_t) (1U << bits_per_pixel)-1;
 for (y = 0; y < (ssize_t) image->rows; y++)
 {
 if ((flags & PALM_IS_COMPRESSED_FLAG) == 0)
@@ -453,7 +453,7 @@ static Image *ReadPALMImage(const ImageInfo *image_info,
 for (i=0; i < (ssize_t) bytes_per_row; i+=8)
 {
 count=(ssize_t) ReadBlobByte(image);
- byte=1UL*MagickMin((ssize_t) bytes_per_row-i,8);
+ byte=(size_t) MagickMin((ssize_t) bytes_per_row-i,8);
 for (bit=0; bit < byte; bit++)
 {
 if ((y == 0) || (count & (one << (7 - bit))))
@@ -478,12 +478,9 @@ static Image *ReadPALMImage(const ImageInfo *image_info,
 {
 color16=(*ptr++ << 8);
 color16|=(*ptr++);
- SetPixelRed(q,(QuantumRange*((color16 >> 11) & 0x1f))/
- 0x1f);
- SetPixelGreen(q,(QuantumRange*((color16 >> 5) & 0x3f))/
- 0x3f);
- SetPixelBlue(q,(QuantumRange*((color16 >> 0) & 0x1f))/
- 0x1f);
+ SetPixelRed(q,(QuantumRange*((color16 >> 11) & 0x1f))/0x1f);
+ SetPixelGreen(q,(QuantumRange*((color16 >> 5) & 0x3f))/0x3f);
+ SetPixelBlue(q,(QuantumRange*((color16 >> 0) & 0x1f))/0x1f);
 SetPixelOpacity(q,OpaqueOpacity);
 q++;
 }
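Review bot: Growing `one_row` and `lastrow` to `MagickMax(bytes_per_row,2*image->columns)` removes the access past the end, but the allocation is not cleared and, as far as these hunks show, the row readers (for example the `i < (ssize_t) bytes_per_row` loop in the `-453` hunk) fill only `bytes_per_row` bytes. When a file declares a `bytes_per_row` smaller than the row needs, the decode paths, such as `color16=(*ptr++ << 8)` in the `-478` hunk, would then turn uninitialized heap bytes into pixel values. Clearing each buffer once after its NULL check, `(void) ResetMagickMemory(one_row,0,MagickMax(bytes_per_row,2*image->columns));` and the same for `lastrow`, or rejecting a header whose `bytes_per_row` is too small for `columns` and `bits_per_pixel`, would close that. A comment saying why `2*image->columns` is the floor would also help the next reader. ReadPALMImage starts and ends outside these hunks.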
@@ -660,9 +657,6 @@ ModuleExport void UnregisterPALMImage(void)
 static MagickBooleanType WritePALMImage(const ImageInfo *image_info,
 Image *image)
 {
- int
- y;
-
 ExceptionInfo
 *exception;
@@ -692,6 +686,9 @@ static MagickBooleanType WritePALMImage(const ImageInfo *image_info,
 register PixelPacket
 *p;
+ ssize_t
+ y;
+
 size_t
 count,
 bits_per_pixel,
@@ -848,7 +845,7 @@ static MagickBooleanType WritePALMImage(const ImageInfo *image_info,
 sizeof(*one_row));
 if (one_row == (unsigned char *) NULL)
 ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
- for (y=0; y < (int) image->rows; y++)
+ for (y=0; y < (ssize_t) image->rows; y++)
 {
 ptr=one_row;
 (void) ResetMagickMemory(ptr,0,bytes_per_row);
@@ -858,7 +855,7 @@ static MagickBooleanType WritePALMImage(const ImageInfo *image_info,
 indexes=GetAuthenticIndexQueue(image);
 if (bits_per_pixel == 16)
 {
- for (x=0; x < (int) image->columns; x++)
+ for (x=0; x < (ssize_t) image->columns; x++)
 {
 color16=(unsigned short) ((((31*(size_t) GetPixelRed(p))/
 (size_t) QuantumRange) << 11) |
@@ -881,7 +878,7 @@ static MagickBooleanType WritePALMImage(const ImageInfo *image_info,
 {
 byte=0x00;
 bit=(unsigned char) (8-bits_per_pixel);
- for (x=0; x < (int) image->columns; x++)
+ for (x=0; x < (ssize_t) image->columns; x++)
 {
 if (bits_per_pixel >= 8)
 color=(unsigned char) GetPixelIndex(indexes+x);
diff --git a/coders/pnm.c b/coders/pnm.c
index 1d6817e..3fe0dec 100644
--- a/coders/pnm.c
+++ b/coders/pnm.c
@@ -155,7 +155,7 @@ static void PNMComment(Image *image)
 Read comment.
 */
 comment=AcquireString(GetImageProperty(image,"comment"));
- extent=strlen(comment);
+ extent=MaxTextExtent;
 p=comment+strlen(comment);
 for (c='#'; (c != EOF) && (c != (int) '\n'); p++)
 {
diff --git a/coders/xpm.c b/coders/xpm.c
index 6acd4e9..e48eb9c 100644
--- a/coders/xpm.c
+++ b/coders/xpm.c
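Review bot: `extent=MaxTextExtent;` in PNMComment no longer depends on the comment already stored on the image, yet `p` still starts at `comment+strlen(comment)`, so the capacity the loop assumes and the offset it writes at can disagree. AcquireString, as far as I know, reserves the string length plus MaxTextExtent, so `extent=strlen(comment)+MaxTextExtent;` would describe the real allocation. With the fixed value, an image that already carries a comment longer than MaxTextExtent leaves the growth check, which lies outside this hunk, working from a number smaller than the data already in the buffer. Please confirm this against the resize logic in the loop body below the hunk.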
@@ -152,12 +152,16 @@ static int CompareXPMColor(const void *target,const void *source)
 return(strcmp(p,q));
 }
-static char *CopyXPMColor(char *destination,const char *source,size_t length)
+static size_t CopyXPMColor(char *destination,const char *source,size_t length)
 {
- while (length-- && (*source != '\0'))
- *destination++=(*source++);
+ register char
+ *p;
+
+ p=source;
+ while (length-- && (*p != '\0'))
+ *destination++=(*p++);
 *destination='\0';
- return(destination-length);
+ return((size_t) (p-source));
 }
 static char *NextXPMLine(char *p)
@@ -307,24 +311,26 @@ static Image *ReadXPMImage(const ImageInfo *image_info,ExceptionInfo *exception)
 */
 length=MaxTextExtent;
 xpm_buffer=(char *) AcquireQuantumMemory((size_t) length,sizeof(*xpm_buffer));
+ if (xpm_buffer == (char *) NULL)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ *xpm_buffer='\0';
 p=xpm_buffer;
- if (xpm_buffer != (char *) NULL)
- while (ReadBlobString(image,p) != (char *) NULL)
- {
- if ((*p == '#') && ((p == xpm_buffer) || (*(p-1) == '\n')))
- continue;
- if ((*p == '}') && (*(p+1) == ';'))
- break;
- p+=strlen(p);
- if ((size_t) (p-xpm_buffer+MaxTextExtent) < length)
- continue;
- length<<=1;
- xpm_buffer=(char *) ResizeQuantumMemory(xpm_buffer,length+MaxTextExtent,
- sizeof(*xpm_buffer));
- if (xpm_buffer == (char *) NULL)
- break;
- p=xpm_buffer+strlen(xpm_buffer);
- }
+ while (ReadBlobString(image,p) != (char *) NULL)
+ {
+ if ((*p == '#') && ((p == xpm_buffer) || (*(p-1) == '\n')))
+ continue;
+ if ((*p == '}') && (*(p+1) == ';'))
+ break;
+ p+=strlen(p);
+ if ((size_t) (p-xpm_buffer+MaxTextExtent) < length)
+ continue;
+ length<<=1;
+ xpm_buffer=(char *) ResizeQuantumMemory(xpm_buffer,length+MaxTextExtent,
+ sizeof(*xpm_buffer));
+ if (xpm_buffer == (char *) NULL)
+ break;
+ p=xpm_buffer+strlen(xpm_buffer);
+ }
 if (xpm_buffer == (char *) NULL)
 ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
 /*
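Review bot: In CopyXPMColor, `p=source;` assigns a `const char *` to `register char *p`, which discards the qualifier and draws a compiler diagnostic; declare it as `register const char *p;`. The function also has no header comment although its contract changed: it now returns the number of characters copied rather than a pointer, and it always stores a terminating NUL, so `destination` must have room for `length`+1 bytes. Stating that above the function matters because the caller in the `-438` ReadXPMImage hunk derives `length` from a buffer-size constant.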
@@ -438,13 +444,12 @@ static Image *ReadXPMImage(const ImageInfo *image_info,ExceptionInfo *exception)
 indexes=GetAuthenticIndexQueue(image);
 for (x=0; x < (ssize_t) image->columns; x++)
 {
- (void) CopyXPMColor(key,p,(size_t) width);
+ p+=CopyXPMColor(key,p,MagickMin(width,MaxTextExtent));
 j=(ssize_t) GetValueFromSplayTree(xpm_colors,key);
 if (image->storage_class == PseudoClass)
 SetPixelIndex(indexes+x,j);
 *r=image->colormap[j];
 r++;
- p+=width;
 }
 if (SyncAuthenticPixels(image,exception) == MagickFalse)
 break;
--
cgit v0.10.2
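Review bot: `CopyXPMColor(key,p,MagickMin(width,MaxTextExtent))` lets the copy store MaxTextExtent characters and then the terminating NUL, which is one byte more than `key` holds if it is declared as `char key[MaxTextExtent]` (the declaration is outside the hunk). Clamping to `MagickMin(width,MaxTextExtent-1)` keeps the terminator inside the buffer. The return value is also added to `p` without being compared with `width`, so a row that ends early, or a `width` above the clamp, is decoded with shortened keys instead of being rejected. Keeping the count in a local and leaving the loop when it differs from `width` would surface the corrupt input. ReadXPMImage starts and ends outside the hunk.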