Sophie: ImageMagick-5.5.7.15-6.3.100mdk src

ImageMagick-5.5.7.15-6.3.100mdk.src.rpm

--- coders/avi.c
+++ coders/avi.c
@@ -171,17 +171,24 @@
   register unsigned char
     *q;
 
+  unsigned char
+    *end;
+
   (void) memset(pixels,0,image->columns*image->rows);
   byte=0;
   x=0;
   q=pixels;
+  end=pixels + (size_t) image->columns*image->rows;
   for (y=0; y < (long) image->rows; )
   {
+    if (q < pixels || q  >= end)
+      break;
     count=ReadBlobByte(image);
     if (count == EOF)
       break;
     if (count != 0)
       {
+        count=Min((unsigned long)count, end - q);
         /*
           Encoded mode.
         */
@@ -231,6 +238,7 @@
             /*
               Absolute mode.
             */
+    	    count=Min((unsigned long)count, end - q);
             for (i=0; i < count; i++)
             {
               if (compression == 1)
--- coders/bmp.c
+++ coders/bmp.c
@@ -187,6 +187,9 @@
   register unsigned char
     *q;
 
+  unsigned char
+    *end;
+
   assert(image != (Image *) NULL);
   assert(pixels != (unsigned char *) NULL);
   (void) LogMagickEvent(CoderEvent,GetMagickModule(),"  Decoding RLE pixels");
@@ -194,13 +197,17 @@
   byte=0;
   x=0;
   q=pixels;
+  end=pixels + (size_t) image->columns*image->rows;
   for (y=0; y < (long) image->rows; )
   {
+    if (q < pixels || q  >= end)
+      break;
     count=ReadBlobByte(image);
     if (count == EOF)
       break;
     if (count != 0)
       {
+        count=Min((unsigned long)count, end - q);
         /*
           Encoded mode.
         */
@@ -257,6 +264,7 @@
             /*
               Absolute mode.
             */
+    	    count=Min((unsigned long)count, end - q);
             if (compression == BI_RLE8)
               for (i=count; i != 0; --i)
                 *q++=ReadBlobByte(image);