--- ImageMagick-6.2.4/coders/sun.c.cve-2006-3743-3744 2005-05-08 20:02:56.000000000 -0600 +++ ImageMagick-6.2.4/coders/sun.c 2006-08-25 08:32:35.610749474 -0600 @@ -133,10 +133,10 @@ static MagickBooleanType IsSUN(const uns % */ static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels, - const size_t length,unsigned char *pixels) + const size_t length,unsigned char *pixels,size_t maxpixels) { register const unsigned char - *p; + *p, *l; register unsigned char *q; @@ -152,7 +152,8 @@ static MagickBooleanType DecodeImage(con assert(pixels != (unsigned char *) NULL); p=compressed_pixels; q=pixels; - while ((size_t) (p-compressed_pixels) < length) + l=q+maxpixels; + while ((size_t) (p-compressed_pixels) < length && q < l) { byte=(*p++); if (byte != 128U) @@ -165,7 +166,7 @@ static MagickBooleanType DecodeImage(con count=(ssize_t) (*p++); if (count > 0) byte=(*p++); - while (count >= 0) + while (count >= 0 && q < l) { *q++=byte; count--; @@ -377,6 +378,8 @@ static Image *ReadSUNImage(const ImageIn CloseBlob(image); return(GetFirstImageInList(image)); } + if ((sun_info.length * sizeof(*sun_data)) / sizeof(*sun_data) != sun_info.length || !sun_info.length) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); sun_data=(unsigned char *) AcquireMagickMemory((size_t) sun_info.length*sizeof(*sun_data)); if (sun_data == (unsigned char *) NULL) 
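Review bot: The new `maxpixels` parameter in DecodeImage's signature is a byte count for the output buffer, not a pixel count (the caller later in this patch passes `bytes_per_line * height`), and the added end pointer `l` is easy to misread as `1`. Naming them for what they are, e.g. `size_t pixels_length` and `*end`, and adding a line to the function's header comment such as `o maxpixels: size in bytes of the pixels buffer; decoding stops once it is full`, would make the bound harder to misuse at a future call site. The header comment and the rest of the body lie outside this hunk.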
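Review bot: The added `q < l` tests bound only the writes; the reads in the run-length branch are still unchecked. When the last input byte is 128, `count=(ssize_t) (*p++);` and then `byte=(*p++);` (visible as context in the following `@@ -165` hunk) read one or two bytes past `compressed_pixels + length`, because the `length` test is made only at the top of the outer loop. Re-testing before each of those reads, e.g. `if ((size_t) (p-compressed_pixels) >= length) break;`, closes the over-read. The lines between this hunk and the next are not shown, so confirm nothing there already guards it.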
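Review bot: In the length check added before the `sun_data` allocation, the multiply-and-divide test can never fail: `sun_data` is an `unsigned char *`, so `sizeof(*sun_data)` is 1 and only `!sun_info.length` has any effect. The header-supplied length therefore still sizes the allocation unchecked. If the surrounding code does not already do so, comparing it against the data actually available (for a seekable blob, `GetBlobSize(image)`) would reject inflated values before allocating. A malformed header is also reported here as an allocation failure; `ThrowReaderException(CorruptImageError,"ImproperImageHeader");` would describe it more accurately in logs.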
@@ -394,11 +397,28 @@ static Image *ReadSUNImage(const ImageIn Read run-length encoded raster pixels. */ height=sun_info.height; - bytes_per_line=2*(sun_info.width*sun_info.depth+15)/16; + + /* calculate bytes per line, verifying no overflow occurs */ + bytes_per_line=sun_info.width*sun_info.depth; + if (!height || !sun_info.width || !sun_info.depth || bytes_per_line / sun_info.depth != sun_info.width) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + + if ((ULONG_MAX - bytes_per_line) < 15) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + + bytes_per_line += 15; + bytes_per_line <<= 1; + if (bytes_per_line >> 1 != sun_info.width * sun_info.depth + 15) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + + bytes_per_line >>= 4; + if ((bytes_per_line * height) / height != bytes_per_line) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + sun_pixels=(unsigned char *) AcquireMagickMemory(bytes_per_line*height); if (sun_pixels == (unsigned char *) NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); - (void) DecodeImage(sun_data,sun_info.length,sun_pixels); + (void) DecodeImage(sun_data,sun_info.length,sun_pixels, bytes_per_line * height); sun_data=(unsigned char *) RelinquishMagickMemory(sun_data); } /* --- ImageMagick-6.2.4/coders/xcf.c.cve-2006-3743-3744 2005-04-26 20:51:54.000000000 -0600 +++ ImageMagick-6.2.4/coders/xcf.c 2006-08-25 08:32:35.611749293 -0600 @@ -268,7 +268,7 @@ static CompositeOperator GIMPBlendModeTo % % */ -static char *ReadBlobStringWithLongSize(Image *image,char *string) +static char *ReadBlobStringWithLongSize(Image *image,char *string,size_t max) { int c; 
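Review bot: Each of the overflow checks added to the `bytes_per_line` calculation throws while `sun_data` is still allocated; it is released only after the `DecodeImage` call at the end of the hunk, so unless `ThrowReaderException` frees it (not visible here) every rejected file leaks a buffer whose size comes from the header. The existing `sun_pixels == NULL` throw has the same problem. Adding `sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);` before each throw, or folding the checks into one condition with a single release, fixes it. Separately, the result of `DecodeImage` is still discarded, so a truncated run-length stream leaves the tail of `sun_pixels` unwritten; if `AcquireMagickMemory` does not zero the buffer, that tail would carry stale heap contents into the decoded image.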
@@ -284,7 +284,7 @@ static char *ReadBlobStringWithLongSize( if (image->debug != MagickFalse) (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename); length = ReadBlobMSBLong(image); - for (i=0; i < (long) length; i++) + for (i=0; i < (long) Min(length, max); i++) { c=ReadBlobByte(image); if (c == EOF) @@ -693,7 +693,7 @@ static MagickBooleanType ReadOneLayer(Im outLayer->width = ReadBlobMSBLong(image); outLayer->height = ReadBlobMSBLong(image); outLayer->type = ReadBlobMSBLong(image); - (void) ReadBlobStringWithLongSize(image, outLayer->name); + (void) ReadBlobStringWithLongSize(image, outLayer->name, 1024); /* allocate the image for this layer */ outLayer->image=CloneImage(image,outLayer->width, outLayer->height,MagickTrue, @@ -1100,7 +1100,7 @@ static Image *ReadXCFImage(const ImageIn /*float factor = (float) */ (void) ReadBlobMSBLong(image); /* unsigned long digits = */ (void) ReadBlobMSBLong(image); for (i=0; i<5; i++) - (void) ReadBlobStringWithLongSize(image, unit_string); + (void) ReadBlobStringWithLongSize(image, unit_string, sizeof(unit_string)); } break;
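Review bot: Clamping the loop to `Min(length, max)` leaves no room for a terminator: the callers in the `@@ -693` and `@@ -1100` hunks pass the full buffer size, so if the function writes `string[i]='\0'` after the loop (that part is outside this hunk) a string of `max` or more bytes puts the NUL one byte past the buffer. `for (i=0; i < (long) Min(length, max-1); i++)` avoids that, given `max` is never 0. When `length` exceeds the clamp, the remaining `length - max` bytes are also left in the blob, so every later field is parsed from the middle of the string; reading and discarding the remainder keeps the stream aligned.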
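Review bot: The literal `1024` in the `ReadOneLayer` call has to be kept in step by hand with the declaration of `outLayer->name`, which is not visible in this hunk. If `name` is an array member, `(void) ReadBlobStringWithLongSize(image, outLayer->name, sizeof(outLayer->name));` ties the bound to the buffer, as the `unit_string` call in the `@@ -1100` hunk already does; if it is a pointer, a named constant shared with the allocation would serve the same purpose.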