--- ImageMagick-6.2.4/coders/sgi.c.cve-2006-4144 2005-08-09 18:05:48.000000000 -0600 +++ ImageMagick-6.2.4/coders/sgi.c 2006-08-25 08:31:19.094582564 -0600 @@ -323,8 +323,8 @@ static Image *ReadSGIImage(const ImageIn if ((4*bytes_per_pixel*number_pixels) != ((MagickSizeType) (size_t) (4*bytes_per_pixel*number_pixels))) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); - iris_pixels=(unsigned char *) - AcquireMagickMemory(4*bytes_per_pixel*iris_info.columns*iris_info.rows); + iris_pixels=(unsigned char *) AcquireMagickMemory(4*bytes_per_pixel* + iris_info.columns*iris_info.rows); if (iris_pixels == (unsigned char *) NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); if ((int) iris_info.storage != 0x01) @@ -335,8 +335,8 @@ static Image *ReadSGIImage(const ImageIn /* Read standard image format. */ - scanline=(unsigned char *) - AcquireMagickMemory(bytes_per_pixel*iris_info.columns); + scanline=(unsigned char *) AcquireMagickMemory(bytes_per_pixel* + iris_info.columns); if (scanline == (unsigned char *) NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); for (z=0; z < (int) iris_info.depth; z++) @@ -344,8 +344,7 @@ static Image *ReadSGIImage(const ImageIn p=iris_pixels+bytes_per_pixel*z; for (y=0; y < (long) iris_info.rows; y++) { - count=ReadBlob(image,bytes_per_pixel*iris_info.columns, - scanline); + count=ReadBlob(image,bytes_per_pixel*iris_info.columns,scanline); if (EOFBlob(image) != MagickFalse) break; if (bytes_per_pixel == 2) @@ -393,20 +392,24 @@ static Image *ReadSGIImage(const ImageIn (max_packets == (unsigned char *) NULL) || (runlength == (unsigned long *) NULL)) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); - for (i=0; i < (int) (iris_info.rows*iris_info.depth); i++) + for (i=0; i < (long) (iris_info.rows*iris_info.depth); i++) offsets[i]=(ssize_t) ReadBlobMSBLong(image); - for (i=0; i < (int) (iris_info.rows*iris_info.depth); i++) + for (i=0; i < (long) (iris_info.rows*iris_info.depth); i++) + { runlength[i]=ReadBlobMSBLong(image); + if (runlength[i] >= (4*(size_t) iris_info.columns+10)) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + } /* Check data order. */ offset=0; - data_order=MagickFalse; - for (y=0; ((y < (long) iris_info.rows) && (data_order == MagickFalse)); y++) - for (z=0; ((z < (int) iris_info.depth) && (data_order == MagickFalse)); z++) + data_order=0; + for (y=0; ((y < (long) iris_info.rows) && (data_order == 0)); y++) + for (z=0; ((z < (long) iris_info.depth) && (data_order == 0)); z++) { if (offsets[y+z*iris_info.rows] < offset) - data_order=MagickTrue; + data_order=1; offset=offsets[y+z*iris_info.rows]; } offset=(ssize_t) (512+4*bytes_per_pixel*2*(iris_info.rows*