Sophie

Sophie

distrib > Mandriva > cs4.0 > i586 > by-pkgid > e30fef45570f1cbb6f62a065f71d79ec > files > 13

ImageMagick-6.2.4.3-1.2.20060mdk.src.rpm

--- ImageMagick-6.2.4/coders/sgi.c.cve-2006-4144	2005-08-09 18:05:48.000000000 -0600
+++ ImageMagick-6.2.4/coders/sgi.c	2006-08-25 08:31:19.094582564 -0600
@@ -323,8 +323,8 @@ static Image *ReadSGIImage(const ImageIn
     if ((4*bytes_per_pixel*number_pixels) != ((MagickSizeType) (size_t)
         (4*bytes_per_pixel*number_pixels)))
       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-    iris_pixels=(unsigned char *)
-      AcquireMagickMemory(4*bytes_per_pixel*iris_info.columns*iris_info.rows);
+    iris_pixels=(unsigned char *) AcquireMagickMemory(4*bytes_per_pixel*
+      iris_info.columns*iris_info.rows);
     if (iris_pixels == (unsigned char *) NULL)
       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
     if ((int) iris_info.storage != 0x01)
@@ -335,8 +335,8 @@ static Image *ReadSGIImage(const ImageIn
         /*
           Read standard image format.
         */
-        scanline=(unsigned char *)
-          AcquireMagickMemory(bytes_per_pixel*iris_info.columns);
+        scanline=(unsigned char *) AcquireMagickMemory(bytes_per_pixel*
+          iris_info.columns);
         if (scanline == (unsigned char *) NULL)
           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
         for (z=0; z < (int) iris_info.depth; z++)
@@ -344,8 +344,7 @@ static Image *ReadSGIImage(const ImageIn
           p=iris_pixels+bytes_per_pixel*z;
           for (y=0; y < (long) iris_info.rows; y++)
           {
-            count=ReadBlob(image,bytes_per_pixel*iris_info.columns,
-              scanline);
+            count=ReadBlob(image,bytes_per_pixel*iris_info.columns,scanline);
             if (EOFBlob(image) != MagickFalse)
               break;
             if (bytes_per_pixel == 2)
@@ -393,20 +392,24 @@ static Image *ReadSGIImage(const ImageIn
             (max_packets == (unsigned char *) NULL) ||
             (runlength == (unsigned long *) NULL))
           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-        for (i=0; i < (int) (iris_info.rows*iris_info.depth); i++)
+        for (i=0; i < (long) (iris_info.rows*iris_info.depth); i++)
           offsets[i]=(ssize_t) ReadBlobMSBLong(image);
-        for (i=0; i < (int) (iris_info.rows*iris_info.depth); i++)
+        for (i=0; i < (long) (iris_info.rows*iris_info.depth); i++)
+        {
           runlength[i]=ReadBlobMSBLong(image);
+          if (runlength[i] >= (4*(size_t) iris_info.columns+10))
+            ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+        }
         /*
           Check data order.
         */
         offset=0;
-        data_order=MagickFalse;
-        for (y=0; ((y < (long) iris_info.rows) && (data_order == MagickFalse)); y++)
-          for (z=0; ((z < (int) iris_info.depth) && (data_order == MagickFalse)); z++)
+        data_order=0;
+        for (y=0; ((y < (long) iris_info.rows) && (data_order == 0)); y++)
+          for (z=0; ((z < (long) iris_info.depth) && (data_order == 0)); z++)
           {
             if (offsets[y+z*iris_info.rows] < offset)
-              data_order=MagickTrue;
+              data_order=1;
             offset=offsets[y+z*iris_info.rows];
           }
         offset=(ssize_t) (512+4*bytes_per_pixel*2*(iris_info.rows*

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional