GraphicsMagick/GraphicsMagick-CVE-2016-868...


# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1473544878 18000
# Node ID b9edafd479b9d2e0976f184a259747efb198dc46
# Parent  c53725cb5449ac885536a6a98dc911d8b21a3c54
PCX: Check that filesize is reasonable given header.

--- a/coders/pcx.c	Sat Sep 10 16:48:12 2016 -0500
+++ b/coders/pcx.c	Sat Sep 10 17:01:18 2016 -0500
@@ -1,5 +1,5 @@
 /*
-% Copyright (C) 2003 - 2015 GraphicsMagick Group
+% Copyright (C) 2003 - 2016 GraphicsMagick Group
 % Copyright (C) 2002 ImageMagick Studio
 % Copyright 1991-1999 E. I. du Pont de Nemours and Company
 %
@@ -251,6 +251,9 @@
   size_t
     pcx_packets;
 
+  magick_off_t
+    file_size;
+
   /*
     Open image file.
   */
@@ -292,6 +295,7 @@
     if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET)
         == -1)
       ThrowPCXReaderException(CorruptImageError,ImproperImageHeader,image);
+  file_size=GetBlobSize(image);
   count=ReadBlob(image,1,(char *) &pcx_info.identifier);
   for (id=1; id < 1024; id++)
   {
@@ -455,6 +459,34 @@
     if (CheckImagePixelLimits(image, exception) != MagickPass)
       ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
 
+
+    /*
+      Check that filesize is reasonable given header
+    */
+    {
+      double
+        uncompressed_size;
+      
+      uncompressed_size=((double) image->rows*pcx_info.bytes_per_line*pcx_info.planes);
+      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                            "Uncompressed size: %.0f", uncompressed_size);
+      if (pcx_info.encoding == 0)
+        {
+          /* Not compressed */
+          if (uncompressed_size > file_size)
+            ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+                                   image);
+        }
+      else
+        {
+          /* RLE compressed */
+          if (uncompressed_size > file_size*254.0)
+            ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+                                 image);
+        }
+    }
+
+
     /*
       Read image data.
     */
CVE-2016-7800 (#1381148) CVE-2016-7996, CVE-2016-7997 (#1383223) CVE-2016-8682, CVE-2016-8683, CVE-2016-8684 (#1385583) 8 years ago
			`# HG changeset patch`
			`# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>`
			`# Date 1473544878 18000`
			`# Node ID b9edafd479b9d2e0976f184a259747efb198dc46`
			`# Parent c53725cb5449ac885536a6a98dc911d8b21a3c54`
			`PCX: Check that filesize is reasonable given header.`

			`--- a/coders/pcx.c Sat Sep 10 16:48:12 2016 -0500`
			`+++ b/coders/pcx.c Sat Sep 10 17:01:18 2016 -0500`
			`@@ -1,5 +1,5 @@`
			`/*`
			`-% Copyright (C) 2003 - 2015 GraphicsMagick Group`
			`+% Copyright (C) 2003 - 2016 GraphicsMagick Group`
			`% Copyright (C) 2002 ImageMagick Studio`
			`% Copyright 1991-1999 E. I. du Pont de Nemours and Company`
			`%`
			`@@ -251,6 +251,9 @@`
			`size_t`
			`pcx_packets;`

			`+ magick_off_t`
			`+ file_size;`
			`+`
			`/*`
			`Open image file.`
			`*/`
			`@@ -292,6 +295,7 @@`
			`if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET)`
			`== -1)`
			`ThrowPCXReaderException(CorruptImageError,ImproperImageHeader,image);`
			`+ file_size=GetBlobSize(image);`
			`count=ReadBlob(image,1,(char *) &pcx_info.identifier);`
			`for (id=1; id < 1024; id++)`
			`{`
			`@@ -455,6 +459,34 @@`
			`if (CheckImagePixelLimits(image, exception) != MagickPass)`
			`ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);`

			`+`
			`+ /*`
			`+ Check that filesize is reasonable given header`
			`+ */`
			`+ {`
			`+ double`
			`+ uncompressed_size;`
			`+`
			`+ uncompressed_size=((double) image->rowspcx_info.bytes_per_linepcx_info.planes);`
			`+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),`
			`+ "Uncompressed size: %.0f", uncompressed_size);`
			`+ if (pcx_info.encoding == 0)`
			`+ {`
			`+ /* Not compressed */`
			`+ if (uncompressed_size > file_size)`
			`+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,`
			`+ image);`
			`+ }`
			`+ else`
			`+ {`
			`+ /* RLE compressed */`
			`+ if (uncompressed_size > file_size*254.0)`
			`+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,`
			`+ image);`
			`+ }`
			`+ }`
			`+`
			`+`
			`/*`
			`Read image data.`
			`*/`