GraphicsMagick/GraphicsMagick-CVE-2016-780...

# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1475336055 18000
#      Sat Oct 01 10:34:15 2016 -0500
# Node ID 5c7b6d6094a25e99c57f8b18343914ebfd8213ef
# Parent  623b741873230aaf0aaa767f14f4241f9d56a0f6
Fix unsigned underflow leading to heap overflow when parsing 8BIM chunk.

diff --git a/coders/meta.c b/coders/meta.c
--- a/coders/meta.c
+++ b/coders/meta.c
@@ -396,10 +396,17 @@
             {
               if (brkused && next > 0)
                 {
+                  size_t
+                    codes_len;
+
                   char
                     *s = &token[next-1];
 
-                  len -= convertHTMLcodes(s, strlen(s));
+                  codes_len = convertHTMLcodes(s, strlen(s));
+                  if (codes_len > len)
+                    len = 0;
+                  else
+                    len -= codes_len;
                 }
             }
 
@@ -450,7 +457,7 @@
                     next=0;
                     outputlen += len;
                     while (len--)
-                      (void) WriteBlobByte(ofile,token[next++]); /* boom */
+                      (void) WriteBlobByte(ofile,token[next++]);
 
                     if (outputlen & 1)
                       {
@@ -682,10 +689,17 @@
             {
               if (brkused && next > 0)
                 {
+                  size_t
+                    codes_len;
+
                   char
                     *s = &token[next-1];
 
-                  len -= convertHTMLcodes(s, strlen(s));
+                  codes_len = convertHTMLcodes(s, strlen(s));
+                  if (codes_len > len)
+                    len = 0;
+                  else
+                    len -= codes_len;
                 }
             }
CVE-2016-7800 (#1381148) CVE-2016-7996, CVE-2016-7997 (#1383223) CVE-2016-8682, CVE-2016-8683, CVE-2016-8684 (#1385583) 8 years ago			`# HG changeset patch`
			`# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>`
			`# Date 1475336055 18000`
			`# Sat Oct 01 10:34:15 2016 -0500`
			`# Node ID 5c7b6d6094a25e99c57f8b18343914ebfd8213ef`
			`# Parent 623b741873230aaf0aaa767f14f4241f9d56a0f6`
			`Fix unsigned underflow leading to heap overflow when parsing 8BIM chunk.`

			`diff --git a/coders/meta.c b/coders/meta.c`
			`--- a/coders/meta.c`
			`+++ b/coders/meta.c`
			`@@ -396,10 +396,17 @@`
			`{`
			`if (brkused && next > 0)`
			`{`
			`+ size_t`
			`+ codes_len;`
			`+`
			`char`
			`*s = &token[next-1];`

			`- len -= convertHTMLcodes(s, strlen(s));`
			`+ codes_len = convertHTMLcodes(s, strlen(s));`
			`+ if (codes_len > len)`
			`+ len = 0;`
			`+ else`
			`+ len -= codes_len;`
			`}`
			`}`

			`@@ -450,7 +457,7 @@`
			`next=0;`
			`outputlen += len;`
			`while (len--)`
			`- (void) WriteBlobByte(ofile,token[next++]); /* boom */`
			`+ (void) WriteBlobByte(ofile,token[next++]);`

			`if (outputlen & 1)`
			`{`
			`@@ -682,10 +689,17 @@`
			`{`
			`if (brkused && next > 0)`
			`{`
			`+ size_t`
			`+ codes_len;`
			`+`
			`char`
			`*s = &token[next-1];`

			`- len -= convertHTMLcodes(s, strlen(s));`
			`+ codes_len = convertHTMLcodes(s, strlen(s));`
			`+ if (codes_len > len)`
			`+ len = 0;`
			`+ else`
			`+ len -= codes_len;`
			`}`
			`}`