# HG changeset patch # User fojtik # Date 1475404477 -7200 # Sun Oct 02 12:34:37 2016 +0200 # Node ID 17e89d5d40c96f7cee22f1c661d47b016ea2579f # Parent 5c7b6d6094a25e99c57f8b18343914ebfd8213ef * coders/wpg.c Add sanity check for palette. diff --git a/coders/wpg.c b/coders/wpg.c --- a/coders/wpg.c +++ b/coders/wpg.c @@ -1210,7 +1210,7 @@ Header.DataOffset=TellBlob(image)+Rec2.RecordLength; - if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(), + if(logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(), "Parsing object: %X", Rec2.RecType); switch(Rec2.RecType) @@ -1224,18 +1224,20 @@ WPG_Palette.StartIndex=ReadBlobLSBShort(image); WPG_Palette.NumOfEntries=ReadBlobLSBShort(image); + /* Sanity check for amount of palette entries. */ + if( (WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) > (Rec2.RecordLength-2-2) / 3) + ThrowReaderException(CorruptImageError,InvalidColormapIndex,image); + image->colors=WPG_Palette.NumOfEntries; if (!AllocateImageColormap(image,image->colors)) ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image); + for (i=WPG_Palette.StartIndex; i < (int)WPG_Palette.NumOfEntries; i++) { - image->colormap[i].red= - ScaleCharToQuantum(ReadBlobByte(image)); - image->colormap[i].green= - ScaleCharToQuantum(ReadBlobByte(image)); - image->colormap[i].blue= - ScaleCharToQuantum(ReadBlobByte(image)); + image->colormap[i].red=ScaleCharToQuantum(ReadBlobByte(image)); + image->colormap[i].green=ScaleCharToQuantum(ReadBlobByte(image)); + image->colormap[i].blue=ScaleCharToQuantum(ReadBlobByte(image)); (void) ReadBlobByte(image); /*Opacity??*/ } break;