You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
59 lines
1.7 KiB
59 lines
1.7 KiB
# HG changeset patch
|
|
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
|
|
# Date 1475336055 18000
|
|
# Sat Oct 01 10:34:15 2016 -0500
|
|
# Node ID 5c7b6d6094a25e99c57f8b18343914ebfd8213ef
|
|
# Parent 623b741873230aaf0aaa767f14f4241f9d56a0f6
|
|
Fix unsigned underflow leading to heap overflow when parsing 8BIM chunk.
|
|
|
|
diff --git a/coders/meta.c b/coders/meta.c
|
|
--- a/coders/meta.c
|
|
+++ b/coders/meta.c
|
|
@@ -396,10 +396,17 @@
|
|
{
|
|
if (brkused && next > 0)
|
|
{
|
|
+ size_t
|
|
+ codes_len;
|
|
+
|
|
char
|
|
*s = &token[next-1];
|
|
|
|
- len -= convertHTMLcodes(s, strlen(s));
|
|
+ codes_len = convertHTMLcodes(s, strlen(s));
|
|
+ if (codes_len > len)
|
|
+ len = 0;
|
|
+ else
|
|
+ len -= codes_len;
|
|
}
|
|
}
|
|
|
|
@@ -450,7 +457,7 @@
|
|
next=0;
|
|
outputlen += len;
|
|
while (len--)
|
|
- (void) WriteBlobByte(ofile,token[next++]); /* boom */
|
|
+ (void) WriteBlobByte(ofile,token[next++]);
|
|
|
|
if (outputlen & 1)
|
|
{
|
|
@@ -682,10 +689,17 @@
|
|
{
|
|
if (brkused && next > 0)
|
|
{
|
|
+ size_t
|
|
+ codes_len;
|
|
+
|
|
char
|
|
*s = &token[next-1];
|
|
|
|
- len -= convertHTMLcodes(s, strlen(s));
|
|
+ codes_len = convertHTMLcodes(s, strlen(s));
|
|
+ if (codes_len > len)
|
|
+ len = 0;
|
|
+ else
|
|
+ len -= codes_len;
|
|
}
|
|
}
|
|
|