GraphicsMagick/GraphicsMagick-CVE-2016-7996.patch

# HG changeset patch
# User fojtik
# Date 1475404477 -7200
#      Sun Oct 02 12:34:37 2016 +0200
# Node ID 17e89d5d40c96f7cee22f1c661d47b016ea2579f
# Parent  5c7b6d6094a25e99c57f8b18343914ebfd8213ef
* coders/wpg.c Add sanity check for palette.

diff --git a/coders/wpg.c b/coders/wpg.c
--- a/coders/wpg.c
+++ b/coders/wpg.c
@@ -1210,7 +1210,7 @@
 
           Header.DataOffset=TellBlob(image)+Rec2.RecordLength;
 
-          if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),
+          if(logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),
             "Parsing object: %X", Rec2.RecType);
 
           switch(Rec2.RecType)
@@ -1224,18 +1224,20 @@
               WPG_Palette.StartIndex=ReadBlobLSBShort(image);
               WPG_Palette.NumOfEntries=ReadBlobLSBShort(image);
 
+			/* Sanity check for amount of palette entries. */
+              if( (WPG_Palette.NumOfEntries-WPG_Palette.StartIndex) > (Rec2.RecordLength-2-2) / 3)
+                 ThrowReaderException(CorruptImageError,InvalidColormapIndex,image);                 
+ 
               image->colors=WPG_Palette.NumOfEntries;
               if (!AllocateImageColormap(image,image->colors))
                 ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
+
               for (i=WPG_Palette.StartIndex;
                    i < (int)WPG_Palette.NumOfEntries; i++)
                 {
-                  image->colormap[i].red=
-                    ScaleCharToQuantum(ReadBlobByte(image));
-                  image->colormap[i].green=
-                    ScaleCharToQuantum(ReadBlobByte(image));
-                  image->colormap[i].blue=
-                    ScaleCharToQuantum(ReadBlobByte(image));
+                  image->colormap[i].red=ScaleCharToQuantum(ReadBlobByte(image));
+                  image->colormap[i].green=ScaleCharToQuantum(ReadBlobByte(image));
+                  image->colormap[i].blue=ScaleCharToQuantum(ReadBlobByte(image));
                   (void) ReadBlobByte(image);   /*Opacity??*/
                 }
               break;