parent
4e79dd200e
commit
90930a610a
@ -0,0 +1,112 @@
|
|||||||
|
--- ImageMagick-6.2.2/coders/xcf.c.ormandy 2006-08-23 01:39:53.000000000 -0400
|
||||||
|
+++ ImageMagick-6.2.2/coders/xcf.c 2006-08-23 01:40:09.000000000 -0400
|
||||||
|
@@ -268,7 +268,7 @@
|
||||||
|
%
|
||||||
|
%
|
||||||
|
*/
|
||||||
|
-static char *ReadBlobStringWithLongSize(Image *image,char *string)
|
||||||
|
+static char *ReadBlobStringWithLongSize(Image *image,char *string,size_t max)
|
||||||
|
{
|
||||||
|
int
|
||||||
|
c;
|
||||||
|
@@ -284,7 +284,7 @@
|
||||||
|
if (image->debug != MagickFalse)
|
||||||
|
(void) LogMagickEvent(TraceEvent,GetMagickModule(),image->filename);
|
||||||
|
length = ReadBlobMSBLong(image);
|
||||||
|
- for (i=0; i < (long) length; i++)
|
||||||
|
+ for (i=0; i < (long) Min(length, max); i++)
|
||||||
|
{
|
||||||
|
c=ReadBlobByte(image);
|
||||||
|
if (c == EOF)
|
||||||
|
@@ -693,7 +693,7 @@
|
||||||
|
outLayer->width = ReadBlobMSBLong(image);
|
||||||
|
outLayer->height = ReadBlobMSBLong(image);
|
||||||
|
outLayer->type = ReadBlobMSBLong(image);
|
||||||
|
- (void) ReadBlobStringWithLongSize(image, outLayer->name);
|
||||||
|
+ (void) ReadBlobStringWithLongSize(image, outLayer->name, 1024);
|
||||||
|
|
||||||
|
/* allocate the image for this layer */
|
||||||
|
outLayer->image=CloneImage(image,outLayer->width, outLayer->height,MagickTrue,
|
||||||
|
@@ -1099,7 +1099,7 @@
|
||||||
|
/*float factor = (float) */ (void) ReadBlobMSBLong(image);
|
||||||
|
/* unsigned long digits = */ (void) ReadBlobMSBLong(image);
|
||||||
|
for (i=0; i<5; i++)
|
||||||
|
- (void) ReadBlobStringWithLongSize(image, unit_string);
|
||||||
|
+ (void) ReadBlobStringWithLongSize(image, unit_string, sizeof(unit_string));
|
||||||
|
}
|
||||||
|
break;
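Review bot: The clamp in the `@@ -284,7 +284,7 @@` hunk stops after `Min(length, max)` bytes, but nothing visible consumes the remaining `length - max` bytes, so an oversized string leaves the blob positioned inside it and the fields that follow are parsed from the wrong offset. The rest of `ReadBlobStringWithLongSize` is outside the hunk, so confirm whether it skips the remainder. If the function stores a terminator at `string[i]` after the loop (not visible here), the call passing `sizeof(unit_string)` still writes one byte past the buffer when `length >= max`; the loop bound would then need to be `Min(length, max-1)`, with `max` checked to be non-zero. The literal `1024` passed for `outLayer->name` should be derived from the field's declaration (for example `sizeof(outLayer->name)` if it is an array) so the bound cannot drift from the buffer size.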
|
||||||
|
|
||||||
|
--- ImageMagick-6.2.2/coders/sun.c.ormandy 2006-08-23 01:39:58.000000000 -0400
|
||||||
|
+++ ImageMagick-6.2.2/coders/sun.c 2006-08-23 01:40:09.000000000 -0400
|
||||||
|
@@ -133,10 +133,10 @@
|
||||||
|
%
|
||||||
|
*/
|
||||||
|
static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
|
||||||
|
- const size_t length,unsigned char *pixels)
|
||||||
|
+ const size_t length,unsigned char *pixels,size_t maxpixels)
|
||||||
|
{
|
||||||
|
register const unsigned char
|
||||||
|
- *p;
|
||||||
|
+ *p, *l;
|
||||||
|
|
||||||
|
register unsigned char
|
||||||
|
*q;
|
||||||
|
@@ -152,7 +152,8 @@
|
||||||
|
assert(pixels != (unsigned char *) NULL);
|
||||||
|
p=compressed_pixels;
|
||||||
|
q=pixels;
|
||||||
|
- while ((size_t) (p-compressed_pixels) < length)
|
||||||
|
+ l=q+maxpixels;
|
||||||
|
+ while ((size_t) (p-compressed_pixels) < length && q < l)
|
||||||
|
{
|
||||||
|
byte=(*p++);
|
||||||
|
if (byte != 128U)
|
||||||
|
@@ -165,7 +166,7 @@
|
||||||
|
count=(ssize_t) (*p++);
|
||||||
|
if (count > 0)
|
||||||
|
byte=(*p++);
|
||||||
|
- while (count >= 0)
|
||||||
|
+ while (count >= 0 && q < l)
|
||||||
|
{
|
||||||
|
*q++=byte;
|
||||||
|
count--;
|
||||||
|
@@ -376,6 +377,8 @@
|
||||||
|
CloseBlob(image);
|
||||||
|
return(GetFirstImageInList(image));
|
||||||
|
}
|
||||||
|
+ if ((sun_info.length * sizeof(*sun_data)) / sizeof(*sun_data) != sun_info.length || !sun_info.length)
|
||||||
|
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
|
||||||
|
sun_data=(unsigned char *)
|
||||||
|
AcquireMagickMemory((size_t) sun_info.length*sizeof(*sun_data));
|
||||||
|
if (sun_data == (unsigned char *) NULL)
|
||||||
|
@@ -393,11 +396,28 @@
|
||||||
|
Read run-length encoded raster pixels.
|
||||||
|
*/
|
||||||
|
height=sun_info.height;
|
||||||
|
- bytes_per_line=2*(sun_info.width*sun_info.depth+15)/16;
|
||||||
|
+
|
||||||
|
+ /* calculate bytes per line, verifying no overflow occurs */
|
||||||
|
+ bytes_per_line=sun_info.width*sun_info.depth;
|
||||||
|
+ if (!height || !sun_info.width || !sun_info.depth || bytes_per_line / sun_info.depth != sun_info.width)
|
||||||
|
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
|
||||||
|
+
|
||||||
|
+ if ((ULONG_MAX - bytes_per_line) < 15)
|
||||||
|
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
|
||||||
|
+
|
||||||
|
+ bytes_per_line += 15;
|
||||||
|
+ bytes_per_line <<= 1;
|
||||||
|
+ if (bytes_per_line >> 1 != sun_info.width * sun_info.depth + 15)
|
||||||
|
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
|
||||||
|
+
|
||||||
|
+ bytes_per_line >>= 4;
|
||||||
|
+ if ((bytes_per_line * height) / height != bytes_per_line)
|
||||||
|
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
|
||||||
|
+
|
||||||
|
sun_pixels=(unsigned char *) AcquireMagickMemory(bytes_per_line*height);
|
||||||
|
if (sun_pixels == (unsigned char *) NULL)
|
||||||
|
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
|
||||||
|
- (void) DecodeImage(sun_data,sun_info.length,sun_pixels);
|
||||||
|
+ (void) DecodeImage(sun_data,sun_info.length,sun_pixels, bytes_per_line * height);
|
||||||
|
sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
|
||||||
|
}
|
||||||
|
/*
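Review bot: The added `q < l` tests bound the output, but the input side of `DecodeImage` is still checked only at the top of the outer loop. In the `@@ -165,7 +166,7 @@` hunk, `count=(ssize_t) (*p++);` and `byte=(*p++);` each advance `p` without comparing it to `length`, so compressed data ending in the run marker 128 reads up to two bytes past `compressed_pixels`. A guard such as `if ((size_t) (p-compressed_pixels) >= length) break;` before each of those two reads would close that; the lines between the two `DecodeImage` hunks are not shown, so this rests on the visible reads only. Separately, in the `@@ -376,6 +377,8 @@` hunk `sun_data` appears to be `unsigned char *`, so `sizeof(*sun_data)` is 1, the multiply-and-divide test can never fail, and only `!sun_info.length` has any effect.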
|
@ -0,0 +1,14 @@
|
|||||||
|
--- ImageMagick-6.2.8/coders/sgi.c.cve-2006-4144 2006-02-07 22:52:54.000000000 -0500
|
||||||
|
+++ ImageMagick-6.2.8/coders/sgi.c 2006-08-23 02:05:52.000000000 -0400
|
||||||
|
@@ -410,7 +410,11 @@
|
||||||
|
for (i=0; i < (long) (iris_info.rows*iris_info.depth); i++)
|
||||||
|
offsets[i]=(ssize_t) ReadBlobMSBLong(image);
|
||||||
|
for (i=0; i < (long) (iris_info.rows*iris_info.depth); i++)
|
||||||
|
+ {
|
||||||
|
runlength[i]=ReadBlobMSBLong(image);
|
||||||
|
+ if (runlength[i] >= (4*(size_t) iris_info.columns+10))
|
||||||
|
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
|
||||||
|
+ }
|
||||||
|
/*
|
||||||
|
Check data order.
|
||||||
|
*/
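Review bot: The limit `4*(size_t) iris_info.columns+10` is unexplained at the point of use. It presumably mirrors the size of a per-scanline buffer allocated outside this hunk, so the check should carry a comment naming the buffer it protects, or reuse a single variable for that size so the two cannot drift apart. Whether `>=` or `>` is the correct comparison depends on that allocation and should be verified against it. The throw also exits the loop while `offsets` and `runlength` are in use; if they are heap buffers (their allocation is not visible here), they should be released before `ThrowReaderException`.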
|