You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
ImageMagick/ImageMagick-6.2.8-CVE-2007-...

38 lines
1.9 KiB

--- ImageMagick/coders/dcm.c.orig 2007-04-03 18:27:57.000000000 +0200
+++ ImageMagick/coders/dcm.c 2007-04-03 18:31:16.000000000 +0200
@@ -2902,6 +2902,8 @@ static Image *ReadDCMImage(const ImageIn
{
data=(unsigned char *)
AcquireMagickMemory((size_t) quantum*(length+1));
+ if (length > ((~0UL)/quantum))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if (data == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,
"MemoryAllocationFailed");
--- ImageMagick/coders/xwd.c.orig 2007-04-03 19:21:18.000000000 +0200
+++ ImageMagick/coders/xwd.c 2007-04-03 19:24:36.000000000 +0200
@@ -236,7 +236,9 @@ static Image *ReadXWDImage(const ImageIn
if (header.header_size < sz_XWDheader)
ThrowReaderException(CorruptImageError,"CorruptImage");
length=(size_t) header.header_size-sz_XWDheader;
- comment=(char *) AcquireMagickMemory(length+MaxTextExtent);
+ if (length > ((~0UL)/sizeof(*comment)))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ comment=(char *) AcquireMagickMemory((length+1)*sizeof(*comment));
if (comment == (char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
count=ReadBlob(image,length,(unsigned char *) comment);
@@ -278,8 +281,10 @@ static Image *ReadXWDImage(const ImageIn
XWDColor
color;
- colors=(XColor *)
- AcquireMagickMemory((size_t) header.ncolors*sizeof(*colors));
+ length=(size_t) header.ncolors;
+ if (length > ((~0UL)/sizeof(*colors)))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ colors=(XColor *) AcquireMagickMemory(length*sizeof(*colors));
if (colors == (XColor *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
for (i=0; i < (long) header.ncolors; i++)