From e24de96ab25b396ae914a7640ff4d61e58c40cf0 Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Sat, 29 Nov 2014 17:16:15 +0000
Subject: Avoid a heap buffer overflow in pdb file handling
git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17132 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin: http://trac.imagemagick.org/changeset/17132
diff --git a/coders/pdb.c b/coders/pdb.c
index 117538d..af6bfec 100644
--- a/coders/pdb.c
+++ b/coders/pdb.c
@@ -402,12 +402,11 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
(void) CloseBlob(image);
return(GetFirstImageInList(image));
}
- packets=bits_per_pixel*image->columns/8;
+ packets=(bits_per_pixel*image->columns+7)/8;
pixels=(unsigned char *) AcquireQuantumMemory(packets+256UL,image->rows*
sizeof(*pixels));
if (pixels == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-
switch (pdb_image.version & 0x07)
{
case 0:
@@ -528,7 +527,6 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
default:
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
}
-
pixels=(unsigned char *) RelinquishMagickMemory(pixels);
if (EOFBlob(image) != MagickFalse)
ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile",
@@ -801,7 +799,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
if (image->columns % 16)
pdb_image.width=(short) (16*(image->columns/16+1));
pdb_image.height=(short) image->rows;
- packets=(bits_per_pixel*image->columns/8+4)*image->rows;
+ packets=((bits_per_pixel*image->columns+7)/8)*image->rows;
runlength=(unsigned char *) AcquireQuantumMemory(2UL*packets,
sizeof(*runlength));
if (runlength == (unsigned char *) NULL)
--
cgit v0.10.2
