Sophie

Sophie

distrib > Mageia > 5 > x86_64 > by-pkgid > 857b723175ea1d5f45c5b31f25037f76 > files > 17

imagemagick-6.8.9.9-4.2.mga5.src.rpm

From 09561d37839dbfa04e017eea14811312985095d8 Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Mon, 1 Dec 2014 01:13:14 +0000
Subject: Fix heap overflow in quantum.c, palm image handling and psd image
 handling.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17142 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
Origin: http://trac.imagemagick.org/changeset/17142

diff --git a/coders/palm.c b/coders/palm.c
index 0e58f91..864c706 100644
--- a/coders/palm.c
+++ b/coders/palm.c
@@ -332,7 +332,7 @@ static Image *ReadPALMImage(const ImageInfo *image_info,
     bytes_per_row=ReadBlobMSBShort(image);
     flags=ReadBlobMSBShort(image);
     bits_per_pixel=(size_t) ReadBlobByte(image);
-    if (bits_per_pixel > 16)
+    if ((bits_per_pixel == 0) || (bits_per_pixel > 16))
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     version=(size_t) ReadBlobByte(image);
     (void) version;
diff --git a/coders/psd.c b/coders/psd.c
index 039dae1..985e32d 100644
--- a/coders/psd.c
+++ b/coders/psd.c
@@ -1741,7 +1741,7 @@ static Image *ReadPSDImage(const ImageInfo *image_info,
         (void) LogMagickEvent(CoderEvent,GetMagickModule(),
           "  reading image resource blocks - %.20g bytes",(double)
           ((MagickOffsetType) length));
-      blocks=(unsigned char *) AcquireQuantumMemory((size_t) length,
+      blocks=(unsigned char *) AcquireQuantumMemory((size_t) length+16,
         sizeof(*blocks));
       if (blocks == (unsigned char *) NULL)
         ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
diff --git a/magick/quantum.c b/magick/quantum.c
index bf44b5c..b94cd45 100644
--- a/magick/quantum.c
+++ b/magick/quantum.c
@@ -645,8 +645,9 @@ MagickExport void SetQuantumAlphaType(QuantumInfo *quantum_info,
 MagickExport MagickBooleanType SetQuantumDepth(const Image *image,
   QuantumInfo *quantum_info,const size_t depth)
 {
-  MagickBooleanType
-    status;
+  size_t
+    extent,
+    quantum;
 
   /*
     Allocate the quantum pixel buffer.
@@ -670,9 +671,11 @@ MagickExport MagickBooleanType SetQuantumDepth(const Image *image,
     }
   if (quantum_info->pixels != (unsigned char **) NULL)
     DestroyQuantumPixels(quantum_info);
-  status=AcquireQuantumPixels(quantum_info,(6+quantum_info->pad)*image->columns*
-    ((quantum_info->depth+7)/8));  /* allow for CMYKA + RLE byte + pad */
-  return(status);
+  quantum=(quantum_info->pad+6)*(quantum_info->depth+7)/8;
+  extent=image->columns*quantum;
+  if (quantum != (extent/image->columns))
+    return(MagickFalse);
+  return(AcquireQuantumPixels(quantum_info,extent));
 }
 
 /*
-- 
cgit v0.10.2

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional