From 09561d37839dbfa04e017eea14811312985095d8 Mon Sep 17 00:00:00 2001 From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74> Date: Mon, 1 Dec 2014 01:13:14 +0000 Subject: Fix heap overflow in quantum.c, palm image handling and psd image handling. git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17142 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74 Origin: http://trac.imagemagick.org/changeset/17142 diff --git a/coders/palm.c b/coders/palm.c index 0e58f91..864c706 100644 --- a/coders/palm.c +++ b/coders/palm.c @@ -332,7 +332,7 @@ static Image *ReadPALMImage(const ImageInfo *image_info, bytes_per_row=ReadBlobMSBShort(image); flags=ReadBlobMSBShort(image); bits_per_pixel=(size_t) ReadBlobByte(image); - if (bits_per_pixel > 16) + if ((bits_per_pixel == 0) || (bits_per_pixel > 16)) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); version=(size_t) ReadBlobByte(image); (void) version; diff --git a/coders/psd.c b/coders/psd.c index 039dae1..985e32d 100644 --- a/coders/psd.c +++ b/coders/psd.c @@ -1741,7 +1741,7 @@ static Image *ReadPSDImage(const ImageInfo *image_info, (void) LogMagickEvent(CoderEvent,GetMagickModule(), " reading image resource blocks - %.20g bytes",(double) ((MagickOffsetType) length)); - blocks=(unsigned char *) AcquireQuantumMemory((size_t) length, + blocks=(unsigned char *) AcquireQuantumMemory((size_t) length+16, sizeof(*blocks)); if (blocks == (unsigned char *) NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); diff --git a/magick/quantum.c b/magick/quantum.c index bf44b5c..b94cd45 100644 --- a/magick/quantum.c +++ b/magick/quantum.c @@ -645,8 +645,9 @@ MagickExport void SetQuantumAlphaType(QuantumInfo *quantum_info, MagickExport MagickBooleanType SetQuantumDepth(const Image *image, QuantumInfo *quantum_info,const size_t depth) { - MagickBooleanType - status; + size_t + extent, + quantum; /* Allocate the quantum pixel buffer. @@ -670,9 +671,11 @@ MagickExport MagickBooleanType SetQuantumDepth(const Image *image, } if (quantum_info->pixels != (unsigned char **) NULL) DestroyQuantumPixels(quantum_info); - status=AcquireQuantumPixels(quantum_info,(6+quantum_info->pad)*image->columns* - ((quantum_info->depth+7)/8)); /* allow for CMYKA + RLE byte + pad */ - return(status); + quantum=(quantum_info->pad+6)*(quantum_info->depth+7)/8; + extent=image->columns*quantum; + if (quantum != (extent/image->columns)) + return(MagickFalse); + return(AcquireQuantumPixels(quantum_info,extent)); } /* -- cgit v0.10.2