From 69490f5cffbda612e15a2985699455bb0b45e276 Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Tue, 2 Dec 2014 02:11:59 +0000
Subject: Fix handling of corrupted of psd, sun and xpm file
Fix a heap overflow in psd file.
Bail early in xpm file.
Fix error handling in sun file.
git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17149 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin: http://trac.imagemagick.org/changeset/17149
diff --git a/coders/psd.c b/coders/psd.c
index 985e32d..d818fe3 100644
--- a/coders/psd.c
+++ b/coders/psd.c
@@ -799,7 +799,7 @@ static MagickStatusType ReadPSDChannelRaw(Image *image,const size_t channels,
" layer data is RAW");
row_size=GetPSDRowSize(image);
- pixels=(unsigned char *) AcquireQuantumMemory(row_size,sizeof(*pixels));
+ pixels=(unsigned char *) AcquireQuantumMemory(8*row_size,sizeof(*pixels));
if (pixels == (unsigned char *) NULL)
ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
image->filename);
@@ -868,7 +868,7 @@ static MagickStatusType ReadPSDChannelRLE(Image *image,const PSDInfo *psd_info,
" layer data is RLE compressed");
row_size=GetPSDRowSize(image);
- pixels=(unsigned char *) AcquireQuantumMemory(row_size,sizeof(*pixels));
+ pixels=(unsigned char *) AcquireQuantumMemory(8*row_size,sizeof(*pixels));
if (pixels == (unsigned char *) NULL)
ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
image->filename);
diff --git a/coders/sun.c b/coders/sun.c
index 02251b3..9ab412b 100644
--- a/coders/sun.c
+++ b/coders/sun.c
@@ -308,9 +308,9 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
sun_info.maplength=ReadBlobMSBLong(image);
if ((sun_info.type != RT_STANDARD) && (sun_info.type != RT_ENCODED) &&
(sun_info.type != RT_FORMAT_RGB))
- ThrowReaderException(CoderError,"ImproperImageHeader");
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if ((sun_info.maptype == RMT_NONE) && (sun_info.maplength != 0))
- ThrowReaderException(CoderError,"ImproperImageHeader");
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if ((sun_info.depth == 0) || (sun_info.depth > 32))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if ((sun_info.maptype != RMT_NONE) && (sun_info.maptype != RMT_EQUAL_RGB) &&
diff --git a/coders/xpm.c b/coders/xpm.c
index 98e95ce..0faaf2d 100644
--- a/coders/xpm.c
+++ b/coders/xpm.c
@@ -166,7 +166,7 @@ static size_t CopyXPMColor(char *destination,const char *source,size_t length)
static char *NextXPMLine(char *p)
{
- assert(p != (char*)NULL);
+ assert(p != (char *)NULL);
p=strchr(p,'\n');
if (p != (char *) NULL)
p++;
@@ -223,24 +223,21 @@ static char *ParseXPMColor(char *color,MagickBooleanType search_start)
}
return((char *) NULL);
}
- else
+ for (p=color+1; *p != '\0'; p++)
+ {
+ if (*p == '\n')
+ break;
+ if (isspace((int) ((unsigned char) (*(p-1)))) == 0)
+ continue;
+ if (isspace((int) ((unsigned char) (*p))) != 0)
+ continue;
+ for (i=0; i < NumberTargets; i++)
{
- for (p=color+1; *p != '\0'; p++)
- {
- if (*p == '\n')
- break;
- if (isspace((int) ((unsigned char) (*(p-1)))) == 0)
- continue;
- if (isspace((int) ((unsigned char) (*p))) != 0)
- continue;
- for (i=0; i < NumberTargets; i++)
- {
- if (*p == *targets[i] && *(p+1) == *(targets[i]+1))
- return(p);
- }
- }
- return(p);
+ if ((*p == *targets[i]) && (*(p+1) == *(targets[i]+1)))
+ return(p);
}
+ }
+ return(p);
}
static Image *ReadXPMImage(const ImageInfo *image_info,ExceptionInfo *exception)
@@ -381,7 +378,7 @@ static Image *ReadXPMImage(const ImageInfo *image_info,ExceptionInfo *exception)
*/
image->depth=1;
next=NextXPMLine(xpm_buffer);
- for (j=0; (j < (ssize_t) image->colors) && (next != (char*) NULL); j++)
+ for (j=0; (j < (ssize_t) image->colors) && (next != (char *) NULL); j++)
{
MagickPixelPacket
pixel;
diff --git a/config/english.xml b/config/english.xml
index 6c864f2..9ef56c2 100644
--- a/config/english.xml
+++ b/config/english.xml
@@ -122,6 +122,9 @@
<message name="ImageIsNotTiled">
image is not tiled
</message>
+ <message name="ImproperImageHeader">
+ improper image header
+ </message>
<message name="IrregularChannelGeometryNotSupported">
irregular channel geometry not supported
</message>
@@ -255,9 +258,6 @@
<message name="ImageTypeNotSupported">
image type not supported
</message>
- <message name="ImproperImageHeader">
- improper image header
- </message>
<message name="InsufficientImageDataInFile">
insufficient image data in file
</message>
diff --git a/config/francais.xml b/config/francais.xml
index b421ecb..1a270f7 100644
--- a/config/francais.xml
+++ b/config/francais.xml
@@ -116,6 +116,9 @@
<message name="ImageDoesNotHaveAAlphaChannel">
l'image n'a pas de canal de transparence
</message>
+ <message name="ImproperImageHeader">
+ En-tête d'image incorrect
+ </message>
<message name="ImageIsNotTiled">
l'image n'a pas tiled
</message>
@@ -255,9 +258,6 @@
<message name="ImageTypeNotSupported">
type d'image non supporté
</message>
- <message name="ImproperImageHeader">
- En-tête d'image incorrect
- </message>
<message name="InsufficientImageDataInFile">
Pas assez de données d'image dans le fichier
</message>
--
cgit v0.10.2
