From c264f9c466f22736c9fd9f8a7051f6b71ecb2c0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Tue, 23 Dec 2014 14:53:08 +0100
Subject: Fix heap overflow in pcx file, psd, pict and wpf files and DOS in xpm
 file

The rest of the upstream patch is only whitespace change. Do not commit it.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17166 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin:  http://trac.imagemagick.org/changeset/17166

diff --git a/coders/pcx.c b/coders/pcx.c
index 2257c71..c899bf0 100644
--- a/coders/pcx.c
+++ b/coders/pcx.c
@@ -404,7 +404,7 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     scanline=(unsigned char *) AcquireQuantumMemory(MagickMax(image->columns,
       pcx_info.bytes_per_line),MagickMax(8,pcx_info.planes)*sizeof(*scanline));
-    pixel_info=AcquireVirtualMemory(pcx_packets,sizeof(*pixels));
+    pixel_info=AcquireVirtualMemory(pcx_packets,2*sizeof(*pixels));
     if ((scanline == (unsigned char *) NULL) ||
         (pixel_info == (MemoryInfo *) NULL))
       {
diff --git a/coders/pict.c b/coders/pict.c
index 35fb56e..f6165a4 100644
--- a/coders/pict.c
+++ b/coders/pict.c
@@ -473,7 +473,8 @@ static unsigned char *DecodeImage(Image *blob,Image *image,
     return((unsigned char *) NULL);
   *extent=row_bytes*image->rows*sizeof(*pixels);
   (void) ResetMagickMemory(pixels,0,*extent);
-  scanline=(unsigned char *) AcquireQuantumMemory(row_bytes,sizeof(*scanline));
+  scanline=(unsigned char *) AcquireQuantumMemory(row_bytes,2*
+    sizeof(*scanline));
   if (scanline == (unsigned char *) NULL)
     return((unsigned char *) NULL);
   if (bytes_per_line < 8)
diff --git a/coders/psd.c b/coders/psd.c
index 2aff362..f4dec69 100644
--- a/coders/psd.c
+++ b/coders/psd.c
@@ -50,6 +50,7 @@
 #include "magick/cache.h"
 #include "magick/channel.h"
 #include "magick/colormap.h"
+#include "magick/colormap-private.h"
 #include "magick/colorspace.h"
 #include "magick/colorspace-private.h"
 #include "magick/constitute.h"
@@ -711,7 +712,7 @@ static MagickStatusType ReadPSDChannelPixels(Image *image,const size_t channels,
             else
               SetPixelIndex(indexes+x,ScaleQuantumToShort(pixel))
             SetPixelRGBO(q,image->colormap+(ssize_t)
-              GetPixelIndex(indexes+x));
+              ConstrainColormapIndex(image,GetPixelIndex(indexes+x)));
             if (image->depth == 1)
               {
                 ssize_t
@@ -799,7 +800,7 @@ static MagickStatusType ReadPSDChannelRaw(Image *image,const size_t channels,
        "      layer data is RAW");
 
   row_size=GetPSDRowSize(image);
-  pixels=(unsigned char *) AcquireQuantumMemory(8*row_size,sizeof(*pixels));
+  pixels=(unsigned char *) AcquireQuantumMemory(row_size,8*sizeof(*pixels));
   if (pixels == (unsigned char *) NULL)
     ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
       image->filename);
@@ -868,7 +869,7 @@ static MagickStatusType ReadPSDChannelRLE(Image *image,const PSDInfo *psd_info,
        "      layer data is RLE compressed");
 
   row_size=GetPSDRowSize(image);
-  pixels=(unsigned char *) AcquireQuantumMemory(8*row_size,sizeof(*pixels));
+  pixels=(unsigned char *) AcquireQuantumMemory(row_size,8*sizeof(*pixels));
   if (pixels == (unsigned char *) NULL)
     ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
       image->filename);
@@ -884,7 +885,8 @@ static MagickStatusType ReadPSDChannelRLE(Image *image,const PSDInfo *psd_info,
       ThrowBinaryException(CoderError,"InvalidLength",
         image->filename);
     }
-  compact_pixels=(unsigned char *) AcquireQuantumMemory(length,sizeof(*pixels));
+  compact_pixels=(unsigned char *) AcquireQuantumMemory(length,8*
+    sizeof(*pixels));
   if (compact_pixels == (unsigned char *) NULL)
     {
       pixels=(unsigned char *) RelinquishMagickMemory(pixels);
diff --git a/coders/wpg.c b/coders/wpg.c
index 24430c7..edcf4c2 100644
--- a/coders/wpg.c
+++ b/coders/wpg.c
@@ -474,7 +474,7 @@ static int UnpackWPGRaster(Image *image,int bpp)
 
   ldblk=(ssize_t) ((bpp*image->columns+7)/8);
   BImgBuff=(unsigned char *) AcquireQuantumMemory((size_t) ldblk,
-    4*sizeof(*BImgBuff));
+    8*sizeof(*BImgBuff));
   if(BImgBuff==NULL) return(-2);
 
   while(y<(ssize_t) image->rows)
diff --git a/coders/xpm.c b/coders/xpm.c
index 0faaf2d..34d3511 100644
--- a/coders/xpm.c
+++ b/coders/xpm.c
@@ -166,7 +166,7 @@ static size_t CopyXPMColor(char *destination,const char *source,size_t length)
 
 static char *NextXPMLine(char *p)
 {
-  assert(p != (char *)NULL);
+  assert(p != (char *) NULL);
   p=strchr(p,'\n');
   if (p != (char *) NULL)
     p++;
@@ -396,6 +396,8 @@ static Image *ReadXPMImage(const ImageInfo *image_info,ExceptionInfo *exception)
       {
         while ((isspace((int) ((unsigned char) *q)) == 0) && (*q != '\0'))
           q++;
+        if ((next-q) < 0)
+          break;
         if (next != (char *) NULL)
           (void) CopyXPMColor(target,q,MagickMin((size_t) (next-q),
             MaxTextExtent));
-- 
cgit v0.10.2