From b8df15144d91a19ed545893ea492363635a1cb29 Mon Sep 17 00:00:00 2001 From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74> Date: Wed, 17 Dec 2014 07:25:30 +0000 Subject: Fixed boundary checks in DecodePSDPixels. git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17310 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74 Origin: http://trac.imagemagick.org/changeset/17310 diff --git a/coders/psd.c b/coders/psd.c index 8c99dc9..eaeb6bc 100644 --- a/coders/psd.c +++ b/coders/psd.c @@ -326,6 +326,16 @@ static ssize_t DecodePSDPixels(const size_t number_compact_pixels, const unsigned char *compact_pixels,const ssize_t depth, const size_t number_pixels,unsigned char *pixels) { +#define CheckNumberCompactPixels \ + if (packets == 0) \ + return(i); \ + packets-- + +#define CheckNumberPixels(count) \ + if (((ssize_t) i + count) > (ssize_t) number_pixels) \ + return(i); \ + i+=count + int pixel; @@ -342,23 +352,22 @@ static ssize_t DecodePSDPixels(const size_t number_compact_pixels, packets=(ssize_t) number_compact_pixels; for (i=0; (packets > 1) && (i < (ssize_t) number_pixels); ) { + CheckNumberCompactPixels; length=(size_t) (*compact_pixels++); - packets--; if (length == 128) continue; if (length > 128) { length=256-length+1; - if (((ssize_t) length+i) > (ssize_t) number_pixels) - length=number_pixels-(size_t) i; + CheckNumberCompactPixels; pixel=(*compact_pixels++); - packets--; for (j=0; j < (ssize_t) length; j++) { switch (depth) { case 1: { + CheckNumberPixels(8); *pixels++=(pixel >> 7) & 0x01 ? 0U : 255U; *pixels++=(pixel >> 6) & 0x01 ? 0U : 255U; *pixels++=(pixel >> 5) & 0x01 ? 0U : 255U; @@ -367,29 +376,28 @@ static ssize_t DecodePSDPixels(const size_t number_compact_pixels, *pixels++=(pixel >> 2) & 0x01 ? 0U : 255U; *pixels++=(pixel >> 1) & 0x01 ? 0U : 255U; *pixels++=(pixel >> 0) & 0x01 ? 0U : 255U; - i+=8; - break; - } - case 4: - { - *pixels++=(unsigned char) ((pixel >> 4) & 0xff); - *pixels++=(unsigned char) ((pixel & 0x0f) & 0xff); - i+=2; break; } case 2: { + CheckNumberPixels(4); *pixels++=(unsigned char) ((pixel >> 6) & 0x03); *pixels++=(unsigned char) ((pixel >> 4) & 0x03); *pixels++=(unsigned char) ((pixel >> 2) & 0x03); *pixels++=(unsigned char) ((pixel & 0x03) & 0x03); - i+=4; + break; + } + case 4: + { + CheckNumberPixels(2); + *pixels++=(unsigned char) ((pixel >> 4) & 0xff); + *pixels++=(unsigned char) ((pixel & 0x0f) & 0xff); break; } default: { + CheckNumberPixels(1); *pixels++=(unsigned char) pixel; - i++; break; } } @@ -397,14 +405,13 @@ static ssize_t DecodePSDPixels(const size_t number_compact_pixels, continue; } length++; - if (((ssize_t) length+i) > (ssize_t) number_pixels) - length=number_pixels-(size_t) i; for (j=0; j < (ssize_t) length; j++) { switch (depth) { case 1: { + CheckNumberPixels(8); *pixels++=(*compact_pixels >> 7) & 0x01 ? 0U : 255U; *pixels++=(*compact_pixels >> 6) & 0x01 ? 0U : 255U; *pixels++=(*compact_pixels >> 5) & 0x01 ? 0U : 255U; @@ -413,32 +420,32 @@ static ssize_t DecodePSDPixels(const size_t number_compact_pixels, *pixels++=(*compact_pixels >> 2) & 0x01 ? 0U : 255U; *pixels++=(*compact_pixels >> 1) & 0x01 ? 0U : 255U; *pixels++=(*compact_pixels >> 0) & 0x01 ? 0U : 255U; - i+=8; - break; - } - case 4: - { - *pixels++=(*compact_pixels >> 4) & 0xff; - *pixels++=(*compact_pixels & 0x0f) & 0xff; - i+=2; break; } case 2: { + CheckNumberPixels(4); *pixels++=(*compact_pixels >> 6) & 0x03; *pixels++=(*compact_pixels >> 4) & 0x03; *pixels++=(*compact_pixels >> 2) & 0x03; *pixels++=(*compact_pixels & 0x03) & 0x03; - i+=4; + break; + } + case 4: + { + CheckNumberPixels(2); + *pixels++=(*compact_pixels >> 4) & 0xff; + *pixels++=(*compact_pixels & 0x0f) & 0xff; break; } default: { + CheckNumberPixels(1); *pixels++=(*compact_pixels); - i++; break; } } + CheckNumberCompactPixels; compact_pixels++; } } @@ -800,7 +807,7 @@ static MagickStatusType ReadPSDChannelRaw(Image *image,const size_t channels, " layer data is RAW"); row_size=GetPSDRowSize(image); - pixels=(unsigned char *) AcquireQuantumMemory(row_size,8*sizeof(*pixels)); + pixels=(unsigned char *) AcquireQuantumMemory(row_size,sizeof(*pixels)); if (pixels == (unsigned char *) NULL) ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed", image->filename); @@ -869,7 +876,7 @@ static MagickStatusType ReadPSDChannelRLE(Image *image,const PSDInfo *psd_info, " layer data is RLE compressed"); row_size=GetPSDRowSize(image); - pixels=(unsigned char *) AcquireQuantumMemory(row_size,8*sizeof(*pixels)); + pixels=(unsigned char *) AcquireQuantumMemory(row_size,sizeof(*pixels)); if (pixels == (unsigned char *) NULL) ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed", image->filename); @@ -879,14 +886,7 @@ static MagickStatusType ReadPSDChannelRLE(Image *image,const PSDInfo *psd_info, if ((MagickOffsetType) length < offsets[y]) length=(size_t) offsets[y]; - if (length > row_size + 256) // arbitrary number - { - pixels=(unsigned char *) RelinquishMagickMemory(pixels); - ThrowBinaryException(CoderError,"InvalidLength", - image->filename); - } - compact_pixels=(unsigned char *) AcquireQuantumMemory(length,8* - sizeof(*pixels)); + compact_pixels=(unsigned char *) AcquireQuantumMemory(length,sizeof(*pixels)); if (compact_pixels == (unsigned char *) NULL) { pixels=(unsigned char *) RelinquishMagickMemory(pixels); -- cgit v0.10.2