
imagemagick-6.8.9.9-4.2.mga5.src.rpm

From be644895456764f2c2670f297d9d9860ff0bdd75 Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Thu, 20 Nov 2014 23:41:24 +0000
Subject: Fix a double free in pdb coder

Fix a double free, and thus a DoS, in the pdb coder

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17080 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin: http://trac.imagemagick.org/changeset/17080

diff --git a/coders/pdb.c b/coders/pdb.c
index 69490e0..117538d 100644
--- a/coders/pdb.c
+++ b/coders/pdb.c
@@ -34,13 +34,13 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %
 %
-    20071202 TS * rewrote RLE decoder - old version could cause buffer overflows
-                * failure of RLE decoding now thows error RLEDecoderError
-                * fixed bug in RLE decoding - now all rows are decoded, not just
-      the first one
-    * fixed bug in reader - record offsets now handled correctly
-    * fixed bug in reader - only bits 0..2 indicate compression type
-                * in writer: now using image color count instead of depth
+%   20071202 TS * rewrote RLE decoder - old version could cause buffer overflows
+%               * failure of RLE decoding now thows error RLEDecoderError
+%               * fixed bug in RLE decoding - now all rows are decoded, not just
+%     the first one
+%   * fixed bug in reader - record offsets now handled correctly
+%   * fixed bug in reader - only bits 0..2 indicate compression type
+%               * in writer: now using image color count instead of depth
 */
 
 /*
@@ -268,7 +268,7 @@ static MagickBooleanType IsPDB(const unsigned char *magick,const size_t length)
 static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
 {
   unsigned char
-    attributes, /* TS */
+    attributes,
     tag[3];
 
   Image
@@ -300,13 +300,13 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
 
   size_t
     bits_per_pixel,
-    num_pad_bytes, /* TS */
+    num_pad_bytes,
     one,
     packets;
 
   ssize_t
     count,
-    img_offset, /* TS */
+    img_offset,
     comment_offset = 0,
     y;
 
@@ -355,7 +355,7 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
   /*
     Read record header.
   */
-  img_offset=(int) ReadBlobMSBLong(image); /* TS */
+  img_offset=(ssize_t) ((int) ReadBlobMSBLong(image));
   attributes=(unsigned char) ReadBlobByte(image);
   (void) attributes;
   count=ReadBlob(image,3,(unsigned char *) tag);
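Review bot: The record offset stored in `img_offset` comes straight from the file and is sign-extended through `(int)`, so any value with the top bit set becomes a negative `ssize_t`, and nothing in this hunk bounds it. The same applies to `comment_offset` in the next hunk. How the two offsets are consumed is outside these hunks, but if they are later subtracted from or compared with the blob position, an offset that lies before the current position should be rejected first, for example `if (img_offset < TellBlob(image)) ThrowReaderException(CorruptImageError,"CorruptImage");`. ReadPDBImage's body starts and ends outside the hunk.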
@@ -363,7 +363,7 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
     ThrowReaderException(CorruptImageError,"CorruptImage");
   if (pdb_info.number_records > 1)
     {
-      comment_offset=(int) ReadBlobMSBLong(image);
+      comment_offset=(ssize_t) ((int) ReadBlobMSBLong(image));
       attributes=(unsigned char) ReadBlobByte(image);
       count=ReadBlob(image,3,(unsigned char *) tag);
       if (count != 3  ||  memcmp(tag,"\x6f\x80\x01",3) != 0)
@@ -376,7 +376,7 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
   */
   count=ReadBlob(image,32,(unsigned char *) pdb_image.name);
   pdb_image.version=ReadBlobByte(image);
-  pdb_image.type=ReadBlobByte(image);
+  pdb_image.type=(unsigned char) ReadBlobByte(image);
   pdb_image.reserved_1=ReadBlobMSBLong(image);
   pdb_image.note=ReadBlobMSBLong(image);
   pdb_image.x_last=(short) ReadBlobMSBShort(image);
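Review bot: The `count` returned by the 32-byte read into `pdb_image.name` is not checked in the visible lines, and the new `(unsigned char)` cast on `pdb_image.type` folds an `EOF` return into 0xff, so a truncated image header cannot be told apart from real field values here. Unless a check follows outside the hunk, add `if (count != 32) ThrowReaderException(CorruptImageError,"CorruptImage");` after the name read, or test `EOFBlob(image)` once the header fields have been read. The header parsing continues past the end of this hunk.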
@@ -408,7 +408,7 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
   if (pixels == (unsigned char *) NULL)
     ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
 
-  switch (pdb_image.version & 7) /* TS */
+  switch (pdb_image.version & 0x07)
   {
     case 0:
     {
@@ -420,7 +420,7 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
     {
       image->compression=RLECompression;
       if (!DecodeImage(image, pixels, packets * image -> rows))
-        ThrowReaderException( CorruptImageError, "RLEDecoderError" ); /* TS */
+        ThrowReaderException( CorruptImageError, "RLEDecoderError" );
       break;
     }
     default:
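Review bot: The `RLEDecoderError` path throws while `pixels` is still allocated (the allocation and its NULL check are visible in the previous hunk), and nothing on this line releases it. Unless `ThrowReaderException` frees it, which is not visible here, every corrupt RLE file leaks the pixel buffer, and that adds up in a long-running process that converts untrusted files. Release it before throwing: `{ pixels=(unsigned char *) RelinquishMagickMemory(pixels); ThrowReaderException(CorruptImageError,"RLEDecoderError"); }`. The switch continues outside the hunk, so its `default:` branch should be checked for the same pattern.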
@@ -533,7 +533,7 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
   if (EOFBlob(image) != MagickFalse)
     ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile",
       image->filename);
-  if (pdb_info.number_records > 1) /* TS */
+  if (pdb_info.number_records > 1)
     {
       char
         *comment;
@@ -742,16 +742,16 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
   if (status == MagickFalse)
     return(status);
   (void) TransformImageColorspace(image,sRGBColorspace);
-  if (image -> colors <= 2  ||  GetImageType( image, &image -> exception ) == BilevelType) { /* TS */
-    bits_per_pixel = 1;
-  } else if (image -> colors <= 4) {
-    bits_per_pixel = 2;
-  } else if (image -> colors <= 8) {
-    bits_per_pixel = 3;
+  if ((image -> colors <= 2 ) ||
+      (GetImageType(image,&image->exception ) == BilevelType)) {
+    bits_per_pixel=1;
+  } else if (image->colors <= 4) {
+    bits_per_pixel=2;
+  } else if (image->colors <= 8) {
+    bits_per_pixel=3;
   } else {
-    bits_per_pixel = 4;
+    bits_per_pixel=4;
   }
-
   (void) ResetMagickMemory(pdb_info.name,0,32);
   (void) CopyMagickString(pdb_info.name,image_info->filename,32);
   pdb_info.attributes=0;
@@ -801,7 +801,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
   if (image->columns % 16)
     pdb_image.width=(short) (16*(image->columns/16+1));
   pdb_image.height=(short) image->rows;
-  packets=(bits_per_pixel*image->columns/8)*image->rows;
+  packets=(bits_per_pixel*image->columns/8+4)*image->rows;
   runlength=(unsigned char *) AcquireQuantumMemory(2UL*packets,
     sizeof(*runlength));
   if (runlength == (unsigned char *) NULL)
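Review bot: The `+4` added to the per-row size is an unexplained constant, and the row size is still derived from `image->columns` while the encode loop in a later hunk runs to the padded `pdb_image.width`. Either derive the row size from the padded width or add a comment stating why four extra bytes per row bound what the loop writes. Separately, `pdb_image.width` and `pdb_image.height` are produced by `(short)` casts, so dimensions above 32767 truncate silently. Guard before the casts with something like `if ((image->columns > 32767) || (image->rows > 32767)) ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit");`. WritePDBImage's body extends beyond this hunk on both sides.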
@@ -834,7 +834,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
       break;
     (void) ExportQuantumPixels(image,(const CacheView *) NULL,quantum_info,
       GrayQuantum,scanline,&image->exception);
-    for (x=0; x < pdb_image.width; x++)
+    for (x=0; x < (ssize_t) pdb_image.width; x++)
     {
       if (x < (ssize_t) image->columns)
         buffer[literal+repeat]|=(0xff-scanline[x*packet_size]) >>
@@ -882,7 +882,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
       }
     }
     status=SetImageProgress(image,SaveImageTag,(MagickOffsetType) y,
-                image->rows);
+      image->rows);
     if (status == MagickFalse)
       break;
   }
@@ -893,8 +893,8 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
   /*
     Write the Image record header.
   */
-  (void) WriteBlobMSBLong(image,(unsigned int)
-    (TellBlob(image)+8*pdb_info.number_records));
+  (void) WriteBlobMSBLong(image,(unsigned int) (TellBlob(image)+8*
+    pdb_info.number_records));
   (void) WriteBlobByte(image,0x40);
   (void) WriteBlobByte(image,0x6f);
   (void) WriteBlobByte(image,0x80);
-- 
cgit v0.10.2