From 6055ec3af7254dc188ccbac418093cbc6f19344b Mon Sep 17 00:00:00 2001
From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Mon, 22 Dec 2014 01:26:10 +0000
Subject: Replaced calls to ConstrainColormapIndex with IsValidColormapIndex.

Avoid a memory leak.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17385 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin: http://trac.imagemagick.org/changeset/17385

diff --git a/coders/rle.c b/coders/rle.c
index 8d50b7e..74f4968 100644
--- a/coders/rle.c
+++ b/coders/rle.c
@@ -147,6 +147,9 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
   Image
     *image;
 
+  IndexPacket
+    index;
+
   int
     opcode,
     operand,
@@ -440,9 +443,6 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
     } while (((opcode & 0x3f) != EOFOp) && (opcode != EOF));
     if (number_colormaps != 0)
       {
-        IndexPacket
-          index;
-
         MagickStatusType
           mask;
 
@@ -451,10 +451,13 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
         */
         mask=(MagickStatusType) (map_length-1);
         p=pixels;
+        x=(ssize_t) number_planes;
         if (number_colormaps == 1)
           for (i=0; i < (ssize_t) number_pixels; i++)
           {
-            index=ConstrainColormapIndex(image,*p & mask);
+            if (IsValidColormapIndex(image,*p & mask,&index,exception) ==
+                MagickFalse)
+              break;
             *p=colormap[index];
             p++;
           }
@@ -463,10 +466,18 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
             for (i=0; i < (ssize_t) number_pixels; i++)
               for (x=0; x < (ssize_t) number_planes; x++)
               {
-                index=ConstrainColormapIndex(image,x*map_length+(*p & mask));
+                if (IsValidColormapIndex(image,(size_t) (x*map_length+
+                    (*p & mask)),&index,exception) == MagickFalse)
+                  break;
                 *p=colormap[index];
                 p++;
               }
+        if ((i < (ssize_t) number_pixels) || (x < (ssize_t) number_planes))
+          {
+            colormap=(unsigned char *) RelinquishMagickMemory(colormap);
+            pixel_info=RelinquishVirtualMemory(pixel_info);
+            ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+          }
       }
     /*
       Initialize image structure.
@@ -569,15 +580,23 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
                 break;
               for (x=0; x < (ssize_t) image->columns; x++)
               {
-                SetPixelRed(q,image->colormap[(ssize_t)
-                  ConstrainColormapIndex(image,*p++)].red);
-                SetPixelGreen(q,image->colormap[(ssize_t)
-                  ConstrainColormapIndex(image,*p++)].green);
-                SetPixelBlue(q,image->colormap[(ssize_t)
-                  ConstrainColormapIndex(image,*p++)].blue);
+                if (IsValidColormapIndex(image,*p++,&index,exception) ==
+                    MagickFalse)
+                  break;
+                SetPixelRed(q,image->colormap[(ssize_t) index].red);
+                if (IsValidColormapIndex(image,*p++,&index,exception) ==
+                    MagickFalse)
+                  break;
+                SetPixelGreen(q,image->colormap[(ssize_t) index].green);
+                if (IsValidColormapIndex(image,*p++,&index,exception) ==
+                    MagickFalse)
+                  break;
+                SetPixelBlue(q,image->colormap[(ssize_t) index].blue);
                 SetPixelAlpha(q,ScaleCharToQuantum(*p++));
                 q++;
               }
+              if (x < (ssize_t) image->columns)
+                break;
               if (SyncAuthenticPixels(image,exception) == MagickFalse)
                 break;
               if (image->previous == (Image *) NULL)
-- 
cgit v0.10.2