From 82f779cbc24045af2eaecb95d0842ca7b97c71f4 Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Sun, 23 Nov 2014 16:36:18 +0000
Subject: Fix handling of corrupted dpc and xwd image

Avoid a segv thus a DOS.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17092 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin: http://trac.imagemagick.org/changeset/17092

diff --git a/coders/dpx.c b/coders/dpx.c
index b7308aa..0352855 100644
--- a/coders/dpx.c
+++ b/coders/dpx.c
@@ -797,6 +797,8 @@ static Image *ReadDPXImage(const ImageInfo *image_info,ExceptionInfo *exception)
     case 7: image->orientation=RightBottomOrientation; break;
   }
   dpx.image.number_elements=ReadBlobShort(image);
+  if (dpx.image.number_elements > 8)
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
   offset+=2;
   dpx.image.pixels_per_line=ReadBlobLong(image);
   offset+=4;
diff --git a/coders/xwd.c b/coders/xwd.c
index 7b16456..644afc7 100644
--- a/coders/xwd.c
+++ b/coders/xwd.c
@@ -275,6 +275,8 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
   if ((ximage->depth < 0) || (ximage->width < 0) || (ximage->height < 0) ||
       (ximage->bitmap_pad < 0) || (ximage->bytes_per_line < 0))
     ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+  if ((ximage->width > 65535) || (ximage->height > 65535))
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
   if ((ximage->bits_per_pixel > 32) || (ximage->bitmap_unit > 32))
     ThrowReaderException(CorruptImageError,"ImproperImageHeader");
   x_status=XInitImage(ximage);
@@ -407,14 +409,12 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
             {
               pixel=XGetPixel(ximage,(int) x,(int) y);
               index=(IndexPacket) ((pixel >> red_shift) & red_mask);
-              SetPixelRed(q,ScaleShortToQuantum(colors[(ssize_t)
-                index].red));
+              SetPixelRed(q,ScaleShortToQuantum(colors[(ssize_t) index].red));
               index=(IndexPacket) ((pixel >> green_shift) & green_mask);
               SetPixelGreen(q,ScaleShortToQuantum(colors[(ssize_t)
                 index].green));
               index=(IndexPacket) ((pixel >> blue_shift) & blue_mask);
-              SetPixelBlue(q,ScaleShortToQuantum(colors[(ssize_t)
-                index].blue));
+              SetPixelBlue(q,ScaleShortToQuantum(colors[(ssize_t) index].blue));
               q++;
             }
             if (SyncAuthenticPixels(image,exception) == MagickFalse)
@@ -436,18 +436,15 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception)
               color=(pixel >> red_shift) & red_mask;
               if (red_mask != 0)
                 color=(color*65535UL)/red_mask;
-              SetPixelRed(q,ScaleShortToQuantum((unsigned short)
-                color));
+              SetPixelRed(q,ScaleShortToQuantum((unsigned short) color));
               color=(pixel >> green_shift) & green_mask;
               if (green_mask != 0)
                 color=(color*65535UL)/green_mask;
-              SetPixelGreen(q,ScaleShortToQuantum((unsigned short)
-                color));
+              SetPixelGreen(q,ScaleShortToQuantum((unsigned short) color));
               color=(pixel >> blue_shift) & blue_mask;
               if (blue_mask != 0)
                 color=(color*65535UL)/blue_mask;
-              SetPixelBlue(q,ScaleShortToQuantum((unsigned short)
-                color));
+              SetPixelBlue(q,ScaleShortToQuantum((unsigned short) color));
               q++;
             }
             if (SyncAuthenticPixels(image,exception) == MagickFalse)
-- 
cgit v0.10.2