From 388a19a5de6fe4d1dbd2156fbe87920b0ba4c973 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Mon, 7 Dec 2015 16:04:17 +0100
Subject: Fix overflow in pict image parsing  Backport a small part of an
 upstream commit fixing  an issue with pict image parsing. Origin: backport,
 https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734
 Bug-Ubuntu:
 https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803
 Applied-Upstream: 7.0.0 Last-Update: 2015-11-27 --- This patch header follows
 DEP-3: http://dep.debian.net/deps/dep3/

---
 coders/pict.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/coders/pict.c b/coders/pict.c
index 93ffc22..2d4b50f 100644
--- a/coders/pict.c
+++ b/coders/pict.c
@@ -1595,7 +1595,8 @@ static MagickBooleanType WritePICTImage(const ImageInfo *image_info,
     storage_class;
 
   ssize_t
-    y;
+    y,
+    row_bytes;
 
   unsigned char
     *buffer,
@@ -1605,7 +1606,6 @@ static MagickBooleanType WritePICTImage(const ImageInfo *image_info,
 
   unsigned short
     base_address,
-    row_bytes,
     transfer_mode;
 
   /*
@@ -1636,7 +1636,7 @@ static MagickBooleanType WritePICTImage(const ImageInfo *image_info,
   source_rectangle=size_rectangle;
   destination_rectangle=size_rectangle;
   base_address=0xff;
-  row_bytes=(unsigned short) (image->columns | 0x8000);
+  row_bytes=image->columns;
   bounds.top=0;
   bounds.left=0;
   bounds.bottom=(short) image->rows;
@@ -1666,7 +1666,7 @@ static MagickBooleanType WritePICTImage(const ImageInfo *image_info,
       pixmap.bits_per_pixel=32;
       pixmap.pack_type=0x04;
       transfer_mode=0x40;
-      row_bytes=(unsigned short) ((4*image->columns) | 0x8000);
+      row_bytes=4*image->columns;
     }
   /*
     Allocate memory.
-- 
cgit v0.11.2