--- ImageMagick-6.2.8.orig/coders/xcf.c 2008-01-29 12:08:30.000000000 +1000
+++ ImageMagick-6.2.8/coders/xcf.c 2008-02-07 15:06:49.000000000 +1000
@@ -310,6 +310,8 @@ static int load_tile (Image* image, Imag
sizeof(*xcfdata));
graydata = (unsigned char *)xcfdata; /* used by gray and indexed */
nmemb_read_successfully = ReadBlob(image, data_length, (unsigned char *) xcfdata);
+ if (nmemb_read_successfully > (ssize_t) (tile_image->columns*tile_image->rows))
+ ThrowBinaryException(CorruptImageError,"NotEnoughPixelData",image->filename);
q=SetImagePixels(tile_image,0,0,tile_image->columns,tile_image->rows);
@@ -556,6 +558,8 @@ static int load_level (Image* image, XCF
/* 1.5 is probably more
than we need to allow */
+ if (offset2-offset > (MagickOffsetType) (TILE_WIDTH * TILE_WIDTH * 4* 1.5))
+ ThrowBinaryException(CorruptImageError,"CorruptImage",image->filename);
/* seek to the tile offset */
(void) SeekBlob(image, offset, SEEK_SET);
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
74bdc23aeb29a62bae00d025b2b6f2cf
>
files
>
8
