From f95f67226e86c19c8ac740fd8064fa3468efc061 Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Thu, 20 Nov 2014 23:41:24 +0000
Subject: [PATCH] Fix a double free in pdb coder

Fix a double free, and thus a denial of service (DoS), in the pdb coder

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17080 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin: http://trac.imagemagick.org/changeset/17080
---
 coders/pdb.c | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/coders/pdb.c b/coders/pdb.c
index b02a28a..1ef9d6b 100644
--- a/coders/pdb.c
+++ b/coders/pdb.c
@@ -34,13 +34,13 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %
 %
-    20071202 TS * rewrote RLE decoder - old version could cause buffer overflows
-                * failure of RLE decoding now thows error RLEDecoderError
-                * fixed bug in RLE decoding - now all rows are decoded, not just
-      the first one
-    * fixed bug in reader - record offsets now handled correctly
-    * fixed bug in reader - only bits 0..2 indicate compression type
-                * in writer: now using image color count instead of depth
+%   20071202 TS * rewrote RLE decoder - old version could cause buffer overflows
+%               * failure of RLE decoding now thows error RLEDecoderError
+%               * fixed bug in RLE decoding - now all rows are decoded, not just
+%     the first one
+%   * fixed bug in reader - record offsets now handled correctly
+%   * fixed bug in reader - only bits 0..2 indicate compression type
+%               * in writer: now using image color count instead of depth
 */
 
 /*
@@ -261,7 +261,7 @@ static MagickBooleanType IsPDB(const unsigned char *magick,const size_t length)
 static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
 {
   unsigned char
-    attributes, /* TS */
+    attributes,
     tag[3];
 
   Image
@@ -371,7 +371,7 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
   */
   count=ReadBlob(image,32,(unsigned char *) pdb_image.name);
   pdb_image.version=ReadBlobByte(image);
-  pdb_image.type=ReadBlobByte(image);
+  pdb_image.type=(unsigned char) ReadBlobByte(image);
   pdb_image.reserved_1=ReadBlobMSBLong(image);
   pdb_image.note=ReadBlobMSBLong(image);
   pdb_image.x_last=(short) ReadBlobMSBShort(image);
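Review bot: The new cast in `pdb_image.type=(unsigned char) ReadBlobByte(image);` folds a -1 EOF return from ReadBlobByte into 0xFF, so at this point a truncated header is indistinguishable from a genuine type byte of 255; the neighbouring header reads (version, reserved_1, note, x_last) are equally unchecked, so correctness rests entirely on the later `EOFBlob(image)` test rejecting short files before pdb_image.type is acted on. That dependency is worth stating next to the cast, e.g. `/* EOF (-1) becomes 0xFF here; short headers are rejected by the EOFBlob() check below */`. ReadPDBImage's body starts and continues outside the hunk, so whether type is consumed before that check cannot be confirmed from here.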
@@ -528,7 +528,7 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception)
   if (EOFBlob(image) != MagickFalse)
     ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile",
       image->filename);
-  if (pdb_info.number_records > 1) /* TS */
+  if (pdb_info.number_records > 1)
     {
       char
         *comment;
@@ -748,9 +748,8 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
   } else if (image -> colors <= 8) {
     bits_per_pixel = 3;
   } else {
-    bits_per_pixel = 4;
+    bits_per_pixel=4;
   }
-
   (void) ResetMagickMemory(pdb_info.name,0,32);
   (void) CopyMagickString(pdb_info.name,image_info->filename,32);
   pdb_info.attributes=0;
@@ -800,7 +799,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
   if (image->columns % 16)
     pdb_image.width=(short) (16*(image->columns/16+1));
   pdb_image.height=(short) image->rows;
-  packets=(bits_per_pixel*image->columns/8)*image->rows;
+  packets=(bits_per_pixel*image->columns/8+4)*image->rows;
   runlength=(unsigned char *) AcquireQuantumMemory(2UL*packets,
     sizeof(*runlength));
   if (runlength == (unsigned char *) NULL)
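Review bot: The `+4` in `packets=(bits_per_pixel*image->columns/8+4)*image->rows;` is an unexplained magic number, and since the commit message talks about a double free while this hunk only enlarges the runlength allocation, a reader cannot tell what the four extra bytes per row are for; presumably they are headroom for the RLE encoder's per-row output overhead, which should be written down, e.g. `/* +4 bytes of slack per row for the RLE encoder's worst case; see encoder loop below */` (confirm the bound against the encoder before committing to the wording). Separately, `2UL*packets` is evaluated before AcquireQuantumMemory gets to apply its own count*size overflow check, so for very large columns*rows the doubled count could wrap first; a guard such as `if (packets > ((size_t) ~0)/2) ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");` ahead of the allocation would keep the later buffer writes bounded. WritePDBImage's body starts and ends outside the hunk.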
@@ -833,7 +832,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
       break;
     (void) ExportQuantumPixels(image,(const CacheView *) NULL,quantum_info,
       GrayQuantum,scanline,&image->exception);
-    for (x=0; x < pdb_image.width; x++)
+    for (x=0; x < (ssize_t) pdb_image.width; x++)
     {
       if (x < (long) image->columns)
         buffer[literal+repeat]|=(0xff-scanline[x*packet_size]) >>
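Review bot: The loop bound is now written as `(ssize_t) pdb_image.width` while the guard two lines below still uses `(long) image->columns`; since both compare against the same `x`, pick one cast type for the pair, e.g. `if (x < (ssize_t) image->columns)`, so the signed-width intent reads consistently and the two bounds cannot silently diverge on a platform where long and ssize_t differ. The enclosing loop body continues past the end of the hunk.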
-- 
2.1.4

