From aa7d807fbd2a376c006888288183e843aee306c6 Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Fri, 24 May 2013 15:52:52 +0000
Subject: [PATCH] Prepare security fix

This is a bug of least concern from a security point of view. It avoids looping over comments in PNM files.

However, the next patch needs it in order to apply, and it is safer to have it.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@12347 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin: http://trac.imagemagick.org/changeset/12347
---
 coders/pnm.c | 97 ++++++++++++++++++++++++++++++++++--------------------------
 1 file changed, 55 insertions(+), 42 deletions(-)

diff --git a/coders/pnm.c b/coders/pnm.c
index cd83c2f..2289cdc 100644
--- a/coders/pnm.c
+++ b/coders/pnm.c
@@ -146,67 +146,70 @@ static inline long ConstrainPixel(Image *image,const long offset,
   return(offset);
 }
 
-static unsigned long PNMInteger(Image *image,const unsigned int base)
-{
-  char
-    *comment;
 
+static void PNMComment(Image *image)
+{
   int
     c;
 
+  char
+    *comment;
+
   register char
     *p;
 
   size_t
     extent;
 
-  unsigned long
+  /*
+    Read comment.
+  */
+  comment=AcquireString(GetImageProperty(image,"comment"));
+  extent=strlen(comment);
+  p=comment+strlen(comment);
+  for (c='#'; (c != EOF) && (c != (int) '\n'); p++)
+  {
+    if ((size_t) (p-comment+1) >= extent)
+      {
+        extent<<=1;
+        comment=(char *) ResizeQuantumMemory(comment,extent+MaxTextExtent,
+          sizeof(*comment));
+        if (comment == (char *) NULL)
+          break;
+        p=comment+strlen(comment);
+      }
+    c=ReadBlobByte(image);
+    if (c != EOF)
+      {
+        *p=(char) c;
+        *(p+1)='\0';
+      }
+  }
+  if (comment == (char *) NULL)
+    return;
+  (void) SetImageProperty(image,"comment",comment);
+  comment=DestroyString(comment);
+}
+
+static size_t PNMInteger(Image *image,const unsigned int base)
+{
+  int
+    c;
+
+  size_t
     value;
 
   /*
     Skip any leading whitespace.
   */
-  extent=MaxTextExtent;
-  comment=(char *) NULL;
-  p=comment;
   do
   {
     c=ReadBlobByte(image);
     if (c == EOF)
       return(0);
     if (c == (int) '#')
-      {
-        /*
-          Read comment.
-        */
-        if (comment == (char *) NULL)
-          comment=AcquireString((char *) NULL);
-        p=comment+strlen(comment);
-        for ( ; (c != EOF) && (c != (int) '\n'); p++)
-        {
-          if ((size_t) (p-comment+1) >= extent)
-            {
-              extent<<=1;
-              comment=(char *) ResizeQuantumMemory(comment,extent+MaxTextExtent,
-                sizeof(*comment));
-              if (comment == (char *) NULL)
-                break;
-              p=comment+strlen(comment);
-            }
-          c=ReadBlobByte(image);
-          *p=(char) c;
-          *(p+1)='\0';
-        }
-        if (comment == (char *) NULL)
-          return(0);
-        continue;
-      }
+      PNMComment(image);
   } while (isdigit(c) == MagickFalse);
-  if (comment != (char *) NULL)
-    {
-      (void) SetImageProperty(image,"comment",comment);
-      comment=DestroyString(comment);
-    }
   if (base == 2)
     return((unsigned long) (c-(int) '0'));
   /*
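Review bot: In the new `PNMComment`, `extent=strlen(comment);` is 0 whenever the image has no earlier "comment" property (assuming `AcquireString` returns an empty string for a NULL argument, which is not visible here), and `extent<<=1` then leaves it at 0. Every iteration re-enters the resize branch and requests only `extent+MaxTextExtent` elements, so the buffer stops growing while `p` keeps advancing. Once a comment line in an untrusted file passes roughly MaxTextExtent bytes, the stores to `*p` and `*(p+1)` land beyond the allocation. Seeding the size to match the allocation, `extent=strlen(comment)+MaxTextExtent;`, makes the doubling effective; confirm that `AcquireString` reserves at least that much. Separately, `PNMInteger` now returns `size_t` but the context line still casts with `return((unsigned long) (c-(int) '0'));`, and its body continues outside the hunk.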
@@ -342,6 +345,16 @@ static Image *ReadPNMImage(const ImageInfo *image_info,ExceptionInfo *exception)
         {
           while (isspace((int) ((unsigned char) c)) != 0)
             c=ReadBlobByte(image);
+          if (c == '#')
+            {
+              /*
+                Comment.
+              */
+              PNMComment(image);
+              c=ReadBlobByte(image);
+              while (isspace((int) ((unsigned char) c)) != 0)
+                c=ReadBlobByte(image);
+            }
           p=keyword;
           do
           {
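Review bot: The added branch tests `if (c == '#')` only once, so a single comment line is consumed before `p=keyword;`. A second `#` line that follows directly would presumably be tokenised as a keyword by the loop that continues below the hunk. Using `while (c == '#')` around the same body would drain consecutive comment lines. The byte returned by `c=ReadBlobByte(image);` after `PNMComment` is also not checked for EOF before it reaches the keyword loop, so a header that ends inside a comment depends on how that loop treats EOF; worth confirming. The enclosing block of `ReadPNMImage` starts and ends outside the hunk.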
@@ -1195,6 +1208,8 @@ static Image *ReadPNMImage(const ImageInfo *image_info,ExceptionInfo *exception)
         /*
           Convert PFM raster image to pixel packets.
         */
+        if (format == 'f')
+          (void) SetImageColorspace(image,GRAYColorspace); 
         quantum_type=format == 'f' ? GrayQuantum : RGBQuantum;
         image->endian=quantum_scale < 0.0 ? LSBEndian : MSBEndian;
         image->depth=32;
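Review bot: The result of `SetImageColorspace(image,GRAYColorspace)` is discarded with `(void)`. If the call can fail, the reader goes on to import `GrayQuantum` data into an image whose colorspace was not switched. Consider checking the status and leaving through the function's existing error path, which is not visible in this hunk. The added line also ends in a trailing space. A short comment such as `/* 'f' selects GrayQuantum below, so mark the image gray first */` would explain why this colorspace change rides along with the comment-handling fix.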
@@ -1584,9 +1599,7 @@ static MagickBooleanType WritePNMImage(const ImageInfo *image_info,Image *image)
         for (p=value; *p != '\0'; p++)
         {
           (void) WriteBlobByte(image,(unsigned char) *p);
-          if ((*p == '\r') && (*(p+1) != '\0'))
-            (void) WriteBlobByte(image,'#');
-          if ((*p == '\n') && (*(p+1) != '\0'))
+          if ((*p == '\n') || (*p == '\r'))
             (void) WriteBlobByte(image,'#');
         }
         (void) WriteBlobByte(image,'\n');
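Review bot: With the `*(p+1) != '\0'` guard removed, a comment value ending in `\n` or `\r` now emits a trailing `#` that the final `WriteBlobByte(image,'\n')` closes at once, producing an empty comment line. `PNMComment` in this same patch stores the terminating newline in the property, so a read-then-write cycle would appear to add one empty `#` line each time, and a `\r\n` pair yields two markers. Writing `#` after every line break is the safer direction, because comment text can then never continue as header data, so the effect is cosmetic. If the extra lines matter, the terminator could be stripped when the comment is read instead of re-adding the guard here. The loop and its enclosing function start outside the hunk.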
-- 
2.1.4

