From 857ee656d167d8f8b7934e520f07f9ace9e34517 Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Mon, 1 Dec 2014 01:13:14 +0000
Subject: [PATCH] Fix heap overflow in quantum.c, palm image handling and psd
 image handling.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17142 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
Origin: http://trac.imagemagick.org/changeset/17142
---
 coders/palm.c    |  2 +-
 coders/psd.c     |  2 +-
 magick/quantum.c | 13 ++++++++-----
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/coders/palm.c b/coders/palm.c
index f006bd6..9d5f7a5 100644
--- a/coders/palm.c
+++ b/coders/palm.c
@@ -333,7 +333,7 @@ static Image *ReadPALMImage(const ImageInfo *image_info,
     bytes_per_row=ReadBlobMSBShort(image);
     flags=ReadBlobMSBShort(image);
     bits_per_pixel=(unsigned long) ReadBlobByte(image);
-    if (bits_per_pixel > 16)
+    if ((bits_per_pixel == 0) || (bits_per_pixel > 16))
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     version=(unsigned long) ReadBlobByte(image);
     nextDepthOffset=(unsigned long) ReadBlobMSBShort(image);
diff --git a/coders/psd.c b/coders/psd.c
index a2ff5d9..fe9678b 100644
--- a/coders/psd.c
+++ b/coders/psd.c
@@ -783,7 +783,7 @@ static Image *ReadPSDImage(const ImageInfo *image_info,ExceptionInfo *exception)
       if (image->debug != MagickFalse)
         (void) LogMagickEvent(CoderEvent,GetMagickModule(),
           "  reading image resource blocks - %ld bytes",(long) length);
-      blocks=(unsigned char *) AcquireQuantumMemory(length,sizeof(*blocks));
+      blocks=(unsigned char *) AcquireQuantumMemory(length+16,sizeof(*blocks));
       if (blocks == (unsigned char *) NULL)
         ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
       count=ReadBlob(image,length,blocks);
diff --git a/magick/quantum.c b/magick/quantum.c
index 746e6a6..a282a0e 100644
--- a/magick/quantum.c
+++ b/magick/quantum.c
@@ -540,8 +540,9 @@ MagickExport void SetQuantumAlphaType(QuantumInfo *quantum_info,
 MagickExport MagickBooleanType SetQuantumDepth(const Image *image,
   QuantumInfo *quantum_info,const unsigned long depth)
 {
-  MagickBooleanType
-    status;
+  size_t
+    extent,
+    quantum;
 
   /*
     Allocate the quantum pixel buffer.
@@ -565,9 +566,11 @@ MagickExport MagickBooleanType SetQuantumDepth(const Image *image,
     }
   if (quantum_info->pixels != (unsigned char **) NULL)
     DestroyQuantumPixels(quantum_info);
-  status=AcquireQuantumPixels(quantum_info,(quantum_info->pad+5)*image->columns*
-    ((quantum_info->depth+7)/8));
-  return(status);
+  quantum=(quantum_info->pad+6)*(quantum_info->depth+7)/8;
+  extent=image->columns*quantum;
+  if (quantum != (extent/image->columns))
+    return(MagickFalse);
+  return(AcquireQuantumPixels(quantum_info,extent));
 }
 
 /*
-- 
2.1.4