From 7ada2be8c8653ddbd27928b77f0ba86424a10e3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= Date: Tue, 23 Dec 2014 14:53:08 +0100 Subject: [PATCH] Fix heap overflow in pcx file, psd, pict and wpf files and DOS in xpm file The rest of the upstream patch is only whitespace change. Do not commit it. Psd change file is ignored due to huge rewrite git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17166 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74 origin: http://trac.imagemagick.org/changeset/17166 --- coders/pcx.c | 8 +++++++- coders/pict.c | 3 ++- coders/sun.c | 2 ++ coders/wpg.c | 2 +- coders/xpm.c | 2 ++ 5 files changed, 14 insertions(+), 3 deletions(-) diff --git a/coders/pcx.c b/coders/pcx.c index 75c4c54..a64ae04 100644 --- a/coders/pcx.c +++ b/coders/pcx.c @@ -396,7 +396,13 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception) pcx_info.bytes_per_line),MagickMax(8,pcx_info.planes)*sizeof(*scanline)); if ((pcx_pixels == (unsigned char *) NULL) || (scanline == (unsigned char *) NULL)) - ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + { + if (scanline != (unsigned char *) NULL) + scanline=(unsigned char *) RelinquishMagickMemory(scanline); + if (pcx_pixels != (unsigned char *) NULL) + pcx_pixels=(unsigned char *) RelinquishMagickMemory(pcx_pixels); + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } /* Uncompress image data. */ diff --git a/coders/pict.c b/coders/pict.c index fa47b06..bf270fd 100644 --- a/coders/pict.c +++ b/coders/pict.c @@ -474,7 +474,8 @@ static unsigned char *DecodeImage(Image *blob,Image *image, return((unsigned char *) NULL); *extent=row_bytes*image->rows*sizeof(*pixels); (void) ResetMagickMemory(pixels,0,*extent); - scanline=(unsigned char *) AcquireQuantumMemory(row_bytes,sizeof(*scanline)); + scanline=(unsigned char *) AcquireQuantumMemory(row_bytes,2* + sizeof(*scanline)); if (scanline == (unsigned char *) NULL) return((unsigned char *) NULL); if (bytes_per_line < 8) diff --git a/coders/sun.c b/coders/sun.c index 98631c9..42028c5 100644 --- a/coders/sun.c +++ b/coders/sun.c @@ -257,6 +257,7 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception) size_t bytes_per_line, + extent, length; ssize_t @@ -305,6 +306,7 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception) sun_info.type=ReadBlobMSBLong(image); sun_info.maptype=ReadBlobMSBLong(image); sun_info.maplength=ReadBlobMSBLong(image); + extent=sun_info.height*sun_info.width; if ((sun_info.height != 0) && (sun_info.width != extent/sun_info.height)) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); if ((sun_info.type != RT_STANDARD) && (sun_info.type != RT_ENCODED) && diff --git a/coders/wpg.c b/coders/wpg.c index 8c1b900..842be6d 100644 --- a/coders/wpg.c +++ b/coders/wpg.c @@ -458,7 +458,7 @@ static int UnpackWPGRaster(Image *image,int bpp) ldblk=(long) ((bpp*image->columns+7)/8); BImgBuff=(unsigned char *) AcquireQuantumMemory((size_t) ldblk, - 4*sizeof(*BImgBuff)); + 8*sizeof(*BImgBuff)); if(BImgBuff==NULL) return(-2); while(y<(long) image->rows) diff --git a/coders/xpm.c b/coders/xpm.c index 7b1af9a..b412b46 100644 --- a/coders/xpm.c +++ b/coders/xpm.c @@ -369,6 +369,8 @@ static Image *ReadXPMImage(const ImageInfo *image_info,ExceptionInfo *exception) { while ((isspace((int) ((unsigned char) *q)) == 0) && (*q != '\0')) q++; + if ((next-q) < 0) + break; if (next != (char *) NULL) (void) CopyXPMColor(target,q,MagickMin((size_t) (next-q), MaxTextExtent)); -- 2.1.4