From 22289bcac76a7f77015cd72ad2d3df9693ff77c2 Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Mon, 15 Dec 2014 11:30:43 +0000
Subject: [PATCH] Avoid a crash in coders/rle.c

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17255 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin:  http://trac.imagemagick.org/changeset/17255
---
 coders/rle.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/coders/rle.c b/coders/rle.c
index 23c1c6a..767d61c 100644
--- a/coders/rle.c
+++ b/coders/rle.c
@@ -40,10 +40,12 @@
   Include declarations.
 */
 #include "magick/studio.h"
-#include "magick/property.h"
 #include "magick/blob.h"
 #include "magick/blob-private.h"
 #include "magick/cache.h"
+
+#include "magick/colormap.h"
+#include "magick/colormap-private.h"
 #include "magick/exception.h"
 #include "magick/exception-private.h"
 #include "magick/image.h"
@@ -54,6 +56,8 @@
 #include "magick/monitor.h"
 #include "magick/monitor-private.h"
 #include "magick/quantum-private.h"
+#include "magick/pixel.h"
+#include "magick/property.h"
 #include "magick/static.h"
 #include "magick/string_.h"
 #include "magick/module.h"
@@ -120,6 +124,14 @@ static MagickBooleanType IsRLE(const unsigned char *magick,const size_t length)
 %
 %
 */
+
+static inline size_t MagickMax(const size_t x,const size_t y)
+{
+  if (x > y)
+    return(x);
+  return(y);
+}
+
 static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
 {
 #define SkipLinesOp  0x01
@@ -293,7 +305,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
     if ((number_pixels*number_planes) != (size_t) (number_pixels*number_planes))
       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
     rle_pixels=(unsigned char *) AcquireQuantumMemory(image->columns,
-      image->rows*number_planes*sizeof(*rle_pixels));
+      image->rows*MagickMax(number_planes,4)*sizeof(*rle_pixels));
     if (rle_pixels == (unsigned char *) NULL)
       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
     if ((flags & 0x01) && !(flags & 0x02))
@@ -523,10 +535,13 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
                 break;
               for (x=0; x < (long) image->columns; x++)
               {
-                q->red=image->colormap[*p++].red;
-                q->green=image->colormap[*p++].green;
-                q->blue=image->colormap[*p++].blue;
-                q->opacity=(Quantum) (QuantumRange-ScaleCharToQuantum(*p++));
+                q->red=image->colormap[(ssize_t)
+                  ConstrainColormapIndex(image,*p++)].red;
+                q->green=image->colormap[(ssize_t)
+                  ConstrainColormapIndex(image,*p++)].green;
+                q->blue=image->colormap[(ssize_t)
+                  ConstrainColormapIndex(image,*p++)].blue;
+		q->opacity=(Quantum) (QuantumRange-ScaleCharToQuantum(*p++));
                 q++;
               }
               if (SyncAuthenticPixels(image,exception) == MagickFalse)
-- 
2.1.4