From 9409c2a9e99fcc97be22f54b23e7547a10cf02be Mon Sep 17 00:00:00 2001
From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Sat, 20 Dec 2014 13:40:37 +0000
Subject: [PATCH] Added checks to prevent overflow in rle file

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17348 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin:  http://trac.imagemagick.org/changeset/17348
---
 coders/rle.c | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/coders/rle.c b/coders/rle.c
index fdc58c9..7998b46 100644
--- a/coders/rle.c
+++ b/coders/rle.c
@@ -190,7 +190,10 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
     bits_per_pixel,
     map_length,
     number_colormaps,
-    number_planes;
+    number_planes,
+    one,
+    offset,
+    pixel_info_length;;
 
   /*
     Open image file.
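Review bot: The added declaration ends in a stray double semicolon (`pixel_info_length;;`), and `one` is declared but not used by any hunk in this patch. Suggest `pixel_info_length;` and dropping `one` unless a follow-up needs it. The declaration's type specifier sits above the hunk, so confirm that `offset` and `pixel_info_length` get the type the later bounds checks assume.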
@@ -304,8 +307,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
     number_pixels=(MagickSizeType) image->columns*image->rows;
     if ((number_pixels*number_planes) != (size_t) (number_pixels*number_planes))
       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-    rle_pixels=(unsigned char *) AcquireQuantumMemory(image->columns,
-      image->rows*MagickMax(number_planes,4)*sizeof(*rle_pixels));
+    pixel_info_length=image->columns*image->rows*MagickMax(number_planes,4);
+    rle_pixels=(unsigned char *) AcquireQuantumMemory(pixel_info_length,sizeof(*rle_pixels));
     if (rle_pixels == (unsigned char *) NULL)
       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
     if ((flags & 0x01) && !(flags & 0x02))
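Review bot: The new `pixel_info_length` product is computed with no overflow check, and passing it as a single count with `sizeof(*rle_pixels)` means the allocator no longer sees the separate factors it could previously validate. The existing guard two lines above tests only `number_pixels*number_planes`, while the allocation uses `MagickMax(number_planes,4)`, so with fewer than four planes the larger product is never checked. A wrapped length would give a short buffer, and code later in ReadRLEImage (outside this hunk) may still index by the full dimensions. Consider guarding the same factor before the assignment, e.g. `if ((number_pixels*MagickMax(number_planes,4)) != (size_t) (number_pixels*MagickMax(number_planes,4)))` followed by the existing `ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");`.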
@@ -372,12 +375,20 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
           operand=ReadBlobByte(image);
           if (opcode & 0x40)
             operand=(int) ReadBlobLSBShort(image);
-          p=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+
-            x*number_planes+plane;
+          offset=((image->rows-y-1)*image->columns*number_planes)+x*
+            number_planes+plane;
           operand++;
+          if (offset+((size_t) operand*number_planes) > pixel_info_length)
+            {
+              if (number_colormaps != 0)
+                colormap=(unsigned char *) RelinquishMagickMemory(colormap);
+	      rle_pixels=(unsigned char *) RelinquishMagickMemory(rle_pixels);
+	      ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+            }
+          p=rle_pixels+offset;
           for (i=0; i < (long) operand; i++)
           {
-            pixel=(unsigned char) ReadBlobByte(image);
+	    pixel=(unsigned char) ReadBlobByte(image);
             if ((y < (long) image->rows) && ((x+i) < (long) image->columns))
               *p=pixel;
             p+=number_planes;
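Review bot: The bounds check `offset+((size_t) operand*number_planes) > pixel_info_length` can be defeated by wraparound. `offset` is built from `image->rows-y-1` and `x`, and if either can lie outside the image at this point (their updates are outside the hunk), the offset wraps to a very large value and adding the run length can wrap it back under the limit. Testing in subtraction form avoids that: `if ((offset > pixel_info_length) || ((size_t) operand*number_planes > pixel_info_length-offset))`. This assumes `offset` is unsigned; its type is declared above the first hunk, and a signed type would need an explicit `offset < 0` test instead. The same condition is repeated in the run-data hunk below and needs the same change; the added lines also mix tabs into the file's space indentation.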
@@ -395,9 +406,17 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
           pixel=(unsigned char) ReadBlobByte(image);
           (void) ReadBlobByte(image);
           operand++;
-          p=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+
-            x*number_planes+plane;
-          for (i=0; i < (long) operand; i++)
+          offset=((image->rows-y-1)*image->columns*number_planes)+x*
+            number_planes+plane;
+          p=rle_pixels+offset;
+          if (offset+((size_t) operand*number_planes) > pixel_info_length)
+            {
+              if (number_colormaps != 0)
+                colormap=(unsigned char *) RelinquishMagickMemory(colormap);
+	      rle_pixels=(unsigned char *) RelinquishMagickMemory(rle_pixels);
+              ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+            }
+          for (i=0; i < (ssize_t) operand; i++)
           {
             if ((y < (long) image->rows) && ((x+i) < (long) image->columns))
               *p=pixel;
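Review bot: `p=rle_pixels+offset;` is assigned before the bounds check here, whereas the byte-data branch above assigns it only after the check has passed. Forming a pointer from an unvalidated offset is already outside what C permits, even if it is never dereferenced. Move the assignment below the closing brace of the check so both branches read the same. The loop cast was also changed to `(ssize_t)` here while the sibling loop keeps `(long)`; pick one.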
-- 
2.1.4

