From a0e356f80301ac6594758131d79b7557b402622c Mon Sep 17 00:00:00 2001
From: dirk <dirk@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Mon, 3 Feb 2014 21:29:33 +0000
Subject: [PATCH] Added boundary checks in DecodePSDPixels
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A buffer overflow flaw was found in the way ImageMagick handled PSD images that use RLE encoding.
An attacker could create a malicious PSD image file that, when opened in ImageMagick,
would cause ImageMagick to crash or, potentially,
execute arbitrary code with the privileges of the user running ImageMagick.

This patch fixes CVE-2014-1958.

Bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1067276
Bug-debian: http://bugs.debian.org/740250
git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@14801 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
Signed-off-by: Bastien ROUCARIÈS <roucaries.bastien@gmail.com>
---
 coders/psd.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/coders/psd.c b/coders/psd.c
index 5c23992..cbc333c 100644
--- a/coders/psd.c
+++ b/coders/psd.c
@@ -268,13 +268,15 @@ static ssize_t DecodePSDPixels(const size_t number_compact_pixels,
   packets=(ssize_t) number_compact_pixels;
   for (i=0; (packets > 1) && (i < (ssize_t) number_pixels); )
   {
-    length=(*compact_pixels++);
+    length=(size_t) (*compact_pixels++);
     packets--;
     if (length == 128)
       continue;
     if (length > 128)
       {
         length=256-length+1;
+        if ((ssize_t) length + i > (ssize_t) number_pixels)
+          length=number_pixels-(size_t) i;
         pixel=(*compact_pixels++);
         packets--;
         for (j=0; j < (ssize_t) length; j++)
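Review bot: The new clamp before the repeat-run loop carries no comment explaining that it is a security bound, so a later refactor could easily "simplify" it away; I would add `/* Clamp the run length so a crafted byte cannot write past number_pixels (CVE-2014-1958). */` above the added `if`. Note that the clamp silently truncates a malformed run rather than rejecting the stream; if DecodePSDPixels is expected to signal corruption to its caller, that would need to be decided here, but whether it does is not visible since the function continues past this hunk. The input side of this branch is fine as far as the hunk shows: `packets > 1` at the loop head guarantees the single `pixel` byte read after the first `packets--` is still inside the compact buffer.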
@@ -321,6 +323,8 @@ static ssize_t DecodePSDPixels(const size_t number_compact_pixels,
         continue;
       }
     length++;
+    if ((ssize_t) length + i > (ssize_t) number_pixels)
+      length=number_pixels-(size_t) i;
     for (j=0; j < (ssize_t) length; j++)
     {
       switch (depth)
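Review bot: The added clamp bounds the literal run by the destination (`number_pixels`) but not by the source: after `packets--` at the top of the loop as few as one compact byte may remain, while `length` can be up to 128, and the `for (j=0; j < (ssize_t) length; j++)` loop that follows presumably consumes one source byte per iteration. If the loop body, which is outside this hunk, does not itself check `packets`, a crafted length still reads past the end of `compact_pixels`; I would add `if ((ssize_t) length > packets) length=(size_t) packets;` right after the new check. The same two-line clamp now appears in both branches; a small `static` helper or a comment tying both to CVE-2014-1958 would keep them from drifting apart. DecodePSDPixels's body continues beyond this hunk.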
-- 
1.8.3.2

