From c264f9c466f22736c9fd9f8a7051f6b71ecb2c0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <roucaries.bastien@gmail.com>
Date: Tue, 23 Dec 2014 14:53:08 +0100
Subject: [PATCH] Fix heap overflow in pcx file, psd, pict and wpf files and
 DOS in xpm file

The rest of the upstream patch is only whitespace change. Do not commit it.

git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@17166 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
origin:  http://trac.imagemagick.org/changeset/17166
---
 coders/pcx.c  |  2 +-
 coders/pict.c |  3 ++-
 coders/psd.c  | 10 ++++++----
 coders/wpg.c  |  2 +-
 coders/xpm.c  |  4 +++-
 5 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/coders/pcx.c b/coders/pcx.c
index 2257c7174..c899bf0c4 100644
--- a/coders/pcx.c
+++ b/coders/pcx.c
@@ -404,7 +404,7 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception)
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     scanline=(unsigned char *) AcquireQuantumMemory(MagickMax(image->columns,
       pcx_info.bytes_per_line),MagickMax(8,pcx_info.planes)*sizeof(*scanline));
-    pixel_info=AcquireVirtualMemory(pcx_packets,sizeof(*pixels));
+    pixel_info=AcquireVirtualMemory(pcx_packets,2*sizeof(*pixels));
     if ((scanline == (unsigned char *) NULL) ||
         (pixel_info == (MemoryInfo *) NULL))
       {
diff --git a/coders/pict.c b/coders/pict.c
index 35fb56e1e..f6165a4c2 100644
--- a/coders/pict.c
+++ b/coders/pict.c
@@ -473,7 +473,8 @@ static unsigned char *DecodeImage(Image *blob,Image *image,
     return((unsigned char *) NULL);
   *extent=row_bytes*image->rows*sizeof(*pixels);
   (void) ResetMagickMemory(pixels,0,*extent);
-  scanline=(unsigned char *) AcquireQuantumMemory(row_bytes,sizeof(*scanline));
+  scanline=(unsigned char *) AcquireQuantumMemory(row_bytes,2*
+    sizeof(*scanline));
   if (scanline == (unsigned char *) NULL)
     return((unsigned char *) NULL);
   if (bytes_per_line < 8)
diff --git a/coders/psd.c b/coders/psd.c
index 2aff3623d..f4dec694a 100644
--- a/coders/psd.c
+++ b/coders/psd.c
@@ -50,6 +50,7 @@
 #include "magick/cache.h"
 #include "magick/channel.h"
 #include "magick/colormap.h"
+#include "magick/colormap-private.h"
 #include "magick/colorspace.h"
 #include "magick/colorspace-private.h"
 #include "magick/constitute.h"
@@ -711,7 +712,7 @@ static MagickStatusType ReadPSDChannelPixels(Image *image,const size_t channels,
             else
               SetPixelIndex(indexes+x,ScaleQuantumToShort(pixel))
             SetPixelRGBO(q,image->colormap+(ssize_t)
-              GetPixelIndex(indexes+x));
+              ConstrainColormapIndex(image,GetPixelIndex(indexes+x)));
             if (image->depth == 1)
               {
                 ssize_t
@@ -799,7 +800,7 @@ static MagickStatusType ReadPSDChannelRaw(Image *image,const size_t channels,
        "      layer data is RAW");
 
   row_size=GetPSDRowSize(image);
-  pixels=(unsigned char *) AcquireQuantumMemory(8*row_size,sizeof(*pixels));
+  pixels=(unsigned char *) AcquireQuantumMemory(row_size,8*sizeof(*pixels));
   if (pixels == (unsigned char *) NULL)
     ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
       image->filename);
@@ -868,7 +869,7 @@ static MagickStatusType ReadPSDChannelRLE(Image *image,const PSDInfo *psd_info,
        "      layer data is RLE compressed");
 
   row_size=GetPSDRowSize(image);
-  pixels=(unsigned char *) AcquireQuantumMemory(8*row_size,sizeof(*pixels));
+  pixels=(unsigned char *) AcquireQuantumMemory(row_size,8*sizeof(*pixels));
   if (pixels == (unsigned char *) NULL)
     ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
       image->filename);
@@ -884,7 +885,8 @@ static MagickStatusType ReadPSDChannelRLE(Image *image,const PSDInfo *psd_info,
       ThrowBinaryException(CoderError,"InvalidLength",
         image->filename);
     }
-  compact_pixels=(unsigned char *) AcquireQuantumMemory(length,sizeof(*pixels));
+  compact_pixels=(unsigned char *) AcquireQuantumMemory(length,8*
+    sizeof(*pixels));
   if (compact_pixels == (unsigned char *) NULL)
     {
       pixels=(unsigned char *) RelinquishMagickMemory(pixels);
diff --git a/coders/wpg.c b/coders/wpg.c
index 24430c79f..edcf4c24e 100644
--- a/coders/wpg.c
+++ b/coders/wpg.c
@@ -474,7 +474,7 @@ static int UnpackWPGRaster(Image *image,int bpp)
 
   ldblk=(ssize_t) ((bpp*image->columns+7)/8);
   BImgBuff=(unsigned char *) AcquireQuantumMemory((size_t) ldblk,
-    4*sizeof(*BImgBuff));
+    8*sizeof(*BImgBuff));
   if(BImgBuff==NULL) return(-2);
 
   while(y<(ssize_t) image->rows)
diff --git a/coders/xpm.c b/coders/xpm.c
index 0faaf2d7e..34d3511c6 100644
--- a/coders/xpm.c
+++ b/coders/xpm.c
@@ -166,7 +166,7 @@ static size_t CopyXPMColor(char *destination,const char *source,size_t length)
 
 static char *NextXPMLine(char *p)
 {
-  assert(p != (char *)NULL);
+  assert(p != (char *) NULL);
   p=strchr(p,'\n');
   if (p != (char *) NULL)
     p++;
@@ -396,6 +396,8 @@ static Image *ReadXPMImage(const ImageInfo *image_info,ExceptionInfo *exception)
       {
         while ((isspace((int) ((unsigned char) *q)) == 0) && (*q != '\0'))
           q++;
+        if ((next-q) < 0)
+          break;
         if (next != (char *) NULL)
           (void) CopyXPMColor(target,q,MagickMin((size_t) (next-q),
             MaxTextExtent));