1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1648301533 18000
# Node ID 94f4bcf448ad29d6d8470e444038402d34fbba12
# Parent 07c1e6eeffb8cb2abb9ede843a45ba7e5435b3b0
ReadMIFFImage(): Validate claimed bzip2-compressed row length prior to reading data into fixed size buffer.
--- graphicsmagick-1.4+really1.3.36+hg16481.orig/coders/miff.c
+++ graphicsmagick-1.4+really1.3.36+hg16481/coders/miff.c
@@ -1862,9 +1862,20 @@ static Image *ReadMIFFImage(const ImageI
else
{
length=ReadBlobMSBLong(image);
+ if (image->logging)
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "length = %"MAGICK_SIZE_T_F"u",
+ (MAGICK_SIZE_T) length);
+ if ((length == 0) || (length > compressed_length))
+ {
+ (void) BZ2_bzDecompressEnd(&bzip_info);
+ ThrowMIFFReaderException(CorruptImageError,UnableToUncompressImage,
+ image);
+ }
bzip_info.avail_in=(unsigned int) ReadBlob(image,length,bzip_info.next_in);
if ((size_t) bzip_info.avail_in != length)
{
+ (void) BZ2_bzDecompressEnd(&bzip_info);
ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile,
image);
}
|
