File: 0064-improve-BMP-error-checking.patch

imagemagick 8%3A6.9.11.60%2Bdfsg-1.6%2Bdeb12u3
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 18 Jan 2023 07:22:53 -0500
Subject: improve BMP error checking

Bug: https://github.com/ImageMagick/ImageMagick/issues/5980
---
 coders/bmp.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/coders/bmp.c b/coders/bmp.c
index c5ccb70..4a3bff7 100644
--- a/coders/bmp.c
+++ b/coders/bmp.c
@@ -233,7 +233,7 @@ static MagickBooleanType DecodeImage(Image *image,const size_t compression,
     MagickBooleanType
       status;
 
-    if ((p < pixels) || (p > q))
+    if ((p < pixels) || (p >= q))
       break;
     count=ReadBlobByte(image);
     if (count == EOF)
@@ -269,7 +269,7 @@ static MagickBooleanType DecodeImage(Image *image,const size_t compression,
         if (count == EOF)
           break;
         if (count == 0x01)
-          return(MagickTrue);
+          break;
         switch (count)
         {
           case 0x00:
@@ -298,6 +298,8 @@ static MagickBooleanType DecodeImage(Image *image,const size_t compression,
               Absolute mode.
             */
             count=(int) MagickMin((ssize_t) count,(ssize_t) (q-p));
+            if (count < 0)
+              break;
             if (compression == BI_RLE8)
               for (i=0; i < (ssize_t) count; i++)
               {
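Review bot: The two added `break` statements in the absolute-mode branch (this `if (count < 0)` and the `if (byte == EOF)` in the next hunk) appear to sit inside a case of the `switch (count)` opened in the previous hunk, so they would leave the switch rather than the decoding loop. If so, decoding stops only because the next iteration reaches the `p >= q` or `count == EOF` test at the top of the loop, a dependency that a later edit could easily break. The case label is outside this hunk, so confirm the nesting, and then document it at each site, for example `/* leaves the switch; the loop-top bounds/EOF checks end decoding */`.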
@@ -318,6 +320,8 @@ static MagickBooleanType DecodeImage(Image *image,const size_t compression,
                 *p++=(unsigned char)
                   ((i & 0x01) != 0 ? (byte & 0x0f) : ((byte >> 4) & 0x0f));
               }
+            if (byte == EOF)
+              break;
             x+=count;
             /*
               Read pad byte.
@@ -343,7 +347,7 @@ static MagickBooleanType DecodeImage(Image *image,const size_t compression,
   }
   (void) ReadBlobByte(image);  /* end of line */
   (void) ReadBlobByte(image);
-  return(y < (ssize_t) image->rows ? MagickFalse : MagickTrue);
+  return((q-pixels) < (ssize_t) number_pixels ? MagickFalse : MagickTrue);
 }
 
 /*
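Review bot: The new return compares `q-pixels` with `number_pixels`, but the other hunks use `q` as the end-of-buffer bound (`p >= q`, `q-p`), not as the write cursor. If `q` is assigned once as `pixels+number_pixels` (its assignment is outside the hunk), the difference is constant and DecodeImage returns MagickTrue for every input. That would include a stream that hit EOF early, and the end-of-bitmap marker, which now also falls through to this return. Confirm which pointer was intended; if truncated RLE data should be reported, track a status in the loop and return that, or add a comment stating that partial decodes are accepted on purpose.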
@@ -517,7 +521,8 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
     *image;
 
   IndexPacket
-    index;
+    index,
+    *indexes;
 
   MagickBooleanType
     status;
@@ -534,19 +539,9 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
   MemoryInfo
     *pixel_info;
 
-  IndexPacket
-    *indexes;
-
   PixelPacket
     *q;
 
-  ssize_t
-    i,
-    x;
-
-  unsigned char
-    *p;
-
   size_t
     bit,
     bytes_per_line,
@@ -554,10 +549,13 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
 
   ssize_t
     count,
+    i,
+    x,
     y;
 
   unsigned char
     magick[12],
+    *p,
     *pixels;
 
   unsigned int
@@ -628,6 +626,8 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
     bmp_info.size=ReadBlobLSBLong(image);
     if (bmp_info.size > 124)
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+    if (bmp_info.offset_bits < bmp_info.size)
+      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     profile_data=0;
     profile_size=0;
     if (bmp_info.size == 12)
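Review bot: The added check `bmp_info.offset_bits < bmp_info.size` compares the pixel-data offset with the info-header size alone, while a BMP file places a 14-byte file header in front of that header. An offset between `size` and `size+14` would still pass and point inside the header, so the bound is probably meant to be `if (bmp_info.offset_bits < (bmp_info.size+14))`. How `offset_bits` is used afterwards is outside the hunk, so verify against the later seek before tightening.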