1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
From: Cristy <urban-warrior@imagemagick.org>
Date: Sun, 28 Aug 2022 10:55:11 -0400
Subject: incorrect bounds checking for draw affine @
https://github.com/ImageMagick/ImageMagick/issues/5497
origin: https://github.com/ImageMagick/ImageMagick6/commit/c5a9368d871943eceafce143bb87612b2a9623b2.patch
---
magick/draw.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/magick/draw.c b/magick/draw.c
index 50ed8e0..14774d6 100644
--- a/magick/draw.c
+++ b/magick/draw.c
@@ -1206,12 +1206,12 @@ MagickExport MagickBooleanType DrawAffineImage(Image *image,
assert(affine != (AffineMatrix *) NULL);
extent[0].x=0.0;
extent[0].y=0.0;
- extent[1].x=(double) source->columns-1.0;
+ extent[1].x=(double) source->columns;
extent[1].y=0.0;
- extent[2].x=(double) source->columns-1.0;
- extent[2].y=(double) source->rows-1.0;
+ extent[2].x=(double) source->columns;
+ extent[2].y=(double) source->rows;
extent[3].x=0.0;
- extent[3].y=(double) source->rows-1.0;
+ extent[3].y=(double) source->rows;
for (i=0; i < 4; i++)
{
point=extent[i];
@@ -1237,11 +1237,15 @@ MagickExport MagickBooleanType DrawAffineImage(Image *image,
if (SetImageStorageClass(image,DirectClass) == MagickFalse)
return(MagickFalse);
status=MagickTrue;
- edge.x1=MagickMax(min.x,0.0);
- edge.y1=MagickMax(min.y,0.0);
- edge.x2=MagickMin(max.x,(double) image->columns-1.0);
- edge.y2=MagickMin(max.y,(double) image->rows-1.0);
+ edge.x1=min.x;
+ edge.y1=min.y;
+ edge.x2=max.x;
+ edge.y2=max.y;
inverse_affine=InverseAffineMatrix(affine);
+ if (edge.y1 < 0.0)
+ edge.y1=0.0;
+ if (edge.y2 > (image->rows-1.0))
+ edge.y2=image->rows-1.0;
GetMagickPixelPacket(image,&zero);
exception=(&image->exception);
start=CastDoubleToLong(ceil(edge.y1-0.5));
@@ -1281,6 +1285,10 @@ MagickExport MagickBooleanType DrawAffineImage(Image *image,
inverse_edge=AffineEdge(source,&inverse_affine,(double) y,&edge);
if (inverse_edge.x2 < inverse_edge.x1)
continue;
+ if (inverse_edge.x1 < 0.0)
+ inverse_edge.x1=0.0;
+ if (inverse_edge.x2 > image->columns-1.0)
+ inverse_edge.x2=image->columns-1.0;
q=GetCacheViewAuthenticPixels(image_view,CastDoubleToLong(
ceil(inverse_edge.x1-0.5)),y,(size_t) CastDoubleToLong(floor(
inverse_edge.x2+0.5)-ceil(inverse_edge.x1-0.5)+1),1,exception);
|
