...

[imagemagick] / coders / sfw.c

diff --git a/coders/sfw.c b/coders/sfw.c
index b3526a76082eaa58791e2ec07d3e1403be297d20..ddd503f111521f8570827b8e038ea9d1256da9b4 100644 (file)
--- a/coders/sfw.c
+++ b/coders/sfw.c
@@ -17,7 +17,7 @@
 %                                 July 1992                                   %
 %                                                                             %
 %                                                                             %
-%  Copyright 1999-2017 ImageMagick Studio LLC, a non-profit organization      %
+%  Copyright 1999-2018 ImageMagick Studio LLC, a non-profit organization      %
 %  dedicated to making software imaging solutions freely available.           %
 %                                                                             %
 %  You may not use this file except in compliance with the License.  You may  %
@@ -126,16 +126,15 @@ static unsigned char *SFWScan(const unsigned char *p,const unsigned char *q,
   register ssize_t
     i;
 
-  if ((p+length) < q)
-    while (p < q)
-    {
-      for (i=0; i < (ssize_t) length; i++)
-        if (p[i] != target[i])
-          break;
-      if (i == (ssize_t) length)
-        return((unsigned char *) p);
-      p++;
-    }
+  while ((p+length) < q)
+  {
+    for (i=0; i < (ssize_t) length; i++)
+      if (p[i] != target[i])
+        break;
+    if (i == (ssize_t) length)
+      return((unsigned char *) p);
+    p++;
+  }
   return((unsigned char *) NULL);
 }
 
@@ -253,21 +252,27 @@ static Image *ReadSFWImage(const ImageInfo *image_info,ExceptionInfo *exception)
   */
   if (GetBlobSize(image) != (size_t) GetBlobSize(image))
     ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-  buffer=(unsigned char *) AcquireQuantumMemory((size_t) GetBlobSize(image),
-    sizeof(*buffer));
+  if (GetBlobSize(image) < 141)
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+  buffer=(unsigned char *) AcquireQuantumMemory((size_t) GetBlobSize(image)+
+    MagickPathExtent,sizeof(*buffer));
   if (buffer == (unsigned char *) NULL)
     ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
   count=ReadBlob(image,(size_t) GetBlobSize(image),buffer);
   if ((count != (ssize_t) GetBlobSize(image)) ||
       (LocaleNCompare((char *) buffer,"SFW",3) != 0))
-    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+    {
+      buffer=(unsigned char *) RelinquishMagickMemory(buffer);
+      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+    }
   (void) CloseBlob(image);
   /*
     Find the start of the JFIF data
   */
   header=SFWScan(buffer,buffer+count-1,(const unsigned char *)
     "\377\310\377\320",4);
-  if (header == (unsigned char *) NULL)
+  if ((header == (unsigned char *) NULL) ||
+      ((header+140) > (buffer+GetBlobSize(image))))
     {
       buffer=(unsigned char *) RelinquishMagickMemory(buffer);
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
@@ -353,7 +358,8 @@ static Image *ReadSFWImage(const ImageInfo *image_info,ExceptionInfo *exception)
       image=DestroyImageList(image);
       return(jpeg_image);
     }
-  (void) CopyMagickString(jpeg_image->filename,image->filename,MagickPathExtent);
+  (void) CopyMagickString(jpeg_image->filename,image->filename,
+    MagickPathExtent);
   (void) CopyMagickString(jpeg_image->magick,image->magick,MagickPathExtent);
   image=DestroyImageList(image);
   image=jpeg_image;
@@ -401,6 +407,7 @@ ModuleExport size_t RegisterSFWImage(void)
   entry=AcquireMagickInfo("SFW","SFW","Seattle Film Works");
   entry->decoder=(DecodeImageHandler *) ReadSFWImage;
   entry->magick=(IsImageFormatHandler *) IsSFW;
+  entry->flags|=CoderDecoderSeekableStreamFlag;
   entry->flags^=CoderAdjoinFlag;
   (void) RegisterMagickInfo(entry);
   return(MagickImageCoderSignature);