2016-06-04 7.0.1-10 Cristy <quetzlzacatenango@image...>
* Deny indirect reads by policy, remove policy to permit, e.g.,
convert caption:@mytext.txt ...
+ * RLE check for pixel offset less than 0 (heap overflow report from Craig
+ Young).
2016-06-03 7.0.1-9 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 7.0.1-9, GIT revision 10847:339f803:20160602.
number_planes,
number_planes_filled,
one,
- offset,
pixel_info_length;
ssize_t
count,
+ offset,
y;
unsigned char
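Review bot: Moving offset into the ssize_t group carries no comment, yet the "offset < 0" tests added later in this patch only work while it stays signed. Add a one-line comment at the declaration saying that offset is signed on purpose so the bounds checks can detect a negative value, so a later tidy-up does not move it back beside pixel_info_length.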
offset=((image->rows-y-1)*image->columns*number_planes)+x*
number_planes+plane;
operand++;
- if (offset+((size_t) operand*number_planes) > pixel_info_length)
+ if ((offset < 0) ||
+ (offset+((size_t) operand*number_planes) > pixel_info_length))
{
if (number_colormaps != 0)
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
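Review bot: The upper-bound half of the new condition, "offset+((size_t) operand*number_planes) > pixel_info_length", still performs the addition in size_t because of the cast, so the sum can wrap around and compare as small even when offset itself is non-negative. Once "offset < 0" has been ruled out, consider testing by subtraction instead: reject when (size_t) offset > pixel_info_length, or when (size_t) operand*number_planes > pixel_info_length-(size_t) offset.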
offset=((image->rows-y-1)*image->columns*number_planes)+x*
number_planes+plane;
operand++;
- if (offset+((size_t) operand*number_planes) > pixel_info_length)
+ if ((offset < 0) ||
+ (offset+((size_t) operand*number_planes) > pixel_info_length))
{
if (number_colormaps != 0)
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
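Review bot: This is the same two-line condition as in the previous hunk, repeated verbatim at a second site after an identical "offset=" computation. Factor the offset computation and its bounds test into one small helper so that a future correction to the check cannot be applied at one site and missed at the other.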