]> granicus.if.org Git - imagemagick/commitdiff
projects / imagemagick / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f3132f9)
RLE check for pixel offset less than 0 (heap overflow report from Craig Young)
authorCristy <urban-warrior@imagemagick.org>
Sun, 5 Jun 2016 18:25:18 +0000 (14:25 -0400)
committerCristy <urban-warrior@imagemagick.org>
Sun, 5 Jun 2016 18:25:18 +0000 (14:25 -0400)
ChangeLog patch | blob | history
coders/rle.c patch | blob | history

diff --git a/ChangeLog b/ChangeLog
index 4f9c488d050447c8dbf1c26c5357590552c64a2d..6164e264144c5f0358f9caaac6390a0945764fff 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,8 @@
 2016-06-04  7.0.1-10 Cristy  <quetzlzacatenango@image...>
   * Deny indirect reads by policy, remove policy to permit, e.g.,
     convert caption:@mytext.txt ...
+  * RLE check for pixel offset less than 0 (heap overflow report from Craig
+    Young).
 
 2016-06-03  7.0.1-9 Cristy  <quetzlzacatenango@image...>
   * Release ImageMagick version 7.0.1-9, GIT revision 10847:339f803:20160602.
diff --git a/coders/rle.c b/coders/rle.c
index 59e2411942d92b08e767e9a6fa498a664b051205..e13e5c8b5cc87e2963454797451ff132e819f20a 100644 (file)
--- a/coders/rle.c
+++ b/coders/rle.c
@@ -175,11 +175,11 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
     number_planes,
     number_planes_filled,
     one,
-    offset,
     pixel_info_length;
 
   ssize_t
     count,
+    offset,
     y;
 
   unsigned char
@@ -389,7 +389,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
           offset=((image->rows-y-1)*image->columns*number_planes)+x*
             number_planes+plane;
           operand++;
-          if (offset+((size_t) operand*number_planes) > pixel_info_length)
+          if ((offset < 0) ||
+              (offset+((size_t) operand*number_planes) > pixel_info_length))
             {
               if (number_colormaps != 0)
                 colormap=(unsigned char *) RelinquishMagickMemory(colormap);
@@ -420,7 +421,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
           offset=((image->rows-y-1)*image->columns*number_planes)+x*
             number_planes+plane;
           operand++;
-          if (offset+((size_t) operand*number_planes) > pixel_info_length)
+          if ((offset < 0) ||
+              (offset+((size_t) operand*number_planes) > pixel_info_length))
             {
               if (number_colormaps != 0)
                 colormap=(unsigned char *) RelinquishMagickMemory(colormap);
Unnamed repository; edit this file 'description' to name the repository.