Check length of LOOP and ENDL chunks.
authorglennrp <glennrp@git.imagemagick.org>
Sat, 24 Jan 2015 03:54:57 +0000 (03:54 +0000)
committerglennrp <glennrp@git.imagemagick.org>
Sat, 24 Jan 2015 03:54:57 +0000 (03:54 +0000)
coders/png.c

index 3af6949b5bbec894828b49f9b02a63b487dd8bac..9d2244f8bcea8318431f65c8a3262850cded3df6 100644 (file)
@@ -5779,7 +5779,7 @@ static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
         if (memcmp(type,mng_LOOP,4) == 0)
           {
             ssize_t loop_iters=1;
-            if (length > 0) /* To do: check spec, if empty LOOP is allowed */
+            if (length > 4)
               {
                 loop_level=chunk[0];
                 mng_info->loop_active[loop_level]=1;  /* mark loop active */
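Review bot: The new bound `length > 4` in the LOOP branch is a bare number with no comment, and the TODO it replaces is gone, so a reader cannot tell which fields those five bytes cover. A one-line comment above the test would fix that, for example `/* need nest_level (1 byte) + iteration_count (4 bytes) */`, assuming the rest of the body, which continues past this hunk, reads the count from `chunk[1]` onward. A LOOP chunk shorter than that is now skipped silently with `loop_level` left at its previous value, so a log line under `logging` for that case would help when triaging malformed files.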
@@ -5809,57 +5809,61 @@ static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
 
         if (memcmp(type,mng_ENDL,4) == 0)
           {
-            loop_level=chunk[0];
-
-            if (skipping_loop > 0)
+            if (length > 0)
               {
-                if (skipping_loop == loop_level)
+                loop_level=chunk[0];
+
+                if (skipping_loop > 0)
                   {
-                    /*
-                      Found end of zero-iteration loop.
-                    */
-                    skipping_loop=(-1);
-                    mng_info->loop_active[loop_level]=0;
+                    if (skipping_loop == loop_level)
+                      {
+                        /*
+                          Found end of zero-iteration loop.
+                        */
+                        skipping_loop=(-1);
+                        mng_info->loop_active[loop_level]=0;
+                      }
                   }
-              }
 
-            else
-              {
-                if (mng_info->loop_active[loop_level] == 1)
+                else
                   {
-                    mng_info->loop_count[loop_level]--;
-                    mng_info->loop_iteration[loop_level]++;
-
-                    if (logging != MagickFalse)
-                      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
-                        "  ENDL: LOOP level %.20g has %.20g remaining iters ",
-                        (double) loop_level,(double)
-                        mng_info->loop_count[loop_level]);
-
-                    if (mng_info->loop_count[loop_level] != 0)
+                    if (mng_info->loop_active[loop_level] == 1)
                       {
-                        offset=SeekBlob(image,mng_info->loop_jump[loop_level],
-                          SEEK_SET);
+                        mng_info->loop_count[loop_level]--;
+                        mng_info->loop_iteration[loop_level]++;
 
-                        if (offset < 0)
-                          ThrowReaderException(CorruptImageError,
-                            "ImproperImageHeader");
-                      }
+                        if (logging != MagickFalse)
+                          (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                          "  ENDL: LOOP level %.20g has %.20g remaining iters ",
+                            (double) loop_level,(double)
+                            mng_info->loop_count[loop_level]);
 
-                    else
-                      {
-                        short
-                          last_level;
+                        if (mng_info->loop_count[loop_level] != 0)
+                          {
+                            offset=
+                              SeekBlob(image,mng_info->loop_jump[loop_level],
+                              SEEK_SET);
 
-                        /*
-                          Finished loop.
-                        */
-                        mng_info->loop_active[loop_level]=0;
-                        last_level=(-1);
-                        for (i=0; i < loop_level; i++)
-                          if (mng_info->loop_active[i] == 1)
-                            last_level=(short) i;
-                        loop_level=last_level;
+                            if (offset < 0)
+                              ThrowReaderException(CorruptImageError,
+                                "ImproperImageHeader");
+                          }
+
+                        else
+                          {
+                            short
+                              last_level;
+
+                            /*
+                              Finished loop.
+                            */
+                            mng_info->loop_active[loop_level]=0;
+                            last_level=(-1);
+                            for (i=0; i < loop_level; i++)
+                              if (mng_info->loop_active[i] == 1)
+                                last_level=(short) i;
+                            loop_level=last_level;
+                          }
                       }
                   }
               }
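Review bot: The added `if (length > 0)` around the ENDL body has no else branch, so an empty ENDL is dropped without a log entry or an exception, and any loop that was open stays marked in `loop_active[]`. The seek-failure path in this block raises `CorruptImageError`, so the empty case should at least be logged: `else if (logging != MagickFalse) (void) LogMagickEvent(CoderEvent,GetMagickModule(),"  ENDL: empty chunk ignored");`. Separately, `loop_level` is taken straight from `chunk[0]` and indexes `loop_active`, `loop_count`, `loop_iteration` and `loop_jump`; their sizes are declared outside the hunk, so confirm they can hold every value a chunk byte can take. The ENDL block itself closes after the last line shown here.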