Add field width to sscanf() to prevent buffer overflow
authorCristy <urban-warrior@imagemagick.org>
Sat, 5 Sep 2015 12:12:48 +0000 (08:12 -0400)
committerCristy <urban-warrior@imagemagick.org>
Sat, 5 Sep 2015 12:12:48 +0000 (08:12 -0400)
MagickCore/pixel-accessor.h
MagickCore/property.c
coders/gradient.c
coders/xbm.c
coders/xtrn.c

index 52c1a708fd5ffb4027d4983252cf822036ba944e..2e9e8d1c7fb669f2932539d62523fbb8a673fe2e 100644 (file)
@@ -443,7 +443,7 @@ static inline MagickBooleanType IsPixelAtDepth(const Quantum pixel,
 static inline MagickBooleanType IsPixelEquivalent(const Image *restrict image,
   const Quantum *restrict p,const PixelInfo *restrict q)
 {
-#define ScaleAbsolutePixelValue(alpha)  AbsolutePixelValue(QuantumScale*(alpha))
+#define ScaleAbsolutePixelValue(alpha)  (QuantumScale*AbsolutePixelValue(alpha))
 
   MagickRealType
     value;
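Review bot: The `ScaleAbsolutePixelValue` rewrite is unrelated to the sscanf() field-width fix named in the commit title and carries no explanation, which makes this security patch harder to audit and backport. The old and new forms agree only if `QuantumScale` is non-negative and `AbsolutePixelValue` is a plain magnitude, and neither definition is visible here. A one-line comment such as `/* take the magnitude first, then scale; QuantumScale is positive */` would record the intent. The macro is defined inside IsPixelEquivalent, whose body continues outside the hunk, so whether it is `#undef`'d afterwards cannot be checked from here.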
index 50c78bb69fc76d06fa1e94717417b5eb3dc30472..26ecc214521727e2472bb9a13d7cd987d3f291ea 100644 (file)
@@ -596,8 +596,8 @@ static MagickBooleanType Get8BIMProperty(const Image *image,const char *key,
   profile=GetImageProfile(image,"8bim");
   if (profile == (StringInfo *) NULL)
     return(MagickFalse);
-  count=(ssize_t) sscanf(key,"8BIM:%ld,%ld:%[^\n]\n%[^\n]",&start,&stop,name,
-    format);
+  count=(ssize_t) sscanf(key,"8BIM:%ld,%ld:%1024[^\n]\n%1024[^\n]",&start,&stop,
+    name,format);
   if ((count != 2) && (count != 3) && (count != 4))
     return(MagickFalse);
   if (count < 4)
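Review bot: The `%1024` widths in the sscanf() call are bare literals, and nothing ties them to the sizes of `name` and `format`, which are declared outside this hunk. A width of N lets `%[` store up to N characters plus the terminating NUL, so each array must hold at least 1025 bytes. That presumably holds if they are `MagickPathExtent` arrays, but a later resize would break it silently. I would add a comment at the call, e.g. `/* field widths must stay below sizeof(name) and sizeof(format) */`, or derive the width from a shared constant. Keys whose name part is longer are now truncated without any error, which the function's documentation should mention.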
index eca241f17e0dcfea95dc825be7606b12fee74b30..1391b1e9774cf437d1f4f0111cf3ebe4673696b6 100644 (file)
@@ -96,7 +96,7 @@ static Image *ReadGRADIENTImage(const ImageInfo *image_info,
   ExceptionInfo *exception)
 {
   char
-    colorname[MagickPathExtent];
+    colorname[MagickPathExtent+4];
 
   Image
     *image;
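Review bot: Growing `colorname` by four bytes does not by itself bound the write, and the `+4` has no comment saying which extra characters it is meant to hold. The code that fills `colorname` lies outside this hunk. If that code is an sscanf() `%[` or `%s` conversion without a field width, the copy is still limited only by the input length, unlike the other call sites changed in this commit. Either give that conversion an explicit width smaller than the array, or add a comment on the declaration stating what the four extra bytes are reserved for.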
index 32dd8c5899d208e9db0d5129dcf1fb730bda6477..563970316d4ad5a5e3ab8064399167e227f54d0d 100644 (file)
@@ -233,12 +233,12 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
   width=0;
   height=0;
   while (ReadBlobString(image,buffer) != (char *) NULL)
-    if (sscanf(buffer,"#define %s %u",name,&width) == 2)
+    if (sscanf(buffer,"#define %32s %u",name,&width) == 2)
       if ((strlen(name) >= 6) &&
           (LocaleCompare(name+strlen(name)-6,"_width") == 0))
         break;
   while (ReadBlobString(image,buffer) != (char *) NULL)
-    if (sscanf(buffer,"#define %s %u",name,&height) == 2)
+    if (sscanf(buffer,"#define %32s %u",name,&height) == 2)
       if ((strlen(name) >= 7) &&
           (LocaleCompare(name+strlen(name)-7,"_height") == 0))
         break;
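Review bot: The `%32s` width truncates any identifier longer than 32 characters, so in the two `#define` scans a long `..._width` or `..._height` macro name no longer matches. `%s` stops after 32 characters, `%u` then meets the rest of the name, and sscanf() returns 1, so such files would leave `width`/`height` at 0 where they previously parsed. `name` is declared outside the hunk; if it is a `MagickPathExtent` array, a width close to its size (for example `%1024s`, as used in property.c in this commit) keeps the bound without rejecting long names. The same `%32s` appears in the three `static ... %32s = {` scans of the next hunk, where the stored name is cut short as well.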
@@ -253,13 +253,13 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception)
   version=11;
   while (ReadBlobString(image,buffer) != (char *) NULL)
   {
-    if (sscanf(buffer,"static short %s = {",name) == 1)
+    if (sscanf(buffer,"static short %32s = {",name) == 1)
       version=10;
     else
-      if (sscanf(buffer,"static unsigned char %s = {",name) == 1)
+      if (sscanf(buffer,"static unsigned char %32s = {",name) == 1)
         version=11;
       else
-        if (sscanf(buffer,"static char %s = {",name) == 1)
+        if (sscanf(buffer,"static char %32s = {",name) == 1)
           version=11;
         else
           continue;
index 97747094827f6611c1796f0b87692fd69d25aaf7..e73f333faf1bc21321706d9fe618aec681c1791b 100644 (file)
@@ -168,7 +168,8 @@ static Image *ReadXTRNImage(const ImageInfo *image_info,
       char
         filename[MagickPathExtent];
 
-      (void) sscanf(clone_info->filename,"%lx,%lx,%s",&param1,&param2,&filename);
+      (void) sscanf(clone_info->filename,"%lx,%lx,%2048s",&param1,&param2,
+        filename);
       blob_data=(char **) param1;
       blob_length=(size_t *) param2;
       image=BlobToImage(clone_info,*blob_data,*blob_length,exception);
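Review bot: The sscanf() result is still discarded with `(void)`, so when `clone_info->filename` does not parse, `param1` and `param2` keep whatever they held before (their initialisation is outside the hunk). They are then cast to pointers and dereferenced in `BlobToImage(clone_info,*blob_data,*blob_length,exception)`. The call should require all three conversions, e.g. `if (sscanf(clone_info->filename,"%lx,%lx,%2048s",&param1,&param2,filename) != 3)` followed by the function's error path, and the pointers should be checked for NULL before use. The same unchecked pattern remains in the other three sscanf() calls in this file (the SAFEARRAY read path and both write paths). Separately, `%2048s` stores up to 2049 bytes into `filename[MagickPathExtent]`, which is safe only while `MagickPathExtent` exceeds 2048; its value is not defined on this page.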
@@ -194,7 +195,7 @@ static Image *ReadXTRNImage(const ImageInfo *image_info,
         blob_length;
 
       *filename='\0';
-      (void) sscanf(clone_info->filename,"%lx,%s",&param1,&filename);
+      (void) sscanf(clone_info->filename,"%lx,%2048s",&param1,filename);
       hr=S_OK;
       pSafeArray=(SAFEARRAY *) param1;
       if (pSafeArray)
@@ -464,13 +465,14 @@ static MagickBooleanType WriteXTRNImage(const ImageInfo *image_info,
       clone_info=CloneImageInfo(image_info);
       if (clone_info->filename[0])
         {
-          (void) sscanf(clone_info->filename,"%lx,%lx,%s",
-            &param1,&param2,&filename);
+          (void) sscanf(clone_info->filename,"%lx,%lx,%2048s",
+            &param1,&param2,filename);
 
           blob_data=(char **) param1;
           blob_length=(size_t *) param2;
           scene = 0;
-          (void) CopyMagickString(clone_info->filename,filename,MagickPathExtent);
+          (void) CopyMagickString(clone_info->filename,filename,
+            MagickPathExtent);
           for (p=image; p != (Image *) NULL; p=GetNextImageInList(p))
           {
             (void) CopyMagickString(p->filename,filename,MagickPathExtent);
@@ -504,10 +506,11 @@ static MagickBooleanType WriteXTRNImage(const ImageInfo *image_info,
       clone_info=CloneImageInfo(image_info);
       if (*clone_info->filename != '\0')
         {
-          (void) sscanf(clone_info->filename,"%lx,%s",&param1,&filename);
+          (void) sscanf(clone_info->filename,"%lx,%2048s",&param1,filename);
           image->client_data=param1;
           scene=0;
-          (void) CopyMagickString(clone_info->filename,filename,MagickPathExtent);
+          (void) CopyMagickString(clone_info->filename,filename,
+            MagickPathExtent);
           for (p=image; p != (Image *) NULL; p=GetNextImageInList(p))
           {
             (void) CopyMagickString(p->filename,filename,MagickPathExtent);