Added check for the length of the profile.
authorDirk Lemstra <dirk@git.imagemagick.org>
Fri, 2 Feb 2018 20:26:34 +0000 (21:26 +0100)
committerDirk Lemstra <dirk@git.imagemagick.org>
Fri, 2 Feb 2018 20:26:34 +0000 (21:26 +0100)
coders/miff.c
coders/mpc.c

index 683b4320acc95021c1afac70b518108f63b2e737..8bf9178b6c51d9cd3ab07f9e955cf5e7e9648e77 100644 (file)
@@ -893,6 +893,9 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
                 if ((LocaleNCompare(keyword,"profile:",8) == 0) ||
                     (LocaleNCompare(keyword,"profile-",8) == 0))
                   {
+                    size_t
+                      length;
+
                     StringInfo
                       *profile;
 
@@ -900,8 +903,16 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
                       profiles=NewLinkedList(0);
                     (void) AppendValueToLinkedList(profiles,
                       AcquireString(keyword+8));
-                    profile=BlobToStringInfo((const void *) NULL,(size_t)
-                      StringToLong(options));
+                    length=(size_t) StringToLong(options);
+                    if (length > sizeof(keyword)-8)
+                      {
+                        options=DestroyString(options);
+                        profiles=DestroyLinkedList(profiles,
+                          RelinquishMagickMemory);
+                        ThrowReaderException(CorruptImageError,
+                          "ImproperImageHeader");
+                      }
+                    profile=BlobToStringInfo((const void *) NULL,length);
                     if (profile == (StringInfo *) NULL)
                       {
                         options=DestroyString(options);
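Review bot: The limit in `if (length > sizeof(keyword)-8)` is derived from the keyword buffer, but the profile bytes go into the `StringInfo` allocated by `BlobToStringInfo` on the next line, not into `keyword`. If `keyword` is a fixed-size character array (its declaration is outside this hunk), this caps every embedded profile at the size of that array and would reject valid files carrying larger colour profiles as `ImproperImageHeader`. Consider bounding `length` by the amount of input actually available, or add a comment above the check saying why this limit was chosen, e.g. `/* length comes from the file header; cap it before allocating */`. The same bound is used in the coders/mpc.c hunk, and ReadMIFFImage continues outside this hunk.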
index 39a557fea120bec000c3400e4d6d9c94f9f27426..41b469b94cdccd49d8e63a9ea85026da1263b7bc 100644 (file)
@@ -628,12 +628,22 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
                 if ((LocaleNCompare(keyword,"profile:",8) == 0) ||
                     (LocaleNCompare(keyword,"profile-",8) == 0))
                   {
+                    size_t
+                      length;
+
                     if (profiles == (LinkedListInfo *) NULL)
                       profiles=NewLinkedList(0);
                     (void) AppendValueToLinkedList(profiles,
                       AcquireString(keyword+8));
-                    profile=BlobToStringInfo((const void *) NULL,(size_t)
-                      StringToLong(options));
+                    if (length > sizeof(keyword)-8)
+                      {
+                        options=DestroyString(options);
+                        profiles=DestroyLinkedList(profiles,
+                          RelinquishMagickMemory);
+                        ThrowReaderException(CorruptImageError,
+                          "ImproperImageHeader");
+                      }
+                    profile=BlobToStringInfo((const void *) NULL,length);
                     if (profile == (StringInfo *) NULL)
                       {
                         options=DestroyString(options);
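Review bot: `length` is declared at the top of this block but never assigned before `if (length > sizeof(keyword)-8)` reads it; the assignment that the matching coders/miff.c hunk adds is missing here. The comparison and the following `BlobToStringInfo((const void *) NULL,length)` therefore use an indeterminate value, so the new check does not reliably reject an oversized profile length and the allocation no longer matches the size declared in the header. Add `length=(size_t) StringToLong(options);` immediately before the check, as in ReadMIFFImage. ReadMPCImage continues outside this hunk.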