Added check for the layer size (https://bugs.chromium.org/p/oss-fuzz/issues/detail...
authorDirk Lemstra <dirk@git.imagemagick.org>
Sun, 4 Mar 2018 22:41:59 +0000 (23:41 +0100)
committerDirk Lemstra <dirk@git.imagemagick.org>
Sun, 4 Mar 2018 22:41:59 +0000 (23:41 +0100)
coders/xcf.c

index c471609cb8fb6778e28490e325353bb37ffbafb6..c29b1fff06eea05e0ea13d2b5974d83011102677 100644 (file)
@@ -815,6 +815,10 @@ static MagickBooleanType ReadOneLayer(const ImageInfo *image_info,Image* image,
   if (EOFBlob(image) != MagickFalse)
     ThrowBinaryException(CorruptImageError,"InsufficientImageDataInFile",
       image->filename);
+  if ((outLayer->width < 1) || (outLayer->width > image->columns) ||
+      (outLayer->height < 1) || (outLayer->height > image->rows))
+    ThrowBinaryException(CorruptImageError,"ImproperImageHeader",
+      image->filename);
   /* read the layer properties! */
   foundPropEnd = 0;
   while ( (foundPropEnd == MagickFalse) && (EOFBlob(image) == MagickFalse) ) {
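Review bot: The added size check compares the layer only against `image->columns` and `image->rows`, which are themselves read from the file, so it is only as strong as the validation of the canvas dimensions, and that validation is not visible in this hunk. It also treats any layer larger than the canvas as corrupt, although GIMP can write such layers, so some legitimate XCF files may now fail with `ImproperImageHeader`. A short comment above the check would record that this is deliberate, for example `/* layer must fit inside the canvas; larger layers are treated as corrupt */`. If layer offsets are parsed in the property loop that follows, a layer that passes this check could still extend past the canvas edge, so the offset handling deserves the same scrutiny. ReadOneLayer begins and ends outside the hunk.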
@@ -927,6 +931,7 @@ static MagickBooleanType ReadOneLayer(const ImageInfo *image_info,Image* image,
     exception);
   if (outLayer->image == (Image *) NULL)
     return(MagickFalse);
+  outLayer->width=outLayer->image->columns;
   status=SetImageExtent(outLayer->image,outLayer->image->columns,
     outLayer->image->rows,exception);
   if (status == MagickFalse)
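Review bot: `outLayer->width` is re-synchronised from the allocated image here but `outLayer->height` is not, so the two fields can disagree if the allocation ever returns dimensions other than those requested. If later code sizes reads or copies from the layer struct rather than from `outLayer->image`, the height probably needs the same treatment: `outLayer->height=outLayer->image->rows;`. If width alone is intentional, a one-line comment saying why would stop the asymmetry being "fixed" or copied later. The hunk ends on `if (status == MagickFalse)`, so the failure path and any cleanup of `outLayer->image` are not visible here.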