Prevent buffer overflow in BMP coder (bug report from pwchen of tencent).

diff --git a/ChangeLog b/ChangeLog
index 7c9cad2e50cbdcd3c1ffe8c6a23c7333d1daf984..14b82002dc1cde45f9f83e58635c83c98663da00 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2016-08-15  7.0.2-10 Cristy  <quetzlzacatenango@image...>
+  * Prevent buffer overflow in BMP coder (bug report from pwchen of tencent).
+
 2016-08-14  7.0.2-9 Cristy  <quetzlzacatenango@image...>
   * Release ImageMagick version 7.0.2-9, GIT revision 18707:2c02f09:20160814.
 

diff --git a/coders/bmp.c b/coders/bmp.c
index 85741e173a549992a0a149888b8223152b1ca8e2..47aeae964c0e46f0c8f3215c249cc5097ecbf4f4 100644 (file)
--- a/coders/bmp.c
+++ b/coders/bmp.c
@@ -1682,10 +1682,13 @@ static MagickBooleanType WriteBMPImage(const ImageInfo *image_info,Image *image,
           bmp_info.file_size+=extra_size;
           bmp_info.offset_bits+=extra_size;
         }
+    if ((image->columns != (signed int) image->columns) ||
+        (image->rows != (signed int) image->rows))
+      ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit");
     bmp_info.width=(ssize_t) image->columns;
     bmp_info.height=(ssize_t) image->rows;
     bmp_info.planes=1;
-    bmp_info.image_size=(unsigned int) (bytes_per_line*image->rows);
+    bmp_info.image_size=(unsigned long) (bytes_per_line*image->rows);
     bmp_info.file_size+=bmp_info.image_size;
     bmp_info.x_pixels=75*39;
     bmp_info.y_pixels=75*39;