Added extra checks to avoid out of bound writes.

author Dirk Lemstra <dirk@git.imagemagick.org>

Tue, 23 Jan 2018 22:18:58 +0000 (23:18 +0100)

committer Dirk Lemstra <dirk@git.imagemagick.org>

Tue, 23 Jan 2018 22:18:58 +0000 (23:18 +0100)
author Dirk Lemstra <dirk@git.imagemagick.org>
Tue, 23 Jan 2018 22:18:58 +0000 (23:18 +0100)
committer Dirk Lemstra <dirk@git.imagemagick.org>
Tue, 23 Jan 2018 22:18:58 +0000 (23:18 +0100)
diff --git a/coders/sixel.c b/coders/sixel.c

index bd006629dac41a60bbc57c931685d2d5e9c4a0a4..01dfa8d93e420072abea26c7c710007bc32c1d05 100644 (file)
--- a/coders/sixel.c
+++ b/coders/sixel.c
@@ -245,6 +245,7 @@ MagickBooleanType sixel_decode(unsigned char              /* in */  *p,
      int imsx, imsy;
      int dmsx, dmsy;
      int y;
+    size_t offset;
  
      posision_x = posision_y = 0;
      max_x = max_y = 0;
@@ -459,7 +460,13 @@ MagickBooleanType sixel_decode(unsigned char              /* in */  *p,
                  if (repeat_count <= 1) {
                      for (i = 0; i < 6; i++) {
                          if ((b & sixel_vertical_mask) != 0) {
-                            imbuf[imsx * (posision_y + i) + posision_x] = color_index;
+                            offset=(size_t) imsx * (posision_y + i) + posision_x;
+                            if (offset >= (size_t) imsx * imsy)
+                              {
+                                imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
+                                return (MagickFalse);
+                              }
+                            imbuf[offset] = color_index;
                              if (max_x < posision_x) {
                                  max_x = posision_x;
                              }
@@ -482,7 +489,13 @@ MagickBooleanType sixel_decode(unsigned char              /* in */  *p,
                                  c <<= 1;
                              }
                              for (y = posision_y + i; y < posision_y + i + n; ++y) {
-                                (void) ResetMagickMemory(imbuf + (size_t) imsx * y + posision_x, color_index, repeat_count);
+                                offset=(size_t) imsx * y + posision_x;
+                                if (offset + repeat_count >= (size_t) imsx * imsy)
+                                  {
+                                    imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
+                                    return (MagickFalse);
+                                  }
+                                (void) ResetMagickMemory(imbuf + offset, color_index, repeat_count);
                              }
                              if (max_x < (posision_x + repeat_count - 1)) {
                                  max_x = posision_x + repeat_count - 1;
author	Dirk Lemstra <dirk@git.imagemagick.org>
	Tue, 23 Jan 2018 22:18:58 +0000 (23:18 +0100)
committer	Dirk Lemstra <dirk@git.imagemagick.org>
	Tue, 23 Jan 2018 22:18:58 +0000 (23:18 +0100)