Fix potential overflow while reading the MNG TERM chunk (issue #541)
authorGlenn Randers-Pehrson <glennrp@gmail.com>
Mon, 10 Jul 2017 12:49:19 +0000 (08:49 -0400)
committerGlenn Randers-Pehrson <glennrp@gmail.com>
Mon, 10 Jul 2017 12:49:19 +0000 (08:49 -0400)
coders/png.c

index ea6dce6ab5f862a70a5ef5c2287127ded3125930..37becf5c515e006dff02e8ad2bd71d5c72e2afb0 100644 (file)
@@ -5427,7 +5427,7 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info,
             if (length != 0)
               repeat=p[0];
 
-            if (repeat == 3)
+            if (repeat == 3 && length > 8)
               {
                 final_delay=(png_uint_32) mng_get_long(&p[2]);
                 mng_iterations=(png_uint_32) mng_get_long(&p[6]);
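Review bot: The new guard `length > 8` still admits a 9-byte TERM chunk, but `mng_get_long(&p[6])` on the last line of this hunk presumably reads four bytes, p[6] through p[9], so it needs at least 10 bytes of chunk data. With `length == 9` the final byte is read one past the end of the chunk. The condition should be `if (repeat == 3 && length > 9)`. The enclosing ReadOneMNGImage body starts and ends outside the hunk, so the allocation size of the chunk buffer is not visible here and should be checked against this bound.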
@@ -5756,7 +5756,7 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info,
                     change_clipping=(*p++);
                     p++; /* change_sync */
 
-                    if (change_delay)
+                    if (change_delay && ((p-chunk) < (ssize_t) (length-4)))
                       {
                         frame_delay=1UL*image->ticks_per_second*
                           mng_get_long(p);
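Review bot: The bound `(ssize_t) (length-4)` is computed by subtracting before the cast, so if `length` is an unsigned type (its declaration is outside the hunk) a chunk shorter than 4 bytes wraps to a huge value and the check then depends on the implementation-defined conversion back to `ssize_t`. The same pattern appears in the `change_timeout` hunk and, with `length-16`, in the `change_clipping` hunk. An additive form avoids the wrap: `if (change_delay && ((p-chunk)+4 <= (ssize_t) length))`, and `(p-chunk)+17 <= (ssize_t) length` for the clipping box. As written, the delay and timeout guards also require five remaining bytes for what looks like a four-byte read, so a field ending exactly at the chunk end is silently skipped, whereas the clipping guard matches the 17 bytes consumed by `p+=17`. A comment stating how many bytes each branch consumes would make these bounds easier to audit.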
@@ -5777,7 +5777,7 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info,
                             "    Framing_delay=%.20g",(double) frame_delay);
                       }
 
-                    if (change_timeout)
+                    if (change_timeout && ((p-chunk) < (ssize_t) (length-4)))
                       {
                         frame_timeout=1UL*image->ticks_per_second*
                           mng_get_long(p);
@@ -5798,7 +5798,7 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info,
                             "    Framing_timeout=%.20g",(double) frame_timeout);
                       }
 
-                    if (change_clipping)
+                    if (change_clipping && ((p-chunk) < (ssize_t) (length-16)))
                       {
                         fb=mng_read_box(previous_fb,(char) p[0],&p[1]);
                         p+=17;