Check for resource overflow

Credit OSS Fuzz

diff --git a/MagickCore/magick-type.h b/MagickCore/magick-type.h
index b5229de6ad546e370bc6fa9d23416c7e62028c3f..cc00cd390824501c39ca483c66bad15e0a69f585 100644 (file)
--- a/MagickCore/magick-type.h
+++ b/MagickCore/magick-type.h
@@ -29,11 +29,11 @@ extern "C" {
 #endif
 
 #if defined(MAGICKCORE_WINDOWS_SUPPORT) && !defined(__MINGW32__)
-#  define MagickLLConstant(c)  (MagickOffsetType) (c ## i64)
-#  define MagickULLConstant(c)  (MagickSizeType) (c ## ui64)
+#  define MagickLLConstant(c)  ((MagickOffsetType) (c ## i64))
+#  define MagickULLConstant(c)  ((MagickSizeType) (c ## ui64))
 #else
-#  define MagickLLConstant(c)  (MagickOffsetType) (c ## LL)
-#  define MagickULLConstant(c)  (MagickSizeType) (c ## ULL)
+#  define MagickLLConstant(c)  ((MagickOffsetType) (c ## LL))
+#  define MagickULLConstant(c)  ((MagickSizeType) (c ## ULL))
 #endif
 
 #if MAGICKCORE_SIZEOF_FLOAT_T == 0

diff --git a/MagickCore/resource.c b/MagickCore/resource.c
index 650e967e0059c77feb4eaf2ea0d6aa016cc84bf8..5e81531d70627d3e1ef4c83ea2e390d58fc26526 100644 (file)
--- a/MagickCore/resource.c
+++ b/MagickCore/resource.c
@@ -181,6 +181,8 @@ MagickExport MagickBooleanType AcquireMagickResource(const ResourceType type,
   MagickSizeType
     limit;
 
+  if ((MagickOffsetType) size < 0)
+    return(MagickFalse);
   status=MagickFalse;
   logging=IsEventLogging();
   if (resource_semaphore == (SemaphoreInfo *) NULL)
@@ -207,6 +209,8 @@ MagickExport MagickBooleanType AcquireMagickResource(const ResourceType type,
     }
     case MemoryResource:
     {
+      if ((resource_info.memory+(MagickOffsetType) size) < 0)
+        return(MagickFalse);
       resource_info.memory+=(MagickOffsetType) size;
       limit=resource_info.memory_limit;
       if ((limit == MagickResourceInfinity) ||
@@ -227,6 +231,8 @@ MagickExport MagickBooleanType AcquireMagickResource(const ResourceType type,
     }
     case MapResource:
     {
+      if ((resource_info.map+(MagickOffsetType) size) < 0)
+        return(MagickFalse);
       resource_info.map+=(MagickOffsetType) size;
       limit=resource_info.map_limit;
       if ((limit == MagickResourceInfinity) ||
@@ -247,6 +253,8 @@ MagickExport MagickBooleanType AcquireMagickResource(const ResourceType type,
     }
     case DiskResource:
     {
+      if ((resource_info.disk+(MagickOffsetType) size) < 0)
+        return(MagickFalse);
       resource_info.disk+=(MagickOffsetType) size;
       limit=resource_info.disk_limit;
       if ((limit == MagickResourceInfinity) ||
@@ -267,6 +275,8 @@ MagickExport MagickBooleanType AcquireMagickResource(const ResourceType type,
     }
     case FileResource:
     {
+      if ((resource_info.file+(MagickOffsetType) size) < 0)
+        return(MagickFalse);
       resource_info.file+=(MagickOffsetType) size;
       limit=resource_info.file_limit;
       if ((limit == MagickResourceInfinity) ||
@@ -341,6 +351,8 @@ MagickExport MagickBooleanType AcquireMagickResource(const ResourceType type,
     }
     case TimeResource:
     {
+      if ((resource_info.time+(MagickOffsetType) size) < 0)
+        return(MagickFalse);
       resource_info.time+=(MagickOffsetType) size;
       limit=resource_info.time_limit;
       if ((limit == MagickResourceInfinity) ||