Added extra checks for the list length to exit earlier.

author Dirk Lemstra <dirk@git.imagemagick.org>

Sat, 3 Feb 2018 09:13:02 +0000 (10:13 +0100)

committer Dirk Lemstra <dirk@git.imagemagick.org>

Sat, 3 Feb 2018 09:13:29 +0000 (10:13 +0100)
author Dirk Lemstra <dirk@git.imagemagick.org>
Sat, 3 Feb 2018 09:13:02 +0000 (10:13 +0100)
committer Dirk Lemstra <dirk@git.imagemagick.org>
Sat, 3 Feb 2018 09:13:29 +0000 (10:13 +0100)
diff --git a/coders/dds.c b/coders/dds.c

index 92e3a80d01ca84181a5f267b9e824efb634e7887..872668d7c411554df12936943d5cc4b8c26496be 100644 (file)
--- a/coders/dds.c
+++ b/coders/dds.c
@@ -1795,6 +1795,9 @@ static Image *ReadDDSImage(const ImageInfo *image_info,ExceptionInfo *exception)
    if ((num_images == 0) || (num_images > GetBlobSize(image)))
      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
  
+  if (GetMagickResourceLimit(ListLengthResource) < (MagickSizeType) num_images)
+    ThrowReaderException(ImageError,"ListLengthExceedsLimit");
+
    option=GetImageOption(image_info,"dds:skip-mipmaps");
    if (IsStringFalse(option) != MagickFalse)
      read_mipmaps=MagickTrue;
diff --git a/coders/gif.c b/coders/gif.c

index a778a142d579a02997af11b810faa2eae4c422e9..69d479879e65fe8186f2c56079fa2119a61017b2 100644 (file)
--- a/coders/gif.c
+++ b/coders/gif.c
@@ -66,6 +66,7 @@
  #include "MagickCore/property.h"
  #include "MagickCore/quantize.h"
  #include "MagickCore/quantum-private.h"
+#include "MagickCore/resource_.h"
  #include "MagickCore/static.h"
  #include "MagickCore/string_.h"
  #include "MagickCore/string-private.h"
@@ -958,6 +959,9 @@ static Image *ReadGIFImage(const ImageInfo *image_info,ExceptionInfo *exception)
    MagickBooleanType
      status;
  
+  MagickSizeType
+    max_image_count;
+
    register ssize_t
      i;
  
@@ -1038,6 +1042,7 @@ static Image *ReadGIFImage(const ImageInfo *image_info,ExceptionInfo *exception)
    duration=0;
    opacity=(-1);
    image_count=0;
+  max_image_count=GetMagickResourceLimit(ListLengthResource);
    for ( ; ; )
    {
      count=ReadBlob(image,1,&c);
@@ -1228,8 +1233,16 @@ static Image *ReadGIFImage(const ImageInfo *image_info,ExceptionInfo *exception)
        }
      if (c != (unsigned char) ',')
        continue;
-    if (image_count != 0)
+    image_count++;
+    if (image_count != 1)
        {
+        if ((MagickSizeType) image_count == max_image_count)
+          {
+            image=DestroyImageList(image);
+            global_colormap=(unsigned char *) RelinquishMagickMemory(
+              global_colormap);
+            ThrowReaderException(CorruptImageError,"ListLengthExceedsLimit");
+          }
          /*
            Allocate next image structure.
          */
@@ -1243,7 +1256,6 @@ static Image *ReadGIFImage(const ImageInfo *image_info,ExceptionInfo *exception)
            }
          image=SyncNextImageInList(image);
        }
-    image_count++;
      /*
        Read image attributes.
      */
author	Dirk Lemstra <dirk@git.imagemagick.org>
	Sat, 3 Feb 2018 09:13:02 +0000 (10:13 +0100)
committer	Dirk Lemstra <dirk@git.imagemagick.org>
	Sat, 3 Feb 2018 09:13:29 +0000 (10:13 +0100)
coders/dds.c		patch \| blob \| history
coders/gif.c		patch \| blob \| history