Corrected overflow checks.

diff --git a/coders/sun.c b/coders/sun.c
index 57fdde982bc049a92d2511c1ef65cf57d6909864..ac0ab5642fc540a71a214e505a09ad35d0a22299 100644 (file)
--- a/coders/sun.c
+++ b/coders/sun.c
@@ -57,6 +57,7 @@
 #include "MagickCore/list.h"
 #include "MagickCore/magick.h"
 #include "MagickCore/memory_.h"
+#include "MagickCore/memory-private.h"
 #include "MagickCore/monitor.h"
 #include "MagickCore/monitor-private.h"
 #include "MagickCore/pixel-accessor.h"
@@ -260,7 +261,6 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
 
   size_t
     bytes_per_line,
-    data_length,
     extent,
     height,
     pixels_length;
@@ -420,15 +420,15 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
     if ((sun_info.type != RT_ENCODED) &&
         ((number_pixels*sun_info.depth) > (8UL*sun_info.length)))
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+    if (HeapOverflowSanityCheck(sun_info.width,sun_info.depth) != MagickFalse)
+      ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     bytes_per_line=sun_info.width*sun_info.depth;
-    data_length=(size_t) MagickMax(sun_info.length,bytes_per_line*
-      sun_info.width)+7;
-    sun_data=(unsigned char *) AcquireQuantumMemory(data_length,
+    sun_data=(unsigned char *) AcquireQuantumMemory(sun_info.length,
       sizeof(*sun_data));
     if (sun_data == (unsigned char *) NULL)
       ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-    count=(ssize_t) ReadBlob(image,data_length,sun_data);
-    if (count != (ssize_t) data_length)
+    count=(ssize_t) ReadBlob(image,sun_info.length,sun_data);
+    if (count != (ssize_t) sun_info.length)
       {
         sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
         ThrowReaderException(CorruptImageError,"UnableToReadImageData");
@@ -448,7 +448,12 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
         ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
       }
     bytes_per_line>>=4;
-    pixels_length=height*(MagickMax(image->columns,bytes_per_line)+1);
+    if (HeapOverflowSanityCheck(height,bytes_per_line) != MagickFalse)
+      {
+        sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+        ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
+      }
+    pixels_length=height*bytes_per_line;
     sun_pixels=(unsigned char *) AcquireQuantumMemory(pixels_length,
       sizeof(*sun_pixels));
     if (sun_pixels == (unsigned char *) NULL)
@@ -458,16 +463,20 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
       }
     ResetMagickMemory(sun_pixels,0,pixels_length*sizeof(*sun_pixels));
     if (sun_info.type == RT_ENCODED)
-      (void) DecodeImage(sun_data,data_length,sun_pixels,pixels_length);
+      {
+        status=DecodeImage(sun_data,sun_info.length,sun_pixels,pixels_length);
+        if (status == MagickFalse)
+          ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+      }
     else
       {
-        if (data_length > pixels_length)
+        if (sun_info.length > pixels_length)
           {
             sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
             sun_pixels=(unsigned char *) RelinquishMagickMemory(sun_pixels);
             ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
           }
-        (void) CopyMagickMemory(sun_pixels,sun_data,data_length);
+        (void) CopyMagickMemory(sun_pixels,sun_data,sun_info.length);
       }
     sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
     /*