Fixed Issue 602 in coders/png.c
authorGlenn Randers-Pehrson <glennrp@gmail.com>
Sun, 23 Jul 2017 15:00:31 +0000 (11:00 -0400)
committerGlenn Randers-Pehrson <glennrp@gmail.com>
Sun, 23 Jul 2017 15:00:31 +0000 (11:00 -0400)
ChangeLog
coders/png.c

index 3f4a5bbac42af3eff66b0df89f09378217158e97..6f1f58dcc01728ca3c4caf0a482ca00766fbdf28 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2017-07-23  7.0.6-3 Glenn Randers-Pehrson <glennrp@image...>
+  * Fix memory leak when reading a malformed JNG image:
+    https://github.com/ImageMagick/ImageMagick/issues/602).
+
 2017-07-21  7.0.6-2 Cristy  <quetzlzacatenango@image...>
   * Release ImageMagick version 7.0.6-2, GIT revision 20549:62fcf3d96:20170721.
 
index 9818312e5a39a6817c79f9dcfa26d7486475aec0..7e715dc6a77b17c60e759f385e8bda9d4699cc42 100644 (file)
@@ -4238,6 +4238,34 @@ static Image *ReadPNGImage(const ImageInfo *image_info,
 %    o exception: return any errors or warnings in this structure.
 %
 */
+void
+DestroyJNG(unsigned char *chunk,Image **color_image,
+   ImageInfo **color_image_info,
+   Image **alpha_image,ImageInfo **alpha_image_info)
+{
+  if (chunk)
+    (void) RelinquishMagickMemory(chunk);
+  if (*color_image_info)
+  {
+    DestroyImageInfo(*color_image_info);
+    *color_image_info = (ImageInfo *)NULL;
+  }
+  if (*alpha_image_info)
+  {
+    DestroyImageInfo(*alpha_image_info);
+    *alpha_image_info = (ImageInfo *)NULL;
+  }
+  if (*color_image)
+  {
+    DestroyImage(*color_image);
+    *color_image = (Image *)NULL;
+  }
+  if (*alpha_image)
+  {
+    DestroyImage(*alpha_image);
+    *alpha_image = (Image *)NULL;
+  }
+}
 static Image *ReadOneJNGImage(MngInfo *mng_info,
     const ImageInfo *image_info, ExceptionInfo *exception)
 {
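Review bot: `DestroyJNG` is defined without `static`, so the helper gets external linkage from coders/png.c with no prototype visible here; it is only called from ReadOneJNGImage in this diff, so `static void DestroyJNG(unsigned char *chunk,Image **color_image,` would keep it file-local. It is also inserted between the ReadOneJNGImage header comment and the function that comment documents. Moving it above that comment, with its own short comment such as `/* Free the chunk buffer and the colour/alpha Image and ImageInfo objects; the four object pointers are reset to NULL. */`, would keep the documentation attached. The helper dereferences all four double pointers unconditionally, so every call site depends on color_image, alpha_image and both image_info locals being NULL-initialised before the first error path. Those initialisations are outside the hunk and worth confirming, since the early "CorruptImage" path in the next hunk now frees the alpha objects as well. ReadOneJNGImage's body continues outside the hunk.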
@@ -4365,10 +4393,8 @@ static Image *ReadOneJNGImage(MngInfo *mng_info,
 
     if (length > PNG_UINT_31_MAX || count == 0)
       {
-        if (color_image != (Image *) NULL)
-          color_image=DestroyImage(color_image);
-        if (color_image_info != (ImageInfo *) NULL)
-          color_image_info=DestroyImageInfo(color_image_info);
+        DestroyJNG(NULL,&color_image,&color_image_info,
+          &alpha_image,&alpha_image_info);
         ThrowReaderException(CorruptImageError,"CorruptImage");
       }
 
@@ -4451,6 +4477,18 @@ static Image *ReadOneJNGImage(MngInfo *mng_info,
         if (length != 0)
           chunk=(unsigned char *) RelinquishMagickMemory(chunk);
 
+        if (jng_width > 65535 || jng_height > 65535 ||
+             (long) jng_width > GetMagickResourceLimit(WidthResource) ||
+             (long) jng_height > GetMagickResourceLimit(HeightResource))
+          {
+            (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+               "    JNG width or height too large: (%lu x %lu)",
+                (long) jng_width, (long) jng_height);
+            DestroyJNG(chunk,&color_image,&color_image_info,
+              &alpha_image,&alpha_image_info);
+            ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+          }
+
         continue;
       }
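Review bot: The log call in the new size check pairs `%lu` with arguments cast to `(long)`, a signed/unsigned mismatch in a variadic call; `(unsigned long) jng_width,(unsigned long) jng_height);` matches the specifier. The resource-limit comparison also casts to `long` before comparing against GetMagickResourceLimit(), which returns an unsigned MagickSizeType. Writing `(MagickSizeType) jng_width > GetMagickResourceLimit(WidthResource) ||` (and the same for height) avoids relying on how a signed value converts where `long` is 32 bits. When `length != 0`, `chunk` was already released and reassigned on the line just above, so passing it to DestroyJNG is at best a no-op; passing `NULL`, as the earlier call does, would make it clear no second free is intended. The enclosing block starts outside the hunk, so whether zero dimensions are rejected elsewhere cannot be seen from here.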