https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1492881

diff --git a/coders/aai.c b/coders/aai.c
index 8f0d143a01fc00cae397d37cd024be30e5ff09e4..832dd46f51c67325c263d424fa844d8a79312249 100644 (file)
--- a/coders/aai.c
+++ b/coders/aai.c
@@ -389,8 +389,8 @@ static MagickBooleanType WriteAAIImage(const ImageInfo *image_info,Image *image,
         *q++=ScaleQuantumToChar(GetPixelBlue(image,p));
         *q++=ScaleQuantumToChar(GetPixelGreen(image,p));
         *q++=ScaleQuantumToChar(GetPixelRed(image,p));
-        *q=ScaleQuantumToChar((Quantum) (image->alpha_trait != UndefinedPixelTrait ?
-          GetPixelAlpha(image,p) : OpaqueAlpha));
+        *q=ScaleQuantumToChar((Quantum) (image->alpha_trait !=
+          UndefinedPixelTrait ? GetPixelAlpha(image,p) : OpaqueAlpha));
         if (*q == 255)
           *q=254;
         p+=GetPixelChannels(image);

diff --git a/coders/png.c b/coders/png.c
index a03222fe7a2dcef8951ea92d7fe921da76e3c8ac..c4924605404226f9ed256c6665b4abcf5a22e336 100644 (file)
--- a/coders/png.c
+++ b/coders/png.c
@@ -4600,7 +4600,8 @@ static Image *ReadOneJNGImage(MngInfo *mng_info,
        o destroy the secondary image.
   */
 
-  (void) CloseBlob(color_image);
+  if (color_image != (Image *) NULL)
+    (void) CloseBlob(color_image);
 
   if (logging != MagickFalse)
     (void) LogMagickEvent(CoderEvent,GetMagickModule(),
@@ -5131,6 +5132,13 @@ static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
 
         if (memcmp(type,mng_MHDR,4) == 0)
           {
+            if (length != 28)
+              {
+                if (chunk)
+                  chunk=(unsigned char *) RelinquishMagickMemory(chunk);
+                ThrowReaderException(CorruptImageError,"CorruptImage");
+              }
+
             mng_info->mng_width=(size_t) ((p[0] << 24) | (p[1] << 16) |
                 (p[2] << 8) | p[3]);
 
@@ -5158,11 +5166,8 @@ static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
             frame_delay=default_frame_delay;
             simplicity=0;
 
-            if (length > 16)
-              {
-                p+=16;
-                simplicity=(size_t) mng_get_long(p);
-              }
+            p+=16;
+            simplicity=(size_t) mng_get_long(p);
 
             mng_type=1;    /* Full MNG */
 
@@ -5214,7 +5219,6 @@ static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
             int
               repeat=0;
 
-
             if (length != 0)
               repeat=p[0];
 
@@ -5247,6 +5251,13 @@ static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
                 CoderError,"DEFI chunk found in MNG-VLC datastream","`%s'",
                 image->filename);
 
+            if (length < 2)
+              {
+                if (chunk)
+                  chunk=(unsigned char *) RelinquishMagickMemory(chunk);
+                ThrowReaderException(CorruptImageError,"CorruptImage");
+              }
+
             object_id=(p[0] << 8) | p[1];
 
             if (mng_type == 2 && object_id != 0)
@@ -5405,7 +5416,7 @@ static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
           {
             /* read global tRNS */
 
-            if (length < 257)
+            if (length > 0 && length < 257)
               for (i=0; i < (ssize_t) length; i++)
                 mng_info->global_trns[i]=p[i];
 
@@ -5735,9 +5746,9 @@ static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
                 register ssize_t
                   j;
 
-                for (j=0; j < (ssize_t) length; j+=2)
+                for (j=1; j < (ssize_t) length; j+=2)
                 {
-                  i=p[j] << 8 | p[j+1];
+                  i=p[j-1] << 8 | p[j];
                   MngInfoDiscardObject(mng_info,i);
                 }
               }