From: Cristy
Date: Sun, 5 Jun 2016 18:25:18 +0000 (-0400)
Subject: RLE check for pixel offset less than 0 (heap overflow report from Craig Young)
X-Git-Tag: 7.0.1-10~12
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=139d4323c40d7363bfdd2382c3821a6f76d69430;p=imagemagick
RLE check for pixel offset less than 0 (heap overflow report from Craig Young)
---
diff --git a/ChangeLog b/ChangeLog
index 4f9c488d0..6164e2641 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,8 @@
 2016-06-04 7.0.1-10 Cristy
 * Deny indirect reads by policy, remove policy to permit, e.g., convert
 caption:@mytext.txt ...
+ * RLE check for pixel offset less than 0 (heap overflow report from Craig
+ Young).
 2016-06-03 7.0.1-9 Cristy
 * Release ImageMagick version 7.0.1-9, GIT revision 10847:339f803:20160602.
diff --git a/coders/rle.c b/coders/rle.c
index 59e241194..e13e5c8b5 100644
--- a/coders/rle.c
+++ b/coders/rle.c
@@ -175,11 +175,11 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
 number_planes,
 number_planes_filled,
 one,
- offset,
 pixel_info_length;
 ssize_t
 count,
+ offset,
 y;
 unsigned char
@@ -389,7 +389,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
 offset=((image->rows-y-1)*image->columns*number_planes)+x*
 number_planes+plane;
 operand++;
- if (offset+((size_t) operand*number_planes) > pixel_info_length)
+ if ((offset < 0) ||
+ (offset+((size_t) operand*number_planes) > pixel_info_length))
 {
 if (number_colormaps != 0)
 colormap=(unsigned char *) RelinquishMagickMemory(colormap);
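Review bot: The new `offset < 0` test guards a value derived from `y` and `x` rather than the inputs themselves, and the derivation does not preserve sign reliably: `image->rows-y-1` is evaluated in unsigned arithmetic (`y` is `ssize_t` per the first hunk, while `image->rows`, `image->columns` and the declaration group `offset` was moved out of are presumably `size_t`), so an out-of-range `y` wraps and the sign after conversion to `ssize_t` depends on how the wrapped product combines with `x*number_planes+plane`. For instance `y == image->rows` together with `x >= image->columns` yields a small non-negative `offset` that passes both tests and writes into the wrong row, and a `y` far past the end can wrap to any value. Validating the coordinates before the multiplication is both more robust and self-explanatory: `if ((y < 0) || (y >= (ssize_t) image->rows) || (x < 0) || (x >= (ssize_t) image->columns))` taking the same cleanup path, with the existing length check retained for `operand`. The types of `x` and `plane`, and the rest of `ReadRLEImage`, are outside this hunk.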
@@ -420,7 +421,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
 offset=((image->rows-y-1)*image->columns*number_planes)+x*
 number_planes+plane;
 operand++;
- if (offset+((size_t) operand*number_planes) > pixel_info_length)
+ if ((offset < 0) ||
+ (offset+((size_t) operand*number_planes) > pixel_info_length))
 {
 if (number_colormaps != 0)
 colormap=(unsigned char *) RelinquishMagickMemory(colormap);
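Review bot: This guard and the offset computation above it are identical to the ones in the hunk at line 389, so any future tightening (such as checking `y` and `x` against `image->rows` and `image->columns` before the multiplication, since `image->rows-y-1` wraps in unsigned arithmetic and `offset < 0` only catches some of those wraps) has to be applied in two places. Consider hoisting the computation and both checks into one `static` helper that returns the validated offset or a failure indication, called from both opcode branches, so the two paths cannot drift apart. The enclosing function `ReadRLEImage` starts and ends outside this hunk.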