From: glennrp Date: Sat, 24 Jan 2015 03:54:57 +0000 (+0000) Subject: Check length of LOOP and ENDL chunks. X-Git-Tag: 7.0.1-0~1393 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=24e6d42307643613e0430bac65beddf8a43671bd;p=imagemagick Check length of LOOP and ENDL chunks. --- diff --git a/coders/png.c b/coders/png.c index 3af6949b5..9d2244f8b 100644 --- a/coders/png.c +++ b/coders/png.c @@ -5779,7 +5779,7 @@ static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception) if (memcmp(type,mng_LOOP,4) == 0) { ssize_t loop_iters=1; - if (length > 0) /* To do: check spec, if empty LOOP is allowed */ + if (length > 4) { loop_level=chunk[0]; mng_info->loop_active[loop_level]=1; /* mark loop active */ @@ -5809,57 +5809,61 @@ static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception) if (memcmp(type,mng_ENDL,4) == 0) { - loop_level=chunk[0]; - - if (skipping_loop > 0) + if (length > 0) { - if (skipping_loop == loop_level) + loop_level=chunk[0]; + + if (skipping_loop > 0) { - /* - Found end of zero-iteration loop. - */ - skipping_loop=(-1); - mng_info->loop_active[loop_level]=0; + if (skipping_loop == loop_level) + { + /* + Found end of zero-iteration loop. + */ + skipping_loop=(-1); + mng_info->loop_active[loop_level]=0; + } } - } - else - { - if (mng_info->loop_active[loop_level] == 1) + else { - mng_info->loop_count[loop_level]--; - mng_info->loop_iteration[loop_level]++; - - if (logging != MagickFalse) - (void) LogMagickEvent(CoderEvent,GetMagickModule(), - " ENDL: LOOP level %.20g has %.20g remaining iters ", - (double) loop_level,(double) - mng_info->loop_count[loop_level]); - - if (mng_info->loop_count[loop_level] != 0) + if (mng_info->loop_active[loop_level] == 1) { - offset=SeekBlob(image,mng_info->loop_jump[loop_level], - SEEK_SET); + mng_info->loop_count[loop_level]--; + mng_info->loop_iteration[loop_level]++; - if (offset < 0) - ThrowReaderException(CorruptImageError, - "ImproperImageHeader"); - } + if (logging != MagickFalse) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + " ENDL: LOOP level %.20g has %.20g remaining iters ", + (double) loop_level,(double) + mng_info->loop_count[loop_level]); - else - { - short - last_level; + if (mng_info->loop_count[loop_level] != 0) + { + offset= + SeekBlob(image,mng_info->loop_jump[loop_level], + SEEK_SET); - /* - Finished loop. - */ - mng_info->loop_active[loop_level]=0; - last_level=(-1); - for (i=0; i < loop_level; i++) - if (mng_info->loop_active[i] == 1) - last_level=(short) i; - loop_level=last_level; + if (offset < 0) + ThrowReaderException(CorruptImageError, + "ImproperImageHeader"); + } + + else + { + short + last_level; + + /* + Finished loop. + */ + mng_info->loop_active[loop_level]=0; + last_level=(-1); + for (i=0; i < loop_level; i++) + if (mng_info->loop_active[i] == 1) + last_level=(short) i; + loop_level=last_level; + } } } }