From: Cristy Date: Sun, 23 Dec 2018 18:22:05 +0000 (-0500) Subject: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12180 X-Git-Tag: 7.0.8-20~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2bb47faae170b0996dc92659cd1dc3eb30ae9aec;p=imagemagick https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12180 --- diff --git a/coders/cube.c b/coders/cube.c index aa119bc48..3e2a54e3e 100644 --- a/coders/cube.c +++ b/coders/cube.c @@ -175,7 +175,9 @@ static Image *ReadCUBEImage(const ImageInfo *image_info, cube_info=RelinquishVirtualMemory(cube_info); GetNextToken(q,&q,MagickPathExtent,value); cube_level=(size_t) StringToLong(value); - if ((cube_level < 2) || (cube_level > 65536)) + if (LocaleCompare(token,"LUT_1D_SIZE") == 0) + cube_level=(size_t) ceil(pow((double) cube_level,1.0/3.0)); + if ((cube_level < 2) || (cube_level > 256)) { buffer=DestroyString(buffer); ThrowReaderException(CorruptImageError,"ImproperImageHeader"); @@ -207,6 +209,8 @@ static Image *ReadCUBEImage(const ImageInfo *image_info, cube[n].g=StringToDouble(q,&q); cube[n].b=StringToDouble(q,&q); n++; + if (n >= (cube_level*cube_level*cube_level)) + break; } else if (('+' < *buffer) && (*buffer < ':'))