From: Cristy
Date: Mon, 15 Aug 2016 19:54:42 +0000 (-0400)
Subject: Prevent buffer overflow in BMP coder (bug report from pwchen of tencent).
X-Git-Tag: 7.0.2-10~18
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4cc6ec8a4197d4c008577127736bf7985d632323;p=imagemagick
Prevent buffer overflow in BMP coder (bug report from pwchen of tencent).
---
diff --git a/ChangeLog b/ChangeLog
index 7c9cad2e5..14b82002d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2016-08-15 7.0.2-10 Cristy
+ * Prevent buffer overflow in BMP coder (bug report from pwchen of tencent).
+
 2016-08-14 7.0.2-9 Cristy
 * Release ImageMagick version 7.0.2-9, GIT revision 18707:2c02f09:20160814.
diff --git a/coders/bmp.c b/coders/bmp.c
index 85741e173..47aeae964 100644
--- a/coders/bmp.c
+++ b/coders/bmp.c
@@ -1682,10 +1682,13 @@ static MagickBooleanType WriteBMPImage(const ImageInfo *image_info,Image *image,
 bmp_info.file_size+=extra_size;
 bmp_info.offset_bits+=extra_size;
 }
+ if ((image->columns != (signed int) image->columns) ||
+ (image->rows != (signed int) image->rows))
+ ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit");
 bmp_info.width=(ssize_t) image->columns;
 bmp_info.height=(ssize_t) image->rows;
 bmp_info.planes=1;
- bmp_info.image_size=(unsigned int) (bytes_per_line*image->rows);
+ bmp_info.image_size=(unsigned long) (bytes_per_line*image->rows);
 bmp_info.file_size+=bmp_info.image_size;
 bmp_info.x_pixels=75*39;
 bmp_info.y_pixels=75*39;
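Review bot: The product `bytes_per_line*image->rows` is still stored in `bmp_info.image_size` and added to `bmp_info.file_size` without a range check. The new guard bounds each dimension to the `int` range, but two in-range dimensions can still give a byte count above 32 bits, and `(unsigned long)` is itself only 32 bits wide on LLP64 targets such as 64-bit Windows. The declarations of `bmp_info` and `bytes_per_line` are outside the hunk, so the field widths cannot be confirmed here; if these values are emitted as 32-bit header fields, a wrapped size would disagree with the pixel data written after it. I would reject the image before the assignment, e.g. `if ((MagickSizeType) bytes_per_line*image->rows > 0xffffffffUL) ThrowWriterException(ImageError,"WidthOrHeightExceedsLimit");`, and guard the `file_size` addition the same way. Separately, the round-trip test `image->columns != (signed int) image->columns` relies on implementation-defined conversion and, presumably, compares equal for values above `INT_MAX` where `size_t` is 32 bits, so `image->columns > INT_MAX` would state the limit directly; WriteBMPImage's body starts and ends outside the hunk.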