From: Dirk Lemstra <dirk@git.imagemagick.org>
Date: Tue, 29 Aug 2017 19:28:19 +0000 (+0200)
Subject: Added extra checks for issue reported in #705.
X-Git-Tag: 7.0.7-0~38
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5a3897693a8b4e97add649c0ca1d538bd90f59c9;p=imagemagick

Added extra checks for issue reported in #705.
---

diff --git a/coders/thumbnail.c b/coders/thumbnail.c
index d61166fde..69bb5ef15 100644
--- a/coders/thumbnail.c
+++ b/coders/thumbnail.c
@@ -177,7 +177,7 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info,
     offset;
 
   unsigned char
-    magick[MagickPathExtent];
+    *q;
 
   profile=GetImageProfile(image,"exif");
   if (profile == (const StringInfo *) NULL)
@@ -186,23 +186,22 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info,
   if (property == (const char *) NULL)
     ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
   offset=(ssize_t) StringToLong(property);
+  if (offset < 0)
+    ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
   property=GetImageProperty(image,"exif:JPEGInterchangeFormatLength",exception);
   if (property == (const char *) NULL)
     ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
   length=(size_t) StringToLong(property);
-  if (((offset+length) < 2) || ((offset+length) > GetStringInfoLength(profile)))
-    ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
-  (void) ResetMagickMemory(magick,0,sizeof(magick));
-  for (i=0; i < (ssize_t) length; i++)
+  q=GetStringInfoDatum(profile)+offset;
+  for (i=offset; i < (ssize_t) GetStringInfoLength(profile) - 3; i++)
   {
-    magick[0]=magick[1];
-    magick[1]=magick[2];
-    magick[2]=GetStringInfoDatum(profile)[offset+i];
-    if (memcmp(magick,"\377\330\377",3) == 0)
+    if (memcmp(q,"\377\330\377",3) == 0)
       break;
+    q++;
   }
-  thumbnail_image=BlobToImage(image_info,GetStringInfoDatum(profile)+offset+i-2,
-    length,exception);
+  if ((q+length) > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)))
+    ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
+  thumbnail_image=BlobToImage(image_info,q,length,exception);
   if (thumbnail_image == (Image *) NULL)
     return(MagickFalse);
   (void) SetImageType(thumbnail_image,thumbnail_image->alpha_trait ==