From: Glenn Randers-Pehrson
Date: Mon, 10 Jul 2017 12:49:19 +0000 (-0400)
Subject: Fix potential overflow while reading the MNG TERM chunk (issue #541)
X-Git-Tag: 7.0.6-1~29
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6a4f9c1feb7153807f22435ac6853956a1648707;p=imagemagick
Fix potential overflow while reading the MNG TERM chunk (issue #541)
---
diff --git a/coders/png.c b/coders/png.c
index ea6dce6ab..37becf5c5 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -5427,7 +5427,7 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info,
 if (length != 0)
 repeat=p[0];
- if (repeat == 3)
+ if (repeat == 3 && length > 8)
 {
 final_delay=(png_uint_32) mng_get_long(&p[2]);
 mng_iterations=(png_uint_32) mng_get_long(&p[6]);
@@ -5756,7 +5756,7 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info,
 change_clipping=(*p++);
 p++; /* change_sync */
- if (change_delay)
+ if (change_delay && ((p-chunk) < (ssize_t) (length-4)))
 {
 frame_delay=1UL*image->ticks_per_second* mng_get_long(p);
@@ -5777,7 +5777,7 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info,
 " Framing_delay=%.20g",(double) frame_delay);
 }
- if (change_timeout)
+ if (change_timeout && ((p-chunk) < (ssize_t) (length-4)))
 {
 frame_timeout=1UL*image->ticks_per_second* mng_get_long(p);
@@ -5798,7 +5798,7 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info,
 " Framing_timeout=%.20g",(double) frame_timeout);
 }
- if (change_clipping)
+ if (change_clipping && ((p-chunk) < (ssize_t) (length-16)))
 {
 fb=mng_read_box(previous_fb,(char) p[0],&p[1]);
 p+=17;
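Review bot: The new TERM guard `if (repeat == 3 && length > 8)` still admits a 9-byte chunk, but the second read `mng_get_long(&p[6])` appears to consume p[6] through p[9] (four bytes, judging by the spacing of the two calls), so its last byte would lie one past the chunk data. Requiring all ten bytes closes the gap: `if (repeat == 3 && length > 9)`. Whether the chunk buffer is padded beyond `length` is not visible in this hunk, so the one-byte over-read is likely rather than proven. The body of ReadOneMNGImage starts and ends outside the hunk.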
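Review bot: The four-byte guard `(p-chunk) < (ssize_t) (length-4)` on change_delay, repeated in the change_timeout hunk, is one byte stricter than the read needs. A field occupying the final four bytes of the chunk gives `p-chunk == length-4` and is silently skipped, whereas the 17-byte clipping guard with `length-16` does admit an exact fit. If that is unintended, `(p-chunk) <= (ssize_t) (length-4)` would accept it. All three guards also subtract before the cast, so for a short chunk they rely on `length-4` or `length-16` wrapping (assuming `length` is unsigned, as the cast suggests) and converting to a negative ssize_t. A form without subtraction, such as `(size_t) (p-chunk)+4 <= length`, states the bound directly and does not depend on that conversion.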