From: dirk Date: Wed, 17 Dec 2014 07:25:25 +0000 (+0000) Subject: Fixed boundary checks in DecodePSDPixels. X-Git-Tag: 7.0.1-0~1609 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=891df41d828a641db63d8bae45ca027d0e28341d;p=imagemagick Fixed boundary checks in DecodePSDPixels. --- diff --git a/coders/psd.c b/coders/psd.c index b4c0eb1f8..8efc5e8fb 100644 --- a/coders/psd.c +++ b/coders/psd.c @@ -328,6 +328,16 @@ static ssize_t DecodePSDPixels(const size_t number_compact_pixels, const unsigned char *compact_pixels,const ssize_t depth, const size_t number_pixels,unsigned char *pixels) { +#define CheckNumberCompactPixels \ + if (packets == 0) \ + return(i); \ + packets-- + +#define CheckNumberPixels(count) \ + if (((ssize_t) i + count) > (ssize_t) number_pixels) \ + return(i); \ + i+=count + int pixel; @@ -344,23 +354,22 @@ static ssize_t DecodePSDPixels(const size_t number_compact_pixels, packets=(ssize_t) number_compact_pixels; for (i=0; (packets > 1) && (i < (ssize_t) number_pixels); ) { + CheckNumberCompactPixels; length=(size_t) (*compact_pixels++); - packets--; if (length == 128) continue; if (length > 128) { length=256-length+1; - if (((ssize_t) length+i) > (ssize_t) number_pixels) - length=number_pixels-(size_t) i; + CheckNumberCompactPixels; pixel=(*compact_pixels++); - packets--; for (j=0; j < (ssize_t) length; j++) { switch (depth) { case 1: { + CheckNumberPixels(8); *pixels++=(pixel >> 7) & 0x01 ? 0U : 255U; *pixels++=(pixel >> 6) & 0x01 ? 0U : 255U; *pixels++=(pixel >> 5) & 0x01 ? 0U : 255U; @@ -369,29 +378,28 @@ static ssize_t DecodePSDPixels(const size_t number_compact_pixels, *pixels++=(pixel >> 2) & 0x01 ? 0U : 255U; *pixels++=(pixel >> 1) & 0x01 ? 0U : 255U; *pixels++=(pixel >> 0) & 0x01 ? 0U : 255U; - i+=8; - break; - } - case 4: - { - *pixels++=(unsigned char) ((pixel >> 4) & 0xff); - *pixels++=(unsigned char) ((pixel & 0x0f) & 0xff); - i+=2; break; } case 2: { + CheckNumberPixels(4); *pixels++=(unsigned char) ((pixel >> 6) & 0x03); *pixels++=(unsigned char) ((pixel >> 4) & 0x03); *pixels++=(unsigned char) ((pixel >> 2) & 0x03); *pixels++=(unsigned char) ((pixel & 0x03) & 0x03); - i+=4; + break; + } + case 4: + { + CheckNumberPixels(2); + *pixels++=(unsigned char) ((pixel >> 4) & 0xff); + *pixels++=(unsigned char) ((pixel & 0x0f) & 0xff); break; } default: { + CheckNumberPixels(1); *pixels++=(unsigned char) pixel; - i++; break; } } @@ -399,14 +407,13 @@ static ssize_t DecodePSDPixels(const size_t number_compact_pixels, continue; } length++; - if (((ssize_t) length+i) > (ssize_t) number_pixels) - length=number_pixels-(size_t) i; for (j=0; j < (ssize_t) length; j++) { switch (depth) { case 1: { + CheckNumberPixels(8); *pixels++=(*compact_pixels >> 7) & 0x01 ? 0U : 255U; *pixels++=(*compact_pixels >> 6) & 0x01 ? 0U : 255U; *pixels++=(*compact_pixels >> 5) & 0x01 ? 0U : 255U; @@ -415,32 +422,32 @@ static ssize_t DecodePSDPixels(const size_t number_compact_pixels, *pixels++=(*compact_pixels >> 2) & 0x01 ? 0U : 255U; *pixels++=(*compact_pixels >> 1) & 0x01 ? 0U : 255U; *pixels++=(*compact_pixels >> 0) & 0x01 ? 0U : 255U; - i+=8; - break; - } - case 4: - { - *pixels++=(*compact_pixels >> 4) & 0xff; - *pixels++=(*compact_pixels & 0x0f) & 0xff; - i+=2; break; } case 2: { + CheckNumberPixels(4); *pixels++=(*compact_pixels >> 6) & 0x03; *pixels++=(*compact_pixels >> 4) & 0x03; *pixels++=(*compact_pixels >> 2) & 0x03; *pixels++=(*compact_pixels & 0x03) & 0x03; - i+=4; + break; + } + case 4: + { + CheckNumberPixels(2); + *pixels++=(*compact_pixels >> 4) & 0xff; + *pixels++=(*compact_pixels & 0x0f) & 0xff; break; } default: { + CheckNumberPixels(1); *pixels++=(*compact_pixels); - i++; break; } } + CheckNumberCompactPixels; compact_pixels++; } } @@ -806,7 +813,7 @@ static MagickStatusType ReadPSDChannelRaw(Image *image,const size_t channels, " layer data is RAW"); row_size=GetPSDRowSize(image); - pixels=(unsigned char *) AcquireQuantumMemory(row_size,8*sizeof(*pixels)); + pixels=(unsigned char *) AcquireQuantumMemory(row_size,sizeof(*pixels)); if (pixels == (unsigned char *) NULL) ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed", image->filename); @@ -875,7 +882,7 @@ static MagickStatusType ReadPSDChannelRLE(Image *image,const PSDInfo *psd_info, " layer data is RLE compressed"); row_size=GetPSDRowSize(image); - pixels=(unsigned char *) AcquireQuantumMemory(row_size,8*sizeof(*pixels)); + pixels=(unsigned char *) AcquireQuantumMemory(row_size,sizeof(*pixels)); if (pixels == (unsigned char *) NULL) ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed", image->filename); @@ -892,8 +899,7 @@ static MagickStatusType ReadPSDChannelRLE(Image *image,const PSDInfo *psd_info, image->filename); } - compact_pixels=(unsigned char *) AcquireQuantumMemory(length, - 8*sizeof(*pixels)); + compact_pixels=(unsigned char *) AcquireQuantumMemory(length,sizeof(*pixels)); if (compact_pixels == (unsigned char *) NULL) { pixels=(unsigned char *) RelinquishMagickMemory(pixels);