From: Cristy <urban-warrior@imagemagick.org>
Date: Tue, 22 Aug 2017 10:20:23 +0000 (-0400)
Subject: https://github.com/ImageMagick/ImageMagick/issues/651
X-Git-Tag: 7.0.7-0~82
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b0323e6509f4530a228c8788db11a49ff9255b69;p=imagemagick

https://github.com/ImageMagick/ImageMagick/issues/651
---

diff --git a/coders/bmp.c b/coders/bmp.c
index 207118ed1..7a9e9cbca 100644
--- a/coders/bmp.c
+++ b/coders/bmp.c
@@ -942,14 +942,16 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
       bmp_info.bits_per_pixel<<=1;
     bytes_per_line=4*((image->columns*bmp_info.bits_per_pixel+31)/32);
     length=(size_t) bytes_per_line*image->rows;
-    pixel_info=AcquireVirtualMemory((size_t) image->rows,
-      MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
-    if (pixel_info == (MemoryInfo *) NULL)
-      ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-    pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
     if ((bmp_info.compression == BI_RGB) ||
         (bmp_info.compression == BI_BITFIELDS))
       {
+        if (length > GetBlobSize(image))
+          ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");
+        pixel_info=AcquireVirtualMemory((size_t) image->rows,
+          MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
+        if (pixel_info == (MemoryInfo *) NULL)
+          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+        pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
         if (image->debug != MagickFalse)
           (void) LogMagickEvent(CoderEvent,GetMagickModule(),
             "  Reading pixels (%.20g bytes)",(double) length);
@@ -966,6 +968,11 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception)
         /*
           Convert run-length encoded raster pixels.
         */
+        pixel_info=AcquireVirtualMemory((size_t) image->rows,
+          MagickMax(bytes_per_line,image->columns+256UL)*sizeof(*pixels));
+        if (pixel_info == (MemoryInfo *) NULL)
+          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+        pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
         status=DecodeImage(image,bmp_info.compression,pixels);
         if (status == MagickFalse)
           {