From: Cristy Date: Fri, 25 Mar 2016 13:56:00 +0000 (-0400) Subject: Prevent buffer overflow for RLE0-encoded SUN raster images X-Git-Tag: 7.0.1-0~144 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b8f791ac5089a8c1f462835899b5cca3226e86bd;p=imagemagick Prevent buffer overflow for RLE0-encoded SUN raster images --- diff --git a/coders/sun.c b/coders/sun.c index 5411f2bfc..cd7b209f4 100644 --- a/coders/sun.c +++ b/coders/sun.c @@ -139,10 +139,9 @@ static MagickBooleanType IsSUN(const unsigned char *magick,const size_t length) % */ static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels, - const size_t length,unsigned char *pixels,size_t maxpixels) + const size_t length,unsigned char *pixels,size_t extent) { register const unsigned char - *l, *p; register unsigned char @@ -159,8 +158,8 @@ static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels, assert(pixels != (unsigned char *) NULL); p=compressed_pixels; q=pixels; - l=q+maxpixels; - while (((size_t) (p-compressed_pixels) < length) && (q < l)) + while (((size_t) (p-compressed_pixels) < length) && + ((size_t) (q-pixels) < extent)) { byte=(*p++); if (byte != 128U) @@ -168,19 +167,25 @@ static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels, else { /* - Runlength-encoded packet: + Runlength-encoded packet: . */ - count=(ssize_t) (*p++); + if (((size_t) (p-compressed_pixels) >= length)) + break; + count=(*p++); if (count > 0) - byte=(*p++); - while ((count >= 0) && (q < l)) + { + if (((size_t) (p-compressed_pixels) >= length)) + break; + byte=(*p++); + } + while ((count >= 0) && ((size_t) (q-pixels) < extent)) { *q++=byte; count--; } } } - return(MagickTrue); + return(((size_t) (q-pixels) == extent) ? MagickTrue : MagickFalse); } /*