From: Cristy <urban-warrior@imagemagick.org>
Date: Thu, 14 Sep 2017 11:43:22 +0000 (-0400)
Subject: ...
X-Git-Tag: 7.0.7-3~35
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c29d15c70d0eda9d7ffe26a0ccc181f4f0a07ca5;p=imagemagick

...
---

diff --git a/coders/yuv.c b/coders/yuv.c
index e74800aa5..a203ea768 100644
--- a/coders/yuv.c
+++ b/coders/yuv.c
@@ -124,10 +124,13 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception)
   ssize_t
     count,
     horizontal_factor,
-    quantum,
     vertical_factor,
     y;
 
+  size_t
+    length,
+    quantum;
+
   unsigned char
     *scanline;
 
@@ -201,6 +204,7 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception)
       (size_t) quantum*sizeof(*scanline));
   if (scanline == (unsigned char *) NULL)
     ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+  status=MagickTrue;
   do
   {
     chroma_image=CloneImage(image,(image->columns+horizontal_factor-1)/
@@ -235,7 +239,17 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception)
       if (interlace == NoInterlace)
         {
           if ((y > 0) || (GetPreviousImageInList(image) == (Image *) NULL))
-            count=ReadBlob(image,(size_t) (2*quantum*image->columns),scanline);
+            {
+              length=2*quantum*image->columns;
+              count=ReadBlob(image,length,scanline);
+              if (count != (ssize_t) length)
+                {
+                  status=MagickFalse;
+                  ThrowFileException(exception,CorruptImageError,
+                    "UnexpectedEndOfFile",image->filename);
+                  break;
+                }
+            }
           p=scanline;
           q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
           if (q == (Quantum *) NULL)
@@ -290,7 +304,17 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception)
       else
         {
           if ((y > 0) || (GetPreviousImageInList(image) == (Image *) NULL))
-            count=ReadBlob(image,(size_t) quantum*image->columns,scanline);
+            {
+              length=quantum*image->columns;
+              count=ReadBlob(image,length,scanline);
+              if (count != (ssize_t) length)
+                {
+                  status=MagickFalse;
+                  ThrowFileException(exception,CorruptImageError,
+                    "UnexpectedEndOfFile",image->filename);
+                  break;
+                }
+            }
           p=scanline;
           q=QueueAuthenticPixels(image,0,y,image->columns,1,exception);
           if (q == (Quantum *) NULL)
@@ -337,7 +361,15 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception)
       {
         for (y=0; y < (ssize_t) chroma_image->rows; y++)
         {
-          count=ReadBlob(image,(size_t) quantum*chroma_image->columns,scanline);
+          length=quantum*chroma_image->columns;
+          count=ReadBlob(image,length,scanline);
+          if (count != (ssize_t) length)
+            {
+              status=MagickFalse;
+              ThrowFileException(exception,CorruptImageError,
+                "UnexpectedEndOfFile",image->filename);
+              break;
+            }
           p=scanline;
           q=QueueAuthenticPixels(chroma_image,0,y,chroma_image->columns,1,
             exception);
@@ -373,7 +405,15 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception)
         }
       for (y=0; y < (ssize_t) chroma_image->rows; y++)
       {
-        count=ReadBlob(image,(size_t) quantum*chroma_image->columns,scanline);
+        length=quantum*chroma_image->columns;
+        count=ReadBlob(image,length,scanline);
+        if (count != (ssize_t) length)
+          {
+            status=MagickFalse;
+            ThrowFileException(exception,CorruptImageError,
+              "UnexpectedEndOfFile",image->filename);
+            break;
+          }
         p=scanline;
         q=GetAuthenticPixels(chroma_image,0,y,chroma_image->columns,1,
           exception);
@@ -463,6 +503,8 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception)
   } while (count != 0);
   scanline=(unsigned char *) RelinquishMagickMemory(scanline);
   (void) CloseBlob(image);
+  if (status == MagickFalse)
+    return(DestroyImageList(image));
   return(GetFirstImageInList(image));
 }