From: Cristy
Date: Tue, 23 Aug 2016 21:42:10 +0000 (-0400)
Subject: Prevent buffer overflow in SIXEL, PDB, MAP, and CALS coders (bug report from Donghai...
X-Git-Tag: 7.0.2-10~8
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=eedd0c35bb2d8af7aa05f215689fdebd11633fa1;p=imagemagick
Prevent buffer overflow in SIXEL, PDB, MAP, and CALS coders (bug report from Donghai Zhu)
---
diff --git a/ChangeLog b/ChangeLog
index ff89b2021..12c8c95f0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,8 @@
 2016-08-15 7.0.2-10 Cristy
 * Prevent buffer overflow in BMP & SGI coders (bug report from pwchen&rayzhong of tencent).
+ * Prevent buffer overflow in SIXEL, PDB, MAP, and CALS coders (bug report
+ from Donghai Zhu).
 2016-08-14 7.0.2-9 Cristy
 * Release ImageMagick version 7.0.2-9, GIT revision 18707:2c02f09:20160814.
diff --git a/coders/map.c b/coders/map.c
index 5b6e5749f..bd7f03501 100644
--- a/coders/map.c
+++ b/coders/map.c
@@ -396,22 +396,23 @@ static MagickBooleanType WriteMAPImage(const ImageInfo *image_info,Image *image,
 Write colormap to file.
 */
 q=colormap;
- if (image->depth <= 8)
+ q=colormap;
+ if (image->colors <= 256)
 for (i=0; i < (ssize_t) image->colors; i++)
 {
- *q++=(unsigned char) image->colormap[i].red;
- *q++=(unsigned char) image->colormap[i].green;
- *q++=(unsigned char) image->colormap[i].blue;
+ *q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].red);
+ *q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].green);
+ *q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].blue);
 }
 else
 for (i=0; i < (ssize_t) image->colors; i++)
 {
- *q++=(unsigned char) ((size_t) image->colormap[i].red >> 8);
- *q++=(unsigned char) image->colormap[i].red;
- *q++=(unsigned char) ((size_t) image->colormap[i].green >> 8);
- *q++=(unsigned char) image->colormap[i].green;
- *q++=(unsigned char) ((size_t) image->colormap[i].blue >> 8);
- *q++=(unsigned char) image->colormap[i].blue;
+ *q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].red) >> 8);
+ *q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].red) & 0xff);
+ *q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].green) >> 8);
+ *q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].green) & 0xff);;
+ *q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].blue) >> 8);
+ *q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].blue) & 0xff);
 }
 (void) WriteBlob(image,packet_size*image->colors,colormap);
 colormap=(unsigned char *) RelinquishMagickMemory(colormap);
diff --git a/coders/pdb.c b/coders/pdb.c
index ed9e3d93b..849c1dfcd 100644
--- a/coders/pdb.c
+++ b/coders/pdb.c
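Review bot: The 3-versus-6-byte write loops in the coders/map.c hunk are selected by `image->colors <= 256`, but the buffer they fill and the `WriteBlob` length depend on `packet_size`, which is computed outside the hunk, so nothing visible guarantees that the two agree. If they are ever derived from different conditions, the loop can write more bytes per entry than `colormap` was sized for. Branching on the value that sized the buffer, e.g. `if (packet_size == 3)` (assuming packet_size is the bytes-per-entry count), or at least a comment such as `/* entry width must match the packet_size used to allocate colormap */`, would keep them tied together. The added `q=colormap;` duplicates the context line directly above it, and the green low-byte line ends in `;;`. WriteMAPImage starts and ends outside the hunk.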
@@ -826,7 +826,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image,
 buffer=(unsigned char *) AcquireQuantumMemory(512,sizeof(*buffer));
 if (buffer == (unsigned char *) NULL)
 ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
- packet_size=(size_t) (image->depth > 8 ? 2: 1);
+ packet_size=(size_t) (image->depth > 8 ? 2 : 1);
 scanline=(unsigned char *) AcquireQuantumMemory(image->columns,packet_size*
 sizeof(*scanline));
 if (scanline == (unsigned char *) NULL)
@@ -839,6 +839,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image,
 quantum_info=AcquireQuantumInfo(image_info,image);
 if (quantum_info == (QuantumInfo *) NULL)
 ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
+ status=SetQuantumDepth(image,quantum_info,image->depth > 8 ? 16 : 8);
 bits=8/(int) bits_per_pixel-1; /* start at most significant bits */
 literal=0;
 repeat=0;
diff --git a/coders/sixel.c b/coders/sixel.c
index b9901ba73..b5f2f7bbd 100644
--- a/coders/sixel.c
+++ b/coders/sixel.c
@@ -257,7 +257,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
 imsx = 2048;
 imsy = 2048;
- imbuf = (unsigned char *) AcquireQuantumMemory(imsx * imsy,1);
+ imbuf = (unsigned char *) AcquireQuantumMemory(imsx , imsy);
 if (imbuf == NULL) {
 return(MagickFalse);
@@ -284,7 +284,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
 sixel_palet[n] = SIXEL_RGB(255, 255, 255);
 }
- (void) ResetMagickMemory(imbuf, background_color_index, imsx * imsy);
+ (void) ResetMagickMemory(imbuf, background_color_index, (size_t) imsx * imsy);
 while (*p != '\0') {
 if ((p[0] == '\033' && p[1] == 'P') || *p == 0x90) {
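Review bot: The result of `SetQuantumDepth` in the second coders/pdb.c hunk (@@ -839) is stored in `status` but nothing visible tests it, so a failure would leave the quantum buffer at a depth that may not match the `scanline` allocation sized from `packet_size` in the hunk above. A check right after the call, `if (status == MagickFalse) ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");`, would stop the writer before anything is exported into `scanline`; that path should release `buffer`, `scanline` and `quantum_info` first. Whether `status` is examined later in WritePDBImage cannot be seen from here. The `image->depth > 8` test now appears twice (2 : 1 bytes, 16 : 8 bits), and a short comment saying the two must agree would help the next editor.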
@@ -358,12 +358,12 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
 if (imsx < attributed_ph || imsy < attributed_pv) {
 dmsx = imsx > attributed_ph ? imsx : attributed_ph;
 dmsy = imsy > attributed_pv ? imsy : attributed_pv;
- dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1);
+ dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy);
 if (dmbuf == (unsigned char *) NULL) {
 imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
 return (MagickFalse);
 }
- (void) ResetMagickMemory(dmbuf, background_color_index, dmsx * dmsy);
+ (void) ResetMagickMemory(dmbuf, background_color_index, (size_t) dmsx * dmsy);
 for (y = 0; y < imsy; ++y) {
 (void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + imsx * y, imsx);
 }
@@ -432,12 +432,12 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
 dmsx = nx;
 dmsy = ny;
- dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1);
+ dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy);
 if (dmbuf == (unsigned char *) NULL) {
 imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
 return (MagickFalse);
 }
- (void) ResetMagickMemory(dmbuf, background_color_index, dmsx * dmsy);
+ (void) ResetMagickMemory(dmbuf, background_color_index, (size_t) dmsx * dmsy);
 for (y = 0; y < imsy; ++y) {
 (void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + imsx * y, imsx);
 }
@@ -482,7 +482,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
 c <<= 1;
 }
 for (y = posision_y + i; y < posision_y + i + n; ++y) {
- (void) ResetMagickMemory(imbuf + imsx * y + posision_x, color_index, repeat_count);
+ (void) ResetMagickMemory(imbuf + (size_t) imsx * y + posision_x, color_index, repeat_count);
 }
 if (max_x < (posision_x + repeat_count - 1)) {
 max_x = posision_x + repeat_count - 1;
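Review bot: The copy loop at the end of the @@ -358 hunk of coders/sixel.c still computes `dmbuf + dmsx * y` and `imbuf + imsx * y` with the original operand types, so if those are `int` (their declarations are outside the hunk) the row offset can still overflow once the allocation above it succeeds for large dimensions. Applying the cast this commit already uses in the @@ -482 hunk would make it consistent: `(void) CopyMagickMemory(dmbuf + (size_t) dmsx * y, imbuf + (size_t) imsx * y, imsx);`. The @@ -432 hunk contains the identical loop and needs the same change. `AcquireQuantumMemory(dmsx , dmsy)` also carries a stray space before the comma in each of these hunks.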
@@ -515,7 +515,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
 if (imsx > max_x || imsy > max_y) {
 dmsx = max_x;
 dmsy = max_y;
- if ((dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1)) == NULL) {
+ if ((dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy)) == NULL) {
 imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
 return (MagickFalse);
 }
diff --git a/coders/tiff.c b/coders/tiff.c
index fd171099d..32ed20427 100644
--- a/coders/tiff.c
+++ b/coders/tiff.c
@@ -2493,8 +2493,8 @@ static MagickBooleanType WriteGROUP4Image(const ImageInfo *image_info,
 (void) SetImageType(huffman_image,BilevelType,exception);
 write_info=CloneImageInfo((ImageInfo *) NULL);
 SetImageInfoFile(write_info,file);
- (void) SetImageType(image,BilevelType,exception);
 (void) SetImageDepth(image,1,exception);
+ (void) SetImageType(image,BilevelType,exception);
 write_info->compression=Group4Compression;
 write_info->type=BilevelType;
 (void) SetImageOption(write_info,"quantum:polarity","min-is-white");
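Review bot: Nothing in the coders/tiff.c hunk records why `SetImageDepth(image,1,exception)` must now run before `SetImageType(image,BilevelType,exception)`, and both results are still discarded with `(void)`. A one-line comment above the pair, for example `/* set depth 1 before the bilevel conversion; do not reorder */`, would keep a later cleanup from swapping them back. If either call can fail, the writer would continue with an image that may not be 1-bit bilevel, so checking the return values is worth considering. WriteGROUP4Image extends beyond the hunk on both sides.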