From: Cristy Date: Fri, 12 May 2017 11:12:29 +0000 (-0400) Subject: Check for EOF conditions for RLE image format X-Git-Tag: 7.0.5-6~4 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f6240ee77847787f6d7618b669d3a2040a2d6d40;p=imagemagick Check for EOF conditions for RLE image format --- diff --git a/ChangeLog b/ChangeLog index 843544840..3d934d28e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,7 @@ https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31862). * Ensure backwards compatibility for the -combine option (reference https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31855). + * Check for EOF conditions for RLE image format. 2017-04-24 7.0.5-5 Cristy * Release ImageMagick version 7.0.5-5, GIT revision 19915:12eec43:20170424. diff --git a/coders/rle.c b/coders/rle.c index cfb20f556..e2d68ead3 100644 --- a/coders/rle.c +++ b/coders/rle.c @@ -132,6 +132,14 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) #define ByteDataOp 0x05 #define RunDataOp 0x06 #define EOFOp 0x07 +#define ThrowRLEException(exception,message) \ +{ \ + if (colormap != (unsigned char *) NULL) \ + colormap=(unsigned char *) RelinquishMagickMemory(colormap); \ + if (pixel_info != (MemoryInfo *) NULL) \ + pixel_info=RelinquishVirtualMemory(pixel_info); \ + ThrowReaderException((exception),(message)); \ +} char magick[12]; @@ -206,6 +214,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) /* Determine if this a RLE file. */ + colormap=(unsigned char *) NULL; + pixel_info=(MemoryInfo *) NULL; count=ReadBlob(image,2,(unsigned char *) magick); if ((count != 2) || (memcmp(magick,"\122\314",2) != 0)) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); @@ -214,8 +224,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) /* Read image header. */ - image->page.x=ReadBlobLSBShort(image); - image->page.y=ReadBlobLSBShort(image); + image->page.x=(ssize_t) ReadBlobLSBShort(image); + image->page.y=(ssize_t) ReadBlobLSBShort(image); image->columns=ReadBlobLSBShort(image); image->rows=ReadBlobLSBShort(image); flags=(MagickStatusType) ReadBlobByte(image); @@ -226,6 +236,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) map_length=(unsigned char) ReadBlobByte(image); if (map_length >= 22) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + if (EOFBlob(image) != MagickFalse) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); one=1; map_length=one << map_length; if ((number_planes == 0) || (number_planes == 2) || @@ -253,12 +265,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((number_planes & 0x01) == 0) (void) ReadBlobByte(image); if (EOFBlob(image) != MagickFalse) - { - ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile", - image->filename); - break; - } - colormap=(unsigned char *) NULL; + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); if (number_colormaps != 0) { /* @@ -271,8 +278,12 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) p=colormap; for (i=0; i < (ssize_t) number_colormaps; i++) for (x=0; x < (ssize_t) map_length; x++) + { *p++=(unsigned char) ScaleQuantumToChar(ScaleShortToQuantum( ReadBlobLSBShort(image))); + if (EOFBlob(image) != MagickFalse) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } } if ((flags & 0x08) != 0) { @@ -300,11 +311,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) } } if (EOFBlob(image) != MagickFalse) - { - ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile", - image->filename); - break; - } + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; @@ -359,6 +366,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) x=0; y=0; opcode=ReadBlobByte(image); + if (opcode == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); do { switch (opcode & 0x3f) @@ -366,8 +375,14 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) case SkipLinesOp: { operand=ReadBlobByte(image); + if (opcode == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); if (opcode & 0x40) - operand=ReadBlobLSBSignedShort(image); + { + operand=ReadBlobLSBSignedShort(image); + if (opcode == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } x=0; y+=operand; break; @@ -375,6 +390,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) case SetColorOp: { operand=ReadBlobByte(image); + if (opcode == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); plane=(unsigned char) operand; if (plane == 255) plane=(unsigned char) (number_planes-1); @@ -384,21 +401,33 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) case SkipPixelsOp: { operand=ReadBlobByte(image); + if (opcode == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); if (opcode & 0x40) - operand=ReadBlobLSBSignedShort(image); + { + operand=ReadBlobLSBSignedShort(image); + if (opcode == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } x+=operand; break; } case ByteDataOp: { operand=ReadBlobByte(image); + if (opcode == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); if (opcode & 0x40) - operand=ReadBlobLSBSignedShort(image); - offset=((image->rows-y-1)*image->columns*number_planes)+x* - number_planes+plane; + { + operand=ReadBlobLSBSignedShort(image); + if (opcode == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } + offset=(ssize_t) (((image->rows-y-1)*image->columns*number_planes)+x* + number_planes+plane); operand++; if ((offset < 0) || - (offset+((size_t) operand*number_planes) > pixel_info_length)) + ((offset+operand*number_planes) > (ssize_t) pixel_info_length)) { if (number_colormaps != 0) colormap=(unsigned char *) RelinquishMagickMemory(colormap); @@ -422,15 +451,21 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) case RunDataOp: { operand=ReadBlobByte(image); + if (opcode == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); if (opcode & 0x40) - operand=ReadBlobLSBSignedShort(image); + { + operand=ReadBlobLSBSignedShort(image); + if (opcode == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); + } pixel=(unsigned char) ReadBlobByte(image); (void) ReadBlobByte(image); - offset=((image->rows-y-1)*image->columns*number_planes)+x* - number_planes+plane; + offset=(ssize_t) (((image->rows-y-1)*image->columns*number_planes)+x* + number_planes+plane); operand++; if ((offset < 0) || - (offset+((size_t) operand*number_planes) > pixel_info_length)) + ((offset+operand*number_planes) > (ssize_t) pixel_info_length)) { if (number_colormaps != 0) colormap=(unsigned char *) RelinquishMagickMemory(colormap); @@ -452,6 +487,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) break; } opcode=ReadBlobByte(image); + if (opcode == EOF) + ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile"); } while (((opcode & 0x3f) != EOFOp) && (opcode != EOF)); if (number_colormaps != 0) { @@ -467,7 +504,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) if (number_colormaps == 1) for (i=0; i < (ssize_t) number_pixels; i++) { - ValidateColormapValue(image,*p & mask,&index,exception); + ValidateColormapValue(image,(ssize_t) (*p & mask),&index,exception); *p=colormap[(ssize_t) index]; p++; } @@ -476,7 +513,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) for (i=0; i < (ssize_t) number_pixels; i++) for (x=0; x < (ssize_t) number_planes; x++) { - ValidateColormapValue(image,(size_t) (x*map_length+ + ValidateColormapValue(image,(ssize_t) (x*map_length+ (*p & mask)),&index,exception); *p=colormap[(ssize_t) index]; p++; @@ -570,7 +607,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) break; for (x=0; x < (ssize_t) image->columns; x++) { - SetPixelIndex(image,*p++,q); + SetPixelIndex(image,(Quantum) *p++,q); q+=GetPixelChannels(image); } if (SyncAuthenticPixels(image,exception) == MagickFalse)