From: Cristy Date: Sat, 27 Apr 2019 12:32:23 +0000 (-0400) Subject: https://github.com/ImageMagick/ImageMagick/issues/1554 X-Git-Tag: 7.0.8-43~19 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f7206618d27c2e69d977abf40e3035a33e5f6be0;p=imagemagick https://github.com/ImageMagick/ImageMagick/issues/1554 --- diff --git a/coders/mat.c b/coders/mat.c index 776ed9a0f..8d704fde2 100644 --- a/coders/mat.c +++ b/coders/mat.c @@ -641,6 +641,7 @@ static Image *ReadMATImageV4(const ImageInfo *image_info,Image *image, Object parser loop. */ ldblk=ReadBlobLSBLong(image); + if(EOFBlob(image)) break; if ((ldblk > 9999) || (ldblk < 0)) break; HDR.Type[3]=ldblk % 10; ldblk /= 10; /* T digit */ @@ -961,10 +962,10 @@ MATLAB_KO: } filepos = TellBlob(image); - while(!EOFBlob(image)) /* object parser loop */ + while(filepos < GetBlobSize(image) && !EOFBlob(image)) /* object parser loop */ { Frames = 1; - if (filepos != (unsigned int) filepos) + if(filepos > GetBlobSize(image) || filepos < 0) break; if(SeekBlob(image,filepos,SEEK_SET) != filepos) break; /* printf("pos=%X\n",TellBlob(image)); */ @@ -973,7 +974,7 @@ MATLAB_KO: if(EOFBlob(image)) break; MATLAB_HDR.ObjectSize = ReadBlobXXXLong(image); if(EOFBlob(image)) break; - if((MagickSizeType) (MATLAB_HDR.ObjectSize+filepos) > GetBlobSize(image)) + if((MagickSizeType) (MATLAB_HDR.ObjectSize+filepos) >= GetBlobSize(image)) goto MATLAB_KO; filepos += (MagickOffsetType) MATLAB_HDR.ObjectSize + 4 + 4; @@ -1276,6 +1277,7 @@ RestoreMSCWarning { if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(), " MAT cannot read scanrow %u from a file.", (unsigned)(MATLAB_HDR.SizeY-i-1)); + ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile"); goto ExitLoop; } if((CellType==miINT8 || CellType==miUINT8) && (MATLAB_HDR.StructureFlag & FLAG_LOGICAL))