From 03f3270d5675647ca77f1124b0197e4c81162acf Mon Sep 17 00:00:00 2001 From: Cristy Date: Sat, 22 Dec 2018 19:38:49 -0500 Subject: [PATCH] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12158 --- MagickCore/cache.c | 5 ++++- coders/dcm.c | 15 +++++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/MagickCore/cache.c b/MagickCore/cache.c index b4f9b9e8b..f29cafd4c 100644 --- a/MagickCore/cache.c +++ b/MagickCore/cache.c @@ -3761,7 +3761,10 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode, cache_info->length); } if (cache_info->pixels == (Quantum *) NULL) - cache_info->pixels=source_info.pixels; + { + cache_info->mapped=source_info.mapped; + cache_info->pixels=source_info.pixels; + } else { /* diff --git a/coders/dcm.c b/coders/dcm.c index cc6389899..2a75e1342 100644 --- a/coders/dcm.c +++ b/coders/dcm.c @@ -2961,11 +2961,11 @@ static MagickBooleanType ReadDCMPixels(Image *image,DCMInfo *info, if (info->scale != (Quantum *) NULL) { if ((MagickSizeType) pixel.red <= GetQuantumRange(info->depth)) - pixel.red=info->scale[pixel.red]; + pixel.red=(unsigned int) info->scale[pixel.red]; if ((MagickSizeType) pixel.green <= GetQuantumRange(info->depth)) - pixel.green=info->scale[pixel.green]; + pixel.green=(unsigned int) info->scale[pixel.green]; if ((MagickSizeType) pixel.blue <= GetQuantumRange(info->depth)) - pixel.blue=info->scale[pixel.blue]; + pixel.blue=(unsigned int) info->scale[pixel.blue]; } } if (first_segment != MagickFalse) @@ -3994,7 +3994,14 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) ThrowDCMException(ResourceLimitError,"MemoryAllocationFailed"); for (i=0; i < (ssize_t) stream_info->offset_count; i++) { - stream_info->offsets[i]=(ssize_t) ReadBlobLSBSignedLong(image); + MagickOffsetType + offset; + + offset=(MagickOffsetType) ReadBlobLSBSignedLong(image); + if (offset > (MagickOffsetType) GetBlobSize(image)) + ThrowDCMException(CorruptImageError, + "InsufficientImageDataInFile"); + stream_info->offsets[i]=(ssize_t) offset; if (EOFBlob(image) != MagickFalse) break; } -- 2.40.0