From 06beaa808eb4effbfd9991c110e8c848642231c7 Mon Sep 17 00:00:00 2001
From: cristy
Date: Fri, 11 May 2012 11:18:16 +0000
Subject: [PATCH]

---
 coders/sfw.c | 33 ++++++++++++++++++---------------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/coders/sfw.c b/coders/sfw.c
index 7d092d290..cfefefe55 100644
--- a/coders/sfw.c
+++ b/coders/sfw.c
@@ -120,24 +120,22 @@ static MagickBooleanType IsSFW(const unsigned char *magick,const size_t length)
 %
 */
 
-static unsigned char *SFWScan(unsigned char *p,const unsigned char *q,
+static unsigned char *SFWScan(const unsigned char *p,const unsigned char *q,
 const unsigned char *target,const size_t length)
 {
 register ssize_t
 i;
 
- for ( ; p < q; p++)
- {
- if (*p != *target)
- continue;
- if (length == 1)
- return(p);
- for (i=1; i < (ssize_t) length; i++)
- if (*(p+i) != *(target+i))
- break;
- if (i == (ssize_t) length)
- return(p);
- }
+ if ((p+length) < q)
+ while (p < q)
+ {
+ for (i=0; i < length; i++)
+ if (p[i] != target[i])
+ break;
+ if (i == length)
+ return((unsigned char *) p);
+ p++;
+ }
 return((unsigned char *) NULL);
 }
 
@@ -281,13 +279,18 @@ static Image *ReadSFWImage(const ImageInfo *image_info,ExceptionInfo *exception)
 Translate remaining markers.
 */
 offset=header+2;
- offset+=(offset[2] << 8)+offset[3]+2;
+ offset+=(((unsigned int) offset[2]) << 8)+offset[3]+2;
 for ( ; ; )
 {
+ if ((offset+4) > (buffer+count-1))
+ {
+ buffer=(unsigned char *) RelinquishMagickMemory(buffer);
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
 TranslateSFWMarker(offset);
 if (offset[1] == 0xda)
 break;
- offset+=(offset[2] << 8)+offset[3]+2;
+ offset+=(((unsigned int) offset[2]) << 8)+offset[3]+2;
 }
 offset--;
 data=SFWScan(offset,buffer+count-1,(const unsigned char *) "\377\311",2);
-- 
2.40.0
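Review bot: The new `if ((p+length) < q)` guard in SFWScan is evaluated once, for the starting position only, so the inner `p[i]` comparison can still read up to `length-1` bytes past `p` on every later iteration as `p` approaches `q`. With the two-byte target passed in the second hunk the furthest read lands on `q` itself, but a longer target (other callers are outside this diff) would read beyond it. If `q` is meant as the last readable byte, as the `buffer+count-1` argument suggests, a per-iteration bound such as `while ((p < q) && ((size_t) (q-p+1) >= length))` in place of the `if`/`while` pair keeps every `p[i]` at or below `q`. A short comment stating whether `q` is inclusive or one-past-the-end would make that contract explicit, and declaring `i` as `size_t` would remove the signed/unsigned comparisons against `length`.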
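Review bot: The first `offset+=(((unsigned int) offset[2]) << 8)+offset[3]+2;`, directly after `offset=header+2;`, still reads two length bytes before any bounds check runs, because the added guard sits inside the loop and only covers the position reached after an advance. How `header` is located is outside this hunk, so it cannot be confirmed here that four bytes are always available at `header+2`; repeating the `(offset+4) > (buffer+count-1)` test before that first advance would cover it. Checking each segment length against the bytes remaining before adding it to `offset` would also avoid forming a pointer far past the buffer and only then comparing it. A truncated or malformed file is reported as `ResourceLimitError` with `"MemoryAllocationFailed"`, which will mislead triage; `CorruptImageError` with `"ImproperImageHeader"` describes the failure accurately. ReadSFWImage begins and ends outside the hunk.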