From 4b14b0e8f554128291e66ba2d87a5ef3c2c7e50c Mon Sep 17 00:00:00 2001 From: Cristy Date: Sun, 4 Feb 2018 17:32:59 -0500 Subject: [PATCH] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5765 --- MagickCore/cache.c | 13 ++++++++++--- MagickCore/resource.c | 1 + 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/MagickCore/cache.c b/MagickCore/cache.c index 89368056f..21bcf4efe 100644 --- a/MagickCore/cache.c +++ b/MagickCore/cache.c @@ -1580,6 +1580,9 @@ static Cache GetImagePixelCache(Image *image,const MagickBooleanType clone, destroy, status; + MagickSizeType + length; + static MagickSizeType cache_timelimit = MagickResourceInfinity, cpu_throttle = MagickResourceInfinity, @@ -1606,6 +1609,13 @@ static Cache GetImagePixelCache(Image *image,const MagickBooleanType clone, #endif ThrowFatalException(ResourceLimitFatalError,"TimeLimitExceeded"); } + length=GetImageListLength(image); + if (AcquireMagickResource(ListLengthResource,length) == MagickFalse) + { + (void) ThrowMagickException(exception,GetMagickModule(),ImageError, + "ListLengthExceedsLimit","`%s'",image->filename); + return((Cache) NULL); + } LockSemaphoreInfo(image->semaphore); assert(image->cache != (Cache) NULL); cache_info=(CacheInfo *) image->cache; @@ -3485,9 +3495,6 @@ static MagickBooleanType OpenPixelCache(Image *image,const MapMode mode, ThrowBinaryException(CacheError,"NoPixelsDefinedInCache",image->filename); cache_info=(CacheInfo *) image->cache; assert(cache_info->signature == MagickCoreSignature); - length=GetImageListLength(image); - if (AcquireMagickResource(ListLengthResource,length) == MagickFalse) - ThrowBinaryException(ImageError,"ListLengthExceedsLimit",image->filename); if ((AcquireMagickResource(WidthResource,image->columns) == MagickFalse) || (AcquireMagickResource(HeightResource,image->rows) == MagickFalse)) ThrowBinaryException(ImageError,"WidthOrHeightExceedsLimit", diff --git a/MagickCore/resource.c b/MagickCore/resource.c index 09352f330..9df603853 100644 --- a/MagickCore/resource.c +++ b/MagickCore/resource.c @@ -1365,6 +1365,7 @@ MagickPrivate MagickBooleanType ResourceComponentGenesis(void) 100.0)); limit=DestroyString(limit); } + (void) SetMagickResourceLimit(ListLengthResource,MagickResourceInfinity); limit=GetEnvironmentValue("MAGICK_LIST_LENGTH_LIMIT"); if (limit != (char *) NULL) { -- 2.40.0