From 614d7b140cd03a0d38f76ae55a7fcb2c9d76012a Mon Sep 17 00:00:00 2001 From: Dirk Lemstra Date: Tue, 23 Jan 2018 23:18:58 +0100 Subject: [PATCH] Added extra checks to avoid out of bound writes. Credit to OSS-Fuzz --- coders/sixel.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/coders/sixel.c b/coders/sixel.c index bd006629d..01dfa8d93 100644 --- a/coders/sixel.c +++ b/coders/sixel.c @@ -245,6 +245,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p, int imsx, imsy; int dmsx, dmsy; int y; + size_t offset; posision_x = posision_y = 0; max_x = max_y = 0; @@ -459,7 +460,13 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p, if (repeat_count <= 1) { for (i = 0; i < 6; i++) { if ((b & sixel_vertical_mask) != 0) { - imbuf[imsx * (posision_y + i) + posision_x] = color_index; + offset=(size_t) imsx * (posision_y + i) + posision_x; + if (offset >= (size_t) imsx * imsy) + { + imbuf = (unsigned char *) RelinquishMagickMemory(imbuf); + return (MagickFalse); + } + imbuf[offset] = color_index; if (max_x < posision_x) { max_x = posision_x; } @@ -482,7 +489,13 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p, c <<= 1; } for (y = posision_y + i; y < posision_y + i + n; ++y) { - (void) ResetMagickMemory(imbuf + (size_t) imsx * y + posision_x, color_index, repeat_count); + offset=(size_t) imsx * y + posision_x; + if (offset + repeat_count >= (size_t) imsx * imsy) + { + imbuf = (unsigned char *) RelinquishMagickMemory(imbuf); + return (MagickFalse); + } + (void) ResetMagickMemory(imbuf + offset, color_index, repeat_count); } if (max_x < (posision_x + repeat_count - 1)) { max_x = posision_x + repeat_count - 1; -- 2.40.0