From 6387479aa974709d5c329c8efbde38175f386844 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Fri, 15 Sep 2017 15:43:06 -0400 Subject: [PATCH] Address JNG decoder Issue 760 --- ChangeLog | 6 +++++- coders/png.c | 28 ++++++++++++++++++++++++---- 2 files changed, 29 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 297232852..0086e8a08 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,10 @@ -2017-09-12 7.0.7-3 Glenn Randers-Pehrson + +2017-09-15 7.0.7-3 Glenn Randers-Pehrson + * Stop poential leaks in the JNG decoder (reference: + https://github.com/ImageMagick/ImageMagick/issues/760). * Maximum valid hour is 23, not 24, in the PNG tIME chunk, and maximum valid minute is 59, not 60. + 2017-09-12 7.0.7-2 Cristy * Release ImageMagick version 7.0.7-2, GIT revision 21089:4e46ad9dd:20170912. diff --git a/coders/png.c b/coders/png.c index d41bdfb78..4dbb8998c 100644 --- a/coders/png.c +++ b/coders/png.c @@ -4532,8 +4532,13 @@ static Image *ReadOneJNGImage(MngInfo *mng_info, jng_width=(png_uint_32)mng_get_long(p); jng_height=(png_uint_32)mng_get_long(&p[4]); if ((jng_width == 0) || (jng_height == 0)) + { + DestroyJNG(chunk,&color_image,&color_image_info, + &alpha_image,&alpha_image_info); + ThrowReaderException(CorruptImageError, "NegativeOrZeroImageSize"); + } jng_color_type=p[8]; jng_image_sample_depth=p[9]; jng_image_compression_method=p[10]; 
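Review bot: The cleanup added to the zero-size branch hands `&color_image`, `&color_image_info`, `&alpha_image` and `&alpha_image_info` to DestroyJNG while the JHDR chunk is still being parsed, before any of the allocations shown in the later hunks, so it is safe only if all four locals are set to NULL at function entry and DestroyJNG skips NULL members; neither the initializers nor DestroyJNG's body are part of this patch. `chunk` is passed by value, so the local still holds the released address afterwards, which is harmless only on the assumption that ThrowReaderException leaves the function, as its use without a following return suggests. I would state both assumptions above the call, e.g. `/* all four pointers are NULL-initialized at entry; chunk is stale after this call and must not be read */`. The same precondition applies to the calls added in the hunks at @@ -4605, @@ -4623, @@ -4634 and @@ -4644. ReadOneJNGImage starts and ends outside the hunk.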
@@ -4605,13 +4610,21 @@ static Image *ReadOneJNGImage(MngInfo *mng_info, color_image_info=(ImageInfo *)AcquireMagickMemory(sizeof(ImageInfo)); if (color_image_info == (ImageInfo *) NULL) + { + DestroyJNG(chunk,&color_image,&color_image_info, + &alpha_image,&alpha_image_info); ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } GetImageInfo(color_image_info); color_image=AcquireImage(color_image_info,exception); if (color_image == (Image *) NULL) + { + DestroyJNG(chunk,&color_image,&color_image_info, + &alpha_image,&alpha_image_info); ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } if (logging != MagickFalse) (void) LogMagickEvent(CoderEvent,GetMagickModule(), @@ -4623,7 +4636,8 @@ static Image *ReadOneJNGImage(MngInfo *mng_info, if (status == MagickFalse) { - color_image=DestroyImage(color_image); + DestroyJNG(chunk,&color_image,&color_image_info, + &alpha_image,&alpha_image_info); return(DestroyImageList(image)); } @@ -4634,7 +4648,8 @@ static Image *ReadOneJNGImage(MngInfo *mng_info, if (alpha_image_info == (ImageInfo *) NULL) { - color_image=DestroyImage(color_image); + DestroyJNG(chunk,&color_image,&color_image_info, + &alpha_image,&alpha_image_info); ThrowReaderException(ResourceLimitError, "MemoryAllocationFailed"); } @@ -4644,8 +4659,8 @@ static Image *ReadOneJNGImage(MngInfo *mng_info, if (alpha_image == (Image *) NULL) { - alpha_image_info=DestroyImageInfo(alpha_image_info); - color_image=DestroyImage(color_image); + DestroyJNG(chunk,&color_image,&color_image_info, + &alpha_image,&alpha_image_info); ThrowReaderException(ResourceLimitError, "MemoryAllocationFailed"); } 
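Review bot: The two allocation-failure branches in the hunk at @@ -4605 repeat the same two-statement sequence, a five-argument DestroyJNG call followed by ThrowReaderException, that also appears at @@ -4532, @@ -4634 and @@ -4644, so every future error path in ReadOneJNGImage has to remember the cleanup by hand. A function-local macro would keep the pairing in one place, for example `#define ThrowJNGException(severity,tag) { DestroyJNG(chunk,&color_image,&color_image_info,&alpha_image,&alpha_image_info); ThrowReaderException(severity,tag); }`, with each branch reduced to a single call. The macro name is only a suggestion, and the enclosing function continues outside the hunk.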
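Review bot: In the `status == MagickFalse` branch of the hunk at @@ -4623 the function now releases everything and returns `DestroyImageList(image)` without recording an error itself, unlike the neighbouring branches, which all end in ThrowReaderException. Whether the call that set `status` already reported the failure through `exception` is not visible in the hunk. If it did, a comment such as `/* failure already recorded in exception by the call that set status */` would document that; if it did not, the caller receives a NULL image with no reason attached, which makes a rejected malformed file hard to tell apart from an environment problem in logs.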
@@ -4944,7 +4959,12 @@ static Image *ReadOneJNGImage(MngInfo *mng_info, color_image_info=DestroyImageInfo(color_image_info); if (jng_image == (Image *) NULL) + { + DestroyJNG(NULL,&color_image,&color_image_info, + &alpha_image,&alpha_image_info); return(DestroyImageList(image)); + } + if (logging != MagickFalse) (void) LogMagickEvent(CoderEvent,GetMagickModule(), -- 2.40.0
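Review bot: The added `DestroyJNG(NULL,&color_image,&color_image_info,...)` runs immediately after `color_image_info=DestroyImageInfo(color_image_info);`, so passing `&color_image_info` again is a second release unless DestroyImageInfo returns NULL, and `&color_image` is safe only if the code above the hunk reset `color_image` in the same way. Only the alpha pair can still be live at this point, so, provided DestroyJNG accepts NULL for the color arguments (its definition is not part of this patch), `DestroyJNG(NULL,NULL,NULL,&alpha_image,&alpha_image_info);` would make that explicit. Otherwise a comment like `/* color_image and color_image_info are already NULL here; this releases the alpha pair */` would document what the call relies on. The function body extends beyond the hunk on both sides.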