From 69ae73e15e4e2286f54229ba68955b1a093343b6 Mon Sep 17 00:00:00 2001 From: Cristy Date: Sun, 11 Feb 2018 10:57:18 -0500 Subject: [PATCH] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6226 --- coders/miff.c | 74 +++++++++-------------------- coders/mpc.c | 128 +++++++++++++++++++++++--------------------------- 2 files changed, 81 insertions(+), 121 deletions(-) diff --git a/coders/miff.c b/coders/miff.c index f79216ab9..37b63eece 100644 --- a/coders/miff.c +++ b/coders/miff.c @@ -901,46 +901,14 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, image->intensity=(PixelIntensityMethod) intensity; break; } - if ((LocaleNCompare(keyword,"profile:",8) == 0) || - (LocaleNCompare(keyword,"profile-",8) == 0)) + if (LocaleCompare(keyword,"profile") == 0) { - size_t - length; - - StringInfo - *profile; - - length=(size_t) StringToLong(options); - if ((MagickSizeType) length > GetBlobSize(image)) - { - if (profiles != (LinkedListInfo *) NULL) - profiles=DestroyLinkedList(profiles, - RelinquishMagickMemory); - options=DestroyString(options); - ThrowReaderException(CorruptImageError, - "InsufficientImageDataInFile"); - } if (profiles == (LinkedListInfo *) NULL) profiles=NewLinkedList(0); (void) AppendValueToLinkedList(profiles, - AcquireString(keyword+8)); - profile=BlobToStringInfo((const void *) NULL,length); - if (profile == (StringInfo *) NULL) - { - options=DestroyString(options); - profiles=DestroyLinkedList(profiles, - RelinquishMagickMemory); - ThrowReaderException(ResourceLimitError, - "MemoryAllocationFailed"); - } - if (EOFBlob(image) == MagickFalse) - (void) SetImageProfile(image,keyword+8,profile, - exception); - profile=DestroyStringInfo(profile); + AcquireString(options)); break; } - if (LocaleCompare(keyword,"profile") == 0) - break; (void) SetImageProperty(image,keyword,options,exception); break; } @@ -1168,7 +1136,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, const char *name; - const StringInfo + StringInfo *profile; /* @@ -1178,16 +1146,20 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, name=(const char *) GetNextValueInLinkedList(profiles); while (name != (const char *) NULL) { - profile=GetImageProfile(image,name); - if (profile != (StringInfo *) NULL) + length=ReadBlobMSBLong(image); + profile=AcquireStringInfo(length); + if (profile == (StringInfo *) NULL) + break; + count=ReadBlob(image,length,GetStringInfoDatum(profile)); + if (count != (ssize_t) length) { - register unsigned char - *p; - - p=GetStringInfoDatum(profile); - count=ReadBlob(image,GetStringInfoLength(profile),p); - (void) count; + profile=DestroyStringInfo(profile); + break; } + status=SetImageProfile(image,name,profile,exception); + profile=DestroyStringInfo(profile); + if (status == MagickFalse) + break; name=(const char *) GetNextValueInLinkedList(profiles); } profiles=DestroyLinkedList(profiles,RelinquishMagickMemory); @@ -2315,18 +2287,16 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info, *profile; /* - Write image profiles. + Write image profile names. */ ResetImageProfileIterator(image); - name=GetNextImageProfile(image); - while (name != (const char *) NULL) + for (name=GetNextImageProfile(image); name != (const char *) NULL; ) { profile=GetImageProfile(image,name); if (profile != (StringInfo *) NULL) { - (void) FormatLocaleString(buffer,MagickPathExtent, - "profile:%s=%.20g\n",name,(double) - GetStringInfoLength(profile)); + (void) FormatLocaleString(buffer,MagickPathExtent,"profile=%s\n", + name); (void) WriteBlobString(image,buffer); } name=GetNextImageProfile(image); @@ -2389,7 +2359,7 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info, image->directory); (void) WriteBlobByte(image,'\0'); } - if (image->profiles != (void *) NULL) + if (image->profiles != 0) { const char *name; @@ -2398,13 +2368,15 @@ static MagickBooleanType WriteMIFFImage(const ImageInfo *image_info, *profile; /* - Generic profile. + Write image profile blob. */ ResetImageProfileIterator(image); name=GetNextImageProfile(image); while (name != (const char *) NULL) { profile=GetImageProfile(image,name); + (void) WriteBlobMSBLong(image,(unsigned int) + GetStringInfoLength(profile)); (void) WriteBlob(image,GetStringInfoLength(profile), GetStringInfoDatum(profile)); name=GetNextImageProfile(image); diff --git a/coders/mpc.c b/coders/mpc.c index 83525dd9b..d1777525e 100644 --- a/coders/mpc.c +++ b/coders/mpc.c @@ -622,46 +622,14 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception) image->intensity=(PixelIntensityMethod) intensity; break; } - if ((LocaleNCompare(keyword,"profile:",8) == 0) || - (LocaleNCompare(keyword,"profile-",8) == 0)) + if (LocaleCompare(keyword,"profile") == 0) { - size_t - length; - - StringInfo - *profile; - - length=StringToLong(options); - if ((MagickSizeType) length > GetBlobSize(image)) - { - if (profiles != (LinkedListInfo *) NULL) - profiles=DestroyLinkedList(profiles, - RelinquishMagickMemory); - options=DestroyString(options); - ThrowReaderException(CorruptImageError, - "InsufficientImageDataInFile"); - } if (profiles == (LinkedListInfo *) NULL) profiles=NewLinkedList(0); (void) AppendValueToLinkedList(profiles, - AcquireString(keyword+8)); - profile=BlobToStringInfo((const void *) NULL,length); - if (profile == (StringInfo *) NULL) - { - options=DestroyString(options); - profiles=DestroyLinkedList(profiles, - RelinquishMagickMemory); - ThrowReaderException(ResourceLimitError, - "MemoryAllocationFailed"); - } - if (EOFBlob(image) == MagickFalse) - (void) SetImageProfile(image,keyword+8,profile, - exception); - profile=DestroyStringInfo(profile); + AcquireString(options)); break; } - if (LocaleCompare(keyword,"profile") == 0) - break; (void) SetImageProperty(image,keyword,options,exception); break; } @@ -860,30 +828,35 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception) *p++=(char) c; } while (c != (int) '\0'); } - if (profiles != (LinkedListInfo *) NULL) + if (profiles != (LinkedListInfo *) NULL) { const char *name; - const StringInfo + StringInfo *profile; - register unsigned char - *p; - /* - Read image profiles. + Read image profile blobs. */ ResetLinkedListIterator(profiles); name=(const char *) GetNextValueInLinkedList(profiles); while (name != (const char *) NULL) { - profile=GetImageProfile(image,name); - if (profile != (StringInfo *) NULL) + length=ReadBlobMSBLong(image); + profile=AcquireStringInfo(length); + if (profile == (StringInfo *) NULL) + break; + count=ReadBlob(image,length,GetStringInfoDatum(profile)); + if (count != (ssize_t) length) { - p=GetStringInfoDatum(profile); - count=ReadBlob(image,GetStringInfoLength(profile),p); + profile=DestroyStringInfo(profile); + break; } + status=SetImageProfile(image,name,profile,exception); + profile=DestroyStringInfo(profile); + if (status == MagickFalse) + break; name=(const char *) GetNextValueInLinkedList(profiles); } profiles=DestroyLinkedList(profiles,RelinquishMagickMemory); @@ -901,7 +874,7 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception) Create image colormap. */ packet_size=(size_t) (3UL*depth/8UL); - if ((packet_size*image->colors) > GetBlobSize(image)) + if ((MagickSizeType) (packet_size*image->colors) > GetBlobSize(image)) ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"); image->colormap=(PixelInfo *) AcquireQuantumMemory(image->colors+1, sizeof(*image->colormap)); @@ -938,11 +911,14 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception) for (i=0; i < (ssize_t) image->colors; i++) { p=PushCharPixel(p,&pixel); - image->colormap[i].red=ScaleCharToQuantum(pixel); + image->colormap[i].red=(MagickRealType) + ScaleCharToQuantum(pixel); p=PushCharPixel(p,&pixel); - image->colormap[i].green=ScaleCharToQuantum(pixel); + image->colormap[i].green=(MagickRealType) + ScaleCharToQuantum(pixel); p=PushCharPixel(p,&pixel); - image->colormap[i].blue=ScaleCharToQuantum(pixel); + image->colormap[i].blue=(MagickRealType) + ScaleCharToQuantum(pixel); } break; } @@ -954,11 +930,14 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception) for (i=0; i < (ssize_t) image->colors; i++) { p=PushShortPixel(MSBEndian,p,&pixel); - image->colormap[i].red=ScaleShortToQuantum(pixel); + image->colormap[i].red=(MagickRealType) + ScaleShortToQuantum(pixel); p=PushShortPixel(MSBEndian,p,&pixel); - image->colormap[i].green=ScaleShortToQuantum(pixel); + image->colormap[i].green=(MagickRealType) + ScaleShortToQuantum(pixel); p=PushShortPixel(MSBEndian,p,&pixel); - image->colormap[i].blue=ScaleShortToQuantum(pixel); + image->colormap[i].blue=(MagickRealType) + ScaleShortToQuantum(pixel); } break; } @@ -970,11 +949,14 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception) for (i=0; i < (ssize_t) image->colors; i++) { p=PushLongPixel(MSBEndian,p,&pixel); - image->colormap[i].red=ScaleLongToQuantum(pixel); + image->colormap[i].red=(MagickRealType) + ScaleLongToQuantum(pixel); p=PushLongPixel(MSBEndian,p,&pixel); - image->colormap[i].green=ScaleLongToQuantum(pixel); + image->colormap[i].green=(MagickRealType) + ScaleLongToQuantum(pixel); p=PushLongPixel(MSBEndian,p,&pixel); - image->colormap[i].blue=ScaleLongToQuantum(pixel); + image->colormap[i].blue=(MagickRealType) + ScaleLongToQuantum(pixel); } break; } @@ -1357,7 +1339,7 @@ static MagickBooleanType WriteMPCImage(const ImageInfo *image_info,Image *image, *profile; /* - Generic profile. + Write image profile names. */ ResetImageProfileIterator(image); for (name=GetNextImageProfile(image); name != (const char *) NULL; ) @@ -1365,9 +1347,8 @@ static MagickBooleanType WriteMPCImage(const ImageInfo *image_info,Image *image, profile=GetImageProfile(image,name); if (profile != (StringInfo *) NULL) { - (void) FormatLocaleString(buffer,MagickPathExtent, - "profile:%s=%.20g\n",name,(double) - GetStringInfoLength(profile)); + (void) FormatLocaleString(buffer,MagickPathExtent,"profile=%s\n", + name); (void) WriteBlobString(image,buffer); } name=GetNextImageProfile(image); @@ -1407,7 +1388,7 @@ static MagickBooleanType WriteMPCImage(const ImageInfo *image_info,Image *image, { if (value[i] == (int) '}') (void) WriteBlobByte(image,'\\'); - (void) WriteBlobByte(image,value[i]); + (void) WriteBlobByte(image,(unsigned char) value[i]); } (void) WriteBlobByte(image,'}'); } @@ -1434,13 +1415,15 @@ static MagickBooleanType WriteMPCImage(const ImageInfo *image_info,Image *image, *profile; /* - Write image profiles. + Write image profile blobs. */ ResetImageProfileIterator(image); name=GetNextImageProfile(image); while (name != (const char *) NULL) { profile=GetImageProfile(image,name); + (void) WriteBlobMSBLong(image,(unsigned int) + GetStringInfoLength(profile)); (void) WriteBlob(image,GetStringInfoLength(profile), GetStringInfoDatum(profile)); name=GetNextImageProfile(image); @@ -1478,11 +1461,12 @@ static MagickBooleanType WriteMPCImage(const ImageInfo *image_info,Image *image, unsigned int pixel; - pixel=ScaleQuantumToLong(image->colormap[i].red); + pixel=ScaleQuantumToLong(ClampToQuantum(image->colormap[i].red)); q=PopLongPixel(MSBEndian,pixel,q); - pixel=ScaleQuantumToLong(image->colormap[i].green); + pixel=ScaleQuantumToLong(ClampToQuantum( + image->colormap[i].green)); q=PopLongPixel(MSBEndian,pixel,q); - pixel=ScaleQuantumToLong(image->colormap[i].blue); + pixel=ScaleQuantumToLong(ClampToQuantum(image->colormap[i].blue)); q=PopLongPixel(MSBEndian,pixel,q); break; } @@ -1491,11 +1475,13 @@ static MagickBooleanType WriteMPCImage(const ImageInfo *image_info,Image *image, unsigned short pixel; - pixel=ScaleQuantumToShort(image->colormap[i].red); + pixel=ScaleQuantumToShort(ClampToQuantum(image->colormap[i].red)); q=PopShortPixel(MSBEndian,pixel,q); - pixel=ScaleQuantumToShort(image->colormap[i].green); + pixel=ScaleQuantumToShort(ClampToQuantum( + image->colormap[i].green)); q=PopShortPixel(MSBEndian,pixel,q); - pixel=ScaleQuantumToShort(image->colormap[i].blue); + pixel=ScaleQuantumToShort(ClampToQuantum( + image->colormap[i].blue)); q=PopShortPixel(MSBEndian,pixel,q); break; } @@ -1504,12 +1490,14 @@ static MagickBooleanType WriteMPCImage(const ImageInfo *image_info,Image *image, unsigned char pixel; - pixel=(unsigned char) ScaleQuantumToChar(image->colormap[i].red); + pixel=(unsigned char) ScaleQuantumToChar(ClampToQuantum( + image->colormap[i].red)); q=PopCharPixel(pixel,q); - pixel=(unsigned char) ScaleQuantumToChar( - image->colormap[i].green); + pixel=(unsigned char) ScaleQuantumToChar(ClampToQuantum( + image->colormap[i].green)); q=PopCharPixel(pixel,q); - pixel=(unsigned char) ScaleQuantumToChar(image->colormap[i].blue); + pixel=(unsigned char) ScaleQuantumToChar(ClampToQuantum( + image->colormap[i].blue)); q=PopCharPixel(pixel,q); break; } -- 2.40.0