From 7c6821692041be9b465eac289ffa17a0bab20e6e Mon Sep 17 00:00:00 2001 From: Dirk Lemstra Date: Sat, 5 May 2018 10:19:56 +0200 Subject: [PATCH] Fixed incorrect check for memory request. --- MagickCore/memory-private.h | 3 ++ MagickCore/memory.c | 57 +++++++++++++++++++++++++++---------- coders/miff.c | 17 ++++------- 3 files changed, 50 insertions(+), 27 deletions(-) diff --git a/MagickCore/memory-private.h b/MagickCore/memory-private.h index 4c524b0f7..09d86721f 100644 --- a/MagickCore/memory-private.h +++ b/MagickCore/memory-private.h @@ -46,6 +46,9 @@ extern "C" { MagickExport MagickBooleanType HeapOverflowSanityCheck(const size_t,const size_t) magick_alloc_sizes(1,2); +MagickExport size_t + GetMaxMemoryRequest(void); + extern MagickPrivate void ResetMaxMemoryRequest(void), ResetVirtualAnonymousMemory(void); diff --git a/MagickCore/memory.c b/MagickCore/memory.c index 4ef438614..85e168736 100644 --- a/MagickCore/memory.c +++ b/MagickCore/memory.c @@ -582,19 +582,7 @@ MagickExport MemoryInfo *AcquireVirtualMemory(const size_t count, if (HeapOverflowSanityCheck(count,quantum) != MagickFalse) return((MemoryInfo *) NULL); - if (max_memory_request == 0) - { - max_memory_request=(size_t) MagickULLConstant(~0); - value=GetPolicyValue("system:max-memory-request"); - if (value != (char *) NULL) - { - /* - The security policy sets a max memory request limit. - */ - max_memory_request=StringToSizeType(value,100.0); - value=DestroyString(value); - } - } + (void) GetMaxMemoryRequest(); if (virtual_anonymous_memory == 0) { virtual_anonymous_memory=1; @@ -901,6 +889,45 @@ MagickExport void GetMagickMemoryMethods( % % % % % % ++ G e t M a x M e m o r y R e q u e s t % +% % +% % +% % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% +% GetMaxMemoryRequest() returns the max_memory_request value. +% +% The format of the GetMaxMemoryRequest method is: +% +% size_t GetMaxMemoryRequest(void) +% +*/ +MagickExport size_t GetMaxMemoryRequest(void) +{ + if (max_memory_request == 0) + { + char + *value; + + max_memory_request=(size_t) MagickULLConstant(~0); + value=GetPolicyValue("system:max-memory-request"); + if (value != (char *) NULL) + { + /* + The security policy sets a max memory request limit. + */ + max_memory_request=StringToSizeType(value,100.0); + value=DestroyString(value); + } + } + return(max_memory_request); +} + +/* +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% % +% % +% % % G e t V i r t u a l M e m o r y B l o b % % % % % @@ -1167,7 +1194,7 @@ MagickExport void *ResetMagickMemory(void *memory,int byte,const size_t size) % % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % -% ResetMaxMemoryRequest() resets the anonymous_memory value. +% ResetMaxMemoryRequest() resets the max_memory_request value. % % The format of the ResetMaxMemoryRequest method is: % @@ -1190,7 +1217,7 @@ MagickPrivate void ResetMaxMemoryRequest(void) % % %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% % -% ResetVirtualAnonymousMemory() resets the anonymous_memory value. +% ResetVirtualAnonymousMemory() resets the virtual_anonymous_memory value. % % The format of the ResetVirtualAnonymousMemory method is: % diff --git a/coders/miff.c b/coders/miff.c index 6e40a9d34..cb0b9ae9f 100644 --- a/coders/miff.c +++ b/coders/miff.c @@ -167,19 +167,12 @@ static void *AcquireCompressionMemory(void *context, size_t extent; + (void) context; if (HeapOverflowSanityCheck(items,size) != MagickFalse) return((void *) NULL); extent=items*size; - /* Check if the buffer is big enough when we get a large request */ - if ((context != (void *) NULL) && (extent > 2000000)) - { - Image - *image; - - image=(Image *) context; - if ((MagickSizeType) extent > GetBlobSize(image)) - return((void *) NULL); - } + if (extent > GetMaxMemoryRequest()) + return((void *) NULL); return(AcquireMagickMemory(extent)); } @@ -1567,7 +1560,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, if (length == 0) { count=ReadBlob(image,packet_size,pixels); - if (count != packet_size) + if (count != (ssize_t) packet_size) ThrowMIFFException(CorruptImageError,"UnableToReadImageData"); PushRunlengthPacket(image,pixels,&length,&pixel,exception); } @@ -1591,7 +1584,7 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, default: { count=ReadBlob(image,packet_size*image->columns,pixels); - if (count != (packet_size*image->columns)) + if (count != (ssize_t) (packet_size*image->columns)) ThrowMIFFException(CorruptImageError,"UnableToReadImageData"); (void) ImportQuantumPixels(image,(CacheView *) NULL,quantum_info, quantum_type,pixels,exception); -- 2.40.0