From 7ec893210d13a7424e5a7c3200568f1bf5317040 Mon Sep 17 00:00:00 2001
From: dirk
Date: Tue, 16 Dec 2014 22:50:15 +0000
Subject: [PATCH] Fixed parsing resource block.
---
 coders/psd.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/coders/psd.c b/coders/psd.c
index 091462561..d05cf4bae 100644
--- a/coders/psd.c
+++ b/coders/psd.c
@@ -527,7 +527,7 @@ static void NegateCMYK(Image *image,ExceptionInfo *exception)
 (void) SetImageChannelMask(image,channel_mask);
 }
 
-static MagickBooleanType ParseImageResourceBlocks(Image *image,
+static void ParseImageResourceBlocks(Image *image,
 const unsigned char *blocks,size_t length,
 MagickBooleanType *has_merged_image,ExceptionInfo *exception)
 {
@@ -546,7 +546,7 @@ static MagickBooleanType ParseImageResourceBlocks(Image *image,
 short_sans;
 
 if (length < 16)
- return(MagickFalse);
+ return;
 profile=BlobToStringInfo((const void *) NULL,length);
 SetStringInfoDatum(profile,blocks);
 (void) SetImageProfile(image,"8bim",profile,exception);
@@ -559,6 +559,8 @@ static MagickBooleanType ParseImageResourceBlocks(Image *image,
 p=PushShortPixel(MSBEndian,p,&id);
 p=PushShortPixel(MSBEndian,p,&short_sans);
 p=PushLongPixel(MSBEndian,p,&count);
+ if (p+count > blocks+length)
+ return;
 switch (id)
 {
 case 0x03ed:
@@ -605,7 +607,7 @@ static MagickBooleanType ParseImageResourceBlocks(Image *image,
 if ((count & 0x01) != 0)
 p++;
 }
- return(MagickTrue);
+ return;
 }
 
 static CompositeOperator PSDBlendModeToCompositeOperator(const char *mode)
@@ -1751,7 +1753,7 @@ static Image *ReadPSDImage(const ImageInfo *image_info,
 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
 " reading image resource blocks - %.20g bytes",(double)
 ((MagickOffsetType) length));
- blocks=(unsigned char *) AcquireQuantumMemory((size_t) length+16,
+ blocks=(unsigned char *) AcquireQuantumMemory((size_t) length,
 sizeof(*blocks));
 if (blocks == (unsigned char *) NULL)
 ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
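Review bot: Making ParseImageResourceBlocks return void (in the -527 hunk, with the matching returns at -546 and -605 and the call site at -1762) leaves ReadPSDImage with no way to learn that the resource section was malformed. The new bounds failure at -559 ends parsing silently, after the raw bytes were already attached as the `8bim` profile by the `SetImageProfile` call visible in the -546 hunk. Consider keeping the `MagickBooleanType` return and using `return(MagickFalse);` on the length and bounds failures so the caller can raise `CorruptImageError`, as the branch just above the call already does. Failing that, add a comment above the function stating that truncated blocks are ignored on purpose. The function body continues outside these hunks.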
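Review bot: The added check `if (p+count > blocks+length)` in the -559 hunk forms the pointer `p+count` before comparing it, and `count` is filled from the block data by `PushLongPixel` on the line above. A large value moves the pointer far past the buffer, which is undefined behaviour and on a 32-bit address space can wrap so that the comparison passes. Comparing lengths avoids this: `if (count > (size_t) (blocks+length-p)) return;`, assuming `p` never exceeds `blocks+length` here. The loop condition and the declaration of `count` are outside the hunk, so confirm both. The three header reads just above also run before any remaining-bytes check that is visible in this hunk.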
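Review bot: Dropping the `+16` slack from the `AcquireQuantumMemory` call in the -1751 hunk makes the buffer exactly `length` bytes, so any parser read that runs even a few bytes past `blocks+length` now lands outside the allocation. The loop bound of ParseImageResourceBlocks is not visible in this patch, so confirm it leaves room for the fixed header fields read in the -559 hunk and for the padding-byte `p++` in the -605 hunk. A comment at the allocation would record the dependency, for example `/* no slack: ParseImageResourceBlocks must bound every read by length */`. ReadPSDImage continues outside the hunk.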
@@ -1762,8 +1764,8 @@ static Image *ReadPSDImage(const ImageInfo *image_info,
 blocks=(unsigned char *) RelinquishMagickMemory(blocks);
 ThrowReaderException(CorruptImageError,"ImproperImageHeader");
 }
- (void) ParseImageResourceBlocks(image,blocks,(size_t) length,
- &has_merged_image,exception);
+ ParseImageResourceBlocks(image,blocks,(size_t) length,&has_merged_image,
+ exception);
 blocks=(unsigned char *) RelinquishMagickMemory(blocks);
 }
 /*
-- 
2.40.0