From afa878a689870c28b6994ecf3bb8dbfb2b76d135 Mon Sep 17 00:00:00 2001 From: Cristy Date: Mon, 27 Aug 2018 19:35:15 -0400 Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1269 --- coders/pict.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/coders/pict.c b/coders/pict.c index 35dadfeee..3600c1215 100644 --- a/coders/pict.c +++ b/coders/pict.c @@ -982,6 +982,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info, Clipping rectangle. */ length=ReadBlobMSBShort(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); if (length != 0x000a) { for (i=0; i < (ssize_t) (length-2); i++) @@ -1030,6 +1033,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info, if (pattern != 1) ThrowPICTException(CorruptImageError,"UnknownPatternType"); length=ReadBlobMSBShort(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); if (ReadRectangle(image,&frame) == MagickFalse) ThrowPICTException(CorruptImageError,"ImproperImageHeader"); if (ReadPixmap(image,&pixmap) == MagickFalse) @@ -1041,6 +1047,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info, (void) ReadBlobMSBLong(image); flags=(ssize_t) ReadBlobMSBShort(image); length=ReadBlobMSBShort(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); for (i=0; i <= (ssize_t) length; i++) (void) ReadBlobMSBLong(image); width=(size_t) (frame.bottom-frame.top); @@ -1101,6 +1110,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info, Skip polygon or region. */ length=ReadBlobMSBShort(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); for (i=0; i < (ssize_t) (length-2); i++) if (ReadBlobByte(image) == EOF) break; @@ -1223,6 +1235,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info, Skip region. */ length=ReadBlobMSBShort(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); for (i=0; i < (ssize_t) (length-2); i++) if (ReadBlobByte(image) == EOF) break; @@ -1345,6 +1360,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info, */ type=ReadBlobMSBShort(image); length=ReadBlobMSBShort(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); if (length == 0) break; (void) ReadBlobMSBLong(image); @@ -1454,6 +1472,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info, ThrowPICTException(FileOpenError,"UnableToCreateTemporaryFile"); } length=ReadBlobMSBLong(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); if (length > 154) { for (i=0; i < 6; i++) @@ -1505,6 +1526,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info, Skip reserved. */ length=ReadBlobMSBShort(image); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); for (i=0; i < (ssize_t) length; i++) if (ReadBlobByte(image) == EOF) break; @@ -1516,6 +1540,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info, Skip reserved. */ length=(size_t) ((code >> 7) & 0xff); + if (length > GetBlobSize(image)) + ThrowPICTException(CorruptImageError, + "InsufficientImageDataInFile"); for (i=0; i < (ssize_t) length; i++) if (ReadBlobByte(image) == EOF) break; -- 2.40.0