From b48da02fb6d3951ee95bca3b8ac206ad1fd39110 Mon Sep 17 00:00:00 2001
From: Cristy
Date: Sat, 20 Jan 2018 17:14:44 -0500
Subject: [PATCH] Check for resource overflow Credit OSS Fuzz
---
 MagickCore/magick-type.h | 8 ++++----
 MagickCore/resource.c | 12 ++++++++++++
 2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/MagickCore/magick-type.h b/MagickCore/magick-type.h
index b5229de6a..cc00cd390 100644
--- a/MagickCore/magick-type.h
+++ b/MagickCore/magick-type.h
@@ -29,11 +29,11 @@ extern "C" {
 #endif
 #if defined(MAGICKCORE_WINDOWS_SUPPORT) && !defined(__MINGW32__)
-# define MagickLLConstant(c) (MagickOffsetType) (c ## i64)
-# define MagickULLConstant(c) (MagickSizeType) (c ## ui64)
+# define MagickLLConstant(c) ((MagickOffsetType) (c ## i64))
+# define MagickULLConstant(c) ((MagickSizeType) (c ## ui64))
 #else
-# define MagickLLConstant(c) (MagickOffsetType) (c ## LL)
-# define MagickULLConstant(c) (MagickSizeType) (c ## ULL)
+# define MagickLLConstant(c) ((MagickOffsetType) (c ## LL))
+# define MagickULLConstant(c) ((MagickSizeType) (c ## ULL))
 #endif
 #if MAGICKCORE_SIZEOF_FLOAT_T == 0
diff --git a/MagickCore/resource.c b/MagickCore/resource.c
index 650e967e0..5e81531d7 100644
--- a/MagickCore/resource.c
+++ b/MagickCore/resource.c
@@ -181,6 +181,8 @@ MagickExport MagickBooleanType AcquireMagickResource(const ResourceType type,
 MagickSizeType limit;
+ if ((MagickOffsetType) size < 0)
+ return(MagickFalse);
 status=MagickFalse;
 logging=IsEventLogging();
 if (resource_semaphore == (SemaphoreInfo *) NULL)
@@ -207,6 +209,8 @@ MagickExport MagickBooleanType AcquireMagickResource(const ResourceType type,
 }
 case MemoryResource:
 {
+ if ((resource_info.memory+(MagickOffsetType) size) < 0)
+ return(MagickFalse);
 resource_info.memory+=(MagickOffsetType) size;
 limit=resource_info.memory_limit;
 if ((limit == MagickResourceInfinity) ||
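Review bot: The early check `(MagickOffsetType) size < 0` at the top of AcquireMagickResource carries no comment explaining why a very large request is refused, and the reason is security-relevant: the later hunks add `(MagickOffsetType) size` to usage counters that appear to be signed, so a size with the top bit set would lower the counter instead of raising it and the configured limit would never trigger. I would add `/* a size that does not fit in MagickOffsetType would wrap negative and decrease the usage counter */` above the check. The cast of an out-of-range unsigned value is also implementation-defined, and `if (size > (~MagickULLConstant(0) >> 1))` states the same bound without relying on it, assuming MagickSizeType is the unsigned counterpart of MagickOffsetType at the same width. The function body starts and ends outside this hunk.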
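Review bot: The guard added in `case MemoryResource` detects overflow by performing the signed addition `resource_info.memory+(MagickOffsetType) size` and testing the sign afterwards, but signed overflow is undefined behaviour in C, so an optimising compiler may assume the sum of two non-negative values is never negative and drop the test. Doing the comparison in the unsigned type avoids this, for example `if (((MagickSizeType) resource_info.memory+size) > (~MagickULLConstant(0) >> 1))`, again assuming the two types share a width. The bare `return(MagickFalse)` also leaves from inside the switch: the previous hunk shows `resource_semaphore` being set up ahead of it, and if the lock is taken before the switch (not visible in these hunks) this path would exit with it still held and block every later caller, so recording the failure in `status` and leaving through the function's normal unlock path would be safer. The same two points apply to the MapResource, DiskResource, FileResource and TimeResource hunks, whose case bodies all continue outside the visible lines.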
@@ -227,6 +231,8 @@ MagickExport MagickBooleanType AcquireMagickResource(const ResourceType type,
 }
 case MapResource:
 {
+ if ((resource_info.map+(MagickOffsetType) size) < 0)
+ return(MagickFalse);
 resource_info.map+=(MagickOffsetType) size;
 limit=resource_info.map_limit;
 if ((limit == MagickResourceInfinity) ||
@@ -247,6 +253,8 @@ MagickExport MagickBooleanType AcquireMagickResource(const ResourceType type,
 }
 case DiskResource:
 {
+ if ((resource_info.disk+(MagickOffsetType) size) < 0)
+ return(MagickFalse);
 resource_info.disk+=(MagickOffsetType) size;
 limit=resource_info.disk_limit;
 if ((limit == MagickResourceInfinity) ||
@@ -267,6 +275,8 @@ MagickExport MagickBooleanType AcquireMagickResource(const ResourceType type,
 }
 case FileResource:
 {
+ if ((resource_info.file+(MagickOffsetType) size) < 0)
+ return(MagickFalse);
 resource_info.file+=(MagickOffsetType) size;
 limit=resource_info.file_limit;
 if ((limit == MagickResourceInfinity) ||
@@ -341,6 +351,8 @@ MagickExport MagickBooleanType AcquireMagickResource(const ResourceType type,
 }
 case TimeResource:
 {
+ if ((resource_info.time+(MagickOffsetType) size) < 0)
+ return(MagickFalse);
 resource_info.time+=(MagickOffsetType) size;
 limit=resource_info.time_limit;
 if ((limit == MagickResourceInfinity) ||
--
2.40.0