From b8f791ac5089a8c1f462835899b5cca3226e86bd Mon Sep 17 00:00:00 2001
From: Cristy
Date: Fri, 25 Mar 2016 09:56:00 -0400
Subject: [PATCH] Prevent buffer overflow for RLE0-encoded SUN raster images
---
 coders/sun.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/coders/sun.c b/coders/sun.c
index 5411f2bfc..cd7b209f4 100644
--- a/coders/sun.c
+++ b/coders/sun.c
@@ -139,10 +139,9 @@ static MagickBooleanType IsSUN(const unsigned char *magick,const size_t length)
 %
 */
 static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
- const size_t length,unsigned char *pixels,size_t maxpixels)
+ const size_t length,unsigned char *pixels,size_t extent)
 {
 register const unsigned char
- *l,
 *p;
 register unsigned char
@@ -159,8 +158,8 @@ static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
 assert(pixels != (unsigned char *) NULL);
 p=compressed_pixels;
 q=pixels;
- l=q+maxpixels;
- while (((size_t) (p-compressed_pixels) < length) && (q < l))
+ while (((size_t) (p-compressed_pixels) < length) &&
+ ((size_t) (q-pixels) < extent))
 {
 byte=(*p++);
 if (byte != 128U)
@@ -168,19 +167,25 @@ static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
 else
 {
 /*
- Runlength-encoded packet:
+ Runlength-encoded packet: .
 */
- count=(ssize_t) (*p++);
+ if (((size_t) (p-compressed_pixels) >= length))
+ break;
+ count=(*p++);
 if (count > 0)
- byte=(*p++);
- while ((count >= 0) && (q < l))
+ {
+ if (((size_t) (p-compressed_pixels) >= length))
+ break;
+ byte=(*p++);
+ }
+ while ((count >= 0) && ((size_t) (q-pixels) < extent))
 {
 *q++=byte;
 count--;
 }
 }
 }
- return(MagickTrue);
+ return(((size_t) (q-pixels) == extent) ? MagickTrue : MagickFalse);
 }
 /*
--
2.40.0
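Review bot: The new `MagickFalse` result in the last hunk only protects anything if the caller of `DecodeImage` tests it, and this patch touches no call site (one file, three hunks, all inside `DecodeImage`). On the two added `break` paths, and on any stream that ends early, the bytes of `pixels` from `q` up to `pixels+extent` are never written, so a caller that discards the status would go on to consume whatever the allocation previously held. I would check the call site outside this patch so that it fails the read (or zeroes the buffer before decoding) on `MagickFalse`, and document the contract above the function, e.g. `Returns MagickTrue only when exactly extent bytes were decoded; otherwise the tail of pixels is left unwritten.` The declaration of `count` is outside the hunk; with the `(ssize_t)` cast dropped from `count=(*p++);`, confirm it is still a signed type, since `while ((count >= 0) ...)` relies on `count--` going negative to end a run.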