From ce07f720d2db4a7f5584ff886a88ac930e563257 Mon Sep 17 00:00:00 2001
From: dirk
Date: Thu, 2 Jun 2016 22:37:46 +0200
Subject: [PATCH] Corrected overflow checks.

---
 coders/sun.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/coders/sun.c b/coders/sun.c
index 57fdde982..ac0ab5642 100644
--- a/coders/sun.c
+++ b/coders/sun.c
@@ -57,6 +57,7 @@
 #include "MagickCore/list.h"
 #include "MagickCore/magick.h"
 #include "MagickCore/memory_.h"
+#include "MagickCore/memory-private.h"
 #include "MagickCore/monitor.h"
 #include "MagickCore/monitor-private.h"
 #include "MagickCore/pixel-accessor.h"
@@ -260,7 +261,6 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)

 size_t
 bytes_per_line,
- data_length,
 extent,
 height,
 pixels_length;
@@ -420,15 +420,15 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
 if ((sun_info.type != RT_ENCODED) &&
 ((number_pixels*sun_info.depth) > (8UL*sun_info.length)))
 ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ if (HeapOverflowSanityCheck(sun_info.width,sun_info.depth) != MagickFalse)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
 bytes_per_line=sun_info.width*sun_info.depth;
- data_length=(size_t) MagickMax(sun_info.length,bytes_per_line*
- sun_info.width)+7;
- sun_data=(unsigned char *) AcquireQuantumMemory(data_length,
+ sun_data=(unsigned char *) AcquireQuantumMemory(sun_info.length,
 sizeof(*sun_data));
 if (sun_data == (unsigned char *) NULL)
 ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- count=(ssize_t) ReadBlob(image,data_length,sun_data);
- if (count != (ssize_t) data_length)
+ count=(ssize_t) ReadBlob(image,sun_info.length,sun_data);
+ if (count != (ssize_t) sun_info.length)
 {
 sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
 ThrowReaderException(CorruptImageError,"UnableToReadImageData");
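Review bot: `sun_info.length` comes from the file header and now sizes both the `AcquireQuantumMemory` call and the `ReadBlob` call directly, so a small file that declares a very large length forces the full allocation before the short read is detected. Where the blob size is known, the header could be rejected first, for example `if ((MagickSizeType) sun_info.length > GetBlobSize(image)) ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile");`, with the caveat that the blob size may not be meaningful for non-seekable streams. A zero `sun_info.length` also deserves a comment here: whether it surfaces as "MemoryAllocationFailed" rather than as a corrupt header depends on how the allocator treats a zero count, which is not visible in this hunk. ReadSUNImage continues outside the hunk on both sides.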
@@ -448,7 +448,12 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
 ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
 }
 bytes_per_line>>=4;
- pixels_length=height*(MagickMax(image->columns,bytes_per_line)+1);
+ if (HeapOverflowSanityCheck(height,bytes_per_line) != MagickFalse)
+ {
+ sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
+ ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
+ }
+ pixels_length=height*bytes_per_line;
 sun_pixels=(unsigned char *) AcquireQuantumMemory(pixels_length,
 sizeof(*sun_pixels));
 if (sun_pixels == (unsigned char *) NULL)
@@ -458,16 +463,20 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception)
 }
 ResetMagickMemory(sun_pixels,0,pixels_length*sizeof(*sun_pixels));
 if (sun_info.type == RT_ENCODED)
- (void) DecodeImage(sun_data,data_length,sun_pixels,pixels_length);
+ {
+ status=DecodeImage(sun_data,sun_info.length,sun_pixels,pixels_length);
+ if (status == MagickFalse)
+ ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+ }
 else
 {
- if (data_length > pixels_length)
+ if (sun_info.length > pixels_length)
 {
 sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
 sun_pixels=(unsigned char *) RelinquishMagickMemory(sun_pixels);
 ThrowReaderException(ResourceLimitError,"ImproperImageHeader");
 }
- (void) CopyMagickMemory(sun_pixels,sun_data,data_length);
+ (void) CopyMagickMemory(sun_pixels,sun_data,sun_info.length);
 }
 sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
 /*
-- 
2.40.0
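Review bot: `pixels_length=height*bytes_per_line` drops the per-row slack that the removed expression `height*(MagickMax(image->columns,bytes_per_line)+1)` provided, so `sun_pixels` is now exactly sized and any later loop that consumes a padding byte per row or indexes by `image->columns` would read past the buffer. Those pixel-conversion loops are outside this hunk, so this is unverified here; they should be confirmed to consume at most `bytes_per_line` bytes per row, and the invariant recorded next to the allocation, e.g. `/* sun_pixels holds exactly height*bytes_per_line bytes; row readers must not exceed bytes_per_line */`. The added throw also pairs `ResourceLimitError` with "ImproperImageHeader", while the equivalent overflow check in the previous hunk uses `CorruptImageError`; using `CorruptImageError` here too would keep a malformed header from being reported as a resource limit.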
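Review bot: The new `status == MagickFalse` branch calls `ThrowReaderException` without releasing `sun_data` and `sun_pixels`, whereas the uncompressed branch directly below frees both before its throw, so a corrupt RT_ENCODED file appears to leak both buffers on each failed read. Put `sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);` and `sun_pixels=(unsigned char *) RelinquishMagickMemory(sun_pixels);` in a braced block ahead of the `ThrowReaderException(CorruptImageError,"UnableToReadImageData");` line. The declaration of `status` and the return type of `DecodeImage` are outside the hunk, so it is worth confirming that `DecodeImage` actually reports truncated or overlong run-length data as `MagickFalse` rather than only stopping at the buffer bounds.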