From ede93428c943928943b042a2b762c60bc80318da Mon Sep 17 00:00:00 2001
From: Dirk Lemstra
Date: Fri, 13 Apr 2018 22:18:52 +0200
Subject: [PATCH] DecodeImage should return null when decoding fails (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5759).

---
 coders/pict.c | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/coders/pict.c b/coders/pict.c
index d010e44d3..e648ca014 100644
--- a/coders/pict.c
+++ b/coders/pict.c
@@ -394,9 +394,11 @@ static unsigned char *ExpandBuffer(unsigned char *pixels,
 }
 
 static unsigned char *DecodeImage(Image *blob,Image *image,
-  size_t bytes_per_line,const unsigned int bits_per_pixel,size_t *extent,
-  ExceptionInfo *exception)
+  size_t bytes_per_line,const unsigned int bits_per_pixel,size_t *extent)
 {
+  MagickBooleanType
+    status;
+
   MagickSizeType
     number_pixels;
 
@@ -460,6 +462,7 @@ static unsigned char *DecodeImage(Image *blob,Image *image,
       return((unsigned char *) NULL);
     }
   (void) memset(scanline,0,2*row_bytes*sizeof(*scanline));
+  status=MagickTrue;
   if (bytes_per_line < 8)
     {
       /*
@@ -472,22 +475,20 @@ static unsigned char *DecodeImage(Image *blob,Image *image,
         count=ReadBlob(blob,(size_t) number_pixels,scanline);
         if (count != (ssize_t) number_pixels)
           {
-            (void) ThrowMagickException(exception,GetMagickModule(),
-              CorruptImageError,"UnableToUncompressImage","`%s'",
-              image->filename);
+            status=MagickFalse;
             break;
           }
         p=ExpandBuffer(scanline,&number_pixels,bits_per_pixel);
         if ((q+number_pixels) > (pixels+(*extent)))
           {
-            (void) ThrowMagickException(exception,GetMagickModule(),
-              CorruptImageError,"UnableToUncompressImage","`%s'",
-              image->filename);
+            status=MagickFalse;
             break;
           }
         (void) memcpy(q,p,(size_t) number_pixels);
       }
       scanline=(unsigned char *) RelinquishMagickMemory(scanline);
+      if (status == MagickFalse)
+        pixels=(unsigned char *) RelinquishMagickMemory(pixels);
       return(pixels);
     }
   /*
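Review bot: Removing the `exception` parameter changes DecodeImage's contract to "return NULL and let the caller throw", but nothing at the signature records that, and the function's descriptive comment block sits above the hunk so I cannot tell whether it still refers to the exception. A one-line comment above the definition such as `/* Returns NULL on allocation failure or on corrupt pixel data; the caller reports the error. */` would make the new contract visible where the callers look. The body of DecodeImage continues past the end of this hunk.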
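Review bot: The failure epilogue `if (status == MagickFalse) pixels=(unsigned char *) RelinquishMagickMemory(pixels);` followed by `return(pixels);` is duplicated verbatim here and in the -539 hunk for the RLE branch, and both copies are preceded by the same `scanline` release; a single shared tail after the if/else would keep the two exit paths from drifting apart. The function body between the two hunks is outside my view, so I can't confirm that no other return sits between them. The cleanup itself looks right: `pixels` is released only after the loop has broken out, and the NULL result the subject line promises relies on RelinquishMagickMemory returning NULL, which the assignment back into `pixels` presumes.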
@@ -502,15 +503,13 @@ static unsigned char *DecodeImage(Image *blob,Image *image,
       scanline_length=(size_t) ReadBlobByte(blob);
     if ((scanline_length >= row_bytes) || (scanline_length == 0))
       {
-        //(void) ThrowMagickException(exception,GetMagickModule(),
-        //  CorruptImageError,"UnableToUncompressImage","`%s'",image->filename);
+        status=MagickFalse;
         break;
       }
     count=ReadBlob(blob,scanline_length,scanline);
     if (count != (ssize_t) scanline_length)
       {
-        (void) ThrowMagickException(exception,GetMagickModule(),
-          CorruptImageError,"UnableToUncompressImage","`%s'",image->filename);
+        status=MagickFalse;
         break;
       }
     for (j=0; j < (ssize_t) scanline_length; )
@@ -539,6 +538,8 @@ static unsigned char *DecodeImage(Image *blob,Image *image,
         }
     }
   scanline=(unsigned char *) RelinquishMagickMemory(scanline);
+  if (status == MagickFalse)
+    pixels=(unsigned char *) RelinquishMagickMemory(pixels);
   return(pixels);
 }
 
@@ -1231,12 +1232,12 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
             if ((code != 0x9a) && (code != 0x9b) &&
                 (bytes_per_line & 0x8000) == 0)
               pixels=DecodeImage(image,tile_image,(size_t) bytes_per_line,1,
-                &extent,exception);
+                &extent);
             else
               pixels=DecodeImage(image,tile_image,(size_t) bytes_per_line,
-                (unsigned int) pixmap.bits_per_pixel,&extent,exception);
+                (unsigned int) pixmap.bits_per_pixel,&extent);
             if (pixels == (unsigned char *) NULL)
-              ThrowPICTException(ResourceLimitError,"MemoryAllocationFailed");
+              ThrowPICTException(CorruptImageError,"UnableToUncompressImage");
             /*
               Convert PICT tile image to pixel packets.
             */
-- 
2.40.0
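Review bot: The first rejected case (`scanline_length >= row_bytes` or `scanline_length == 0`) previously just stopped decoding — its ThrowMagickException was commented out — and returned whatever had been decoded so far, whereas it now fails the whole tile. That is presumably the intent given the fuzzer report, but since it changes which files ReadPICTImage accepts, a comment above the new `status=MagickFalse;` such as `/* A zero or oversized scanline length is treated as a corrupt tile, not as end of data. */` would record the decision for the next reader. The enclosing row loop starts and ends outside this hunk.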
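Review bot: Every NULL from DecodeImage is now reported as `CorruptImageError` / `UnableToUncompressImage`, but DecodeImage also returns NULL when its scanline buffer cannot be allocated (the `return((unsigned char *) NULL);` visible in the -460 hunk's context, and presumably the earlier `pixels` allocation as well), so an out-of-memory condition is now misreported as a corrupt file where it used to be `ResourceLimitError`. If the distinction matters to callers, the failure kind could be returned through an out-parameter or a status alongside the pixel buffer; otherwise a comment above the check such as `/* NULL covers both a decode failure and an allocation failure. */` would at least record the merge. This hunk is inside ReadPICTImage, whose body continues on both sides of it.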