Suspend exception processing if there are too many exceptions
Cristy committed May 29, 2016
1 parent 8a370f9 commit 0474237
Showing 5 changed files with 76 additions and 48 deletions.
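--- a/coders/label.c
+++ b/coders/label.c
@@ -136,7 +136,7 @@ static Image *ReadLABELImage(const ImageInfo *image_info,
 status=GetMultilineTypeMetrics(image,draw_info,&metrics);
 if ((image->columns == 0) && (image->rows == 0))
 {
-image->columns=(size_t) (metrics.width+draw_info->stroke_width+0.5);
+image->columns=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
 image->rows=(size_t) floor(metrics.height+draw_info->stroke_width+0.5);
 }
 else
@@ -205,14 +205,16 @@ static Image *ReadLABELImage(const ImageInfo *image_info,
 return((Image *) NULL);
 }
 if (image->columns == 0)
-image->columns=(size_t) (metrics.width+draw_info->stroke_width+0.5);
+image->columns=(size_t) floor(metrics.width+draw_info->stroke_width+0.5);
 if (image->columns == 0)
-image->columns=(size_t) (draw_info->pointsize+draw_info->stroke_width+0.5);
+image->columns=(size_t) floor(draw_info->pointsize+draw_info->stroke_width+
+0.5);
 if (image->rows == 0)
-image->rows=(size_t) (metrics.ascent-metrics.descent+
+image->rows=(size_t) floor(metrics.ascent-metrics.descent+
 draw_info->stroke_width+0.5);
 if (image->rows == 0)
-image->rows=(size_t) (draw_info->pointsize+draw_info->stroke_width+0.5);
+image->rows=(size_t) floor(draw_info->pointsize+draw_info->stroke_width+
+0.5);
 status=SetImageExtent(image,image->columns,image->rows);
 if (status == MagickFalse)
 {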
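Review bot: The added floor() calls do not make the conversions to size_t safe. If a sum such as `metrics.width+draw_info->stroke_width+0.5` is negative, NaN or larger than SIZE_MAX, the cast from double to size_t is undefined behaviour, and it happens before SetImageExtent() sees the value. This applies to every assignment in both hunks. stroke_width and pointsize come from draw_info, which presumably carries caller- or file-supplied settings, so each sum should be computed into a double and range-checked first, e.g. `if (!((extent >= 0.0) && (extent < (double) SIZE_MAX)))` followed by the reader's usual error return. ReadLABELImage starts and ends outside these hunks, so any clamping done elsewhere in the function is not visible here.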
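--- a/coders/viff.c
+++ b/coders/viff.c
@@ -137,22 +137,6 @@ static MagickBooleanType IsVIFF(const unsigned char *magick,const size_t length)
 % o exception: return any errors or warnings in this structure.
 %
 */
-
-static MagickBooleanType CheckMemoryOverflow(const size_t count,
-const size_t quantum)
-{
-size_t
-size;
-
-size=count*quantum;
-if ((count == 0) || (quantum != (size/count)))
-{
-errno=ENOMEM;
-return(MagickTrue);
-}
-return(MagickFalse);
-}
-
 static Image *ReadVIFFImage(const ImageInfo *image_info,
 ExceptionInfo *exception)
 {
@@ -520,13 +504,13 @@ static Image *ReadVIFFImage(const ImageInfo *image_info,
 }
 if (viff_info.data_storage_type == VFF_TYP_BIT)
 {
-if (CheckMemoryOverflow((image->columns+7UL) >> 3UL,image->rows) != MagickFalse)
+if (HeapOverflowSanityCheck((image->columns+7UL) >> 3UL,image->rows) != MagickFalse)
 ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
 max_packets=((image->columns+7UL) >> 3UL)*image->rows;
 }
 else
 {
-if (CheckMemoryOverflow(number_pixels,viff_info.number_data_bands) != MagickFalse)
+if (HeapOverflowSanityCheck(number_pixels,viff_info.number_data_bands) != MagickFalse)
 ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
 max_packets=(size_t) (number_pixels*viff_info.number_data_bands);
 }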
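Review bot: In the else branch, `number_pixels` is narrowed to the helper's `const size_t` parameter before the overflow check runs, while the next statement multiplies the un-narrowed value and only then applies `(size_t)`. That cast suggests number_pixels is wider than size_t on some builds; if so, the check validates a different product than the one stored in max_packets. Rejecting a value that does not survive the narrowing closes the gap, e.g. `if (((size_t) number_pixels != number_pixels) || (HeapOverflowSanityCheck((size_t) number_pixels,viff_info.number_data_bands) != MagickFalse))`. Separately, this section adds no #include, so confirm viff.c already pulls in magick/memory-private.h, where the helper is now declared. ReadVIFFImage starts and ends outside the hunk.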
26 changes: 21 additions & 5 deletions magick/exception.c
@@ -52,6 +52,11 @@
#include "magick/string_.h"
#include "magick/utility.h"

/*
Global declarations.
*/
#define MaxExceptions 128

/*
Forward declarations.
*/
@@ -193,6 +198,9 @@ MagickExport void CatchException(ExceptionInfo *exception)
register const ExceptionInfo
*p;

ssize_t
i;

assert(exception != (ExceptionInfo *) NULL);
assert(exception->signature == MagickSignature);
if (exception->exceptions == (void *) NULL)
@@ -201,14 +209,22 @@ MagickExport void CatchException(ExceptionInfo *exception)
ResetLinkedListIterator((LinkedListInfo *) exception->exceptions);
p=(const ExceptionInfo *) GetNextValueInLinkedList((LinkedListInfo *)
exception->exceptions);
while (p != (const ExceptionInfo *) NULL)
for (i=0; p != (const ExceptionInfo *) NULL; i++)
{
if ((p->severity >= WarningException) && (p->severity < ErrorException))
MagickWarning(p->severity,p->reason,p->description);
if ((p->severity >= ErrorException) && (p->severity < FatalErrorException))
MagickError(p->severity,p->reason,p->description);
if (p->severity >= FatalErrorException)
MagickFatalError(p->severity,p->reason,p->description);
if (i < MaxExceptions)
{
if ((p->severity >= ErrorException) &&
(p->severity < FatalErrorException))
MagickError(p->severity,p->reason,p->description);
if ((p->severity >= WarningException) && (p->severity < ErrorException))
MagickWarning(p->severity,p->reason,p->description);
}
else
if (i == MaxExceptions)
MagickError(ResourceLimitError,"too many exceptions",
"exception processing suspended");
p=(const ExceptionInfo *) GetNextValueInLinkedList((LinkedListInfo *)
exception->exceptions);
}
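Review bot: The MaxExceptions cap in CatchException() limits only how many queued warnings and errors are reported. Nothing in these hunks bounds how many entries are appended to `exception->exceptions` in the first place, so input that raises exceptions in a loop can presumably still grow the list without limit, and the loop here still walks every entry. If the aim is to bound resource use, the same cap belongs where exceptions are queued, which is outside this section. The new constant also has no comment; `/* Maximum number of queued exceptions CatchException() reports before suspending output. */` above `#define MaxExceptions 128` would document it. The suspension message could also state how many entries were skipped, so the loss is visible in logs.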
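--- a/magick/memory-private.h
+++ b/magick/memory-private.h
@@ -41,6 +41,9 @@ extern "C" {
 #define MagickAssumeAligned(address) (address)
 #endif
 
+MagickExport MagickBooleanType
+HeapOverflowSanityCheck(const size_t,const size_t) magick_alloc_sizes(1,2);
+
 #if defined(__cplusplus) || defined(c_plusplus)
 }
 #endif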
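Review bot: `magick_alloc_sizes(1,2)` on this declaration looks misplaced. The macro name suggests it expands to the compiler's alloc_size attribute, which describes the size of the memory a pointer-returning allocator hands back, whereas HeapOverflowSanityCheck() returns a MagickBooleanType. Compilers that support the attribute are expected to ignore it, possibly with a warning, on a non-pointer return, so the declaration would be clearer as `HeapOverflowSanityCheck(const size_t,const size_t);`. A one-line comment saying that MagickTrue means the product overflows would also help, since the name does not say which result is the failure case.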
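--- a/magick/memory.c
+++ b/magick/memory.c
@@ -234,22 +234,6 @@ static MagickBooleanType
 % o quantum: the number of bytes in each quantum.
 %
 */
-
-static MagickBooleanType CheckMemoryOverflow(const size_t count,
-const size_t quantum)
-{
-size_t
-size;
-
-size=count*quantum;
-if ((count == 0) || (quantum != (size/count)))
-{
-errno=ENOMEM;
-return(MagickTrue);
-}
-return(MagickFalse);
-}
-
 MagickExport void *AcquireAlignedMemory(const size_t count,const size_t quantum)
 {
 #define AlignedExtent(size,alignment) \
@@ -263,7 +247,7 @@ MagickExport void *AcquireAlignedMemory(const size_t count,const size_t quantum)
 void
 *memory;
 
-if (CheckMemoryOverflow(count,quantum) != MagickFalse)
+if (HeapOverflowSanityCheck(count,quantum) != MagickFalse)
 return((void *) NULL);
 memory=NULL;
 alignment=CACHE_LINE_SIZE;
@@ -544,7 +528,7 @@ MagickExport void *AcquireQuantumMemory(const size_t count,const size_t quantum)
 size_t
 extent;
 
-if (CheckMemoryOverflow(count,quantum) != MagickFalse)
+if (HeapOverflowSanityCheck(count,quantum) != MagickFalse)
 return((void *) NULL);
 extent=count*quantum;
 return(AcquireMagickMemory(extent));
@@ -584,7 +568,7 @@ MagickExport MemoryInfo *AcquireVirtualMemory(const size_t count,
 size_t
 extent;
 
-if (CheckMemoryOverflow(count,quantum) != MagickFalse)
+if (HeapOverflowSanityCheck(count,quantum) != MagickFalse)
 return((MemoryInfo *) NULL);
 memory_info=(MemoryInfo *) MagickAssumeAligned(AcquireAlignedMemory(1,
 sizeof(*memory_info)));
@@ -917,6 +901,45 @@ MagickExport void *GetVirtualMemoryBlob(const MemoryInfo *memory_info)
 % %
 % %
 % %
++ H e a p O v e r f l o w S a n i t y C h e c k %
+% %
+% %
+% %
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% HeapOverflowSanityCheck() returns MagickTrue if the heap allocation request
+% does not exceed the maximum limits of a size_t otherwise MagickFalse.
+%
+% The format of the HeapOverflowSanityCheck method is:
+%
+% MagickBooleanType HeapOverflowSanityCheck(const size_t count,
+% const size_t quantum)
+%
+% A description of each parameter follows:
+%
+% o size: the size of the memory in bytes we require.
+%
+*/
+MagickExport MagickBooleanType HeapOverflowSanityCheck(const size_t count,
+const size_t quantum)
+{
+size_t
+size;
+
+size=count*quantum;
+if ((count == 0) || (quantum != (size/count)))
+{
+errno=ENOMEM;
+return(MagickTrue);
+}
+return(MagickFalse);
+}
+
+/*
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% %
+% %
+% %
 % R e l i n q u i s h A l i g n e d M e m o r y %
 % %
 % %
@@ -1222,7 +1245,7 @@ MagickExport void *ResizeQuantumMemory(void *memory,const size_t count,
 size_t
 extent;
 
-if (CheckMemoryOverflow(count,quantum) != MagickFalse)
+if (HeapOverflowSanityCheck(count,quantum) != MagickFalse)
 return((void *) NULL);
 {
 memory=RelinquishMagickMemory(memory);
 return((void *) NULL);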
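Review bot: The header comment added for HeapOverflowSanityCheck() states the opposite of what the body does. The function returns MagickTrue, with errno set to ENOMEM, when `count*quantum` wraps or when count is zero, and MagickFalse when the request fits. Because the helper is now exported to coders, a caller who trusts the comment would invert the test and allocate exactly in the overflow case. The description should read `HeapOverflowSanityCheck() returns MagickTrue if count*quantum overflows a size_t or count is zero (errno is set to ENOMEM), otherwise MagickFalse.` The parameter list should also describe `count` and `quantum` rather than a `size` argument the function does not take. Note too that a zero quantum with a non-zero count passes the check, so callers still need to handle zero-byte requests.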
