Prevent buffer overflow in SIXEL, PDB, MAP, and CALS coders (bug report from Donghai Zhu)
Cristy committed Aug 23, 2016
1 parent 2097c23 commit 10b3823
Showing 5 changed files with 27 additions and 23 deletions.
2 changes: 2 additions & 0 deletions ChangeLog
Expand Up @@ -3,6 +3,8 @@
pwchen&rayzhong of tencent).
* Fix MSVG regression (reference
https://github.com/ImageMagick/ImageMagick/issues/252).
* Prevent buffer overflow in SIXEL, PDB, MAP, and CALS coders (bug report
from Donghai Zhu).

2016-08-14 6.9.5-7 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 6.9.5-7, GIT revision 10993:7d2fd25:20160814.
21 changes: 11 additions & 10 deletions coders/map.c
Expand Up @@ -401,22 +401,23 @@ static MagickBooleanType WriteMAPImage(const ImageInfo *image_info,Image *image)
Write colormap to file.
*/
q=colormap;
if (image->depth <= 8)
q=colormap;
if (image->colors <= 256)
for (i=0; i < (ssize_t) image->colors; i++)
{
*q++=(unsigned char) image->colormap[i].red;
*q++=(unsigned char) image->colormap[i].green;
*q++=(unsigned char) image->colormap[i].blue;
*q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].red);
*q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].green);
*q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].blue);
}
else
for (i=0; i < (ssize_t) image->colors; i++)
{
*q++=(unsigned char) ((size_t) image->colormap[i].red >> 8);
*q++=(unsigned char) image->colormap[i].red;
*q++=(unsigned char) ((size_t) image->colormap[i].green >> 8);
*q++=(unsigned char) image->colormap[i].green;
*q++=(unsigned char) ((size_t) image->colormap[i].blue >> 8);
*q++=(unsigned char) image->colormap[i].blue;
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].red) >> 8);
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].red) & 0xff);
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].green) >> 8);
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].green) & 0xff);;
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].blue) >> 8);
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].blue) & 0xff);
}
(void) WriteBlob(image,packet_size*image->colors,colormap);
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
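Review bot: Both fill loops are only safe if `colormap` was allocated with a per-entry size chosen by the same `image->colors <= 256` test, and that allocation (and the `packet_size` passed to `WriteBlob`) sits outside this hunk. If the size is still derived from `image->depth`, the six-byte branch can write past the buffer or `WriteBlob` can read past it, so I would add `/* entry width must match the packet_size used to allocate colormap */` above the `if`. The new side also appears to leave `q=colormap;` twice in a row and a stray `;;` after the green low byte; both are harmless but should be dropped. WriteMAPImage begins and ends outside the hunk.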
3 changes: 2 additions & 1 deletion coders/pdb.c
Expand Up @@ -825,7 +825,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
buffer=(unsigned char *) AcquireQuantumMemory(512,sizeof(*buffer));
if (buffer == (unsigned char *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
packet_size=(size_t) (image->depth > 8 ? 2: 1);
packet_size=(size_t) (image->depth > 8 ? 2 : 1);
scanline=(unsigned char *) AcquireQuantumMemory(image->columns,packet_size*
sizeof(*scanline));
if (scanline == (unsigned char *) NULL)
Expand All @@ -838,6 +838,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
quantum_info=AcquireQuantumInfo(image_info,image);
if (quantum_info == (QuantumInfo *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
status=SetQuantumDepth(image,quantum_info,image->depth > 8 ? 16 : 8);
bits=8/(int) bits_per_pixel-1; /* start at most significant bits */
literal=0;
repeat=0;
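Review bot: The `status` returned by the added `SetQuantumDepth(image,quantum_info,image->depth > 8 ? 16 : 8)` call is not tested anywhere in the visible lines. A failure would leave the quantum depth at whatever `AcquireQuantumInfo` chose, while `scanline` stays sized for one or two bytes per pixel. That mismatch is presumably what the change is closing, so the call should fail closed, e.g. `if (status == MagickFalse) ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");`, ideally after releasing `quantum_info`, `scanline` and `buffer`. WritePDBImage starts and ends outside the hunks, so any later check of `status` cannot be seen from here.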
22 changes: 11 additions & 11 deletions coders/sixel.c
Expand Up @@ -257,7 +257,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,

imsx = 2048;
imsy = 2048;
imbuf = (unsigned char *) AcquireQuantumMemory(imsx * imsy,1);
imbuf = (unsigned char *) AcquireQuantumMemory(imsx , imsy);

if (imbuf == NULL) {
return(MagickFalse);
Expand All @@ -284,7 +284,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
sixel_palet[n] = SIXEL_RGB(255, 255, 255);
}

(void) ResetMagickMemory(imbuf, background_color_index, imsx * imsy);
(void) ResetMagickMemory(imbuf, background_color_index, (size_t) imsx * imsy);

while (*p != '\0') {
if ((p[0] == '\033' && p[1] == 'P') || *p == 0x90) {
Expand Down Expand Up @@ -358,14 +358,14 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
if (imsx < attributed_ph || imsy < attributed_pv) {
dmsx = imsx > attributed_ph ? imsx : attributed_ph;
dmsy = imsy > attributed_pv ? imsy : attributed_pv;
dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1);
dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy);
if (dmbuf == (unsigned char *) NULL) {
imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
return (MagickFalse);
}
(void) ResetMagickMemory(dmbuf, background_color_index, dmsx * dmsy);
(void) ResetMagickMemory(dmbuf, background_color_index, (size_t) dmsx * dmsy);
for (y = 0; y < imsy; ++y) {
(void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + imsx * y, imsx);
(void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + (size_t) imsx * y, imsx);
}
imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
imsx = dmsx;
Expand Down Expand Up @@ -432,14 +432,14 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,

dmsx = nx;
dmsy = ny;
dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1);
dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy);
if (dmbuf == (unsigned char *) NULL) {
imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
return (MagickFalse);
}
(void) ResetMagickMemory(dmbuf, background_color_index, dmsx * dmsy);
(void) ResetMagickMemory(dmbuf, background_color_index, (size_t) dmsx * dmsy);
for (y = 0; y < imsy; ++y) {
(void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + imsx * y, imsx);
(void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + (size_t) imsx * y, imsx);
}
imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
imsx = dmsx;
Expand Down Expand Up @@ -482,7 +482,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
c <<= 1;
}
for (y = posision_y + i; y < posision_y + i + n; ++y) {
(void) ResetMagickMemory(imbuf + imsx * y + posision_x, color_index, repeat_count);
(void) ResetMagickMemory(imbuf + (size_t) imsx * y + posision_x, color_index, repeat_count);
}
if (max_x < (posision_x + repeat_count - 1)) {
max_x = posision_x + repeat_count - 1;
Expand Down Expand Up @@ -515,7 +515,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
if (imsx > max_x || imsy > max_y) {
dmsx = max_x;
dmsy = max_y;
if ((dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1)) == NULL) {
if ((dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy)) == NULL) {
imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
return (MagickFalse);
}
Expand Down Expand Up @@ -1291,7 +1291,7 @@ static MagickBooleanType WriteSIXELImage(const ImageInfo *image_info,Image *imag
Define SIXEL pixels.
*/
output = sixel_output_create(image);
sixel_pixels =(unsigned char *) AcquireQuantumMemory(image->columns * image->rows,1);
sixel_pixels =(unsigned char *) AcquireQuantumMemory(image->columns , image->rows);
for (y=0; y < (ssize_t) image->rows; y++)
{
(void) GetVirtualPixels(image,0,y,image->columns,1,exception);
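Review bot: In both grow paths of sixel_decode the destination offset of the row copy is still written as `dmbuf + dmsx * y`, while only the source side gained the `(size_t)` cast. If `dmsx` and `y` are plain `int` (their declarations are outside the hunks), that product can overflow for large canvases, so it should read `dmbuf + (size_t) dmsx * y`. Separately, in the WriteSIXELImage hunk the result of `AcquireQuantumMemory(image->columns , image->rows)` is not tested for NULL before the row loop begins, and the overflow-checked form can now refuse oversized dimensions. A guard such as `if (sixel_pixels == (unsigned char *) NULL) ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");` before the loop would cover it. Both functions continue outside the hunks shown.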
2 changes: 1 addition & 1 deletion coders/tiff.c
Expand Up @@ -2492,8 +2492,8 @@ static MagickBooleanType WriteGROUP4Image(const ImageInfo *image_info,
(void) SetImageType(huffman_image,BilevelType);
write_info=CloneImageInfo((ImageInfo *) NULL);
SetImageInfoFile(write_info,file);
(void) SetImageType(image,BilevelType);
(void) SetImageDepth(image,1);
(void) SetImageType(image,BilevelType);
write_info->compression=Group4Compression;
write_info->type=BilevelType;
(void) SetImageOption(write_info,"quantum:polarity","min-is-white");
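Review bot: Nothing on the new side records why `SetImageDepth(image,1)` and `SetImageType(image,BilevelType)` must run in this particular order, and both results are discarded with `(void)`, so a later cleanup could swap them back unnoticed. Since the reordering is presumably the CALS part of this fix, a short comment above the pair would preserve the intent, for example `/* keep this call order: part of the CALS/GROUP4 overflow fix */`. WriteGROUP4Image starts and ends outside the hunk.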
