
Prevent buffer overflow in SIXEL, PDB, MAP, and CALS coders (bug repo…

…rt from Donghai Zhu)
Cristy
Cristy committed Aug 23, 2016
1 parent 2097c23 commit 10b3823a7619ed22d42764733eb052c4159bc8c1
Showing with 27 additions and 23 deletions.
  1. +2 −0 ChangeLog
  2. +11 −10 coders/map.c
  3. +2 −1 coders/pdb.c
  4. +11 −11 coders/sixel.c
  5. +1 −1 coders/tiff.c
@@ -3,6 +3,8 @@
pwchen&rayzhong of tencent).
* Fix MSVG regression (reference
https://github.com/ImageMagick/ImageMagick/issues/252).
* Prevent buffer overflow in SIXEL, PDB, MAP, and CALS coders (bug report
from Donghai Zhu).

2016-08-14 6.9.5-7 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 6.9.5-7, GIT revision 10993:7d2fd25:20160814.
@@ -401,22 +401,23 @@ static MagickBooleanType WriteMAPImage(const ImageInfo *image_info,Image *image)
Write colormap to file.
*/
q=colormap;
if (image->depth <= 8)
q=colormap;
if (image->colors <= 256)
for (i=0; i < (ssize_t) image->colors; i++)
{
*q++=(unsigned char) image->colormap[i].red;
*q++=(unsigned char) image->colormap[i].green;
*q++=(unsigned char) image->colormap[i].blue;
*q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].red);
*q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].green);
*q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].blue);
}
else
for (i=0; i < (ssize_t) image->colors; i++)
{
*q++=(unsigned char) ((size_t) image->colormap[i].red >> 8);
*q++=(unsigned char) image->colormap[i].red;
*q++=(unsigned char) ((size_t) image->colormap[i].green >> 8);
*q++=(unsigned char) image->colormap[i].green;
*q++=(unsigned char) ((size_t) image->colormap[i].blue >> 8);
*q++=(unsigned char) image->colormap[i].blue;
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].red) >> 8);
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].red) & 0xff);
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].green) >> 8);
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].green) & 0xff);;
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].blue) >> 8);
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].blue) & 0xff);
}
(void) WriteBlob(image,packet_size*image->colors,colormap);
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
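Review bot: The write loop now emits 3 bytes per entry when `image->colors <= 256` and 6 otherwise, but the buffer it fills and the `packet_size` passed to `WriteBlob` are set up outside this hunk, so the two can drift apart again the way the old `image->depth <= 8` test apparently did. I would put a comment above `q=colormap;` such as `/* bytes per entry written here must equal the packet_size used to allocate colormap */`, or better, branch on `packet_size` itself so the size is decided in one place. The new green low-byte line also ends in `;;`, a stray empty statement worth dropping. WriteMAPImage starts and ends outside the hunk.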
@@ -825,7 +825,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
buffer=(unsigned char *) AcquireQuantumMemory(512,sizeof(*buffer));
if (buffer == (unsigned char *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
packet_size=(size_t) (image->depth > 8 ? 2: 1);
packet_size=(size_t) (image->depth > 8 ? 2 : 1);
scanline=(unsigned char *) AcquireQuantumMemory(image->columns,packet_size*
sizeof(*scanline));
if (scanline == (unsigned char *) NULL)
@@ -838,6 +838,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image)
quantum_info=AcquireQuantumInfo(image_info,image);
if (quantum_info == (QuantumInfo *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
status=SetQuantumDepth(image,quantum_info,image->depth > 8 ? 16 : 8);
bits=8/(int) bits_per_pixel-1; /* start at most significant bits */
literal=0;
repeat=0;
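Review bot: The result of the added `status=SetQuantumDepth(image,quantum_info,image->depth > 8 ? 16 : 8);` is not tested before the encoder state is initialised on the following lines, so a failed depth change would go unnoticed as far as this hunk shows. `scanline` is sized from the same `image->depth > 8` test, so a quantum depth that did not take effect is exactly the size mismatch this commit is meant to rule out. Consider an `if (status == MagickFalse)` branch that releases `quantum_info`, `scanline` and `buffer` and then raises `ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");`. WritePDBImage continues beyond the hunk, so a later check may exist.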
@@ -257,7 +257,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,

imsx = 2048;
imsy = 2048;
imbuf = (unsigned char *) AcquireQuantumMemory(imsx * imsy,1);
imbuf = (unsigned char *) AcquireQuantumMemory(imsx , imsy);

if (imbuf == NULL) {
return(MagickFalse);
@@ -284,7 +284,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
sixel_palet[n] = SIXEL_RGB(255, 255, 255);
}

(void) ResetMagickMemory(imbuf, background_color_index, imsx * imsy);
(void) ResetMagickMemory(imbuf, background_color_index, (size_t) imsx * imsy);

while (*p != '\0') {
if ((p[0] == '\033' && p[1] == 'P') || *p == 0x90) {
@@ -358,14 +358,14 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
if (imsx < attributed_ph || imsy < attributed_pv) {
dmsx = imsx > attributed_ph ? imsx : attributed_ph;
dmsy = imsy > attributed_pv ? imsy : attributed_pv;
dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1);
dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy);
if (dmbuf == (unsigned char *) NULL) {
imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
return (MagickFalse);
}
(void) ResetMagickMemory(dmbuf, background_color_index, dmsx * dmsy);
(void) ResetMagickMemory(dmbuf, background_color_index, (size_t) dmsx * dmsy);
for (y = 0; y < imsy; ++y) {
(void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + imsx * y, imsx);
(void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + (size_t) imsx * y, imsx);
}
imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
imsx = dmsx;
@@ -432,14 +432,14 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,

dmsx = nx;
dmsy = ny;
dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1);
dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy);
if (dmbuf == (unsigned char *) NULL) {
imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
return (MagickFalse);
}
(void) ResetMagickMemory(dmbuf, background_color_index, dmsx * dmsy);
(void) ResetMagickMemory(dmbuf, background_color_index, (size_t) dmsx * dmsy);
for (y = 0; y < imsy; ++y) {
(void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + imsx * y, imsx);
(void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + (size_t) imsx * y, imsx);
}
imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
imsx = dmsx;
@@ -482,7 +482,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
c <<= 1;
}
for (y = posision_y + i; y < posision_y + i + n; ++y) {
(void) ResetMagickMemory(imbuf + imsx * y + posision_x, color_index, repeat_count);
(void) ResetMagickMemory(imbuf + (size_t) imsx * y + posision_x, color_index, repeat_count);
}
if (max_x < (posision_x + repeat_count - 1)) {
max_x = posision_x + repeat_count - 1;
@@ -515,7 +515,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
if (imsx > max_x || imsy > max_y) {
dmsx = max_x;
dmsy = max_y;
if ((dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1)) == NULL) {
if ((dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy)) == NULL) {
imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
return (MagickFalse);
}
@@ -1291,7 +1291,7 @@ static MagickBooleanType WriteSIXELImage(const ImageInfo *image_info,Image *imag
Define SIXEL pixels.
*/
output = sixel_output_create(image);
sixel_pixels =(unsigned char *) AcquireQuantumMemory(image->columns * image->rows,1);
sixel_pixels =(unsigned char *) AcquireQuantumMemory(image->columns , image->rows);
for (y=0; y < (ssize_t) image->rows; y++)
{
(void) GetVirtualPixels(image,0,y,image->columns,1,exception);
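Review bot: In the two buffer-grow paths of sixel_decode the source offset is now `(size_t) imsx * y`, but the destination offset on the same line is still `dmsx * y`, which can still overflow for large dimensions if `dmsx` and `y` are `int`, as the added casts suggest. Write `dmbuf + (size_t) dmsx * y` in both `CopyMagickMemory` calls. In WriteSIXELImage the result of `AcquireQuantumMemory(image->columns , image->rows)` reaches the `for` loop with no NULL test visible in the hunk. The two-argument form makes the allocator refuse oversized requests, so a check that releases `output` and reports `ResourceLimitError` belongs right after the allocation. Both functions extend beyond the hunks shown.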
@@ -2492,8 +2492,8 @@ static MagickBooleanType WriteGROUP4Image(const ImageInfo *image_info,
(void) SetImageType(huffman_image,BilevelType);
write_info=CloneImageInfo((ImageInfo *) NULL);
SetImageInfoFile(write_info,file);
(void) SetImageType(image,BilevelType);
(void) SetImageDepth(image,1);
(void) SetImageType(image,BilevelType);
write_info->compression=Group4Compression;
write_info->type=BilevelType;
(void) SetImageOption(write_info,"quantum:polarity","min-is-white");
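Review bot: Moving `SetImageDepth(image,1)` ahead of `SetImageType(image,BilevelType)` makes the call order significant, yet nothing next to the two calls says so, and a later tidy-up could swap them back. A comment above the pair would record it, for example `/* Order matters: set depth 1 before converting to bilevel (see commit 10b3823). */`. Both results are still discarded with `(void)`, so the Group4 writer presumably proceeds even if the image did not end up 1-bit bilevel. Testing them before `write_info` is configured would be the stricter option. WriteGROUP4Image starts and ends outside the hunk.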
