Skip to content
Permalink
Browse files Browse the repository at this point in the history
RLE check for pixel offset less than 0 (heap overflow report from Cra…
…ig Young)
  • Loading branch information
Cristy committed Jun 5, 2016
1 parent f3132f9 commit 139d432
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 3 deletions.
2 changes: 2 additions & 0 deletions ChangeLog
Expand Up @@ -4,6 +4,8 @@
2016-06-04 7.0.1-10 Cristy <quetzlzacatenango@image...>
* Deny indirect reads by policy, remove policy to permit, e.g.,
convert caption:@mytext.txt ...
* RLE check for pixel offset less than 0 (heap overflow report from Craig
Young).

2016-06-03 7.0.1-9 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 7.0.1-9, GIT revision 10847:339f803:20160602.
Expand Down
8 changes: 5 additions & 3 deletions coders/rle.c
Expand Up @@ -175,11 +175,11 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
number_planes,
number_planes_filled,
one,
offset,
pixel_info_length;

ssize_t
count,
offset,
y;

unsigned char
Expand Down Expand Up @@ -389,7 +389,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
offset=((image->rows-y-1)*image->columns*number_planes)+x*
number_planes+plane;
operand++;
if (offset+((size_t) operand*number_planes) > pixel_info_length)
if ((offset < 0) ||
(offset+((size_t) operand*number_planes) > pixel_info_length))
{
if (number_colormaps != 0)
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
Expand Down Expand Up @@ -420,7 +421,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
offset=((image->rows-y-1)*image->columns*number_planes)+x*
number_planes+plane;
operand++;
if (offset+((size_t) operand*number_planes) > pixel_info_length)
if ((offset < 0) ||
(offset+((size_t) operand*number_planes) > pixel_info_length))
{
if (number_colormaps != 0)
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
Expand Down

0 comments on commit 139d432

Please sign in to comment.