Add additional checks to DCM reader to prevent data-driven faults (bu…
…g report from Hanno Böck
Cristy committed May 30, 2016
1 parent 88acca6 commit 5511ef5
Showing 2 changed files with 13 additions and 4 deletions.
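--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,8 @@
 https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=29626).
 * Don't interpret -fx option arguments (reference
 https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=29774);
+* Add additional checks to DCM reader to prevent data-driven faults (bug
+report from Hanno Böck).
 
 2016-05-21 7.0.1-6 Cristy <quetzlzacatenango@image...>
 * Release ImageMagick version 7.0.1-6, GIT revision 18241:d4f277c:20160521.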
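--- a/coders/dcm.c
+++ b/coders/dcm.c
@@ -3216,6 +3216,8 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
 /*
 Photometric interpretation.
 */
+if (data == (unsigned char *) NULL)
+break;
 for (i=0; i < (ssize_t) MagickMin(length,MagickPathExtent-1); i++)
 photometric[i]=(char) data[i];
 photometric[i]='\0';
@@ -3237,6 +3239,8 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
 /*
 Number of frames.
 */
+if (data == (unsigned char *) NULL)
+break;
 number_scenes=StringToUnsignedLong((char *) data);
 break;
 }
@@ -3674,7 +3678,7 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
 if (scale == (Quantum *) NULL)
 ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
 range=GetQuantumRange(depth);
-for (i=0; i < (ssize_t) (GetQuantumRange(depth)+1); i++)
+for (i=0; i <= (ssize_t) GetQuantumRange(depth); i++)
 scale[i]=ScaleAnyToQuantum((size_t) i,range);
 }
 if (image->compression == RLECompression)
@@ -3965,9 +3969,12 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception)
 pixel.blue&=mask;
 if (scale != (Quantum *) NULL)
 {
-pixel.red=scale[pixel.red];
-pixel.green=scale[pixel.green];
-pixel.blue=scale[pixel.blue];
+if (pixel.red <= GetQuantumRange(depth))
+pixel.red=scale[pixel.red];
+if (pixel.green <= GetQuantumRange(depth))
+pixel.green=scale[pixel.green];
+if (pixel.blue <= GetQuantumRange(depth))
+pixel.blue=scale[pixel.blue];
 }
 }
 SetPixelRed(image,(Quantum) pixel.red,q);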
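Review bot: In the last hunk (@@ -3965,9 +3969,12 @@) the new guards recompute the table bound from `depth` for every channel of every pixel, so they protect `scale[]` only if `depth` still has the value it had when the table was filled in the @@ -3674,7 +3678,7 @@ hunk; the allocation and any later writes to `depth` are outside the visible lines. Comparing against a length saved at allocation time would tie the check to the buffer itself, for example `if (pixel.red < scale_length) pixel.red=scale[pixel.red];`, where `scale_length` is a placeholder name for that saved value. A sample that fails the guard is still handed unscaled to `SetPixelRed`, which deserves either a comment such as `/* out-of-range sample from a malformed file: left unscaled */` or an explicit decision to reject the image. The loop in the -3674 hunk could also use the `range` assigned on the line above it instead of calling `GetQuantumRange(depth)` on each iteration. ReadDCMImage starts and ends outside all four hunks.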
