Skip to content
Permalink
Browse files Browse the repository at this point in the history
RLE check for pixel offset less than 0 (heap overflow report from Cra…
…ig Young).
  • Loading branch information
Cristy committed Jun 5, 2016
1 parent a33e0c0 commit 73fb0aa
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 4 deletions.
2 changes: 2 additions & 0 deletions ChangeLog
Expand Up @@ -4,6 +4,8 @@
2016-06-04 6.9.4-8 Cristy <quetzlzacatenango@image...>
* Deny indirect reads by policy, remove policy to permit, e.g.,
convert caption:@mytext.txt ...
* RLE check for pixel offset less than 0 (heap overflow report from Craig
Young).

2016-06-03 6.9.4-7 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 6.9.4-7, GIT revision 10847:339f803:20160602.
Expand Down
10 changes: 6 additions & 4 deletions coders/rle.c
Expand Up @@ -178,11 +178,11 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
number_planes,
number_planes_filled,
one,
offset,
pixel_info_length;

ssize_t
count,
offset,
y;

unsigned char
Expand Down Expand Up @@ -395,7 +395,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
offset=((image->rows-y-1)*image->columns*number_planes)+x*
number_planes+plane;
operand++;
if (offset+((size_t) operand*number_planes) > pixel_info_length)
if ((offset < 0) ||
(offset+((size_t) operand*number_planes) > pixel_info_length))
{
if (number_colormaps != 0)
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
Expand Down Expand Up @@ -426,14 +427,15 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
operand++;
offset=((image->rows-y-1)*image->columns*number_planes)+x*
number_planes+plane;
p=pixels+offset;
if (offset+((size_t) operand*number_planes) > pixel_info_length)
if ((offset < 0) ||
(offset+((size_t) operand*number_planes) > pixel_info_length))
{
if (number_colormaps != 0)
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
pixel_info=RelinquishVirtualMemory(pixel_info);
ThrowReaderException(CorruptImageError,"UnableToReadImageData");
}
p=pixels+offset;
for (i=0; i < (ssize_t) operand; i++)
{
if ((y < (ssize_t) image->rows) &&
Expand Down

0 comments on commit 73fb0aa

Please sign in to comment.