Skip to content

Commit afa878a

Browse files
author
Cristy
committed
https://github.com/ImageMagick/ImageMagick/issues/1269
1 parent 16916c8 commit afa878a

File tree

1 file changed

+27
-0
lines changed

1 file changed

+27
-0
lines changed

Diff for: coders/pict.c

+27
Original file line numberDiff line numberDiff line change
@@ -982,6 +982,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
982982
Clipping rectangle.
983983
*/
984984
length=ReadBlobMSBShort(image);
985+
if (length > GetBlobSize(image))
986+
ThrowPICTException(CorruptImageError,
987+
"InsufficientImageDataInFile");
985988
if (length != 0x000a)
986989
{
987990
for (i=0; i < (ssize_t) (length-2); i++)
@@ -1030,6 +1033,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
10301033
if (pattern != 1)
10311034
ThrowPICTException(CorruptImageError,"UnknownPatternType");
10321035
length=ReadBlobMSBShort(image);
1036+
if (length > GetBlobSize(image))
1037+
ThrowPICTException(CorruptImageError,
1038+
"InsufficientImageDataInFile");
10331039
if (ReadRectangle(image,&frame) == MagickFalse)
10341040
ThrowPICTException(CorruptImageError,"ImproperImageHeader");
10351041
if (ReadPixmap(image,&pixmap) == MagickFalse)
@@ -1041,6 +1047,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
10411047
(void) ReadBlobMSBLong(image);
10421048
flags=(ssize_t) ReadBlobMSBShort(image);
10431049
length=ReadBlobMSBShort(image);
1050+
if (length > GetBlobSize(image))
1051+
ThrowPICTException(CorruptImageError,
1052+
"InsufficientImageDataInFile");
10441053
for (i=0; i <= (ssize_t) length; i++)
10451054
(void) ReadBlobMSBLong(image);
10461055
width=(size_t) (frame.bottom-frame.top);
@@ -1101,6 +1110,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
11011110
Skip polygon or region.
11021111
*/
11031112
length=ReadBlobMSBShort(image);
1113+
if (length > GetBlobSize(image))
1114+
ThrowPICTException(CorruptImageError,
1115+
"InsufficientImageDataInFile");
11041116
for (i=0; i < (ssize_t) (length-2); i++)
11051117
if (ReadBlobByte(image) == EOF)
11061118
break;
@@ -1223,6 +1235,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
12231235
Skip region.
12241236
*/
12251237
length=ReadBlobMSBShort(image);
1238+
if (length > GetBlobSize(image))
1239+
ThrowPICTException(CorruptImageError,
1240+
"InsufficientImageDataInFile");
12261241
for (i=0; i < (ssize_t) (length-2); i++)
12271242
if (ReadBlobByte(image) == EOF)
12281243
break;
@@ -1345,6 +1360,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
13451360
*/
13461361
type=ReadBlobMSBShort(image);
13471362
length=ReadBlobMSBShort(image);
1363+
if (length > GetBlobSize(image))
1364+
ThrowPICTException(CorruptImageError,
1365+
"InsufficientImageDataInFile");
13481366
if (length == 0)
13491367
break;
13501368
(void) ReadBlobMSBLong(image);
@@ -1454,6 +1472,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
14541472
ThrowPICTException(FileOpenError,"UnableToCreateTemporaryFile");
14551473
}
14561474
length=ReadBlobMSBLong(image);
1475+
if (length > GetBlobSize(image))
1476+
ThrowPICTException(CorruptImageError,
1477+
"InsufficientImageDataInFile");
14571478
if (length > 154)
14581479
{
14591480
for (i=0; i < 6; i++)
@@ -1505,6 +1526,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
15051526
Skip reserved.
15061527
*/
15071528
length=ReadBlobMSBShort(image);
1529+
if (length > GetBlobSize(image))
1530+
ThrowPICTException(CorruptImageError,
1531+
"InsufficientImageDataInFile");
15081532
for (i=0; i < (ssize_t) length; i++)
15091533
if (ReadBlobByte(image) == EOF)
15101534
break;
@@ -1516,6 +1540,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
15161540
Skip reserved.
15171541
*/
15181542
length=(size_t) ((code >> 7) & 0xff);
1543+
if (length > GetBlobSize(image))
1544+
ThrowPICTException(CorruptImageError,
1545+
"InsufficientImageDataInFile");
15191546
for (i=0; i < (ssize_t) length; i++)
15201547
if (ReadBlobByte(image) == EOF)
15211548
break;

0 commit comments

Comments
 (0)