Skip to content

Commit

Permalink
https://github.com/ImageMagick/ImageMagick/issues/1269
Browse files Browse the repository at this point in the history
  • Loading branch information
Cristy committed Aug 27, 2018
1 parent 16916c8 commit afa878a
Showing 1 changed file with 27 additions and 0 deletions.
27 changes: 27 additions & 0 deletions coders/pict.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -982,6 +982,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
Clipping rectangle.
*/
length=ReadBlobMSBShort(image);
if (length > GetBlobSize(image))
ThrowPICTException(CorruptImageError,
"InsufficientImageDataInFile");
if (length != 0x000a)
{
for (i=0; i < (ssize_t) (length-2); i++)
Expand Down Expand Up @@ -1030,6 +1033,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
if (pattern != 1)
ThrowPICTException(CorruptImageError,"UnknownPatternType");
length=ReadBlobMSBShort(image);
if (length > GetBlobSize(image))
ThrowPICTException(CorruptImageError,
"InsufficientImageDataInFile");
if (ReadRectangle(image,&frame) == MagickFalse)
ThrowPICTException(CorruptImageError,"ImproperImageHeader");
if (ReadPixmap(image,&pixmap) == MagickFalse)
Expand All @@ -1041,6 +1047,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
(void) ReadBlobMSBLong(image);
flags=(ssize_t) ReadBlobMSBShort(image);
length=ReadBlobMSBShort(image);
if (length > GetBlobSize(image))
ThrowPICTException(CorruptImageError,
"InsufficientImageDataInFile");
for (i=0; i <= (ssize_t) length; i++)
(void) ReadBlobMSBLong(image);
width=(size_t) (frame.bottom-frame.top);
Expand Down Expand Up @@ -1101,6 +1110,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
Skip polygon or region.
*/
length=ReadBlobMSBShort(image);
if (length > GetBlobSize(image))
ThrowPICTException(CorruptImageError,
"InsufficientImageDataInFile");
for (i=0; i < (ssize_t) (length-2); i++)
if (ReadBlobByte(image) == EOF)
break;
Expand Down Expand Up @@ -1223,6 +1235,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
Skip region.
*/
length=ReadBlobMSBShort(image);
if (length > GetBlobSize(image))
ThrowPICTException(CorruptImageError,
"InsufficientImageDataInFile");
for (i=0; i < (ssize_t) (length-2); i++)
if (ReadBlobByte(image) == EOF)
break;
Expand Down Expand Up @@ -1345,6 +1360,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
*/
type=ReadBlobMSBShort(image);
length=ReadBlobMSBShort(image);
if (length > GetBlobSize(image))
ThrowPICTException(CorruptImageError,
"InsufficientImageDataInFile");
if (length == 0)
break;
(void) ReadBlobMSBLong(image);
Expand Down Expand Up @@ -1454,6 +1472,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
ThrowPICTException(FileOpenError,"UnableToCreateTemporaryFile");
}
length=ReadBlobMSBLong(image);
if (length > GetBlobSize(image))
ThrowPICTException(CorruptImageError,
"InsufficientImageDataInFile");
if (length > 154)
{
for (i=0; i < 6; i++)
Expand Down Expand Up @@ -1505,6 +1526,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
Skip reserved.
*/
length=ReadBlobMSBShort(image);
if (length > GetBlobSize(image))
ThrowPICTException(CorruptImageError,
"InsufficientImageDataInFile");
for (i=0; i < (ssize_t) length; i++)
if (ReadBlobByte(image) == EOF)
break;
Expand All @@ -1516,6 +1540,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
Skip reserved.
*/
length=(size_t) ((code >> 7) & 0xff);
if (length > GetBlobSize(image))
ThrowPICTException(CorruptImageError,
"InsufficientImageDataInFile");
for (i=0; i < (ssize_t) length; i++)
if (ReadBlobByte(image) == EOF)
break;
Expand Down

0 comments on commit afa878a

Please sign in to comment.