@@ -982,6 +982,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
982982 Clipping rectangle.
983983 */
984984 length = ReadBlobMSBShort (image );
985+ if (length > GetBlobSize (image ))
986+ ThrowPICTException (CorruptImageError ,
987+ "InsufficientImageDataInFile" );
985988 if (length != 0x000a )
986989 {
987990 for (i = 0 ; i < (ssize_t ) (length - 2 ); i ++ )
@@ -1030,6 +1033,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
10301033 if (pattern != 1 )
10311034 ThrowPICTException (CorruptImageError ,"UnknownPatternType" );
10321035 length = ReadBlobMSBShort (image );
1036+ if (length > GetBlobSize (image ))
1037+ ThrowPICTException (CorruptImageError ,
1038+ "InsufficientImageDataInFile" );
10331039 if (ReadRectangle (image ,& frame ) == MagickFalse )
10341040 ThrowPICTException (CorruptImageError ,"ImproperImageHeader" );
10351041 if (ReadPixmap (image ,& pixmap ) == MagickFalse )
@@ -1041,6 +1047,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
10411047 (void ) ReadBlobMSBLong (image );
10421048 flags = (ssize_t ) ReadBlobMSBShort (image );
10431049 length = ReadBlobMSBShort (image );
1050+ if (length > GetBlobSize (image ))
1051+ ThrowPICTException (CorruptImageError ,
1052+ "InsufficientImageDataInFile" );
10441053 for (i = 0 ; i <= (ssize_t ) length ; i ++ )
10451054 (void ) ReadBlobMSBLong (image );
10461055 width = (size_t ) (frame .bottom - frame .top );
@@ -1101,6 +1110,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
11011110 Skip polygon or region.
11021111 */
11031112 length = ReadBlobMSBShort (image );
1113+ if (length > GetBlobSize (image ))
1114+ ThrowPICTException (CorruptImageError ,
1115+ "InsufficientImageDataInFile" );
11041116 for (i = 0 ; i < (ssize_t ) (length - 2 ); i ++ )
11051117 if (ReadBlobByte (image ) == EOF )
11061118 break ;
@@ -1223,6 +1235,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
12231235 Skip region.
12241236 */
12251237 length = ReadBlobMSBShort (image );
1238+ if (length > GetBlobSize (image ))
1239+ ThrowPICTException (CorruptImageError ,
1240+ "InsufficientImageDataInFile" );
12261241 for (i = 0 ; i < (ssize_t ) (length - 2 ); i ++ )
12271242 if (ReadBlobByte (image ) == EOF )
12281243 break ;
@@ -1345,6 +1360,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
13451360 */
13461361 type = ReadBlobMSBShort (image );
13471362 length = ReadBlobMSBShort (image );
1363+ if (length > GetBlobSize (image ))
1364+ ThrowPICTException (CorruptImageError ,
1365+ "InsufficientImageDataInFile" );
13481366 if (length == 0 )
13491367 break ;
13501368 (void ) ReadBlobMSBLong (image );
@@ -1454,6 +1472,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
14541472 ThrowPICTException (FileOpenError ,"UnableToCreateTemporaryFile" );
14551473 }
14561474 length = ReadBlobMSBLong (image );
1475+ if (length > GetBlobSize (image ))
1476+ ThrowPICTException (CorruptImageError ,
1477+ "InsufficientImageDataInFile" );
14571478 if (length > 154 )
14581479 {
14591480 for (i = 0 ; i < 6 ; i ++ )
@@ -1505,6 +1526,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
15051526 Skip reserved.
15061527 */
15071528 length = ReadBlobMSBShort (image );
1529+ if (length > GetBlobSize (image ))
1530+ ThrowPICTException (CorruptImageError ,
1531+ "InsufficientImageDataInFile" );
15081532 for (i = 0 ; i < (ssize_t ) length ; i ++ )
15091533 if (ReadBlobByte (image ) == EOF )
15101534 break ;
@@ -1516,6 +1540,9 @@ static Image *ReadPICTImage(const ImageInfo *image_info,
15161540 Skip reserved.
15171541 */
15181542 length = (size_t ) ((code >> 7 ) & 0xff );
1543+ if (length > GetBlobSize (image ))
1544+ ThrowPICTException (CorruptImageError ,
1545+ "InsufficientImageDataInFile" );
15191546 for (i = 0 ; i < (ssize_t ) length ; i ++ )
15201547 if (ReadBlobByte (image ) == EOF )
15211548 break ;
0 commit comments