Prevent buffer overflow in SIXEL, PDB, MAP, and CALS coders (bug repo…
…rt from Donghai Zhu)
Cristy committed Aug 23, 2016
1 parent 6661998 commit eedd0c3
Showing 5 changed files with 24 additions and 20 deletions.
2 changes: 2 additions & 0 deletions ChangeLog
@@ -1,6 +1,8 @@
2016-08-15 7.0.2-10 Cristy <quetzlzacatenango@image...>
* Prevent buffer overflow in BMP & SGI coders (bug report from
pwchen&rayzhong of tencent).
* Prevent buffer overflow in SIXEL, PDB, MAP, and CALS coders (bug report
from Donghai Zhu).

2016-08-14 7.0.2-9 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 7.0.2-9, GIT revision 18707:2c02f09:20160814.
21 changes: 11 additions & 10 deletions coders/map.c
@@ -396,22 +396,23 @@ static MagickBooleanType WriteMAPImage(const ImageInfo *image_info,Image *image,
Write colormap to file.
*/
q=colormap;
if (image->depth <= 8)
q=colormap;
if (image->colors <= 256)
for (i=0; i < (ssize_t) image->colors; i++)
{
*q++=(unsigned char) image->colormap[i].red;
*q++=(unsigned char) image->colormap[i].green;
*q++=(unsigned char) image->colormap[i].blue;
*q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].red);
*q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].green);
*q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].blue);
}
else
for (i=0; i < (ssize_t) image->colors; i++)
{
*q++=(unsigned char) ((size_t) image->colormap[i].red >> 8);
*q++=(unsigned char) image->colormap[i].red;
*q++=(unsigned char) ((size_t) image->colormap[i].green >> 8);
*q++=(unsigned char) image->colormap[i].green;
*q++=(unsigned char) ((size_t) image->colormap[i].blue >> 8);
*q++=(unsigned char) image->colormap[i].blue;
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].red) >> 8);
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].red) & 0xff);
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].green) >> 8);
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].green) & 0xff);;
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].blue) >> 8);
*q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].blue) & 0xff);
}
(void) WriteBlob(image,packet_size*image->colors,colormap);
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
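Review bot: The 3-byte and 6-byte stores through `q` are in bounds only if `colormap` was allocated with the same `image->colors > 256` test that now selects the branch, and both that allocation and `packet_size` are set outside this hunk. A comment above the branch, such as `/* entry width must match the packet_size used to allocate colormap */`, would record the invariant the fix depends on. Two small cleanups in the new lines: `q=colormap;` now appears twice in a row, and the green low-byte line ends in `;;`.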
3 changes: 2 additions & 1 deletion coders/pdb.c
@@ -826,7 +826,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image,
buffer=(unsigned char *) AcquireQuantumMemory(512,sizeof(*buffer));
if (buffer == (unsigned char *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
packet_size=(size_t) (image->depth > 8 ? 2: 1);
packet_size=(size_t) (image->depth > 8 ? 2 : 1);
scanline=(unsigned char *) AcquireQuantumMemory(image->columns,packet_size*
sizeof(*scanline));
if (scanline == (unsigned char *) NULL)
@@ -839,6 +839,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image,
quantum_info=AcquireQuantumInfo(image_info,image);
if (quantum_info == (QuantumInfo *) NULL)
ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
status=SetQuantumDepth(image,quantum_info,image->depth > 8 ? 16 : 8);
bits=8/(int) bits_per_pixel-1; /* start at most significant bits */
literal=0;
repeat=0;
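Review bot: The result of the added `SetQuantumDepth(image,quantum_info,image->depth > 8 ? 16 : 8)` call is stored in `status` but never tested in the visible lines, so a failure would leave the quantum depth unchanged while `scanline` stays sized for `packet_size` bytes per pixel. Testing it right after the call, e.g. `if (status == MagickFalse) ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");`, would stop the writer before any pixel data is exported into `scanline`. `quantum_info`, `scanline` and `buffer` would need releasing before that exit; the existing `quantum_info == NULL` exit just above also appears to skip releasing the two buffers. WritePDBImage continues outside the hunk, so a later check of `status` may exist.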
16 changes: 8 additions & 8 deletions coders/sixel.c
@@ -257,7 +257,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,

imsx = 2048;
imsy = 2048;
imbuf = (unsigned char *) AcquireQuantumMemory(imsx * imsy,1);
imbuf = (unsigned char *) AcquireQuantumMemory(imsx , imsy);

if (imbuf == NULL) {
return(MagickFalse);
@@ -284,7 +284,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
sixel_palet[n] = SIXEL_RGB(255, 255, 255);
}

(void) ResetMagickMemory(imbuf, background_color_index, imsx * imsy);
(void) ResetMagickMemory(imbuf, background_color_index, (size_t) imsx * imsy);

while (*p != '\0') {
if ((p[0] == '\033' && p[1] == 'P') || *p == 0x90) {
@@ -358,12 +358,12 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
if (imsx < attributed_ph || imsy < attributed_pv) {
dmsx = imsx > attributed_ph ? imsx : attributed_ph;
dmsy = imsy > attributed_pv ? imsy : attributed_pv;
dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1);
dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy);
if (dmbuf == (unsigned char *) NULL) {
imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
return (MagickFalse);
}
(void) ResetMagickMemory(dmbuf, background_color_index, dmsx * dmsy);
(void) ResetMagickMemory(dmbuf, background_color_index, (size_t) dmsx * dmsy);
for (y = 0; y < imsy; ++y) {
(void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + imsx * y, imsx);
}
@@ -432,12 +432,12 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,

dmsx = nx;
dmsy = ny;
dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1);
dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy);
if (dmbuf == (unsigned char *) NULL) {
imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
return (MagickFalse);
}
(void) ResetMagickMemory(dmbuf, background_color_index, dmsx * dmsy);
(void) ResetMagickMemory(dmbuf, background_color_index, (size_t) dmsx * dmsy);
for (y = 0; y < imsy; ++y) {
(void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + imsx * y, imsx);
}
@@ -482,7 +482,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
c <<= 1;
}
for (y = posision_y + i; y < posision_y + i + n; ++y) {
(void) ResetMagickMemory(imbuf + imsx * y + posision_x, color_index, repeat_count);
(void) ResetMagickMemory(imbuf + (size_t) imsx * y + posision_x, color_index, repeat_count);
}
if (max_x < (posision_x + repeat_count - 1)) {
max_x = posision_x + repeat_count - 1;
@@ -515,7 +515,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p,
if (imsx > max_x || imsy > max_y) {
dmsx = max_x;
dmsy = max_y;
if ((dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1)) == NULL) {
if ((dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy)) == NULL) {
imbuf = (unsigned char *) RelinquishMagickMemory(imbuf);
return (MagickFalse);
}
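Review bot: The two row-copy loops still compute `dmbuf + dmsx * y` and `imbuf + imsx * y` in the operands' own type, while the neighbouring `ResetMagickMemory` calls gained `(size_t)` casts for the same kind of product. If these variables are `int` (the added casts suggest so; the declarations are outside the hunks), large dimensions can overflow the offset before it is added to the pointer. The same widening applies in both loops: `(void) CopyMagickMemory(dmbuf + (size_t) dmsx * y, imbuf + (size_t) imsx * y, imsx);`. Separately, the store at `imbuf + (size_t) imsx * y + posision_x` is in bounds only if `posision_x + repeat_count` and `y` were checked against `imsx` and `imsy` earlier in sixel_decode, which is not visible here.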
2 changes: 1 addition & 1 deletion coders/tiff.c
@@ -2493,8 +2493,8 @@ static MagickBooleanType WriteGROUP4Image(const ImageInfo *image_info,
(void) SetImageType(huffman_image,BilevelType,exception);
write_info=CloneImageInfo((ImageInfo *) NULL);
SetImageInfoFile(write_info,file);
(void) SetImageType(image,BilevelType,exception);
(void) SetImageDepth(image,1,exception);
(void) SetImageType(image,BilevelType,exception);
write_info->compression=Group4Compression;
write_info->type=BilevelType;
(void) SetImageOption(write_info,"quantum:polarity","min-is-white");
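Review bot: No comment explains why the position of `SetImageType(image,BilevelType,exception)` relative to `SetImageDepth(image,1,exception)` matters, and the commit title does not mention the TIFF coder, so a later cleanup could silently revert the reorder. A one-line comment above the pair, such as `/* Force 1-bit bilevel before Group4 encoding; call order is intentional. */`, would document it. Both calls also discard their result with `(void)`, so the Group4 path continues even if the image could not be reduced to 1-bit bilevel. The rendered page prints the `SetImageType` line twice without markers, so which position is the new one cannot be read from here.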