Skip to content
Permalink
Browse files Browse the repository at this point in the history
There is a Division by Zero in function OptimizeLayerFrames (#2743)
in file MagickCore/layer.c. cur->ticks_per_seconds can be zero
with a crafted input argument *image. This is similar to
CVE-2019-13454.
  • Loading branch information
bonniegong committed Oct 19, 2020
1 parent 05cac32 commit ef59bd7
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions MagickCore/layer.c
Expand Up @@ -1352,11 +1352,13 @@ static Image *OptimizeLayerFrames(const Image *image,const LayerMethod method,
if ( disposals[i] == DelDispose ) {
size_t time = 0;
while ( disposals[i] == DelDispose ) {
time += curr->delay*1000/curr->ticks_per_second;
time +=(size_t) (curr->delay*1000*
PerceptibleReciprocal((double) curr->ticks_per_second));
curr=GetNextImageInList(curr);
i++;
}
time += curr->delay*1000/curr->ticks_per_second;
time += (size_t)(curr->delay*1000*
PerceptibleReciprocal((double) curr->ticks_per_second));
prev_image->ticks_per_second = 100L;
prev_image->delay = time*prev_image->ticks_per_second/1000;
}
Expand Down

0 comments on commit ef59bd7

Please sign in to comment.