Skip to content
Permalink
Browse files Browse the repository at this point in the history
Check for EOF conditions for RLE image format
  • Loading branch information
Cristy committed May 12, 2017
1 parent d4a7c38 commit f6240ee
Show file tree
Hide file tree
Showing 2 changed files with 64 additions and 26 deletions.
1 change: 1 addition & 0 deletions ChangeLog
Expand Up @@ -11,6 +11,7 @@
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31862).
* Ensure backwards compatibility for the -combine option (reference
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31855).
* Check for EOF conditions for RLE image format.

2017-04-24 7.0.5-5 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 7.0.5-5, GIT revision 19915:12eec43:20170424.
Expand Down
89 changes: 63 additions & 26 deletions coders/rle.c
Expand Up @@ -132,6 +132,14 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
#define ByteDataOp 0x05
#define RunDataOp 0x06
#define EOFOp 0x07
#define ThrowRLEException(exception,message) \
{ \
if (colormap != (unsigned char *) NULL) \
colormap=(unsigned char *) RelinquishMagickMemory(colormap); \
if (pixel_info != (MemoryInfo *) NULL) \
pixel_info=RelinquishVirtualMemory(pixel_info); \
ThrowReaderException((exception),(message)); \
}

char
magick[12];
Expand Down Expand Up @@ -206,6 +214,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
/*
Determine if this a RLE file.
*/
colormap=(unsigned char *) NULL;
pixel_info=(MemoryInfo *) NULL;
count=ReadBlob(image,2,(unsigned char *) magick);
if ((count != 2) || (memcmp(magick,"\122\314",2) != 0))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
Expand All @@ -214,8 +224,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
/*
Read image header.
*/
image->page.x=ReadBlobLSBShort(image);
image->page.y=ReadBlobLSBShort(image);
image->page.x=(ssize_t) ReadBlobLSBShort(image);
image->page.y=(ssize_t) ReadBlobLSBShort(image);
image->columns=ReadBlobLSBShort(image);
image->rows=ReadBlobLSBShort(image);
flags=(MagickStatusType) ReadBlobByte(image);
Expand All @@ -226,6 +236,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
map_length=(unsigned char) ReadBlobByte(image);
if (map_length >= 22)
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if (EOFBlob(image) != MagickFalse)
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
one=1;
map_length=one << map_length;
if ((number_planes == 0) || (number_planes == 2) ||
Expand Down Expand Up @@ -253,12 +265,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
if ((number_planes & 0x01) == 0)
(void) ReadBlobByte(image);
if (EOFBlob(image) != MagickFalse)
{
ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile",
image->filename);
break;
}
colormap=(unsigned char *) NULL;
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
if (number_colormaps != 0)
{
/*
Expand All @@ -271,8 +278,12 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
p=colormap;
for (i=0; i < (ssize_t) number_colormaps; i++)
for (x=0; x < (ssize_t) map_length; x++)
{
*p++=(unsigned char) ScaleQuantumToChar(ScaleShortToQuantum(
ReadBlobLSBShort(image)));
if (EOFBlob(image) != MagickFalse)
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
}
}
if ((flags & 0x08) != 0)
{
Expand Down Expand Up @@ -300,11 +311,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
}
}
if (EOFBlob(image) != MagickFalse)
{
ThrowFileException(exception,CorruptImageError,"UnexpectedEndOfFile",
image->filename);
break;
}
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
if (image->scene >= (image_info->scene+image_info->number_scenes-1))
break;
Expand Down Expand Up @@ -359,22 +366,32 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
x=0;
y=0;
opcode=ReadBlobByte(image);
if (opcode == EOF)
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
do
{
switch (opcode & 0x3f)
{
case SkipLinesOp:
{
operand=ReadBlobByte(image);
if (opcode == EOF)
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
if (opcode & 0x40)
operand=ReadBlobLSBSignedShort(image);
{
operand=ReadBlobLSBSignedShort(image);
if (opcode == EOF)
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
}
x=0;
y+=operand;
break;
}
case SetColorOp:
{
operand=ReadBlobByte(image);
if (opcode == EOF)
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
plane=(unsigned char) operand;
if (plane == 255)
plane=(unsigned char) (number_planes-1);
Expand All @@ -384,21 +401,33 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
case SkipPixelsOp:
{
operand=ReadBlobByte(image);
if (opcode == EOF)
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
if (opcode & 0x40)
operand=ReadBlobLSBSignedShort(image);
{
operand=ReadBlobLSBSignedShort(image);
if (opcode == EOF)
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
}
x+=operand;
break;
}
case ByteDataOp:
{
operand=ReadBlobByte(image);
if (opcode == EOF)
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
if (opcode & 0x40)
operand=ReadBlobLSBSignedShort(image);
offset=((image->rows-y-1)*image->columns*number_planes)+x*
number_planes+plane;
{
operand=ReadBlobLSBSignedShort(image);
if (opcode == EOF)
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
}
offset=(ssize_t) (((image->rows-y-1)*image->columns*number_planes)+x*
number_planes+plane);
operand++;
if ((offset < 0) ||
(offset+((size_t) operand*number_planes) > pixel_info_length))
((offset+operand*number_planes) > (ssize_t) pixel_info_length))
{
if (number_colormaps != 0)
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
Expand All @@ -422,15 +451,21 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
case RunDataOp:
{
operand=ReadBlobByte(image);
if (opcode == EOF)
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
if (opcode & 0x40)
operand=ReadBlobLSBSignedShort(image);
{
operand=ReadBlobLSBSignedShort(image);
if (opcode == EOF)
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
}
pixel=(unsigned char) ReadBlobByte(image);
(void) ReadBlobByte(image);
offset=((image->rows-y-1)*image->columns*number_planes)+x*
number_planes+plane;
offset=(ssize_t) (((image->rows-y-1)*image->columns*number_planes)+x*
number_planes+plane);
operand++;
if ((offset < 0) ||
(offset+((size_t) operand*number_planes) > pixel_info_length))
((offset+operand*number_planes) > (ssize_t) pixel_info_length))
{
if (number_colormaps != 0)
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
Expand All @@ -452,6 +487,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
break;
}
opcode=ReadBlobByte(image);
if (opcode == EOF)
ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
} while (((opcode & 0x3f) != EOFOp) && (opcode != EOF));
if (number_colormaps != 0)
{
Expand All @@ -467,7 +504,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
if (number_colormaps == 1)
for (i=0; i < (ssize_t) number_pixels; i++)
{
ValidateColormapValue(image,*p & mask,&index,exception);
ValidateColormapValue(image,(ssize_t) (*p & mask),&index,exception);
*p=colormap[(ssize_t) index];
p++;
}
Expand All @@ -476,7 +513,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
for (i=0; i < (ssize_t) number_pixels; i++)
for (x=0; x < (ssize_t) number_planes; x++)
{
ValidateColormapValue(image,(size_t) (x*map_length+
ValidateColormapValue(image,(ssize_t) (x*map_length+
(*p & mask)),&index,exception);
*p=colormap[(ssize_t) index];
p++;
Expand Down Expand Up @@ -570,7 +607,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
break;
for (x=0; x < (ssize_t) image->columns; x++)
{
SetPixelIndex(image,*p++,q);
SetPixelIndex(image,(Quantum) *p++,q);
q+=GetPixelChannels(image);
}
if (SyncAuthenticPixels(image,exception) == MagickFalse)
Expand Down

0 comments on commit f6240ee

Please sign in to comment.