Skip to content

Commit f720661

Browse files
author
Cristy
committed
https://github.com/ImageMagick/ImageMagick/issues/1554
1 parent 3183a88 commit f720661

File tree

1 file changed

+5
-3
lines changed

1 file changed

+5
-3
lines changed

Diff for: coders/mat.c

+5-3
Original file line numberDiff line numberDiff line change
@@ -641,6 +641,7 @@ static Image *ReadMATImageV4(const ImageInfo *image_info,Image *image,
641641
Object parser loop.
642642
*/
643643
ldblk=ReadBlobLSBLong(image);
644+
if(EOFBlob(image)) break;
644645
if ((ldblk > 9999) || (ldblk < 0))
645646
break;
646647
HDR.Type[3]=ldblk % 10; ldblk /= 10; /* T digit */
@@ -961,10 +962,10 @@ static Image *ReadMATImage(const ImageInfo *image_info,ExceptionInfo *exception)
961962
}
962963

963964
filepos = TellBlob(image);
964-
while(!EOFBlob(image)) /* object parser loop */
965+
while(filepos < GetBlobSize(image) && !EOFBlob(image)) /* object parser loop */
965966
{
966967
Frames = 1;
967-
if (filepos != (unsigned int) filepos)
968+
if(filepos > GetBlobSize(image) || filepos < 0)
968969
break;
969970
if(SeekBlob(image,filepos,SEEK_SET) != filepos) break;
970971
/* printf("pos=%X\n",TellBlob(image)); */
@@ -973,7 +974,7 @@ static Image *ReadMATImage(const ImageInfo *image_info,ExceptionInfo *exception)
973974
if(EOFBlob(image)) break;
974975
MATLAB_HDR.ObjectSize = ReadBlobXXXLong(image);
975976
if(EOFBlob(image)) break;
976-
if((MagickSizeType) (MATLAB_HDR.ObjectSize+filepos) > GetBlobSize(image))
977+
if((MagickSizeType) (MATLAB_HDR.ObjectSize+filepos) >= GetBlobSize(image))
977978
goto MATLAB_KO;
978979
filepos += (MagickOffsetType) MATLAB_HDR.ObjectSize + 4 + 4;
979980

@@ -1276,6 +1277,7 @@ RestoreMSCWarning
12761277
{
12771278
if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),
12781279
" MAT cannot read scanrow %u from a file.", (unsigned)(MATLAB_HDR.SizeY-i-1));
1280+
ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
12791281
goto ExitLoop;
12801282
}
12811283
if((CellType==miINT8 || CellType==miUINT8) && (MATLAB_HDR.StructureFlag & FLAG_LOGICAL))

0 commit comments

Comments
 (0)