1032 length=ReadBlobMSBShort(image);
1033 if (ReadRectangle(image,&frame) == MagickFalse)
1034 ThrowPICTException(CorruptImageError,"ImproperImageHeader");
1035 if (ReadPixmap(image,&pixmap) == MagickFalse)
1036 ThrowPICTException(CorruptImageError,"ImproperImageHeader");
...
1043 length=ReadBlobMSBShort(image);
1044 for (i=0; i <= (ssize_t) length; i++)
1045 (void) ReadBlobMSBLong(image);
1046 width=(size_t) (frame.bottom-frame.top);
1047 height=(size_t) (frame.right-frame.left);
...
1098 case 0x77:
1099 {
1100 /*
1101 Skip polygon or region.
1102 */
1103 length=ReadBlobMSBShort(image);
1104 for (i=0; i < (ssize_t) (length-2); i++)
1105 if (ReadBlobByte(image) == EOF)
1106 break;
1107 break;
1108 }
...
1220 if ((code == 0x91) || (code == 0x99) || (code == 0x9b))
1221 {
1222 /*
1223 Skip region.
1224 */
1225 length=ReadBlobMSBShort(image);
1226 for (i=0; i < (ssize_t) (length-2); i++)
1227 if (ReadBlobByte(image) == EOF)
1228 break;
1229 }
(coders/pict.c)
In my opinion, we should check whether length is bigger than GetBlobSize(image) or not. If condition length > GetBlobSize(image) satisfies, we should throw exception like ThrowDCMException(CorruptImageError,"InsufficientImageDataInFile").
ImageMagick version: latest version
The text was updated successfully, but these errors were encountered:
Prerequisites
Description
There are two missing check for variable length.
(coders/dcm.c)
(coders/pict.c)
In my opinion, we should check whether
lengthis bigger thanGetBlobSize(image)or not. If conditionlength > GetBlobSize(image)satisfies, we should throw exception likeThrowDCMException(CorruptImageError,"InsufficientImageDataInFile").The text was updated successfully, but these errors were encountered: