Commit 139d4323 by Cristy

RLE check for pixel offset less than 0 (heap overflow report from Craig Young)

parent f3132f96
Showing with 7 additions and 3 deletions
......@@ -4,6 +4,8 @@
2016-06-04 7.0.1-10 Cristy <quetzlzacatenango@image...>
* Deny indirect reads by policy, remove policy to permit, e.g.,
convert caption:@mytext.txt ...
* RLE check for pixel offset less than 0 (heap overflow report from Craig
Young).
2016-06-03 7.0.1-9 Cristy <quetzlzacatenango@image...>
* Release ImageMagick version 7.0.1-9, GIT revision 10847:339f803:20160602.
......
......@@ -175,11 +175,11 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
number_planes,
number_planes_filled,
one,
offset,
pixel_info_length;
ssize_t
count,
offset,
y;
unsigned char
......@@ -389,7 +389,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
offset=((image->rows-y-1)*image->columns*number_planes)+x*
number_planes+plane;
operand++;
if (offset+((size_t) operand*number_planes) > pixel_info_length)
if ((offset < 0) ||
(offset+((size_t) operand*number_planes) > pixel_info_length))
{
if (number_colormaps != 0)
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
......@@ -420,7 +421,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
offset=((image->rows-y-1)*image->columns*number_planes)+x*
number_planes+plane;
operand++;
if (offset+((size_t) operand*number_planes) > pixel_info_length)
if ((offset < 0) ||
(offset+((size_t) operand*number_planes) > pixel_info_length))
{
if (number_colormaps != 0)
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
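Review bot: The second half of the new guard, `offset+((size_t) operand*number_planes) > pixel_info_length`, is still an unsigned addition at both call sites (this hunk and the @@ -389 hunk above), so a very large right-hand term can wrap the sum and pass the check. `operand` is declared and read outside these hunks; if it can be negative before `operand++`, the `(size_t)` cast turns it into a huge count, so it looks worth rejecting that case and comparing by subtraction: `if ((offset < 0) || (operand < 0) ||` `((size_t) offset > pixel_info_length) ||` `((size_t) operand*number_planes > pixel_info_length-(size_t) offset))`. The offset expression itself appears to be evaluated in unsigned arithmetic (everything but `y` looks like `size_t`), so `offset < 0` relies on the wrapped value converting to a negative `ssize_t`; a short comment saying so would help the next reader. The guard is duplicated verbatim in both places, and ReadRLEImage's body continues outside the hunks.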
......