Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:Update
ImageMagick.4412
ImageMagick-CVE-2014-9843.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ImageMagick-CVE-2014-9843.patch of Package ImageMagick.4412
Index: ImageMagick-6.8.8-1/coders/psd.c =================================================================== --- ImageMagick-6.8.8-1.orig/coders/psd.c 2016-06-16 13:41:34.251371530 +0200 +++ ImageMagick-6.8.8-1/coders/psd.c 2016-06-16 13:47:29.865179635 +0200 @@ -316,6 +316,16 @@ static ssize_t DecodePSDPixels(const siz const unsigned char *compact_pixels,const ssize_t depth, const size_t number_pixels,unsigned char *pixels) { +#define CheckNumberCompactPixels \ + if (packets == 0) \ + return(i); \ + packets-- + +#define CheckNumberPixels(count) \ + if (((ssize_t) i + count) > (ssize_t) number_pixels) \ + return(i); \ + i+=count + int pixel; @@ -332,21 +342,22 @@ static ssize_t DecodePSDPixels(const siz packets=(ssize_t) number_compact_pixels; for (i=0; (packets > 1) && (i < (ssize_t) number_pixels); ) { + CheckNumberCompactPixels; length=(*compact_pixels++); - packets--; if (length == 128) continue; if (length > 128) { length=256-length+1; + CheckNumberCompactPixels; pixel=(*compact_pixels++); - packets--; for (j=0; j < (ssize_t) length; j++) { switch (depth) { case 1: { + CheckNumberPixels(8); *pixels++=(pixel >> 7) & 0x01 ? 0U : 255U; *pixels++=(pixel >> 6) & 0x01 ? 0U : 255U; *pixels++=(pixel >> 5) & 0x01 ? 0U : 255U; @@ -355,29 +366,28 @@ static ssize_t DecodePSDPixels(const siz *pixels++=(pixel >> 2) & 0x01 ? 0U : 255U; *pixels++=(pixel >> 1) & 0x01 ? 0U : 255U; *pixels++=(pixel >> 0) & 0x01 ? 0U : 255U; - i+=8; break; } case 4: { + CheckNumberPixels(2); *pixels++=(unsigned char) ((pixel >> 4) & 0xff); *pixels++=(unsigned char) ((pixel & 0x0f) & 0xff); - i+=2; break; } case 2: { + CheckNumberPixels(4); *pixels++=(unsigned char) ((pixel >> 6) & 0x03); *pixels++=(unsigned char) ((pixel >> 4) & 0x03); *pixels++=(unsigned char) ((pixel >> 2) & 0x03); *pixels++=(unsigned char) ((pixel & 0x03) & 0x03); - i+=4; break; } default: { + CheckNumberPixels(1); *pixels++=(unsigned char) pixel; - i++; break; } } @@ -391,6 +401,7 @@ static ssize_t DecodePSDPixels(const siz { case 1: { + CheckNumberPixels(8); *pixels++=(*compact_pixels >> 7) & 0x01 ? 0U : 255U; *pixels++=(*compact_pixels >> 6) & 0x01 ? 0U : 255U; *pixels++=(*compact_pixels >> 5) & 0x01 ? 0U : 255U; @@ -399,32 +410,32 @@ static ssize_t DecodePSDPixels(const siz *pixels++=(*compact_pixels >> 2) & 0x01 ? 0U : 255U; *pixels++=(*compact_pixels >> 1) & 0x01 ? 0U : 255U; *pixels++=(*compact_pixels >> 0) & 0x01 ? 0U : 255U; - i+=8; break; } case 4: { + CheckNumberPixels(2); *pixels++=(*compact_pixels >> 4) & 0xff; *pixels++=(*compact_pixels & 0x0f) & 0xff; - i+=2; break; } case 2: { + CheckNumberPixels(4); *pixels++=(*compact_pixels >> 6) & 0x03; *pixels++=(*compact_pixels >> 4) & 0x03; *pixels++=(*compact_pixels >> 2) & 0x03; *pixels++=(*compact_pixels & 0x03) & 0x03; - i+=4; break; } default: { + CheckNumberPixels(1); *pixels++=(*compact_pixels); - i++; break; } } + CheckNumberCompactPixels; compact_pixels++; } } @@ -845,13 +856,6 @@ static MagickStatusType ReadPSDChannelRL if ((MagickOffsetType) length < offsets[y]) length=(size_t) offsets[y]; - if (length > row_size + 256) // arbitrary number - { - pixels=(unsigned char *) RelinquishMagickMemory(pixels); - ThrowBinaryException(CoderError,"InvalidLength", - image->filename); - } - compact_pixels=(unsigned char *) AcquireQuantumMemory(length, sizeof(*pixels)); if (compact_pixels == (unsigned char *) NULL)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor