Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:GA
ImageMagick
ImageMagick-CVE-2014-9846.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ImageMagick-CVE-2014-9846.patch of Package ImageMagick
Index: ImageMagick-6.8.9-8/coders/rle.c =================================================================== --- ImageMagick-6.8.9-8.orig/coders/rle.c 2014-05-25 01:25:53.000000000 +0200 +++ ImageMagick-6.8.9-8/coders/rle.c 2016-06-08 14:06:16.394915842 +0200 @@ -172,7 +172,9 @@ static Image *ReadRLEImage(const ImageIn map_length, number_colormaps, number_planes, - one; + one, + offset, + pixel_info_length; ssize_t count, @@ -301,8 +303,8 @@ static Image *ReadRLEImage(const ImageIn number_pixels=(MagickSizeType) image->columns*image->rows; if ((number_pixels*number_planes) != (size_t) (number_pixels*number_planes)) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); - pixel_info=AcquireVirtualMemory(image->columns,image->rows*number_planes* - sizeof(*pixels)); + pixel_info_length=image->columns*image->rows*(number_planes > 4 ? number_planes : 4); + pixel_info=AcquireVirtualMemory(pixel_info_length,sizeof(*pixels)); if (pixel_info == (MemoryInfo *) NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info); @@ -370,9 +372,17 @@ static Image *ReadRLEImage(const ImageIn operand=ReadBlobByte(image); if (opcode & 0x40) operand=(int) ReadBlobLSBShort(image); - p=pixels+((image->rows-y-1)*image->columns*number_planes)+ - x*number_planes+plane; + offset=((image->rows-y-1)*image->columns*number_planes)+x* + number_planes+plane; operand++; + if (offset+((size_t) operand*number_planes) > pixel_info_length) + { + if (number_colormaps != 0) + colormap=(unsigned char *) RelinquishMagickMemory(colormap); + pixel_info=RelinquishVirtualMemory(pixel_info); + ThrowReaderException(CorruptImageError,"UnableToReadImageData"); + } + p=pixels+offset; for (i=0; i < (ssize_t) operand; i++) { pixel=(unsigned char) ReadBlobByte(image); @@ -394,8 +404,16 @@ static Image *ReadRLEImage(const ImageIn pixel=(unsigned char) ReadBlobByte(image); (void) ReadBlobByte(image); operand++; - p=pixels+((image->rows-y-1)*image->columns*number_planes)+ - x*number_planes+plane; + offset=((image->rows-y-1)*image->columns*number_planes)+x* + number_planes+plane; + p=pixels+offset; + if (offset+((size_t) operand*number_planes) > pixel_info_length) + { + if (number_colormaps != 0) + colormap=(unsigned char *) RelinquishMagickMemory(colormap); + pixel_info=RelinquishVirtualMemory(pixel_info); + ThrowReaderException(CorruptImageError,"UnableToReadImageData"); + } for (i=0; i < (ssize_t) operand; i++) { if ((y < (ssize_t) image->rows) &&
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor