Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Alexander_Naumov:SLE-12:Update
ImageMagick.29424
ImageMagick-CVE-2016-10050.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File ImageMagick-CVE-2016-10050.patch of Package ImageMagick.29424
From 73fb0aac5b958521e1511e179ecc0ad49f70ebaf Mon Sep 17 00:00:00 2001 From: Cristy <urban-warrior@imagemagick.org> Date: Sun, 5 Jun 2016 14:19:46 -0400 Subject: [PATCH] RLE check for pixel offset less than 0 (heap overflow report from Craig Young). --- ChangeLog | 2 ++ coders/rle.c | 10 ++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/coders/rle.c b/coders/rle.c index c885b1f..09b99f6 100644 --- a/coders/rle.c +++ b/coders/rle.c @@ -178,11 +178,11 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) number_planes, number_planes_filled, one, - offset, pixel_info_length; ssize_t count, + offset, y; unsigned char @@ -395,7 +395,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) offset=((image->rows-y-1)*image->columns*number_planes)+x* number_planes+plane; operand++; - if (offset+((size_t) operand*number_planes) > pixel_info_length) + if ((offset < 0) || + (offset+((size_t) operand*number_planes) > pixel_info_length)) { if (number_colormaps != 0) colormap=(unsigned char *) RelinquishMagickMemory(colormap); @@ -426,14 +427,15 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) operand++; offset=((image->rows-y-1)*image->columns*number_planes)+x* number_planes+plane; - p=pixels+offset; - if (offset+((size_t) operand*number_planes) > pixel_info_length) + if ((offset < 0) || + (offset+((size_t) operand*number_planes) > pixel_info_length)) { if (number_colormaps != 0) colormap=(unsigned char *) RelinquishMagickMemory(colormap); pixel_info=RelinquishVirtualMemory(pixel_info); ThrowReaderException(CorruptImageError,"UnableToReadImageData"); } + p=pixels+offset; for (i=0; i < (ssize_t) operand; i++) { if ((y < (ssize_t) image->rows) &&
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor