File ImageMagick-CVE-2019-15140.patch of Package ImageMagick

Overview Repositories Revisions Requests Users Attributes Meta

File ImageMagick-CVE-2019-15140.patch of Package ImageMagick

Index: ImageMagick-7.0.7-34/coders/mat.c
===================================================================
--- ImageMagick-7.0.7-34.orig/coders/mat.c	2019-09-05 10:33:16.352041978 +0200
+++ ImageMagick-7.0.7-34/coders/mat.c	2019-09-05 10:35:19.252748742 +0200
@@ -640,6 +640,7 @@ static Image *ReadMATImageV4(const Image
      Object parser loop.
     */
     ldblk=ReadBlobLSBLong(image);
+    if(EOFBlob(image)) break;
     if ((ldblk > 9999) || (ldblk < 0))
       break;
     HDR.Type[3]=ldblk % 10; ldblk /= 10;  /* T digit */
@@ -955,9 +956,11 @@ MATLAB_KO:
     }
 
   filepos = TellBlob(image);
-  while(!EOFBlob(image)) /* object parser loop */
+  while(filepos < GetBlobSize(image) && !EOFBlob(image)) /* object parser loop */
   {
     Frames = 1;
+    if(filepos > GetBlobSize(image) || filepos < 0)
+      break;
     if(SeekBlob(image,filepos,SEEK_SET) != filepos) break;
     /* printf("pos=%X\n",TellBlob(image)); */
 
@@ -965,7 +968,7 @@ MATLAB_KO:
     if(EOFBlob(image)) break;
     MATLAB_HDR.ObjectSize = ReadBlobXXXLong(image);
     if(EOFBlob(image)) break;
-    if((MagickSizeType) (MATLAB_HDR.ObjectSize+filepos) > GetBlobSize(image))
+    if((MagickSizeType) (MATLAB_HDR.ObjectSize+filepos) >= GetBlobSize(image))
       goto MATLAB_KO;
     filepos += MATLAB_HDR.ObjectSize + 4 + 4;
 
@@ -1266,6 +1269,7 @@ RestoreMSCWarning
           {
             if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),
               "  MAT cannot read scanrow %u from a file.", (unsigned)(MATLAB_HDR.SizeY-i-1));
+            ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
             goto ExitLoop;
           }
         if((CellType==miINT8 || CellType==miUINT8) && (MATLAB_HDR.StructureFlag & FLAG_LOGICAL))

Places

File ImageMagick-CVE-2019-15140.patch of Package ImageMagick

Places