File ImageMagick-CVE-2018-16644.patch of Package ImageMagick.8831

Index: ImageMagick-6.8.8-1/coders/pict.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/pict.c	2018-09-10 14:27:47.235975919 +0200
+++ ImageMagick-6.8.8-1/coders/pict.c	2018-09-10 14:27:48.047980070 +0200
@@ -946,6 +946,9 @@ static Image *ReadPICTImage(const ImageI
               Clipping rectangle.
             */
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             if (length != 0x000a)
               {
                 for (i=0; i < (ssize_t) (length-2); i++)
@@ -987,6 +990,9 @@ static Image *ReadPICTImage(const ImageI
             if (pattern != 1)
               ThrowReaderException(CorruptImageError,"UnknownPatternType");
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             if (ReadRectangle(image,&frame) == MagickFalse)
               ThrowReaderException(CorruptImageError,"ImproperImageHeader");
             if (ReadPixmap(image,&pixmap) == MagickFalse)
@@ -998,6 +1004,9 @@ static Image *ReadPICTImage(const ImageI
             (void) ReadBlobMSBLong(image);
             flags=1L*ReadBlobMSBShort(image);
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             for (i=0; i <= (ssize_t) length; i++)
               (void) ReadBlobMSBLong(image);
             width=1UL*(frame.bottom-frame.top);
@@ -1049,6 +1058,9 @@ static Image *ReadPICTImage(const ImageI
               Skip polygon or region.
             */
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             for (i=0; i < (ssize_t) (length-2); i++)
               (void) ReadBlobByte(image);
             break;
@@ -1182,6 +1194,9 @@ static Image *ReadPICTImage(const ImageI
                   Skip region.
                 */
                 length=ReadBlobMSBShort(image);
+                if (length > GetBlobSize(image))
+                  ThrowPICTException(CorruptImageError,
+                    "InsufficientImageDataInFile");
                 for (i=0; i < (ssize_t) (length-2); i++)
                   (void) ReadBlobByte(image);
               }
@@ -1310,6 +1325,9 @@ static Image *ReadPICTImage(const ImageI
             */
             type=ReadBlobMSBShort(image);
             length=ReadBlobMSBShort(image);
+            if (length > GetBlobSize(image))
+              ThrowPICTException(CorruptImageError,
+                "InsufficientImageDataInFile");
             if (length == 0)
               break;
             (void) ReadBlobMSBLong(image);
@@ -1421,6 +1439,9 @@ static Image *ReadPICTImage(const ImageI
             return((Image *) NULL);
           }
         length=ReadBlobMSBLong(image);
+        if (length > GetBlobSize(image))
+          ThrowPICTException(CorruptImageError,
+            "InsufficientImageDataInFile");
         for (i=0; i < 6; i++)
           (void) ReadBlobMSBLong(image);
         if (ReadRectangle(image,&frame) == MagickFalse)
@@ -1464,6 +1485,9 @@ static Image *ReadPICTImage(const ImageI
           Skip reserved.
         */
         length=ReadBlobMSBShort(image);
+        if (length > GetBlobSize(image))
+          ThrowPICTException(CorruptImageError,
+            "InsufficientImageDataInFile");
         for (i=0; i < (ssize_t) length; i++)
           (void) ReadBlobByte(image);
         continue;
@@ -1474,6 +1498,9 @@ static Image *ReadPICTImage(const ImageI
           Skip reserved.
         */
         length=(size_t) ((code >> 7) & 0xff);
+        if (length > GetBlobSize(image))
+          ThrowPICTException(CorruptImageError,
+            "InsufficientImageDataInFile");
         for (i=0; i < (ssize_t) length; i++)
           (void) ReadBlobByte(image);
         continue;
Index: ImageMagick-6.8.8-1/coders/dcm.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/dcm.c	2018-09-10 14:27:47.379976656 +0200
+++ ImageMagick-6.8.8-1/coders/dcm.c	2018-09-10 14:28:16.372124858 +0200
@@ -3599,6 +3599,8 @@ static Image *ReadDCMImage(const ImageIn
 
         tag=(ReadBlobLSBShort(image) << 16) | ReadBlobLSBShort(image);
         length=(size_t) ReadBlobLSBLong(image);
+        if (length > (size_t) GetBlobSize(image))
+          ThrowDCMException(CorruptImageError,"InsufficientImageDataInFile");
         if (tag == 0xFFFEE0DD)
           break; /* sequence delimiter tag */
         if (tag != 0xFFFEE000)
openSUSE Build Service is sponsored by