File ImageMagick-CVE-2014-9843.patch of Package ImageMagick.29977
Index: ImageMagick-6.8.8-1/coders/psd.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/psd.c 2016-06-16 13:41:34.251371530 +0200
+++ ImageMagick-6.8.8-1/coders/psd.c 2016-06-16 13:47:29.865179635 +0200
@@ -316,6 +316,16 @@ static ssize_t DecodePSDPixels(const siz
const unsigned char *compact_pixels,const ssize_t depth,
const size_t number_pixels,unsigned char *pixels)
{
+#define CheckNumberCompactPixels \
+ if (packets == 0) \
+ return(i); \
+ packets--
+
+#define CheckNumberPixels(count) \
+ if (((ssize_t) i + count) > (ssize_t) number_pixels) \
+ return(i); \
+ i+=count
+
int
pixel;
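Review bot: Both new macros expand to an `if (...) return(i);` followed by a separate trailing statement (`packets--` / `i+=count`), with no `do { ... } while (0)` wrapper and with `count` unparenthesized. Every call site visible in this patch is a full statement inside a braced block, so it works today. If one is later placed under an unbraced `if` or `else`, the decrement or increment would run unconditionally and the bound would stop protecting the writes. Suggest `#define CheckNumberPixels(count) do { if (((ssize_t) i + (count)) > (ssize_t) number_pixels) return(i); i+=(count); } while (0)` and the same shape for `CheckNumberCompactPixels`. A one-line comment saying that a short return value means truncated or malformed input would also help callers. The function body continues outside this hunk.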
@@ -332,21 +342,22 @@ static ssize_t DecodePSDPixels(const siz
packets=(ssize_t) number_compact_pixels;
for (i=0; (packets > 1) && (i < (ssize_t) number_pixels); )
{
+ CheckNumberCompactPixels;
length=(*compact_pixels++);
- packets--;
if (length == 128)
continue;
if (length > 128)
{
length=256-length+1;
+ CheckNumberCompactPixels;
pixel=(*compact_pixels++);
- packets--;
for (j=0; j < (ssize_t) length; j++)
{
switch (depth)
{
case 1:
{
+ CheckNumberPixels(8);
*pixels++=(pixel >> 7) & 0x01 ? 0U : 255U;
*pixels++=(pixel >> 6) & 0x01 ? 0U : 255U;
*pixels++=(pixel >> 5) & 0x01 ? 0U : 255U;
@@ -355,29 +366,28 @@ static ssize_t DecodePSDPixels(const siz
*pixels++=(pixel >> 2) & 0x01 ? 0U : 255U;
*pixels++=(pixel >> 1) & 0x01 ? 0U : 255U;
*pixels++=(pixel >> 0) & 0x01 ? 0U : 255U;
- i+=8;
break;
}
case 4:
{
+ CheckNumberPixels(2);
*pixels++=(unsigned char) ((pixel >> 4) & 0xff);
*pixels++=(unsigned char) ((pixel & 0x0f) & 0xff);
- i+=2;
break;
}
case 2:
{
+ CheckNumberPixels(4);
*pixels++=(unsigned char) ((pixel >> 6) & 0x03);
*pixels++=(unsigned char) ((pixel >> 4) & 0x03);
*pixels++=(unsigned char) ((pixel >> 2) & 0x03);
*pixels++=(unsigned char) ((pixel & 0x03) & 0x03);
- i+=4;
break;
}
default:
{
+ CheckNumberPixels(1);
*pixels++=(unsigned char) pixel;
- i++;
break;
}
}
@@ -391,6 +401,7 @@ static ssize_t DecodePSDPixels(const siz
{
case 1:
{
+ CheckNumberPixels(8);
*pixels++=(*compact_pixels >> 7) & 0x01 ? 0U : 255U;
*pixels++=(*compact_pixels >> 6) & 0x01 ? 0U : 255U;
*pixels++=(*compact_pixels >> 5) & 0x01 ? 0U : 255U;
@@ -399,32 +410,32 @@ static ssize_t DecodePSDPixels(const siz
*pixels++=(*compact_pixels >> 2) & 0x01 ? 0U : 255U;
*pixels++=(*compact_pixels >> 1) & 0x01 ? 0U : 255U;
*pixels++=(*compact_pixels >> 0) & 0x01 ? 0U : 255U;
- i+=8;
break;
}
case 4:
{
+ CheckNumberPixels(2);
*pixels++=(*compact_pixels >> 4) & 0xff;
*pixels++=(*compact_pixels & 0x0f) & 0xff;
- i+=2;
break;
}
case 2:
{
+ CheckNumberPixels(4);
*pixels++=(*compact_pixels >> 6) & 0x03;
*pixels++=(*compact_pixels >> 4) & 0x03;
*pixels++=(*compact_pixels >> 2) & 0x03;
*pixels++=(*compact_pixels & 0x03) & 0x03;
- i+=4;
break;
}
default:
{
+ CheckNumberPixels(1);
*pixels++=(*compact_pixels);
- i++;
break;
}
}
+ CheckNumberCompactPixels;
compact_pixels++;
}
}
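Review bot: In the literal-copy branch, `CheckNumberCompactPixels;` sits after the `switch`, so each iteration has already dereferenced `*compact_pixels` and stored the decoded pixels before the remaining-input count is tested. When `packets` has reached 0 the loop therefore still reads one byte past the counted compressed data before returning. The run-length branch does it the other way round (`CheckNumberCompactPixels;` and only then `pixel=(*compact_pixels++);`). Moving the check to be the first statement of the enclosing loop body, ahead of the `switch`, puts the guard before the read here too. The loop header is outside this hunk, so confirm the placement against the full function.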
@@ -845,13 +856,6 @@ static MagickStatusType ReadPSDChannelRL
if ((MagickOffsetType) length < offsets[y])
length=(size_t) offsets[y];
- if (length > row_size + 256) // arbitrary number
- {
- pixels=(unsigned char *) RelinquishMagickMemory(pixels);
- ThrowBinaryException(CoderError,"InvalidLength",
- image->filename);
- }
-
compact_pixels=(unsigned char *) AcquireQuantumMemory(length,
sizeof(*pixels));
if (compact_pixels == (unsigned char *) NULL)
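Review bot: With the `length > row_size + 256` rejection removed, the size passed to `AcquireQuantumMemory(length, sizeof(*pixels))` is bounded only by the `offsets[y]` values, which presumably come from the file being parsed (the code that fills `offsets` is outside this hunk). The new checks in `DecodePSDPixels` stop an oversized row from overrunning `pixels`, but a malformed file can still request a very large `compact_pixels` buffer, limited only by the allocator and any configured resource limits. If the old cap was dropped because it rejected valid but inefficiently encoded rows, consider keeping a looser documented bound derived from `row_size` instead of none. At minimum add a comment explaining why the length is no longer validated here.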