File ImageMagick-CVE-2019-15140.patch of Package ImageMagick.23974

Index: ImageMagick-6.8.8-1/coders/mat.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/mat.c	2019-09-05 10:40:40.710635493 +0200
+++ ImageMagick-6.8.8-1/coders/mat.c	2019-09-05 10:44:39.532037231 +0200
@@ -956,9 +956,11 @@ MATLAB_KO:
     }
 
   filepos = TellBlob(image);
-  while(!EOFBlob(image)) /* object parser loop */
+  while(filepos < GetBlobSize(image) && !EOFBlob(image)) /* object parser loop */
   {
     Frames = 1;
+    if(filepos > GetBlobSize(image) || filepos < 0)
+      break;
     (void) SeekBlob(image,filepos,SEEK_SET);
     /* printf("pos=%X\n",TellBlob(image)); */
 
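Review bot: The check added inside the loop, `if(filepos > GetBlobSize(image) || filepos < 0)`, looks unreachable, because the new `while` condition has just required `filepos < GetBlobSize(image)` and nothing changes filepos in between. Both comparisons also mix what appears to be a signed offset with the unsigned blob size; the declaration of filepos is outside the hunk, but if it is MagickOffsetType a negative value is converted to a very large unsigned number before the comparison, so the `filepos < 0` test never decides anything. Testing the sign first and casting explicitly makes the bound independent of the conversion rules: `while (filepos >= 0 && (MagickSizeType) filepos < GetBlobSize(image) && !EOFBlob(image))`, with the inner `if` dropped. The loop body continues outside the hunk.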
@@ -966,7 +968,7 @@ MATLAB_KO:
     if(EOFBlob(image)) break;
     MATLAB_HDR.ObjectSize = ReadBlobXXXLong(image);
     if(EOFBlob(image)) break;
-    if((MagickSizeType) (MATLAB_HDR.ObjectSize+filepos) > GetBlobSize(image))
+    if((MagickSizeType) (MATLAB_HDR.ObjectSize+filepos) >= GetBlobSize(image))
       goto MATLAB_KO;
     filepos += MATLAB_HDR.ObjectSize + 4 + 4;
 
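Review bot: The bound in `if((MagickSizeType) (MATLAB_HDR.ObjectSize+filepos) >= GetBlobSize(image))` leaves out the 8 header bytes that the following line adds (`filepos += MATLAB_HDR.ObjectSize + 4 + 4`). An object whose declared end lies up to 8 bytes past the blob therefore still passes here, and is stopped only by the loop condition on the next iteration, after the object has been parsed. The sum is also formed before the cast, so any wrap-around happens in the operands' own types, which are declared outside the hunk. Comparing the size against the bytes that remain avoids both problems: `if (MATLAB_HDR.ObjectSize > GetBlobSize(image) - (MagickSizeType) filepos - 8) goto MATLAB_KO;`. This relies on the two header reads above having succeeded, so that at least 8 bytes exist after filepos, and it should be confirmed against valid sample files.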
@@ -1233,6 +1235,7 @@ RestoreMSCWarning
   {
     if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),
              "  MAT cannot read scanrow %u from a file.", (unsigned)(MATLAB_HDR.SizeY-i-1));
+    ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
     goto ExitLoop;
   }
         if((CellType==miINT8 || CellType==miUINT8) && (MATLAB_HDR.StructureFlag & FLAG_LOGICAL))
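Review bot: The added `ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");` makes the `goto ExitLoop;` on the next line unreachable, because ThrowReaderException is a macro that returns a null image from the reader after closing the blob and destroying the image list (its definition is not on this page). Whatever cleanup sits at ExitLoop, which is outside this hunk and presumably releases the scanline buffer and cloned image info, is then skipped for a truncated file, so each malformed input can leak memory. Recording the error without returning keeps the existing cleanup path: call `ThrowMagickException(exception,GetMagickModule(),CorruptImageError,"UnexpectedEndOfFile",...)` with the image filename as the final argument and leave `goto ExitLoop;` in place. The enclosing block starts and ends outside the hunk.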