Overview

File ImageMagick-CVE-2016-8683.patch of Package ImageMagick.23974

Index: ImageMagick-6.8.9-8/coders/pcx.c
===================================================================
--- ImageMagick-6.8.9-8.orig/coders/pcx.c	2016-10-18 14:55:38.757820367 +0200
+++ ImageMagick-6.8.9-8/coders/pcx.c	2016-10-18 14:57:04.087115909 +0200
@@ -279,6 +279,9 @@ static Image *ReadPCXImage(const ImageIn
     *pixels,
     *scanline;
 
+  off_t
+    file_size;
+
   /*
     Open image file.
   */
@@ -328,6 +331,7 @@ static Image *ReadPCXImage(const ImageIn
       if (offset < 0)
         ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     }
+  file_size=GetBlobSize(image);
   count=ReadBlob(image,1,&pcx_info.identifier);
   for (id=1; id < 1024; id++)
   {
@@ -395,6 +399,33 @@ static Image *ReadPCXImage(const ImageIn
     if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
       if (image->scene >= (image_info->scene+image_info->number_scenes-1))
         break;
+
+    /*
+      Check that filesize is reasonable given header
+    */
+    {
+      double
+        uncompressed_size;
+      
+      uncompressed_size=((double) image->rows*pcx_info.bytes_per_line*pcx_info.planes);
+      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                            "Uncompressed size: %.0f", uncompressed_size);
+      if (pcx_info.encoding == 0)
+        {
+          /* Not compressed */
+          if (uncompressed_size > file_size)
+            ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"
+                                 );
+        }
+      else
+        {
+          /* RLE compressed */
+          if (uncompressed_size > file_size*254.0)
+            ThrowReaderException(CorruptImageError,"InsufficientImageDataInFile"
+                                 );
+        }
+    }
+
     /*
       Read image data.
     */
openSUSE Build Service is sponsored by
Places