File ImageMagick-CVE-2014-9846.patch of Package ImageMagick.15344
Index: ImageMagick-6.8.9-8/coders/rle.c
===================================================================
--- ImageMagick-6.8.9-8.orig/coders/rle.c 2014-05-25 01:25:53.000000000 +0200
+++ ImageMagick-6.8.9-8/coders/rle.c 2016-06-08 14:06:16.394915842 +0200
@@ -172,7 +172,9 @@ static Image *ReadRLEImage(const ImageIn
map_length,
number_colormaps,
number_planes,
- one;
+ one,
+ offset,
+ pixel_info_length;
ssize_t
count,
@@ -301,8 +303,8 @@ static Image *ReadRLEImage(const ImageIn
number_pixels=(MagickSizeType) image->columns*image->rows;
if ((number_pixels*number_planes) != (size_t) (number_pixels*number_planes))
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- pixel_info=AcquireVirtualMemory(image->columns,image->rows*number_planes*
- sizeof(*pixels));
+ pixel_info_length=image->columns*image->rows*(number_planes > 4 ? number_planes : 4);
+ pixel_info=AcquireVirtualMemory(pixel_info_length,sizeof(*pixels));
if (pixel_info == (MemoryInfo *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
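Review bot: The overflow guard above `pixel_info_length` still tests `number_pixels*number_planes`, while the new length multiplies by `(number_planes > 4 ? number_planes : 4)`, so for fewer than four planes the product that is allocated is not the one that was checked. Where size_t is narrower than MagickSizeType, `image->columns*image->rows*4` could wrap to a too-small length, and any code outside this hunk that indexes the buffer by image dimensions rather than by `pixel_info_length` would not be covered. The guard should use the same multiplier, e.g. `if ((number_pixels*MagickMax(number_planes,4)) != (size_t) (number_pixels*MagickMax(number_planes,4)))`. The type line for `pixel_info_length` is outside the first hunk, so size_t is assumed here.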
@@ -370,9 +372,17 @@ static Image *ReadRLEImage(const ImageIn
operand=ReadBlobByte(image);
if (opcode & 0x40)
operand=(int) ReadBlobLSBShort(image);
- p=pixels+((image->rows-y-1)*image->columns*number_planes)+
- x*number_planes+plane;
+ offset=((image->rows-y-1)*image->columns*number_planes)+x*
+ number_planes+plane;
operand++;
+ if (offset+((size_t) operand*number_planes) > pixel_info_length)
+ {
+ if (number_colormaps != 0)
+ colormap=(unsigned char *) RelinquishMagickMemory(colormap);
+ pixel_info=RelinquishVirtualMemory(pixel_info);
+ ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+ }
+ p=pixels+offset;
for (i=0; i < (ssize_t) operand; i++)
{
pixel=(unsigned char) ReadBlobByte(image);
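Review bot: The added test `offset+((size_t) operand*number_planes) > pixel_info_length` can wrap, so it does not reject every out-of-range `offset`. `(image->rows-y-1)` is unsigned arithmetic, and the loop guard `y < (ssize_t) image->rows` visible in the last hunk suggests y may reach image->rows at this point, in which case `offset` becomes very large and the addition can wrap back under the limit before `p=pixels+offset` is formed. Comparing without the addition avoids that: `if ((offset > pixel_info_length) || (((size_t) operand*number_planes) > (pixel_info_length-offset)))`. The same expression is repeated in the following hunk and needs the same change. The type of `offset` is declared outside the visible lines and is assumed to be size_t.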
@@ -394,8 +404,16 @@ static Image *ReadRLEImage(const ImageIn
pixel=(unsigned char) ReadBlobByte(image);
(void) ReadBlobByte(image);
operand++;
- p=pixels+((image->rows-y-1)*image->columns*number_planes)+
- x*number_planes+plane;
+ offset=((image->rows-y-1)*image->columns*number_planes)+x*
+ number_planes+plane;
+ p=pixels+offset;
+ if (offset+((size_t) operand*number_planes) > pixel_info_length)
+ {
+ if (number_colormaps != 0)
+ colormap=(unsigned char *) RelinquishMagickMemory(colormap);
+ pixel_info=RelinquishVirtualMemory(pixel_info);
+ ThrowReaderException(CorruptImageError,"UnableToReadImageData");
+ }
for (i=0; i < (ssize_t) operand; i++)
{
if ((y < (ssize_t) image->rows) &&
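Review bot: `p=pixels+offset;` is assigned before `offset` has been validated in this hunk, whereas the previous hunk assigns it only after the check passes. Forming a pointer outside the allocation is undefined behaviour in C even if it is never dereferenced, so the assignment should move below the closing brace of the check, matching the earlier site. The two checks and their cleanup are otherwise identical copies, and a short comment such as `/* reject runs that would write past pixel_info */` above each would state the intent. The enclosing loop body continues past the end of the hunk.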