File ImageMagick-CVE-2016-10065.patch of Package ImageMagick.15344
From 76ac0460463c7f4eab8e58a5dd5cbb2bb012ccd3 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sun, 14 Feb 2016 10:40:23 -0500
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/129
---
coders/viff.c | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/coders/viff.c b/coders/viff.c
index b1c2153..f2e1094 100644
--- a/coders/viff.c
+++ b/coders/viff.c
@@ -137,6 +137,22 @@ static MagickBooleanType IsVIFF(const unsigned char *magick,const size_t length)
% o exception: return any errors or warnings in this structure.
%
*/
+
+static MagickBooleanType CheckMemoryOverflow(const size_t count,
+ const size_t quantum)
+{
+ size_t
+ size;
+
+ size=count*quantum;
+ if ((count == 0) || (quantum != (size/count)))
+ {
+ errno=ENOMEM;
+ return(MagickTrue);
+ }
+ return(MagickFalse);
+}
+
static Image *ReadVIFFImage(const ImageInfo *image_info,
ExceptionInfo *exception)
{
@@ -503,9 +519,17 @@ static Image *ReadVIFFImage(const ImageInfo *image_info,
default: bytes_per_pixel=1; break;
}
if (viff_info.data_storage_type == VFF_TYP_BIT)
- max_packets=((image->columns+7UL) >> 3UL)*image->rows;
+ {
+ if (CheckMemoryOverflow((image->columns+7UL) >> 3UL,image->rows) != MagickFalse)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ max_packets=((image->columns+7UL) >> 3UL)*image->rows;
+ }
else
- max_packets=(size_t) (number_pixels*viff_info.number_data_bands);
+ {
+ if (CheckMemoryOverflow(number_pixels,viff_info.number_data_bands) != MagickFalse)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ max_packets=(size_t) (number_pixels*viff_info.number_data_bands);
+ }
pixels=(unsigned char *) AcquireQuantumMemory(MagickMax(number_pixels,
max_packets),bytes_per_pixel*sizeof(*pixels));
if (pixels == (unsigned char *) NULL)