File ImageMagick-CVE-2016-10049.patch of Package ImageMagick.16891
From 3e9165285eda6e1bb71172031d3048b51bb443a4 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Tue, 17 May 2016 15:05:03 -0400
Subject: [PATCH]
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=29710
---
coders/rle.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
Index: ImageMagick-6.8.8-1/coders/rle.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/rle.c 2017-01-17 10:11:05.422914972 +0100
+++ ImageMagick-6.8.8-1/coders/rle.c 2017-01-17 10:41:17.096846142 +0100
@@ -62,6 +62,12 @@
#include "magick/string_.h"
#include "magick/module.h"
+static inline size_t MagickMax(const size_t x,const size_t y)
+{
+ if (x > y)
+ return(x);
+ return(y);
+}
/*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% %
@@ -306,11 +312,11 @@ static Image *ReadRLEImage(const ImageIn
number_planes_filled=(number_planes % 2 == 0) ? number_planes : number_planes+1;
if ((number_pixels*number_planes_filled) != (size_t) (number_pixels*number_planes_filled))
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- pixel_info_length=image->columns*image->rows*number_planes_filled;
- if (image->rows > (image->rows*number_planes_filled*sizeof(*pixels)))
+ pixel_info_length=image->columns*image->rows*MagickMax(number_planes_filled,4);
+ if (image->rows > (image->rows*MagickMax(number_planes_filled,4)*sizeof(*pixels)))
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
pixel_info=AcquireVirtualMemory(image->columns,image->rows*
- number_planes_filled*sizeof(*pixels));
+ MagickMax(number_planes_filled,4)*sizeof(*pixels));
if (pixel_info == (MemoryInfo *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info);
