File ImageMagick-CVE-2016-10050.patch of Package ImageMagick.19143
From 73fb0aac5b958521e1511e179ecc0ad49f70ebaf Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sun, 5 Jun 2016 14:19:46 -0400
Subject: [PATCH] RLE check for pixel offset less than 0 (heap overflow report
from Craig Young).
---
ChangeLog | 2 ++
coders/rle.c | 10 ++++++----
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/coders/rle.c b/coders/rle.c
index c885b1f..09b99f6 100644
--- a/coders/rle.c
+++ b/coders/rle.c
@@ -178,11 +178,11 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
number_planes,
number_planes_filled,
one,
- offset,
pixel_info_length;
ssize_t
count,
+ offset,
y;
unsigned char
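Review bot: The declaration of `offset` in the `ssize_t` group carries no comment saying why it must be signed, yet the `offset < 0` checks added further down depend on it. The group it leaves appears to be an unsigned one (its type keyword is above the hunk), so moving the variable back during a cleanup would silently turn those checks into dead code. I would add `/* signed on purpose: a wrapped pixel offset must show up as negative */` beside the declaration. The declaration list starts and ends outside the hunk.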
@@ -395,7 +395,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
offset=((image->rows-y-1)*image->columns*number_planes)+x*
number_planes+plane;
operand++;
- if (offset+((size_t) operand*number_planes) > pixel_info_length)
+ if ((offset < 0) ||
+ (offset+((size_t) operand*number_planes) > pixel_info_length))
{
if (number_colormaps != 0)
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
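Review bot: The added guard rejects a negative `offset`, but the other term of the sum is still `(size_t) operand*number_planes`, and a negative `operand` would be converted to a very large unsigned value there. The declaration of `operand` and the code that reads it are outside the hunk, so this is inferred from the cast; if it is a signed type that can go negative, the unsigned sum can wrap and pass the `> pixel_info_length` test. Rejecting it in the same condition would close that gap: `if ((offset < 0) || (operand < 0) ||` followed by the existing second line. The same condition is repeated in the third hunk (`@@ -426,14 +427,15 @@`) and needs the same treatment. The enclosing block continues past the end of this hunk.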
@@ -426,14 +427,15 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
operand++;
offset=((image->rows-y-1)*image->columns*number_planes)+x*
number_planes+plane;
- p=pixels+offset;
- if (offset+((size_t) operand*number_planes) > pixel_info_length)
+ if ((offset < 0) ||
+ (offset+((size_t) operand*number_planes) > pixel_info_length))
{
if (number_colormaps != 0)
colormap=(unsigned char *) RelinquishMagickMemory(colormap);
pixel_info=RelinquishVirtualMemory(pixel_info);
ThrowReaderException(CorruptImageError,"UnableToReadImageData");
}
+ p=pixels+offset;
for (i=0; i < (ssize_t) operand; i++)
{
if ((y < (ssize_t) image->rows) &&
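Review bot: Nothing marks why `p=pixels+offset;` now sits below the bounds check, so a later tidy-up could hoist it back above the check and again form a pointer from an unvalidated offset. A one-line comment above the assignment would pin the ordering, e.g. `/* offset is validated above; only now derive the write pointer */`. The loop that follows is cut off at the end of the hunk, so its per-pixel checks are not reviewed here.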