File ImageMagick-CVE-2017-14042.patch of Package ImageMagick.19143
Index: ImageMagick-6.8.8-1/coders/pnm.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/pnm.c 2017-12-13 14:25:46.190970191 +0100
+++ ImageMagick-6.8.8-1/coders/pnm.c 2017-12-13 14:40:00.339091156 +0100
@@ -149,87 +149,90 @@ static inline ssize_t ConstrainPixel(Ima
return(offset);
}
-static void PNMComment(Image *image)
-{
+static int PNMComment(Image *image)
+{
int
c;
-
+
char
*comment;
-
+
register char
*p;
-
+
size_t
extent;
-
+
/*
Read comment.
*/
comment=AcquireString(GetImageProperty(image,"comment"));
- extent=MaxTextExtent;
p=comment+strlen(comment);
- for (c='#'; (c != EOF) && (c != (int) '\n'); p++)
- {
+ extent=strlen(comment)+MaxTextExtent;
+ for (c='#'; (c != EOF) && (c != (int) '\n') && (c != (int) '\r'); p++)
+ {
if ((size_t) (p-comment+1) >= extent)
- {
+ {
extent<<=1;
- comment=(char *) ResizeQuantumMemory(comment,extent+MaxTextExtent,
- sizeof(*comment));
+ comment=(char *) ResizeQuantumMemory(comment,extent+MaxTextExtent,
+ sizeof(*comment));
if (comment == (char *) NULL)
break;
p=comment+strlen(comment);
}
c=ReadBlobByte(image);
if (c != EOF)
- {
+ {
*p=(char) c;
*(p+1)='\0';
}
}
if (comment == (char *) NULL)
- return;
+ return(c);
(void) SetImageProperty(image,"comment",comment);
comment=DestroyString(comment);
+ return(c);
}
static unsigned int PNMInteger(Image *image,const unsigned int base)
-{
+{
int
c;
-
+
unsigned int
value;
-
+
/*
Skip any leading whitespace.
*/
do
- {
+ {
c=ReadBlobByte(image);
if (c == EOF)
return(0);
if (c == (int) '#')
- PNMComment(image);
- } while (isdigit(c) == MagickFalse);
+ c=PNMComment(image);
+ } while ((c == ' ') || (c == '\t') || (c == '\n') || (c == '\r'));
if (base == 2)
return((unsigned int) (c-(int) '0'));
/*
Evaluate number.
*/
value=0;
- do
- {
- if (value > (unsigned int) (INT_MAX/10))
- break;
- value*=10;
- if (value > (INT_MAX-c))
- break;
- value+=c-(int) '0';
+ while (isdigit(c) != 0)
+ {
+ if (value <= (unsigned int) (INT_MAX/10))
+ {
+ value*=10;
+ if (value <= (unsigned int) (INT_MAX-(c-(int) '0')))
+ value+=c-(int) '0';
+ }
c=ReadBlobByte(image);
if (c == EOF)
- return(value);
- } while (isdigit(c) != MagickFalse);
+ return(0);
+ }
+ if (c == (int) '#')
+ c=PNMComment(image);
return(value);
}
@@ -345,7 +348,7 @@ static Image *ReadPNMImage(const ImageIn
/*
Comment.
*/
- PNMComment(image);
+ (void) PNMComment(image);
c=ReadBlobByte(image);
while (isspace((int) ((unsigned char) c)) != 0)
c=ReadBlobByte(image);
