Overview

File ImageMagick-CVE-2017-9144.patch of Package ImageMagick.19143

Index: ImageMagick-6.8.8-1/coders/rle.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/rle.c	2017-05-31 10:07:55.564947172 +0200
+++ ImageMagick-6.8.8-1/coders/rle.c	2017-05-31 10:41:13.947605528 +0200
@@ -138,6 +138,15 @@ static Image *ReadRLEImage(const ImageIn
 #define ByteDataOp  0x05
 #define RunDataOp  0x06
 #define EOFOp  0x07
+#define ThrowRLEException(exception,message) \
+{ \
+  if (colormap != (unsigned char *) NULL) \
+    colormap=(unsigned char *) RelinquishMagickMemory(colormap); \
+  if (pixel_info != (MemoryInfo *) NULL) \
+    pixel_info=RelinquishVirtualMemory(pixel_info); \
+  ThrowReaderException((exception),(message)); \
+}
+
 
   char
     magick[12];
@@ -215,6 +224,8 @@ static Image *ReadRLEImage(const ImageIn
   /*
     Determine if this a RLE file.
   */
+  colormap=(unsigned char *) NULL;
+  pixel_info=(MemoryInfo *) NULL;
   count=ReadBlob(image,2,(unsigned char *) magick);
   if ((count == 0) || (memcmp(magick,"\122\314",2) != 0))
     ThrowReaderException(CorruptImageError,"ImproperImageHeader");
@@ -235,6 +246,8 @@ static Image *ReadRLEImage(const ImageIn
     map_length=(unsigned char) ReadBlobByte(image);
     if (map_length >= 22)
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+    if (EOFBlob(image) != MagickFalse)
+      ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
     one=1;
     map_length=one << map_length;
     if ((number_planes == 0) || (number_planes == 2) || (bits_per_pixel != 8) ||
@@ -258,6 +271,8 @@ static Image *ReadRLEImage(const ImageIn
         for (i=0; i < (ssize_t) number_planes; i++)
           *p++=(unsigned char) ReadBlobByte(image);
       }
+    if (EOFBlob(image) != MagickFalse)
+      ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
     if ((number_planes & 0x01) == 0)
       (void) ReadBlobByte(image);
     colormap=(unsigned char *) NULL;
@@ -273,8 +288,12 @@ static Image *ReadRLEImage(const ImageIn
         p=colormap;
         for (i=0; i < (ssize_t) number_colormaps; i++)
           for (x=0; x < (ssize_t) map_length; x++)
+          {
             *p++=(unsigned char) ScaleQuantumToChar(ScaleShortToQuantum(
               ReadBlobLSBShort(image)));
+            if (EOFBlob(image) != MagickFalse)
+              ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
+          }
       }
     if ((flags & 0x08) != 0)
       {
@@ -301,6 +320,8 @@ static Image *ReadRLEImage(const ImageIn
               (void) ReadBlobByte(image);
           }
       }
+    if (EOFBlob(image) != MagickFalse)
+      ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
     if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0))
       if (image->scene >= (image_info->scene+image_info->number_scenes-1))
         break;
@@ -351,6 +372,8 @@ static Image *ReadRLEImage(const ImageIn
     x=0;
     y=0;
     opcode=ReadBlobByte(image);
+    if (opcode == EOF)
+      ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
     do
     {
       switch (opcode & 0x3f)
@@ -358,8 +381,14 @@ static Image *ReadRLEImage(const ImageIn
         case SkipLinesOp:
         {
           operand=ReadBlobByte(image);
+          if (operand == EOF)
+            ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
           if (opcode & 0x40)
+          {
             operand=(int) ReadBlobLSBShort(image);
+            if (operand == EOF)
+              ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
+          }
           x=0;
           y+=operand;
           break;
@@ -367,6 +396,8 @@ static Image *ReadRLEImage(const ImageIn
         case SetColorOp:
         {
           operand=ReadBlobByte(image);
+          if (operand == EOF)
+            ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
           plane=(unsigned char) operand;
           if (plane == 255)
             plane=(unsigned char) (number_planes-1);
@@ -376,16 +407,28 @@ static Image *ReadRLEImage(const ImageIn
         case SkipPixelsOp:
         {
           operand=ReadBlobByte(image);
+          if (operand == EOF)
+            ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
           if (opcode & 0x40)
+          {
             operand=(int) ReadBlobLSBShort(image);
+            if (operand == EOF)
+              ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
+          }
           x+=operand;
           break;
         }
         case ByteDataOp:
         {
           operand=ReadBlobByte(image);
+          if (operand == EOF)
+            ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
           if (opcode & 0x40)
+          {
             operand=(int) ReadBlobLSBShort(image);
+            if (operand == EOF)
+              ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
+          }
           offset=((image->rows-y-1)*image->columns*number_planes)+x*
             number_planes+plane;
           operand++;
@@ -414,8 +457,14 @@ static Image *ReadRLEImage(const ImageIn
         case RunDataOp:
         {
           operand=ReadBlobByte(image);
+          if (operand == EOF)
+            ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
           if (opcode & 0x40)
+          {
             operand=(int) ReadBlobLSBShort(image);
+            if (operand == EOF)
+              ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
+          }
           pixel=(unsigned char) ReadBlobByte(image);
           (void) ReadBlobByte(image);
           operand++;
@@ -444,6 +493,8 @@ static Image *ReadRLEImage(const ImageIn
           break;
       }
       opcode=ReadBlobByte(image);
+      if (opcode == EOF)
+        ThrowRLEException(CorruptImageError,"UnexpectedEndOfFile");
     } while (((opcode & 0x3f) != EOFOp) && (opcode != EOF));
     if (number_colormaps != 0)
       {
openSUSE Build Service is sponsored by
Places