File ImageMagick-6.2.3-CVE-2007-4988.patch of Package ImageMagick

Overview Repositories Revisions Requests Users Attributes Meta

File ImageMagick-6.2.3-CVE-2007-4988.patch of Package ImageMagick

diff -r b474881af7c5 coders/dib.c
--- a/coders/dib.c	Fri Sep 28 02:40:55 2007 -0800
+++ b/coders/dib.c	Fri Sep 28 02:45:58 2007 -0800
@@ -442,6 +442,14 @@ static MagickBooleanType IsDIB(const uns
 %
 %
 */
+
+static inline long MagickAbsoluteValue(const long x)
+{
+  if (x < 0)
+    return(-x);
+  return(x);
+}
+
 static Image *ReadDIBImage(const ImageInfo *image_info,ExceptionInfo *exception)
 {
   DIBInfo
@@ -532,7 +540,7 @@ static Image *ReadDIBImage(const ImageIn
       dib_info.blue_mask=ReadBlobLSBShort(image);
     }
   image->matte=dib_info.bits_per_pixel == 32 ? MagickTrue : MagickFalse;
-  image->columns=dib_info.width;
+  image->columns=(unsigned long) MagickAbsoluteValue(dib_info.width);
   image->rows=AbsoluteValue(dib_info.height);
   image->depth=8;
   if ((dib_info.number_colors != 0) || (dib_info.bits_per_pixel < 16))
@@ -569,9 +577,12 @@ static Image *ReadDIBImage(const ImageIn
       /*
         Read DIB raster colormap.
       */
+      if ((4*image->colors) < image->colors)
+        ThrowReaderException(CorruptImageError,"ImproperImageHeader");
       if (AllocateImageColormap(image,image->colors) == MagickFalse)
         ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-      dib_colormap=(unsigned char *) AcquireMagickMemory(4*image->colors);
+      dib_colormap=(unsigned char *) AcquireMagickMemory(4*image->colors*
+        sizeof(*dib_colormap));
       if (dib_colormap == (unsigned char *) NULL)
         ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
       packet_size=4;

Places

File ImageMagick-6.2.3-CVE-2007-4988.patch of Package ImageMagick

Places