File ImageMagick-6.2.5-overflow-CVE-2006-3743.patch of Package ImageMagick

--- coders/xcf.c
+++ coders/xcf.c
@@ -269,7 +269,7 @@
 %
 %
 */
-static char *ReadBlobStringWithLongSize(Image *image,char *string)
+static char *ReadBlobStringWithLongSize(Image *image,char *string,size_t max)
 {
   int
     c;
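Review bot: The new `max` parameter on `ReadBlobStringWithLongSize` is not described anywhere in this hunk, and the header comment that closes with `*/` just above the signature is left unchanged. Callers need to know whether `max` is the full size of the destination buffer or the largest number of characters to store excluding the terminating NUL, because the two readings differ by exactly the one byte that matters here. If the comment block (only partly visible) lists parameters, add an entry such as `%    o max: size in bytes of the buffer string points to, including the terminating NUL.` and make the loop bound agree with it.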
@@ -285,7 +285,7 @@
   if (image->debug != MagickFalse)
     (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);
   length = ReadBlobMSBLong(image);
-  for (i=0; i < (long) length; i++)
+  for (i=0; i < (long) Min(length, max); i++)
   {
     c=ReadBlobByte(image);
     if (c == EOF)
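Review bot: The bound `Min(length, max)` lets `i` reach `max`, so if the code after the loop (outside this hunk) terminates the string with a write at `string[i]`, a caller that passes the full buffer size, as the `sizeof(unit_string)` call further down does, still gets a one-byte write past the end. Reserving room for the terminator closes that: `for (i=0; i < (long) Min(length, max-1); i++)`, given that every caller passes a non-zero `max`. Separately, when the file-supplied `length` exceeds the bound, the remaining bytes of the string are left unread in the blob, so the next field is parsed from the wrong offset. The function should either read and discard the remainder or reject the file as corrupt.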
@@ -694,7 +694,7 @@
   outLayer->width = ReadBlobMSBLong(image);
   outLayer->height = ReadBlobMSBLong(image);
   outLayer->type = ReadBlobMSBLong(image);
-  (void) ReadBlobStringWithLongSize(image, outLayer->name);
+  (void) ReadBlobStringWithLongSize(image, outLayer->name, 1024);
 
   /* allocate the image for this layer */
   outLayer->image=CloneImage(image,outLayer->width, outLayer->height,MagickTrue,
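Review bot: The literal `1024` in the `ReadBlobStringWithLongSize` call repeats the size of `outLayer->name`, whose declaration is not visible in this hunk, so the bound and the buffer can drift apart if the struct changes. If `name` is a fixed-size array member, `(void) ReadBlobStringWithLongSize(image, outLayer->name, sizeof(outLayer->name));` keeps them tied together, matching the `unit_string` call later in the patch. If it is a pointer to separately allocated storage, a named constant shared with the allocation would serve the same purpose.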
@@ -1101,7 +1101,7 @@
         /*float  factor = (float) */ (void) ReadBlobMSBLong(image);
         /* unsigned long digits =  */ (void) ReadBlobMSBLong(image);
         for (i=0; i<5; i++)
-         (void) ReadBlobStringWithLongSize(image, unit_string);
+         (void) ReadBlobStringWithLongSize(image, unit_string, sizeof(unit_string));
       }
      break;
 