Overview

File ImageMagick-6.2.5-overflow-CVE-2006-3744.patch of Package ImageMagick

--- coders/sun.c
+++ coders/sun.c
@@ -134,10 +134,10 @@
 %
 */
 static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
-  const size_t length,unsigned char *pixels)
+  const size_t length,unsigned char *pixels,size_t maxpixels)
 {
   register const unsigned char
-    *p;
+    *p, *l;
 
   register unsigned char
     *q;
@@ -153,7 +153,8 @@
   assert(pixels != (unsigned char *) NULL);
   p=compressed_pixels;
   q=pixels;
-  while ((size_t) (p-compressed_pixels) < length)
+  l=q+maxpixels;
+  while ((size_t) (p-compressed_pixels) < length && q < l)
   {
     byte=(*p++);
     if (byte != 128U)
@@ -166,7 +167,7 @@
         count=(ssize_t) (*p++);
         if (count > 0)
           byte=(*p++);
-        while (count >= 0)
+        while (count >= 0 && q < l)
         {
           *q++=byte;
           count--;
@@ -378,6 +379,8 @@
         CloseBlob(image);
         return(GetFirstImageInList(image));
       }
+    if ((sun_info.length * sizeof(*sun_data)) / sizeof(*sun_data) != sun_info.length || !sun_info.length)
+        ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
     sun_data=(unsigned char *)
       AcquireMagickMemory((size_t) sun_info.length*sizeof(*sun_data));
     if (sun_data == (unsigned char *) NULL)
@@ -395,11 +398,28 @@
           Read run-length encoded raster pixels.
         */
         height=sun_info.height;
-        bytes_per_line=2*(sun_info.width*sun_info.depth+15)/16;
+
+        /* calculate bytes per line, verifying no overflow occurs */
+        bytes_per_line=sun_info.width*sun_info.depth;
+        if (!height || !sun_info.width || !sun_info.depth || bytes_per_line / sun_info.depth != sun_info.width)
+            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+        if ((ULONG_MAX - bytes_per_line) < 15)
+            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+        bytes_per_line += 15;
+        bytes_per_line <<= 1;
+        if (bytes_per_line >> 1 != sun_info.width * sun_info.depth + 15)
+            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+        bytes_per_line >>= 4;
+        if ((bytes_per_line * height) / height != bytes_per_line)
+            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
         sun_pixels=(unsigned char *) AcquireMagickMemory(bytes_per_line*height);
         if (sun_pixels == (unsigned char *) NULL)
           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-        (void) DecodeImage(sun_data,sun_info.length,sun_pixels);
+        (void) DecodeImage(sun_data,sun_info.length,sun_pixels, bytes_per_line * height);
         sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
       }
     /*
openSUSE Build Service is sponsored by
Places