File GraphicsMagick-CVE-2014-9846.patch of Package GraphicsMagick.7782

Index: GraphicsMagick-1.3.25/coders/rle.c
===================================================================
--- GraphicsMagick-1.3.25.orig/coders/rle.c	2016-09-05 21:20:23.000000000 +0200
+++ GraphicsMagick-1.3.25/coders/rle.c	2016-11-29 14:13:38.371494953 +0100
@@ -255,7 +255,9 @@ static Image *ReadRLEImage(const ImageIn
   unsigned int
     number_colormaps,
     number_pixels,
-    number_planes;
+    number_planes,
+    offset,
+    rle_pixels_length;
 
   magick_off_t
     file_size;
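Review bot: `offset` and `rle_pixels_length` are added to the `unsigned int` list, but both hold byte positions and sizes for the `rle_pixels` heap buffer, so `size_t` is the fitting type. As declared, the product `number_pixels*Max(number_planes,4)` in the second hunk is evaluated in `unsigned int` arithmetic and can wrap for large headers, so the recorded length can fall out of step with what `MagickAllocateArray` was asked to allocate. I would declare them separately as `size_t offset, rle_pixels_length;` and widen one factor when computing the length: `rle_pixels_length=(size_t) number_pixels*Max(number_planes,4);`. The declaration block belongs to ReadRLEImage, whose body extends beyond this hunk.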
@@ -420,6 +422,7 @@ static Image *ReadRLEImage(const ImageIn
     if ((image->columns != 0) &&
         (image->rows != number_pixels/image->columns))
       number_pixels=0;
+    rle_pixels_length=number_pixels*Max(number_planes,4);
     rle_pixels=MagickAllocateArray(unsigned char *,number_pixels,
                                    Max(number_planes,4));
     if (rle_pixels == (unsigned char *) NULL)
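Review bot: The new `rle_pixels_length` looks like a second copy of a size the function already tracks, since the context of the last hunk bounds `p` with `rle_pixels+rle_bytes`. If `rle_bytes` is the allocation size (its assignment is outside the visible hunks, so this needs confirming), the added checks should use it rather than a separately computed value that can drift from it. If the new variable stays, a comment such as `/* byte length of rle_pixels; must match the MagickAllocateArray() arguments below */` would state the invariant the later checks rely on.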
@@ -512,9 +515,17 @@ static Image *ReadRLEImage(const ImageIn
               if (EOFBlob(image))
                 ThrowRLEReaderException(CorruptImageError,UnexpectedEndOfFile,image);
             }
-          p=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+
+          offset=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+
             x*number_planes+plane;
           operand++;
+          if (offset+((size_t) operand*number_planes) > rle_pixels_length)
+            {
+              if (number_colormaps != 0)
+                MagickFreeMemory(colormap);
+              MagickFreeMemory(rle_pixels);
+              ThrowReaderException(CorruptImageError,UnableToReadImageData,image);
+            }
+          p=rle_pixels+offset;
           for (i=0; i < (unsigned int) operand; i++)
           {
             pixel=ReadBlobByte(image);
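Review bot: The assignment `offset=rle_pixels+(...)` still carries the `rle_pixels+` base from the old `p=` line, so a pointer is stored into an `unsigned int` and the base is then added a second time by `p=rle_pixels+offset`. The bound check therefore compares an address (truncated where pointers are wider than `unsigned int`) against a length, and `p` would point outside the buffer whenever the check happens to pass. The offset should be the index alone: `offset=((image->rows-y-1)*image->columns*number_planes)+x*number_planes+plane;`. The same line appears in the next hunk. The error path also frees by hand and calls `ThrowReaderException`, while the lines just above use `ThrowRLEReaderException`; if that macro already releases `colormap` and `rle_pixels` (its definition is not visible here), using it would keep the cleanup in one place.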
@@ -547,8 +558,16 @@ static Image *ReadRLEImage(const ImageIn
             ThrowRLEReaderException(CorruptImageError,UnexpectedEndOfFile,image);
           (void) ReadBlobByte(image);
           operand++;
-          p=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+
+          offset=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+
             x*number_planes+plane;
+          p=rle_pixels+offset;
+          if (offset+((size_t) operand*number_planes) > rle_pixels_length)
+            {
+              if (number_colormaps != 0)
+                MagickFreeMemory(colormap);
+              MagickFreeMemory(rle_pixels);
+              ThrowReaderException(CorruptImageError,UnableToReadImageData,image);
+            }
           for (i=0; i < (unsigned int) operand; i++)
           {
             if ((p >= rle_pixels) && (p < rle_pixels+rle_bytes))
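Review bot: `p=rle_pixels+offset;` is placed before the bound check in this hunk, whereas the previous hunk assigns `p` only after the check has passed. Forming the pointer from an unvalidated offset is itself out-of-range pointer arithmetic, so the assignment should move below the closing brace of the `if` block. The context loop already tests `p` against `rle_pixels+rle_bytes` for every byte, so the added check changes this branch from skipping out-of-range writes to rejecting the image; a short comment such as `/* reject runs that extend past the pixel buffer instead of clipping them */` would record that this is intended. The loop body continues past the end of the hunk.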