Overview

File GraphicsMagick-CVE-2016-8684.patch of Package GraphicsMagick.7782

Index: GraphicsMagick-1.3.21/coders/sgi.c
===================================================================
--- GraphicsMagick-1.3.21.orig/coders/sgi.c	2016-10-18 13:28:55.410728730 +0200
+++ GraphicsMagick-1.3.21/coders/sgi.c	2016-10-18 13:28:55.470729640 +0200
@@ -286,6 +286,9 @@ static Image *ReadSGIImage(const ImageIn
 
   size_t count;
 
+  magick_off_t
+    file_size;
+
   /*
     Open image file.
   */
@@ -301,6 +304,7 @@ static Image *ReadSGIImage(const ImageIn
     Read SGI raster header.
   */
   iris_info.magic=ReadBlobMSBShort(image);
+  file_size=GetBlobSize(image);
   do
     {
       /*
@@ -477,6 +481,33 @@ static Image *ReadSGIImage(const ImageIn
         ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
 
       /*
+        Check that filesize is reasonable given header
+      */
+      {
+        double
+          uncompressed_size;
+
+        uncompressed_size=((double) (iris_info.dimension == 3 ? iris_info.zsize : 1)*
+                           image->columns*image->rows*iris_info.bytes_per_pixel);
+        (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                              "Uncompressed size: %.0f", uncompressed_size);
+        if (iris_info.storage != 0x01)
+          {
+            /* Not compressed */
+            if (uncompressed_size > file_size)
+              ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+                                   image);
+          }
+        else
+          {
+            /* RLE compressed */
+            if (uncompressed_size > file_size*254.0)
+              ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+                                   image);
+          }
+      }
+
+      /*
 	Allocate SGI pixels.
       */
       bytes_per_pixel=iris_info.bytes_per_pixel;
openSUSE Build Service is sponsored by
Places