Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE
GraphicsMagick.8039
GraphicsMagick-CVE-2014-9846.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File GraphicsMagick-CVE-2014-9846.patch of Package GraphicsMagick.8039
Index: GraphicsMagick-1.3.25/coders/rle.c =================================================================== --- GraphicsMagick-1.3.25.orig/coders/rle.c 2016-09-05 21:20:23.000000000 +0200 +++ GraphicsMagick-1.3.25/coders/rle.c 2016-11-29 14:13:38.371494953 +0100 @@ -255,7 +255,9 @@ static Image *ReadRLEImage(const ImageIn unsigned int number_colormaps, number_pixels, - number_planes; + number_planes, + offset, + rle_pixels_length; magick_off_t file_size; @@ -420,6 +422,7 @@ static Image *ReadRLEImage(const ImageIn if ((image->columns != 0) && (image->rows != number_pixels/image->columns)) number_pixels=0; + rle_pixels_length=number_pixels*Max(number_planes,4); rle_pixels=MagickAllocateArray(unsigned char *,number_pixels, Max(number_planes,4)); if (rle_pixels == (unsigned char *) NULL) @@ -512,9 +515,17 @@ static Image *ReadRLEImage(const ImageIn if (EOFBlob(image)) ThrowRLEReaderException(CorruptImageError,UnexpectedEndOfFile,image); } - p=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+ + offset=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+ x*number_planes+plane; operand++; + if (offset+((size_t) operand*number_planes) > rle_pixels_length) + { + if (number_colormaps != 0) + MagickFreeMemory(colormap); + MagickFreeMemory(rle_pixels); + ThrowReaderException(CorruptImageError,UnableToReadImageData,image); + } + p=rle_pixels+offset; for (i=0; i < (unsigned int) operand; i++) { pixel=ReadBlobByte(image); @@ -547,8 +558,16 @@ static Image *ReadRLEImage(const ImageIn ThrowRLEReaderException(CorruptImageError,UnexpectedEndOfFile,image); (void) ReadBlobByte(image); operand++; - p=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+ + offset=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+ x*number_planes+plane; + p=rle_pixels+offset; + if (offset+((size_t) operand*number_planes) > rle_pixels_length) + { + if (number_colormaps != 0) + MagickFreeMemory(colormap); + MagickFreeMemory(rle_pixels); + ThrowReaderException(CorruptImageError,UnableToReadImageData,image); + } for (i=0; i < (unsigned int) operand; i++) { if ((p >= rle_pixels) && (p < rle_pixels+rle_bytes))
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor