File GraphicsMagick-CVE-2016-10050.patch of Package GraphicsMagick.8039

Overview Repositories Revisions Requests Users Attributes Meta

File GraphicsMagick-CVE-2016-10050.patch of Package GraphicsMagick.8039

From 73fb0aac5b958521e1511e179ecc0ad49f70ebaf Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sun, 5 Jun 2016 14:19:46 -0400
Subject: [PATCH] RLE check for pixel offset less than 0 (heap overflow report
 from Craig Young).

---
 ChangeLog    |  2 ++
 coders/rle.c | 10 ++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

Index: GraphicsMagick-1.3.25/coders/rle.c
===================================================================
--- GraphicsMagick-1.3.25.orig/coders/rle.c	2017-01-17 15:19:24.263377335 +0100
+++ GraphicsMagick-1.3.25/coders/rle.c	2017-01-17 15:21:46.845690457 +0100
@@ -243,6 +243,9 @@ static Image *ReadRLEImage(const ImageIn
     count,
     rle_bytes;
 
+  ssize_t
+    offset;
+
   unsigned int
     map_length;
 
@@ -257,7 +260,6 @@ static Image *ReadRLEImage(const ImageIn
     number_pixels,
     number_planes,
     number_planes_filled,
-    offset,
     rle_pixels_length;
 
   magick_off_t
@@ -524,7 +526,7 @@ static Image *ReadRLEImage(const ImageIn
           offset=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+
             x*number_planes+plane;
           operand++;
-          if (offset+((size_t) operand*number_planes) > rle_pixels_length)
+          if (offset < 0 || offset+((size_t) operand*number_planes) > rle_pixels_length)
             {
               if (number_colormaps != 0)
                 MagickFreeMemory(colormap);
@@ -566,14 +568,14 @@ static Image *ReadRLEImage(const ImageIn
           operand++;
           offset=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+
             x*number_planes+plane;
-          p=rle_pixels+offset;
-          if (offset+((size_t) operand*number_planes) > rle_pixels_length)
+          if (offset < 0 || offset+((size_t) operand*number_planes) > rle_pixels_length)
             {
               if (number_colormaps != 0)
                 MagickFreeMemory(colormap);
               MagickFreeMemory(rle_pixels);
               ThrowReaderException(CorruptImageError,UnableToReadImageData,image);
             }
+          p=rle_pixels+offset;
           for (i=0; i < (unsigned int) operand; i++)
           {
             if ((p >= rle_pixels) && (p < rle_pixels+rle_bytes))

Places

File GraphicsMagick-CVE-2016-10050.patch of Package GraphicsMagick.8039

Places