Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE
GraphicsMagick.8039
GraphicsMagick-CVE-2016-10050.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File GraphicsMagick-CVE-2016-10050.patch of Package GraphicsMagick.8039
From 73fb0aac5b958521e1511e179ecc0ad49f70ebaf Mon Sep 17 00:00:00 2001 From: Cristy <urban-warrior@imagemagick.org> Date: Sun, 5 Jun 2016 14:19:46 -0400 Subject: [PATCH] RLE check for pixel offset less than 0 (heap overflow report from Craig Young). --- ChangeLog | 2 ++ coders/rle.c | 10 ++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) Index: GraphicsMagick-1.3.25/coders/rle.c =================================================================== --- GraphicsMagick-1.3.25.orig/coders/rle.c 2017-01-17 15:19:24.263377335 +0100 +++ GraphicsMagick-1.3.25/coders/rle.c 2017-01-17 15:21:46.845690457 +0100 @@ -243,6 +243,9 @@ static Image *ReadRLEImage(const ImageIn count, rle_bytes; + ssize_t + offset; + unsigned int map_length; @@ -257,7 +260,6 @@ static Image *ReadRLEImage(const ImageIn number_pixels, number_planes, number_planes_filled, - offset, rle_pixels_length; magick_off_t @@ -524,7 +526,7 @@ static Image *ReadRLEImage(const ImageIn offset=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+ x*number_planes+plane; operand++; - if (offset+((size_t) operand*number_planes) > rle_pixels_length) + if (offset < 0 || offset+((size_t) operand*number_planes) > rle_pixels_length) { if (number_colormaps != 0) MagickFreeMemory(colormap); @@ -566,14 +568,14 @@ static Image *ReadRLEImage(const ImageIn operand++; offset=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+ x*number_planes+plane; - p=rle_pixels+offset; - if (offset+((size_t) operand*number_planes) > rle_pixels_length) + if (offset < 0 || offset+((size_t) operand*number_planes) > rle_pixels_length) { if (number_colormaps != 0) MagickFreeMemory(colormap); MagickFreeMemory(rle_pixels); ThrowReaderException(CorruptImageError,UnableToReadImageData,image); } + p=rle_pixels+offset; for (i=0; i < (unsigned int) operand; i++) { if ((p >= rle_pixels) && (p < rle_pixels+rle_bytes))
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor