File GraphicsMagick-CVE-2014-9846.patch of Package GraphicsMagick.6323

Index: GraphicsMagick-1.3.21/coders/rle.c
===================================================================
--- GraphicsMagick-1.3.21.orig/coders/rle.c	2015-02-28 21:51:58.000000000 +0100
+++ GraphicsMagick-1.3.21/coders/rle.c	2016-08-04 21:53:00.989031732 +0200
@@ -198,7 +198,9 @@ static Image *ReadRLEImage(const ImageIn
     map_length,
     number_colormaps,
     number_pixels,
-    number_planes;
+    number_planes,
+    offset,
+    rle_pixels_length;
 
   /*
     Open image file.
@@ -315,6 +317,7 @@ static Image *ReadRLEImage(const ImageIn
     if ((image->columns != 0) &&
         (image->rows != number_pixels/image->columns))
       number_pixels=0;
+    rle_pixels_length=number_pixels*Max(number_planes,4);
     rle_pixels=MagickAllocateArray(unsigned char *,number_pixels,
                                    Max(number_planes,4));
     if (rle_pixels == (unsigned char *) NULL)
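Review bot: `rle_pixels_length` on the added line is computed with an unchecked multiplication, so it is a trustworthy bound only if `MagickAllocateArray` itself rejects a count/size product that overflows, which is not visible in this hunk. If it does, the value is only ever used after a successful allocation and is correct. A short comment would make that dependency explicit, e.g. `/* same product as the allocation below; meaningful only once that allocation has succeeded */`. Alternatively the assignment could move after the NULL check, whose body lies outside the hunk.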
@@ -386,9 +389,18 @@ static Image *ReadRLEImage(const ImageIn
           operand=ReadBlobByte(image);
           if (opcode & 0x40)
             operand=ReadBlobLSBShort(image);
-          p=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+
+          offset=((image->rows-y-1)*image->columns*number_planes)+
             x*number_planes+plane;
           operand++;
+          if (offset+((size_t) operand*number_planes) > rle_pixels_length)
+            {
+              if (number_colormaps != 0)
+                MagickFreeMemory(colormap);
+              MagickFreeMemory(rle_pixels);
+              ThrowReaderException(CorruptImageError,UnableToReadImageData,image);
+            }
+          p=rle_pixels+offset;
+
           for (i=0; i < (long) operand; i++)
           {
             pixel=ReadBlobByte(image);
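Review bot: The new guard has only an upper bound, so an `offset` that has wrapped or gone negative can still pass it and leave `p` pointing before `rle_pixels`. `offset` is built from `image->rows-y-1`, and the per-pixel test `y < (long) image->rows` in the following hunk suggests `y` can reach or exceed `image->rows` from file data. The declared type of `offset` is outside the visible hunks, so this is hedged: if it is unsigned, the sum `offset+((size_t) operand*number_planes)` can wrap to a small value; if signed, a negative offset is simply smaller than the length. A form that cannot wrap is `if ((offset > rle_pixels_length) || ((size_t) operand*number_planes > rle_pixels_length-offset))` for the unsigned case, with an added `offset < 0` test if the type is signed. The same check is repeated in the next hunk, and ReadRLEImage continues outside this one.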
@@ -409,8 +421,16 @@ static Image *ReadRLEImage(const ImageIn
           pixel=ReadBlobByte(image);
           (void) ReadBlobByte(image);
           operand++;
-          p=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+
+          offset=((image->rows-y-1)*image->columns*number_planes)+
             x*number_planes+plane;
+          p=rle_pixels+offset;
+          if (offset+((size_t) operand*number_planes) > rle_pixels_length)
+            {
+              if (number_colormaps != 0)
+                MagickFreeMemory(colormap);
+              MagickFreeMemory(rle_pixels);
+              ThrowReaderException(CorruptImageError,UnableToReadImageData,image);
+            }
           for (i=0; i < (long) operand; i++)
           {
             if ((y < (long) image->rows) && ((x+i) < (long) image->columns))
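Review bot: `p=rle_pixels+offset;` is evaluated before the bounds check in this hunk, whereas the byte-data hunk above assigns `p` only after the check has passed. Forming a pointer outside the allocation is undefined behaviour in C even if it is never dereferenced, and the differing order makes the two branches harder to audit side by side. Moving the assignment below the closing brace of the `if` block would match the earlier hunk. The duplicated free-and-throw sequence could also be shared between the two branches so that a later fix to one is not missed in the other.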