File GraphicsMagick-CVE-2016-7448.patch of Package GraphicsMagick.6323
Index: GraphicsMagick-1.3.21/coders/rle.c
===================================================================
--- GraphicsMagick-1.3.21.orig/coders/rle.c 2016-10-04 15:43:00.076678422 +0200
+++ GraphicsMagick-1.3.21/coders/rle.c 2016-10-04 15:44:10.937949619 +0200
@@ -203,6 +203,9 @@ static Image *ReadRLEImage(const ImageIn
offset,
rle_pixels_length;
+ magick_off_t
+ file_size;
+
/*
Open image file.
*/
@@ -220,6 +223,7 @@ static Image *ReadRLEImage(const ImageIn
count=ReadBlob(image,2,(char *) magick);
if ((count == 0) || (memcmp(magick,"\122\314",2) != 0))
ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+ file_size=GetBlobSize(image);
do
{
/*
@@ -258,6 +262,22 @@ static Image *ReadRLEImage(const ImageIn
}
if ((number_planes & 0x01) == 0)
(void) ReadBlobByte(image);
+ if (image->matte)
+ number_planes++;
+
+ /*
+ Rationalize pixels with file size
+ */
+ if ((file_size == 0) ||
+ ((((double) image->columns*image->rows*number_planes*
+ bits_per_pixel/8)/file_size) > 254.0))
+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+ image);
+
+ if ((double) number_colormaps*map_length > file_size)
+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+ image);
+
colormap=(unsigned char *) NULL;
colormap_entries=0;
if (number_colormaps != 0)
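Review bot: The colormap bound `(double) number_colormaps*map_length > file_size` compares an entry count with a byte count, yet the colormap loop later in this patch reads every entry with ReadBlobLSBShort, i.e. two bytes each. A header can therefore still declare about twice as much colormap data as the file contains before this check rejects it; `if (2.0*number_colormaps*map_length > file_size)` would match the bytes actually consumed. The `254.0` limit in the pixel check has no explanation; the comment above it should say where the constant comes from (presumably the largest expansion the RLE encoding can produce) so it is not later "tuned" into uselessness. The `file_size == 0` branch also rejects any input for which GetBlobSize reports no size, which may include non-seekable streams; worth confirming that this is intended. These statements sit inside the `do` loop and the function body, both of which start outside the hunk.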
@@ -273,7 +293,12 @@ static Image *ReadRLEImage(const ImageIn
p=colormap;
for (i=0; i < (long) number_colormaps; i++)
for (x=0; x < (long) map_length; x++)
- *p++=ScaleShortToQuantum(ReadBlobLSBShort(image));
+ {
+ if (EOFBlob(image))
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,
+ image);
+ *p++=ScaleShortToQuantum(ReadBlobLSBShort(image));
+ }
colormap_entries=number_colormaps*map_length;
}
if (flags & 0x08)
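Review bot: The ThrowReaderException added inside the colormap loop exits ReadRLEImage while `colormap` still points at the buffer being filled, so every truncated file would leak that allocation. The allocation itself is outside the hunk, between `if (number_colormaps != 0)` and `p=colormap`, so this is inferred from the surrounding lines. Releasing the buffer first, with `MagickFreeMemory(colormap);` in a braced block ahead of the throw, closes the leak. The EOF test also runs before each read rather than after it, so a short read on the last entry is never caught by this loop; moving `if (EOFBlob(image))` to follow `*p++=ScaleShortToQuantum(ReadBlobLSBShort(image));` would cover that case.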
@@ -312,8 +337,6 @@ static Image *ReadRLEImage(const ImageIn
/*
Allocate RLE pixels.
*/
- if (image->matte)
- number_planes++;
number_pixels=image->columns*image->rows;
if ((image->columns != 0) &&
(image->rows != number_pixels/image->columns))