File GraphicsMagick-CVE-2016-10050.patch of Package GraphicsMagick.7893

From 73fb0aac5b958521e1511e179ecc0ad49f70ebaf Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sun, 5 Jun 2016 14:19:46 -0400
Subject: [PATCH] RLE check for pixel offset less than 0 (heap overflow report
 from Craig Young).

---
 ChangeLog    |  2 ++
 coders/rle.c | 10 ++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

Index: GraphicsMagick-1.3.25/coders/rle.c
===================================================================
--- GraphicsMagick-1.3.25.orig/coders/rle.c	2017-01-17 15:19:24.263377335 +0100
+++ GraphicsMagick-1.3.25/coders/rle.c	2017-01-17 15:21:46.845690457 +0100
@@ -243,6 +243,9 @@ static Image *ReadRLEImage(const ImageIn
     count,
     rle_bytes;
 
+  ssize_t
+    offset;
+
   unsigned int
     map_length;
 
@@ -257,7 +260,6 @@ static Image *ReadRLEImage(const ImageIn
     number_pixels,
     number_planes,
     number_planes_filled,
-    offset,
     rle_pixels_length;
 
   magick_off_t
@@ -524,7 +526,7 @@ static Image *ReadRLEImage(const ImageIn
           offset=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+
             x*number_planes+plane;
           operand++;
-          if (offset+((size_t) operand*number_planes) > rle_pixels_length)
+          if (offset < 0 || offset+((size_t) operand*number_planes) > rle_pixels_length)
             {
               if (number_colormaps != 0)
                 MagickFreeMemory(colormap);
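Review bot: The added `offset < 0` test here, and the identical one in the `@@ -566,14 +568,14 @@` hunk, is only meaningful if `offset` is an index into the pixel buffer, yet the context line just above still assigns `offset=rle_pixels+(...)` and the later hunk then forms `p=rle_pixels+offset`. If `rle_pixels` is the buffer pointer, as `MagickFreeMemory(rle_pixels)` and the `p >= rle_pixels` guard suggest, the value compared with `rle_pixels_length` includes the base address and the base is added a second time for `p`. This looks like a porting slip and should be confirmed against the tree the patch applies to. The assignment in both hunks should probably read `offset=((image->rows-y-1)*image->columns*number_planes)+x*number_planes+plane;`. The operand types are not visible in the hunk; if that product is evaluated in unsigned arithmetic, a wrapped result can convert to a positive `ssize_t`, so a comment should state that the upper-bound comparison, not the sign test, rejects that case. ReadRLEImage begins and ends outside the hunk.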
@@ -566,14 +568,14 @@ static Image *ReadRLEImage(const ImageIn
           operand++;
           offset=rle_pixels+((image->rows-y-1)*image->columns*number_planes)+
             x*number_planes+plane;
-          p=rle_pixels+offset;
-          if (offset+((size_t) operand*number_planes) > rle_pixels_length)
+          if (offset < 0 || offset+((size_t) operand*number_planes) > rle_pixels_length)
             {
               if (number_colormaps != 0)
                 MagickFreeMemory(colormap);
               MagickFreeMemory(rle_pixels);
               ThrowReaderException(CorruptImageError,UnableToReadImageData,image);
             }
+          p=rle_pixels+offset;
           for (i=0; i < (unsigned int) operand; i++)
           {
             if ((p >= rle_pixels) && (p < rle_pixels+rle_bytes))