From c54baf1009cb6cc0de8c39aa09b5b5b27f294854 Mon Sep 17 00:00:00 2001 From: Cristy Date: Sun, 5 Jun 2016 14:19:46 -0400 Subject: [PATCH] RLE check for pixel offset less than 0 Heap overflow report from Craig Young (cherry picked from commit 73fb0aac5b958521e1511e179ecc0ad49f70ebaf) origin: upstream, https://github.com/ImageMagick/ImageMagick/commit/73fb0aac5b958521e1511e179ecc0ad49f70ebaf bug-debian: https://bugs.debian.org/833744 --- coders/rle.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/coders/rle.c b/coders/rle.c index d22f1e3ca..02b275172 100644 --- a/coders/rle.c +++ b/coders/rle.c @@ -186,11 +186,11 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) number_planes, number_planes_filled, one, - offset, pixel_info_length; ssize_t count, + offset, y; unsigned char @@ -399,7 +399,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) offset=((image->rows-y-1)*image->columns*number_planes)+x* number_planes+plane; operand++; - if (offset+((size_t) operand*number_planes) > pixel_info_length) + if ((offset < 0) || + (offset+((size_t) operand*number_planes) > pixel_info_length)) { if (number_colormaps != 0) colormap=(unsigned char *) RelinquishMagickMemory(colormap); @@ -430,14 +431,15 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) operand++; offset=((image->rows-y-1)*image->columns*number_planes)+x* number_planes+plane; - p=pixels+offset; - if (offset+((size_t) operand*number_planes) > pixel_info_length) + if ((offset < 0) || + (offset+((size_t) operand*number_planes) > pixel_info_length)) { if (number_colormaps != 0) colormap=(unsigned char *) RelinquishMagickMemory(colormap); pixel_info=RelinquishVirtualMemory(pixel_info); ThrowReaderException(CorruptImageError,"UnableToReadImageData"); } + p=pixels+offset; for (i=0; i < (ssize_t) operand; i++) { if ((y < (ssize_t) image->rows) &&