From b47345f67d0d56afedd88b060d52b43d50a1ee31 Mon Sep 17 00:00:00 2001 From: Cristy Date: Sat, 24 Jun 2017 08:24:01 -0400 Subject: [PATCH] Memory exhaustion in ReadEPTImage in ept.c When identify EPT file , imagemagick will allocate memory to store the data. There is a security checking in the function SetImageExtent, but it is not used in the allocation function, so IM can not control the memory usage bug: https://github.com/ImageMagick/ImageMagick/issues/524 bug-debian: https://bugs.debian.org/867821 origin: https://github.com/ImageMagick/ImageMagick/commit/eee1829d5908019721972baece1e3a157a897d24 --- coders/ept.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/coders/ept.c b/coders/ept.c index 5c28c47d6..b2d5a5cb2 100644 --- a/coders/ept.c +++ b/coders/ept.c @@ -197,10 +197,14 @@ static Image *ReadEPTImage(const ImageInfo *image_info,ExceptionInfo *exception) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); ept_info.postscript_offset=(MagickOffsetType) ReadBlobLSBLong(image); ept_info.postscript_length=ReadBlobLSBLong(image); + if (ept_info.postscript_length > GetBlobSize(image)) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); (void) ReadBlobLSBLong(image); (void) ReadBlobLSBLong(image); ept_info.tiff_offset=(MagickOffsetType) ReadBlobLSBLong(image); ept_info.tiff_length=ReadBlobLSBLong(image); + if (ept_info.tiff_length > GetBlobSize(image)) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); (void) ReadBlobLSBShort(image); ept_info.postscript=(unsigned char *) AcquireQuantumMemory( ept_info.postscript_length+1,sizeof(*ept_info.postscript));