Attachment #94935 for bug #144854

View | Details | Raw Unified | Return to bug 144854
Collapse All | Expand All




%
*/
static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
  const size_t length,unsigned char *pixels,size_t maxpixels)
{
  register const unsigned char
    *p, *l;

  register unsigned char
    *q;

  assert(pixels != (unsigned char *) NULL);
  p=compressed_pixels;
  q=pixels;
  l=q+maxpixels;
  while ((size_t) (p-compressed_pixels) < length && q < l)
  {
    byte=(*p++);
    if (byte != 128U)

        count=(ssize_t) (*p++);
        if (count > 0)
          byte=(*p++);
        while (count >= 0 && q < l)
        {
          *q++=byte;
          count--;

        CloseBlob(image);
        return(GetFirstImageInList(image));
      }
    if ((sun_info.length * sizeof(*sun_data)) / sizeof(*sun_data) != sun_info.length || !sun_info.length)
        ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
    sun_data=(unsigned char *)
      AcquireMagickMemory((size_t) sun_info.length*sizeof(*sun_data));
    if (sun_data == (unsigned char *) NULL)

          Read run-length encoded raster pixels.
        */
        height=sun_info.height;

        /* calculate bytes per line, verifying no overflow occurs */
        bytes_per_line=sun_info.width*sun_info.depth;
        if (!height || !sun_info.width || !sun_info.depth || bytes_per_line / sun_info.depth != sun_info.width)
            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");

        if ((ULONG_MAX - bytes_per_line) < 15)
            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");

        bytes_per_line += 15;
        bytes_per_line <<= 1;
        if (bytes_per_line >> 1 != sun_info.width * sun_info.depth + 15)
            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");

        bytes_per_line >>= 4;
        if ((bytes_per_line * height) / height != bytes_per_line)
            ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");

        sun_pixels=(unsigned char *) AcquireMagickMemory(bytes_per_line*height);
        if (sun_pixels == (unsigned char *) NULL)
          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
        (void) DecodeImage(sun_data,sun_info.length,sun_pixels, bytes_per_line * height);
        sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
      }
    /*




%
%
*/
static char *ReadBlobStringWithLongSize(Image *image,char *string,size_t max)
{
  int
    c;

  if (image->debug != MagickFalse)
    (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);
  length = ReadBlobMSBLong(image);
  for (i=0; i < (long) Min(length, max); i++)
  {
    c=ReadBlobByte(image);
    if (c == EOF)

  outLayer->width = ReadBlobMSBLong(image);
  outLayer->height = ReadBlobMSBLong(image);
  outLayer->type = ReadBlobMSBLong(image);
  (void) ReadBlobStringWithLongSize(image, outLayer->name, 1024);

  /* allocate the image for this layer */
  outLayer->image=CloneImage(image,outLayer->width, outLayer->height,MagickTrue,

  if (outLayer->image == (Image *) NULL)
    return MagickFalse;


  /* read the layer properties! */
  foundPropEnd = 0;
  while ( foundPropEnd  == MagickFalse ) {

        /*float  factor = (float) */ (void) ReadBlobMSBLong(image);
        /* unsigned long digits =  */ (void) ReadBlobMSBLong(image);
        for (i=0; i<5; i++)
         (void) ReadBlobStringWithLongSize(image, unit_string, sizeof(unit_string));
      }
     break;


Return to bug 144854

Lines 134-143 Link Here

(-)ImageMagick-6.2.8/coders/sun.c (-6 / +26 lines)
134	%	134	%
135	*/	135	*/
136	static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,	136	static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
137	const size_t length,unsigned char *pixels)	137	const size_t length,unsigned char *pixels,size_t maxpixels)
138	{	138	{
139	register const unsigned char	139	register const unsigned char
140	*p;	140	p, l;
141		141
142	register unsigned char	142	register unsigned char
143	*q;	143	*q;
Lines 153-159 Link Here
153	assert(pixels != (unsigned char *) NULL);	153	assert(pixels != (unsigned char *) NULL);
154	p=compressed_pixels;	154	p=compressed_pixels;
155	q=pixels;	155	q=pixels;
156	while ((size_t) (p-compressed_pixels) < length)	156	l=q+maxpixels;
		157	while ((size_t) (p-compressed_pixels) < length && q < l)
157	{	158	{
158	byte=(*p++);	159	byte=(*p++);
159	if (byte != 128U)	160	if (byte != 128U)
Lines 166-172 Link Here
166	count=(ssize_t) (*p++);	167	count=(ssize_t) (*p++);
167	if (count > 0)	168	if (count > 0)
168	byte=(*p++);	169	byte=(*p++);
169	while (count >= 0)	170	while (count >= 0 && q < l)
170	{	171	{
171	*q++=byte;	172	*q++=byte;
172	count--;	173	count--;
Lines 378-383 Link Here
378	CloseBlob(image);	379	CloseBlob(image);
379	return(GetFirstImageInList(image));	380	return(GetFirstImageInList(image));
380	}	381	}
		382	if ((sun_info.length * sizeof(sun_data)) / sizeof(sun_data) != sun_info.length \|\| !sun_info.length)
		383	ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
381	sun_data=(unsigned char *)	384	sun_data=(unsigned char *)
382	AcquireMagickMemory((size_t) sun_info.lengthsizeof(sun_data));	385	AcquireMagickMemory((size_t) sun_info.lengthsizeof(sun_data));
383	if (sun_data == (unsigned char *) NULL)	386	if (sun_data == (unsigned char *) NULL)
Lines 395-405 Link Here
395	Read run-length encoded raster pixels.	398	Read run-length encoded raster pixels.
396	*/	399	*/
397	height=sun_info.height;	400	height=sun_info.height;
398	bytes_per_line=2(sun_info.widthsun_info.depth+15)/16;	401
		402	/* calculate bytes per line, verifying no overflow occurs */
		403	bytes_per_line=sun_info.width*sun_info.depth;
		404	if (!height \|\| !sun_info.width \|\| !sun_info.depth \|\| bytes_per_line / sun_info.depth != sun_info.width)
		405	ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
		406
		407	if ((ULONG_MAX - bytes_per_line) < 15)
		408	ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
		409
		410	bytes_per_line += 15;
		411	bytes_per_line <<= 1;
		412	if (bytes_per_line >> 1 != sun_info.width * sun_info.depth + 15)
		413	ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
		414
		415	bytes_per_line >>= 4;
		416	if ((bytes_per_line * height) / height != bytes_per_line)
		417	ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
		418
399	sun_pixels=(unsigned char ) AcquireMagickMemory(bytes_per_lineheight);	419	sun_pixels=(unsigned char ) AcquireMagickMemory(bytes_per_lineheight);
400	if (sun_pixels == (unsigned char *) NULL)	420	if (sun_pixels == (unsigned char *) NULL)
401	ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");	421	ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
402	(void) DecodeImage(sun_data,sun_info.length,sun_pixels);	422	(void) DecodeImage(sun_data,sun_info.length,sun_pixels, bytes_per_line * height);
403	sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);	423	sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
404	}	424	}
405	/*	425	/*

Lines 269-275 Link Here

(-)ImageMagick-6.2.8/coders/xcf.c (-5 / +4 lines)
269	%	269	%
270	%	270	%
271	*/	271	*/
272	static char ReadBlobStringWithLongSize(Image image,char *string)	272	static char ReadBlobStringWithLongSize(Image image,char *string,size_t max)
273	{	273	{
274	int	274	int
275	c;	275	c;
Lines 285-291 Link Here
285	if (image->debug != MagickFalse)	285	if (image->debug != MagickFalse)
286	(void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);	286	(void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);
287	length = ReadBlobMSBLong(image);	287	length = ReadBlobMSBLong(image);
288	for (i=0; i < (long) length; i++)	288	for (i=0; i < (long) Min(length, max); i++)
289	{	289	{
290	c=ReadBlobByte(image);	290	c=ReadBlobByte(image);
291	if (c == EOF)	291	if (c == EOF)
Lines 694-700 Link Here
694	outLayer->width = ReadBlobMSBLong(image);	694	outLayer->width = ReadBlobMSBLong(image);
695	outLayer->height = ReadBlobMSBLong(image);	695	outLayer->height = ReadBlobMSBLong(image);
696	outLayer->type = ReadBlobMSBLong(image);	696	outLayer->type = ReadBlobMSBLong(image);
697	(void) ReadBlobStringWithLongSize(image, outLayer->name);	697	(void) ReadBlobStringWithLongSize(image, outLayer->name, 1024);
698		698
699	/* allocate the image for this layer */	699	/* allocate the image for this layer */
700	outLayer->image=CloneImage(image,outLayer->width, outLayer->height,MagickTrue,	700	outLayer->image=CloneImage(image,outLayer->width, outLayer->height,MagickTrue,
Lines 702-708 Link Here
702	if (outLayer->image == (Image *) NULL)	702	if (outLayer->image == (Image *) NULL)
703	return MagickFalse;	703	return MagickFalse;
704		704
705
706	/* read the layer properties! */	705	/* read the layer properties! */
707	foundPropEnd = 0;	706	foundPropEnd = 0;
708	while ( foundPropEnd == MagickFalse ) {	707	while ( foundPropEnd == MagickFalse ) {
Lines 1102-1108 Link Here
1102	/float factor = (float) / (void) ReadBlobMSBLong(image);	1101	/float factor = (float) / (void) ReadBlobMSBLong(image);
1103	/* unsigned long digits = */ (void) ReadBlobMSBLong(image);	1102	/* unsigned long digits = */ (void) ReadBlobMSBLong(image);
1104	for (i=0; i<5; i++)	1103	for (i=0; i<5; i++)
1105	(void) ReadBlobStringWithLongSize(image, unit_string);	1104	(void) ReadBlobStringWithLongSize(image, unit_string, sizeof(unit_string));
1106	}	1105	}
1107	break;	1106	break;
1108		1107