Package: imagemagick
Version: 6:6.0.6.2-2.4
Severity: normal
Tags: patch

In libMagick, DisplayImageCommand first allocates an image index array
with a size based on argc and then expands arguments containing glob
patterns, which may result in an increase of argc. However, the image index
array is never enlarged to match.

The image index array should be allocated after the expansion of 
arguments.

-- System Information:
Debian Release: 3.1
Architecture: powerpc (ppc)
Kernel: Linux 2.6.14-2-powerpc
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
--- imagemagick-6.0.6.2.orig/magick/display.c	2006-01-02 03:38:04.000000000 +0200
+++ imagemagick-6.0.6.2/magick/display.c	2006-01-02 03:38:04.000000000 +0200
@@ -1822,18 +1822,12 @@
   image_number=0;
   last_image=0;
   last_scene=0;
-  image_marker=(unsigned long *)
-    AcquireMagickMemory((argc+1)*sizeof(*image_marker));
-  for (i=0; i <= argc; i++)
-    image_marker[i]=(unsigned long) argc;
+  image_marker=(unsigned long *) NULL;
   option=(char *) NULL;
   resource_database=(XrmDatabase) NULL;
   (void) ResetMagickMemory(&resource_info,0,sizeof(resource_info));
   server_name=(char *) NULL;
   state=0;
-  if (image_marker == (unsigned long *) NULL)
-    ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
-      strerror(errno));
   /*
     Check for server name specified on the command line.
   */
@@ -1842,6 +1836,13 @@
   if (status == MagickFalse)
     ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
       strerror(errno));
+  image_marker=(unsigned long *)
+    AcquireMagickMemory((argc+1)*sizeof(*image_marker));
+  for (i=0; i <= argc; i++)
+    image_marker[i]=(unsigned long) argc;
+  if (image_marker == (unsigned long *) NULL)
+    ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
+      strerror(errno));
   for (i=1; i < (long) argc; i++)
   {
     /*
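Review bot: The relocated fill loop `for (i=0; i <= argc; i++) image_marker[i]=(unsigned long) argc;` still runs before the `image_marker == (unsigned long *) NULL` check, so a failed AcquireMagickMemory is written through before the failure is reported. The NULL check and its ThrowDisplayException should come directly after the allocation, ahead of the loop. The same ordering is in the last hunk of the ImageMagick-6.2.4 patch. Separately, the ThrowDisplayException in the context lines above the allocation is now reached with image_marker still NULL; the macro's cleanup is not visible here, so it is worth confirming that it tolerates a NULL pointer. The enclosing function starts and ends outside this hunk.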
--- ImageMagick-6.2.4.orig/magick/display.c	2005-09-10 06:43:05.000000000 +0300
+++ ImageMagick-6.2.4/magick/display.c	2005-09-10 06:43:05.000000000 +0300
@@ -1841,10 +1841,7 @@
   image_number=0;
   last_image=0;
   last_scene=0;
-  image_marker=(unsigned long *)
-    AcquireMagickMemory((argc+1)*sizeof(*image_marker));
-  for (i=0; i <= argc; i++)
-    image_marker[i]=(unsigned long) argc;
+  image_marker=(unsigned long *) NULL;
   option=(char *) NULL;
   pend=MagickFalse;
   resource_database=(XrmDatabase) NULL;
@@ -1852,9 +1849,6 @@
   server_name=(char *) NULL;
   state=0;
   status=MagickTrue;
-  if (image_marker == (unsigned long *) NULL)
-    ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
-      strerror(errno));
   /*
     Check for server name specified on the command line.
   */
@@ -1863,6 +1857,13 @@
   if (status == MagickFalse)
     ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
       strerror(errno));
+  image_marker=(unsigned long *)
+    AcquireMagickMemory((argc+1)*sizeof(*image_marker));
+  for (i=0; i <= argc; i++)
+    image_marker[i]=(unsigned long) argc;
+  if (image_marker == (unsigned long *) NULL)
+    ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
+      strerror(errno));
   for (i=1; i < (long) argc; i++)
   {
     /*
