tag 414047 + patch
thanks

On Mon, Mar 05, 2007 at 09:08:41AM +0200, Sami Liedes wrote:
> Here's another .cur that segfaults the ICON coder in imagemagick (both
> old and new) and graphicsmagick even with #413032-icon_segfault_fix
> applied.
NULL pointer dereference due to a simple typo in an if-clause. As a result, images with 16 bits per pixel are treated as (unindexed) DirectClass storage format, rather than indexed colours in PseudoClass format.

I've also taken one sanity check from ImageMagick's SVN HEAD that prevents bogus allocations of huge amounts of memory with large values of bits_per_pixel. Combined with the fix from #413032, this leads to the attached combined patch.

Daniel.
--- a/coders/icon.c Sat Mar 10 00:51:55 2007 +0100 +++ b/coders/icon.c Sat Mar 10 00:55:47 2007 +0100 @@ -196,12 +196,15 @@ static Image *ReadIconImage(const ImageI /* Verify Icon identifier. */ - (void) SeekBlob(image,icon_file.directory[i].offset,SEEK_SET); + if (SeekBlob(image,icon_file.directory[i].offset,SEEK_SET) == -1) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); icon_info.size=ReadBlobLSBLong(image); icon_info.width=ReadBlobLSBLong(image); icon_info.height=ReadBlobLSBLong(image); icon_info.planes=ReadBlobLSBShort(image); icon_info.bits_per_pixel=ReadBlobLSBShort(image); + if (icon_info.bits_per_pixel > 32) + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); icon_info.compression=ReadBlobLSBLong(image); icon_info.image_size=ReadBlobLSBLong(image); icon_info.x_pixels=ReadBlobLSBLong(image); @@ -212,7 +215,7 @@ static Image *ReadIconImage(const ImageI image->columns=icon_info.width; image->rows=icon_info.height; image->depth=8; - if ((icon_info.number_colors != 0) || (icon_info.bits_per_pixel < 16)) + if ((icon_info.number_colors != 0) || (icon_info.bits_per_pixel <= 16)) { image->storage_class=PseudoClass; image->colors=icon_info.number_colors;
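Review bot: the new `bits_per_pixel > 32` cap in the first hunk bounds only one header field; `icon_info.width` and `icon_info.height` are read from the blob a few lines above it and, in the second hunk, copied straight into `image->columns` and `image->rows` with no check, so the "bogus allocations of huge amounts of memory" concern is only partly addressed by this hunk. Consider rejecting zero or implausibly large dimensions at the point the fields are read, using the same `ThrowReaderException(CorruptImageError,ImproperImageHeader,image)` path, and add a one-line comment saying why 32 is the ceiling so the constant is not mistaken for a magic number later.

Review bot: changing `< 16` to `<= 16` in the second hunk routes 16-bpp images into the PseudoClass branch, and the hunk ends at `image->colors=icon_info.number_colors;`, which assigns zero colours whenever the header's colour count is 0. Confirm that the code following the hunk derives the colormap size from `bits_per_pixel` for the newly admitted 16-bpp case and that a nonzero `number_colors` is still bounded against `bits_per_pixel`; the hunk as shown does not establish either, and the patch description only covers the comparison typo.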
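The three checks the message describes (the seek must succeed, bits_per_pixel is capped at 32, and 16-bpp images are indexed, so the comparison must be `<= 16` rather than `< 16`) are re-implemented below as an added, stand-alone example. It is not ImageMagick or GraphicsMagick code: `classify_icon_entry`, `make_header`, `build_sample_blob`, the `icon_verdict` enum and the `indexed_before_fix`/`indexed_after_fix` helpers are hypothetical names chosen here, and the blob they operate on is constructed in memory rather than read from a .cur file. Only the BITMAPINFOHEADER field offsets (biBitCount at 14, biClrUsed at 32) are taken from the real format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict for one icon directory entry, mirroring the coder's storage-class decision. */
typedef enum {
    ICON_PSEUDOCLASS = 1,  /* indexed colours: a colormap is expected after the header */
    ICON_DIRECTCLASS = 2,  /* unindexed RGB(A) samples */
    ICON_BAD_OFFSET  = -1, /* directory offset outside the blob: where SeekBlob would fail */
    ICON_BAD_BPP     = -2  /* bits_per_pixel > 32: reject before sizing anything */
} icon_verdict;

enum { HDR_SIZE = 40 };           /* BITMAPINFOHEADER as read by the ICON coder */
enum { SAMPLE_LEN = 6 + 3 * HDR_SIZE };

/* Little-endian readers/writers; rd32/rd16 play the role of ReadBlobLSBLong/ReadBlobLSBShort. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* The storage-class test as it was (the '< 16' typo) and as the patch makes it ('<= 16'). */
int indexed_before_fix(uint32_t number_colors, uint16_t bpp) { return number_colors != 0 || bpp < 16; }
int indexed_after_fix(uint32_t number_colors, uint16_t bpp)  { return number_colors != 0 || bpp <= 16; }

/* Validate one entry: the seek target must lie inside the blob with room for a full header,
   bits_per_pixel must be <= 32, and only then is the pixel storage classified. */
icon_verdict classify_icon_entry(const uint8_t *blob, size_t blob_len, uint32_t offset)
{
    if (offset > blob_len || blob_len - offset < HDR_SIZE)
        return ICON_BAD_OFFSET;                 /* the patch's SeekBlob() == -1 case */
    const uint8_t *h = blob + offset;
    uint16_t bpp = rd16(h + 14);                /* biBitCount */
    if (bpp > 32)
        return ICON_BAD_BPP;                    /* the patch's bits_per_pixel > 32 check */
    uint32_t number_colors = rd32(h + 32);      /* biClrUsed */
    return indexed_after_fix(number_colors, bpp) ? ICON_PSEUDOCLASS : ICON_DIRECTCLASS;
}

/* Write a constructed 40-byte header (a test fixture, not a real file) at out. */
void make_header(uint8_t *out, uint32_t width, uint32_t height, uint16_t bpp, uint32_t number_colors)
{
    memset(out, 0, HDR_SIZE);
    wr32(out + 0, HDR_SIZE);
    wr32(out + 4, width);
    wr32(out + 8, height);
    wr16(out + 12, 1);                          /* planes */
    wr16(out + 14, bpp);
    wr32(out + 32, number_colors);
}

/* Constructed sample blob: a 6-byte stand-in for the icon directory, then three headers. */
static uint8_t sample_blob[SAMPLE_LEN];
size_t build_sample_blob(void)
{
    memset(sample_blob, 0, sizeof sample_blob);
    make_header(sample_blob + 6,                16, 16, 16,   0);  /* 16 bpp, no colour count */
    make_header(sample_blob + 6 + HDR_SIZE,     16, 16, 24,   0);  /* 24 bpp true colour */
    make_header(sample_blob + 6 + 2 * HDR_SIZE, 16, 16, 4096, 16); /* absurd bpp: rejected first */
    return sizeof sample_blob;
}

int main(void)
{
    size_t len = build_sample_blob();
    printf("16 bpp        -> %d (1 = PseudoClass)\n", classify_icon_entry(sample_blob, len, 6));
    printf("24 bpp        -> %d (2 = DirectClass)\n", classify_icon_entry(sample_blob, len, 6 + HDR_SIZE));
    printf("4096 bpp      -> %d (-2 = bad bpp)\n",    classify_icon_entry(sample_blob, len, 6 + 2 * HDR_SIZE));
    printf("bad offset    -> %d (-1 = bad offset)\n", classify_icon_entry(sample_blob, len, 0xFFFFFFFFu));
    printf("16 bpp before fix indexed? %d, after fix? %d\n", indexed_before_fix(0, 16), indexed_after_fix(0, 16));
    return 0;
}
```

The offset check is written as `offset > blob_len || blob_len - offset < HDR_SIZE` rather than `offset + HDR_SIZE > blob_len` so that a 32-bit offset near its maximum cannot wrap the addition; the real coder gets the equivalent protection from SeekBlob returning -1.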