tag 413032 + patch
thanks
On Mon, Mar 05, 2007 at 09:13:34AM +0200, Sami Liedes wrote:
> Another SEGV in PCX coder in new imagemagick and graphicsmagick even
> with #413034-pcx_* applied.
Another crash, but no severe security problem. Patch attached.
Daniel.
--- a/coders/pcx.c Sat Mar 10 00:55:54 2007 +0100
+++ b/coders/pcx.c Sat Mar 10 21:46:30 2007 +0100
@@ -277,7 +277,9 @@ static Image *ReadPCXImage(const ImageIn
}
}
if (page_table != (ExtendedSignedIntegralType *) NULL)
- (void) SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET);
+ if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET)
+ == -1)
+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
count=ReadBlob(image,1,(char *) &pcx_info.identifier);
for (id=1; id < 1024; id++)
{
@@ -314,7 +316,11 @@ static Image *ReadPCXImage(const ImageIn
if ((pcx_info.bits_per_pixel != 8) || (pcx_info.planes == 1))
if ((pcx_info.version == 3) || (pcx_info.version == 5) ||
((pcx_info.bits_per_pixel*pcx_info.planes) == 1))
- image->colors=1 << (pcx_info.bits_per_pixel*pcx_info.planes);
+ {
+ image->colors=1 << (pcx_info.bits_per_pixel*pcx_info.planes);
+ if (image->colors > 256)
+ image->colors = 256;
+ }
if (!AllocateImageColormap(image,image->colors))
ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
if ((pcx_info.bits_per_pixel >= 8) && (pcx_info.planes != 1))
@@ -594,7 +600,9 @@ static Image *ReadPCXImage(const ImageIn
break;
if (page_table[id] == 0)
break;
- (void) SeekBlob(image,(ExtendedSignedIntegralType)
page_table[id],SEEK_SET);
+ if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[id],SEEK_SET)
+ == -1)
+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
count=ReadBlob(image,1,(char *) &pcx_info.identifier);
if ((count != 0) && (pcx_info.identifier == 0x0a))
{
