~ubuntu-branches/ubuntu/gutsy/imagemagick/gutsy-updates

Viewing changes to coders/xcf.c

  • Committer: Bazaar Package Importer
  • Author(s): Marc Deslauriers
  • Date: 2008-11-25 10:27:23 UTC
  • Revision ID: james.westby@ubuntu.com-20081125102723-puuz8m2ykg0vei21
Tags: 7:6.2.4.5.dfsg1-2ubuntu1.1
* SECURITY UPDATE: denial of service and possible code execution via
  out-of-bounds heap write in the XCF coder
  - coders/xcf.c: add a couple of extra image sanity checks (patch taken
    from Red Hat - ImageMagick-6.2.8.0-4.el5_1.1.src.rpm)
  - CVE-2008-1096

309
309
    sizeof(*xcfdata));
310
310
  graydata = (unsigned char *)xcfdata;  /* used by gray and indexed */
311
311
  nmemb_read_successfully = ReadBlob(image, data_length, (unsigned char *) xcfdata);
 
312
  if (nmemb_read_successfully > (ssize_t) (tile_image->columns*tile_image->rows))
 
313
    ThrowBinaryException(CorruptImageError,"NotEnoughPixelData",image->filename);
312
314
 
313
315
  q=SetImagePixels(tile_image,0,0,tile_image->columns,tile_image->rows);
314
316
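Review bot: the new bound on nmemb_read_successfully is tested only after ReadBlob(image, data_length, ...) has already copied into xcfdata, so it reports an oversized tile after the write instead of preventing it. Compare data_length against the size of the xcfdata allocation before calling ReadBlob, and state the limit in the same units as that allocation: the check uses tile_image->columns*tile_image->rows, a pixel count, while the buffer is sized with sizeof(*xcfdata) and is also read through graydata as single bytes. The tag "NotEnoughPixelData" names the opposite condition from the one tested, and if ThrowBinaryException returns from the function here, xcfdata needs to be released first.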
 
555
557
                      /* 1.5 is probably more
556
558
                         than we need to allow */
557
559
 
 
560
      if (offset2-offset >  (MagickOffsetType) (TILE_WIDTH * TILE_WIDTH * 4* 1.5))
 
561
        ThrowBinaryException(CorruptImageError,"CorruptImage",image->filename);
 
562
 
558
563
      /* seek to the tile offset */
559
564
      (void) SeekBlob(image, offset, SEEK_SET);
560
565
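Review bot: the test on offset2-offset has only an upper bound, so a file in which offset2 is less than or equal to offset produces a zero or negative difference and passes. If that difference is used as the tile's data length further down, reject offset2 <= offset in the same place. The limit is also evaluated in floating point because of the 1.5 factor before the cast to MagickOffsetType; the integer expression TILE_WIDTH * TILE_WIDTH * 6 gives the same value without the conversion.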