1 |
|
2 |
# HG changeset patch |
3 |
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org> |
4 |
# Date 1473544092 18000 |
5 |
# Node ID c53725cb5449ac885536a6a98dc911d8b21a3c54 |
6 |
# Parent 0a0dfa81906d1317895de9374ef5132710c3831c |
7 |
SGI: Check that filesize is reasonable given header. |
8 |
|
9 |
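--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-09-10 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * coders/sgi.c (ReadSGIImage): Check that filesize is reasonable
+ given header. Fixes excessive memory allocation followed by
+ eventual file truncation error for corrupt file. Problem was
+ reported via email by Agostino Sarubbo on 2016-09-09.
+
 2016-10-01 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
 
 * coders/meta.c (parse8BIM): Fix unsigned underflow leading to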
23 |
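--- a/coders/sct.c
+++ b/coders/sct.c
@@ -1,5 +1,5 @@
 /*
-% Copyright (C) 2003-2015 GraphicsMagick Group
+% Copyright (C) 2003-2016 GraphicsMagick Group
 % Copyright (C) 2002 ImageMagick Studio
 % Copyright 1991-1999 E. I. du Pont de Nemours and Company
 %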
33 |
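--- a/coders/sgi.c
+++ b/coders/sgi.c
@@ -299,6 +299,9 @@
 size_t
 bytes_per_pixel;
 
+ magick_off_t
+ file_size;
+
 /*
 Open image file.
 */
@@ -314,6 +317,7 @@
 Read SGI raster header.
 */
 iris_info.magic=ReadBlobMSBShort(image);
+ file_size=GetBlobSize(image);
 do
 {
 /*
@@ -342,7 +346,8 @@
 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
 " Header: Storage=%u, BPC=%u, Dimension=%u, "
 "XSize=%u, YSize=%u, ZSize=%u, PixMin=%u, "
- "PixMax=%u, image_name=\"%.79s\", color_map=%u",
+ "PixMax=%u, image_name=\"%.79s\", color_map=%u, "
+ "file_size=%" MAGICK_OFF_F "d",
 (unsigned int) iris_info.storage,
 (unsigned int) iris_info.bytes_per_pixel,
 (unsigned int) iris_info.dimension,
@@ -352,7 +357,8 @@
 iris_info.pix_min,
 iris_info.pix_max,
 iris_info.image_name,
- iris_info.color_map);
+ iris_info.color_map,
+ file_size);
 
 /*
 Validate image header and set image attributes.
@@ -492,6 +498,33 @@
 ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
 
 /*
+ Check that filesize is reasonable given header
+ */
+ {
+ double
+ uncompressed_size;
+
+ uncompressed_size=((double) (iris_info.dimension == 3 ? iris_info.zsize : 1)*
+ image->columns*image->rows*iris_info.bytes_per_pixel);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Uncompressed size: %.0f", uncompressed_size);
+ if (iris_info.storage != 0x01)
+ {
+ /* Not compressed */
+ if (uncompressed_size > file_size)
+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+ image);
+ }
+ else
+ {
+ /* RLE compressed */
+ if (uncompressed_size > file_size*254.0)
+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+ image);
+ }
+ }
+
+ /*
 Allocate SGI pixels.
 */
 bytes_per_pixel=iris_info.bytes_per_pixel;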
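Review bot: The new bound in the last hunk of coders/sgi.c, `if (uncompressed_size > file_size)`, trusts whatever GetBlobSize() returned and compares against the whole blob rather than the bytes that follow the header. If GetBlobSize() can report 0 for a pipe or other non-seekable input (its behaviour is not visible on this page), every such image would now be rejected as InsufficientImageDataInFile. Consider applying the check only when the size is known, e.g. `if ((file_size > 0) && (uncompressed_size > file_size))`, and relying on the existing pixel-limit check just above to bound the allocation otherwise. The RLE multiplier `254.0` is an unexplained constant; a comment on that line stating the assumed best-case expansion per input byte, and that the result is only a coarse upper bound, would let a later reader judge how much allocation a small crafted file can still request. ReadSGIImage begins and ends outside these hunks, so how file_size is used across the multi-frame `do` loop cannot be checked from here.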
108 |
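--- a/www/Changelog.html
+++ b/www/Changelog.html
@@ -38,3 +38,12 @@
+<p>2016-09-10 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
+<blockquote>
+<ul class="simple">
+<li>coders/sgi.c (ReadSGIImage): Check that filesize is reasonable
+given header. Fixes excessive memory allocation followed by
+eventual file truncation error for corrupt file. Problem was
+reported via email by Agostino Sarubbo on 2016-09-09.</li>
+</ul>
+</blockquote>
 <p>2016-10-01 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
 <blockquote>
 <ul class="simple">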