diff options
| author | Cristy <mikayla-grace@urban-warrior.org> | 2019-04-27 08:32:23 -0400 |
|---|---|---|
| committer | Huizi Yang <yanghuiz@google.com> | 2019-10-08 14:05:09 -0700 |
| commit | f7599bbb009971405b318b4501a888b9a3f7a107 (patch) | |
| tree | b0c5bf4b86370be57f5f55bf7a89fa3bcc151275 | |
| parent | 5691a8ecaba367d04b2c2a13ec1e9e05f4f17b7c (diff) | |
| download | ImageMagick-oreo-mr1-security-release.tar.gz | |
https://github.com/ImageMagick/ImageMagick/issues/1554android-security-8.1.0_r93android-security-8.1.0_r92android-security-8.1.0_r91android-security-8.1.0_r90android-security-8.1.0_r89android-security-8.1.0_r88android-security-8.1.0_r87android-security-8.1.0_r86android-security-8.1.0_r85android-security-8.1.0_r84android-security-8.1.0_r83android-security-8.1.0_r82android-8.1.0_r81android-8.1.0_r80android-8.1.0_r79android-8.1.0_r78android-8.1.0_r77android-8.1.0_r76android-8.1.0_r75android-8.1.0_r74android-8.1.0_r73android-8.1.0_r72android-8.1.0_r71security-oc-mr1-releaseoreo-mr1-security-release
Backport of upstream f7206618d27c2e69d977abf40e3035a33e5f6be0
Bug: 140328986
Change-Id: Iaa9773b2efe658948d45f20282f7ed47d8331178
Merged-In: I84d6258cd854be68c752b62964fd746fc6b38fc3
(cherry picked from commit 57879bb058a6c431111e48fa985518ed28efb169)
| -rw-r--r-- | coders/mat.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/coders/mat.c b/coders/mat.c index 515fc5829..be7abaf0c 100644 --- a/coders/mat.c +++ b/coders/mat.c @@ -628,6 +628,7 @@ static Image *ReadMATImageV4(const ImageInfo *image_info,Image *image, (void) SeekBlob(image,0,SEEK_SET); ldblk=ReadBlobLSBLong(image); + if(EOFBlob(image)) return((Image *) NULL); if ((ldblk > 9999) || (ldblk < 0)) return((Image *) NULL); HDR.Type[3]=ldblk % 10; ldblk /= 10; /* T digit */ @@ -887,16 +888,20 @@ static Image *ReadMATImage(const ImageInfo *image_info,ExceptionInfo *exception) MATLAB_KO: ThrowReaderException(CorruptImageError,"ImproperImageHeader"); filepos = TellBlob(image); - while(!EOFBlob(image)) /* object parser loop */ + while(filepos < GetBlobSize(image) && !EOFBlob(image)) /* object parser loop */ { Frames = 1; (void) SeekBlob(image,filepos,SEEK_SET); + if(filepos > GetBlobSize(image) || filepos < 0) + break; /* printf("pos=%X\n",TellBlob(image)); */ MATLAB_HDR.DataType = ReadBlobXXXLong(image); if(EOFBlob(image)) break; MATLAB_HDR.ObjectSize = ReadBlobXXXLong(image); if(EOFBlob(image)) break; + if((MagickSizeType) (MATLAB_HDR.ObjectSize+filepos) >= GetBlobSize(image)) + goto MATLAB_KO; filepos += MATLAB_HDR.ObjectSize + 4 + 4; image2 = image; @@ -1105,6 +1110,7 @@ RestoreMSCWarning { if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(), " MAT cannot read scanrow %u from a file.", (unsigned)(MATLAB_HDR.SizeY-i-1)); + ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile"); goto ExitLoop; } if((CellType==miINT8 || CellType==miUINT8) && (MATLAB_HDR.StructureFlag & FLAG_LOGICAL)) |