XBM: Fix DOS issues.
authorBob Friesenhahn <bfriesen@GraphicsMagick.org>
Sat, 26 Aug 2017 15:26:15 -0500
changeset 15135 233a720bfd5e
parent 15134 b037d79b6ccd
child 15136 ddc5dd4137f4
XBM: Fix DOS issues.
ChangeLog
coders/xbm.c
www/Changelog.html
--- a/ChangeLog	Sat Aug 26 14:14:13 2017 -0500
+++ b/ChangeLog	Sat Aug 26 15:26:15 2017 -0500
@@ -1,5 +1,10 @@
 2017-08-26  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
+	* coders/xbm.c (ReadXBMImage): Fix two denial of service (DOS)
+	issues in ReadXBMImage() which result in the reader not
+	returning. Problem was reported via email on Wed Aug 23 2017 by
+	Xiaohei and Wangchu from Alibaba Security Team.
+
 	* coders/jnx.c (ReadJNXImage): Fix denial of service (DOS) issue
 	in ReadJNXImage() whereby large amounts of CPU and memory
 	resources may be consumed although the file itself does not
--- a/coders/xbm.c	Sat Aug 26 14:14:13 2017 -0500
+++ b/coders/xbm.c	Sat Aug 26 15:26:15 2017 -0500
@@ -1,5 +1,5 @@
 /*
-% Copyright (C) 2003 -2012 GraphicsMagick Group
+% Copyright (C) 2003-2017 GraphicsMagick Group
 % Copyright (C) 2002 ImageMagick Studio
 % Copyright 1991-1999 E. I. du Pont de Nemours and Company
 %
@@ -121,13 +121,15 @@
 
 static int XBMInteger(Image *image,short int *hex_digits)
 {
+  unsigned int
+    flag;
+
   int
     c,
-    flag,
     value;
 
   value=0;
-  flag=0;
+  flag=0U;
   for ( ; ; )
   {
     c=ReadBlobByte(image);
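Review bot: XBMInteger() has no comment stating its return contract, yet the callers changed later in this commit treat any negative return as corrupt input (`if (value < 0)`). A header comment such as `/* Returns the next hex value read from the blob, or a negative value if none could be read. */` would make that dependency explicit. Only the start of the function is inside this hunk, so the exact failure conditions should be confirmed against the rest of the body before wording the comment.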
@@ -158,18 +160,14 @@
   Image
     *image;
 
-  int
-    bit;
-
-  long
-    y;
-
   register IndexPacket
     *indexes;
 
-  register long
+  register size_t
+    bytes_per_line,
     i,
-    x;
+    x,
+    y;
 
   register PixelPacket
     *q;
@@ -177,22 +175,24 @@
   register unsigned char
     *p;
 
-  short int
-    hex_digits[256];
-
   unsigned char
     *data;
 
   unsigned int
-    status;
-
-  unsigned long
+    bit,
     byte,
-    bytes_per_line,
     padding,
-    value,
     version;
 
+  int
+    value;
+
+  short int
+    hex_digits[256];
+
+  MagickPassFail
+    status;
+
   /*
     Open image file.
   */
@@ -207,6 +207,8 @@
   /*
     Read X bitmap header.
   */
+  (void) memset(buffer,0,sizeof(buffer));
+  name[0]='\0';
   while (ReadBlobString(image,buffer) != (char *) NULL)
     if (sscanf(buffer,"#define %s %lu",name,&image->columns) == 2)
       if ((strlen(name) >= 6) &&
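Review bot: The `sscanf(buffer,"#define %s %lu",name,&image->columns)` call directly below the new initialisers still uses an unbounded `%s`, so it is only safe if `name` is at least as large as `buffer`. Both declarations are outside this hunk, so that relationship cannot be checked from here. If the sizes are tied together, a short comment such as `/* name is the same size as buffer, so %s cannot overflow it */` would record the invariant; otherwise the conversion should carry an explicit field width one less than the size of `name`. The `while` statement continues past the end of the hunk.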
@@ -278,6 +280,8 @@
   /*
     Initialize hex values.
   */
+  for (i = 0; i < sizeof(hex_digits)/sizeof(hex_digits[0]); i++)
+    hex_digits[i]=(-1);
   hex_digits['0']=0;
   hex_digits['1']=1;
   hex_digits['2']=2;
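Review bot: The new fill loop has no comment explaining why every entry is preset to -1, although it is what makes the table safe to index with an arbitrary input byte. `hex_digits` is declared without an initialiser, so before this change any entry not explicitly assigned held an indeterminate value. Consider adding `/* Default every byte to "not a hex digit" so unmapped entries are never read uninitialised. */` above the loop. How XBMInteger() uses the -1 entries is outside this hunk.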
@@ -311,40 +315,50 @@
   */
   p=data;
   if (version == 10)
-    for (i=0; i < (long) (bytes_per_line*image->rows); (i+=2))
+    for (i=0; i < (bytes_per_line*image->rows); (i+=2))
     {
       value=XBMInteger(image,hex_digits);
+      if (value < 0)
+        {
+          MagickFreeMemory(data);
+          ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+        }
       *p++=(unsigned char) value;
       if (!padding || ((i+2) % bytes_per_line))
         *p++=(unsigned char) (value >> 8);
     }
   else
-    for (i=0; i < (long) (bytes_per_line*image->rows); i++)
+    for (i=0; i < (bytes_per_line*image->rows); i++)
     {
       value=XBMInteger(image,hex_digits);
+      if (value < 0)
+        {
+          MagickFreeMemory(data);
+          ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+        }
       *p++=(unsigned char) value;
     }
   /*
     Convert X bitmap image to pixel packets.
   */
   p=data;
-  for (y=0; y < (long) image->rows; y++)
+  for (y=0; y < image->rows; y++)
   {
     q=SetImagePixels(image,0,y,image->columns,1);
     if (q == (PixelPacket *) NULL)
       break;
     indexes=AccessMutableIndexes(image);
-    bit=0;
-    byte=0;
-    for (x=0; x < (long) image->columns; x++)
+    bit=0U;
+    byte=0U;
+    for (x=0; x < image->columns; x++)
     {
-      if (bit == 0)
+      if (bit == 0U)
         byte=(*p++);
       indexes[x]=byte & 0x01 ? 0x01 : 0x00;
       bit++;
-      byte>>=1;
-      if (bit == 8)
-        bit=0;
+      byte>>=1U;
+      if (bit == 8U)
+        bit=0U;
     }
     if (!SyncImagePixels(image))
       break;
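Review bot: Both read loops bound `i` by `bytes_per_line*image->rows`, and with the `(long)` casts removed that product is now computed in unsigned arithmetic on every iteration. If it can wrap, the loop bound no longer matches the byte count that the header dimensions describe. The allocation of `data` is outside this hunk, so it is not visible whether the same multiplication is overflow-checked there. If it is, keep that checked size in one variable (for example `size_t data_size`) and write both conditions as `i < data_size`, so the loop limit and the buffer size cannot diverge. The enclosing function starts before and continues after this hunk.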
--- a/www/Changelog.html	Sat Aug 26 14:14:13 2017 -0500
+++ b/www/Changelog.html	Sat Aug 26 15:26:15 2017 -0500
@@ -38,6 +38,10 @@
 <p>2017-08-26  Bob Friesenhahn  &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
 <blockquote>
 <ul class="simple">
+<li>coders/xbm.c (ReadXBMImage): Fix two denial of service (DOS)
+issues in ReadXBMImage() which result in the reader not
+returning. Problem was reported via email on Wed Aug 23 2017 by
+Xiaohei and Wangchu from Alibaba Security Team.</li>
 <li>coders/jnx.c (ReadJNXImage): Fix denial of service (DOS) issue
 in ReadJNXImage() whereby large amounts of CPU and memory
 resources may be consumed although the file itself does not