PNM: For binary formats, verify sufficient backing file data before memory request.
--- a/ChangeLog Sun Aug 20 17:31:35 2017 -0500
+++ b/ChangeLog Sun Aug 20 17:36:56 2017 -0500
@@ -1,3 +1,11 @@
+2017-08-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * coders/pnm.c (ReadPNMImage): Verify that sufficient file data
+ exists to support what the file header requires before allocating
+ memory for it. Fixes problem reported by Agostino Sarubbo via
+ email on Wed, 12 Jul 2017 and reported yet again via SourceForge
+ bug #441 "memory allocation failure in MagickRealloc".
+
2017-08-20 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/mat.c: Fix SourceForge bug #433 "memory leak in
--- a/coders/pnm.c Sun Aug 20 17:31:35 2017 -0500
+++ b/coders/pnm.c Sun Aug 20 17:36:56 2017 -0500
@@ -569,7 +569,7 @@
(void) LogMagickEvent(CoderEvent,GetMagickModule(),"Colors: %u",
image->colors);
}
- number_pixels=image->columns*image->rows;
+ number_pixels=MagickArraySize(image->columns,image->rows);
if (number_pixels == 0)
ThrowReaderException(CorruptImageError,NegativeOrZeroImageSize,image);
if (image->storage_class == PseudoClass)
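Review bot: The overflow handling on the new `number_pixels=MagickArraySize(image->columns,image->rows);` line is implicit and deserves a comment. MagickArraySize() returns zero when the product does not fit in size_t, so the existing `number_pixels == 0` test now doubles as the overflow check. I would add `/* MagickArraySize() returns 0 on overflow; rejected by the zero test below */` above the assignment. An overflowing header is then reported as NegativeOrZeroImageSize, which may mislead someone triaging a crafted file; a separate error for the overflow case would make the logs clearer. ReadPNMImage's body extends beyond this hunk.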
@@ -858,14 +858,14 @@
if (1 == bits_per_sample)
{
/* PBM */
- bytes_per_row=((image->columns+7) >> 3);
+ bytes_per_row=((image->columns+7U) >> 3);
import_options.grayscale_miniswhite=MagickTrue;
quantum_type=GrayQuantum;
}
else
{
/* PGM & XV_332 */
- bytes_per_row=((bits_per_sample+7)/8)*image->columns;
+ bytes_per_row=MagickArraySize(((bits_per_sample+7U)/8U),image->columns);
if (XV_332_Format == format)
{
quantum_type=IndexQuantum;
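Review bot: Nothing visible in this diff rejects `bytes_per_row == 0`, which is what MagickArraySize() yields when the row size overflows size_t, both here in the PGM branch and in the multi-sample branch of the next hunk (`@@ -878,7 +878,8 @@`). A zero row size would pass the later file-size check, because `needed` becomes 0, and would reach AllocateThreadViewDataArray with a zero-length request. I would add `if (bytes_per_row == 0)` with the same `ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,image->filename); break;` handling once the three branches have set the value. As a style point, the next hunk keeps `(bits_per_sample+7)/8` while this one switches to `7U`/`8U`; using the unsigned literals in both keeps the arithmetic consistent. The enclosing function starts and ends outside the hunk.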
@@ -878,7 +878,8 @@
}
else
{
- bytes_per_row=(((bits_per_sample+7)/8)*samples_per_pixel)*image->columns;
+ bytes_per_row=MagickArraySize((((bits_per_sample+7)/8)*samples_per_pixel),
+ image->columns);
if (3 == samples_per_pixel)
{
/* PPM */
@@ -915,6 +916,28 @@
is_monochrome=MagickFalse;
}
}
+
+ /* Validate file size before allocating memory */
+ if (BlobIsSeekable(image))
+ {
+ const magick_off_t file_size = GetBlobSize(image);
+ const magick_off_t current_offset = TellBlob(image);
+ if ((file_size > 0) &&
+ (current_offset > 0) &&
+ (file_size > current_offset))
+ {
+ const magick_off_t remaining = file_size-current_offset;
+ const magick_off_t needed = (magick_off_t) image->rows *
+ (magick_off_t) bytes_per_row;
+ if ((remaining < (magick_off_t) bytes_per_row) ||
+ (remaining < needed))
+ {
+ ThrowException(exception,CorruptImageError,UnexpectedEndOfFile,
+ image->filename);
+ break;
+ }
+ }
+ }
scanline_set=AllocateThreadViewDataArray(image,exception,bytes_per_row,1);
if (scanline_set == (ThreadViewDataSet *) NULL)
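Review bot: The new size validation can be bypassed in two ways that the commit does not cover. First, `needed` is a signed product of two casts, `(magick_off_t) image->rows * (magick_off_t) bytes_per_row`, which can overflow or go negative for large header values, so `remaining < needed` is then false and the file is accepted. Dividing avoids the multiplication entirely. Second, the whole test is skipped when `file_size > current_offset` is false, so a file with no data left after the header proceeds to allocation instead of being rejected. It is also skipped for non-seekable blobs, which deserves a comment saying those inputs rely on the read loop to detect truncation. The hunk ends inside ReadPNMImage, so any later handling is not visible here.

```c
  /* Validate file size before allocating memory.  Non-seekable blobs
     cannot be checked here and rely on short-read detection later. */
  if (BlobIsSeekable(image))
    {
      /* … unchanged: file_size and current_offset declarations … */
      if ((file_size > 0) && (current_offset > 0))
        {
          const magick_off_t remaining = file_size-current_offset;
          /* Division instead of rows*bytes_per_row: cannot overflow */
          if ((bytes_per_row == 0) ||
              (remaining <= 0) ||
              (((magick_uint64_t) remaining/bytes_per_row) < image->rows))
            {
              /* … unchanged: ThrowException(...UnexpectedEndOfFile...) and break … */
            }
        }
    }
```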
--- a/www/Changelog.html Sun Aug 20 17:31:35 2017 -0500
+++ b/www/Changelog.html Sun Aug 20 17:36:56 2017 -0500
@@ -35,6 +35,16 @@
<div class="document">
+<p>2017-08-20 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
+<blockquote>
+<ul class="simple">
+<li>coders/pnm.c (ReadPNMImage): Verify that sufficient file data
+exists to support what the file header requires before allocating
+memory for it. Fixes problem reported by Agostino Sarubbo via
+email on Wed, 12 Jul 2017 and reported yet again via SourceForge
+bug #441 "memory allocation failure in MagickRealloc".</li>
+</ul>
+</blockquote>
<p>2017-08-20 Fojtik Jaroslav <<a class="reference external" href="mailto:JaFojtik%40seznam.cz">JaFojtik<span>@</span>seznam<span>.</span>cz</a>></p>
<blockquote>
<ul class="simple">