SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions.
--- a/ChangeLog Sun Aug 20 12:21:03 2017 +0200
+++ b/ChangeLog Sun Aug 20 14:29:48 2017 -0500
@@ -1,3 +1,11 @@
+2017-08-20 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+
+ * coders/sun.c (ReadSUNImage): Fix failure to allocate memory due
+ to inadequate file data to support claimed image width and height.
+ First notified by email from Agostino Sarubbo on 14 Jul 2017 and
+ then again as SourceForge bug #442 "memory allocation failure in
+ magickmalloc".
+
2017-08-16 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* coders/svg.c (GetStyleTokens): Fix SourceForge bugs 434 "heap
--- a/VisualMagick/installer/inc/version.isx Sun Aug 20 12:21:03 2017 +0200
+++ b/VisualMagick/installer/inc/version.isx Sun Aug 20 14:29:48 2017 -0500
@@ -10,5 +10,5 @@
#define public MagickPackageName "GraphicsMagick"
#define public MagickPackageVersion "1.4"
-#define public MagickPackageVersionAddendum ".020170816"
-#define public MagickPackageReleaseDate "snapshot-20170816"
+#define public MagickPackageVersionAddendum ".020170820"
+#define public MagickPackageReleaseDate "snapshot-20170820"
--- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200
+++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500
@@ -498,6 +498,12 @@
if (sun_info.depth < 8)
image->depth=sun_info.depth;
+ if (image_info->ping)
+ {
+ CloseBlob(image);
+ return(image);
+ }
+
/*
Compute bytes per line and bytes per image for an unencoded
image.
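Review bot: The early `image_info->ping` return added here has no comment saying that ping mode now skips the header consistency checks that follow. It sits ahead of the bytes-per-line computation, so the `bytes_per_image > sun_info.length` test in the next hunk no longer runs for pings. A ping can therefore report a width and height that a full read would reject with ImproperImageHeader, which matters to callers that use ping results to pre-screen untrusted files or size buffers. If that is intended, a comment on the block would record it, for example `/* Ping returns header attributes only; data-length and file-size validation below is not applied. */`. ReadSUNImage begins and ends outside this hunk, so any dimension checks made earlier are not visible here.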
@@ -522,15 +528,37 @@
if (bytes_per_image > sun_info.length)
ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
- if (image_info->ping)
- {
- CloseBlob(image);
- return(image);
- }
if (sun_info.type == RT_ENCODED)
sun_data_length=(size_t) sun_info.length;
else
sun_data_length=bytes_per_image;
+
+ /*
+ Verify that data length claimed by header is supported by file size
+ */
+ if (sun_info.type == RT_ENCODED)
+ {
+ if (sun_data_length < bytes_per_image/255U)
+ {
+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+ }
+ }
+ if (BlobIsSeekable(image))
+ {
+ const magick_off_t file_size = GetBlobSize(image);
+ const magick_off_t current_offset = TellBlob(image);
+ if ((file_size > 0) &&
+ (current_offset > 0) &&
+ (file_size > current_offset))
+ {
+ const magick_off_t remaining = file_size-current_offset;
+ if (remaining < (magick_off_t) sun_data_length)
+ {
+ ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+ }
+ }
+ }
+
sun_data=MagickAllocateMemory(unsigned char *,sun_data_length);
if (sun_data == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
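Review bot: The new file-size check is skipped whenever `file_size > current_offset` is false, so a file that ends at the current offset, the case with the least data available, falls through to `MagickAllocateMemory` with the header-claimed `sun_data_length`. Reducing the guard to `if ((file_size > 0) && (current_offset > 0))` lets `remaining` be zero or negative and still be compared, which rejects that case with UnexpectedEndOfFile. Blobs for which `BlobIsSeekable` is false get no file-size check at all, so the allocation is still sized from the header alone; a comment stating that limit would help the next reader. The cast `(magick_off_t) sun_data_length` converts an unsigned size to a signed offset, which is presumably safe given the header field width but worth confirming. ReadSUNImage begins and ends outside this hunk.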
--- a/magick/version.h Sun Aug 20 12:21:03 2017 +0200
+++ b/magick/version.h Sun Aug 20 14:29:48 2017 -0500
@@ -38,8 +38,8 @@
#define MagickLibVersion 0x191600
#define MagickLibVersionText "1.4"
#define MagickLibVersionNumber 19,16,0
-#define MagickChangeDate "20170816"
-#define MagickReleaseDate "snapshot-20170816"
+#define MagickChangeDate "20170820"
+#define MagickReleaseDate "snapshot-20170820"
/*
The MagickLibInterfaceNewest and MagickLibInterfaceOldest defines
--- a/www/Changelog.html Sun Aug 20 12:21:03 2017 +0200
+++ b/www/Changelog.html Sun Aug 20 14:29:48 2017 -0500
@@ -35,6 +35,16 @@
<div class="document">
+<p>2017-08-20 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
+<blockquote>
+<ul class="simple">
+<li>coders/sun.c (ReadSUNImage): Fix failure to allocate memory due
+to inadequate file data to support claimed image width and height.
+First notified by email from Agostino Sarubbo on 14 Jul 2017 and
+then again as SourceForge bug #442 "memory allocation failure in
+magickmalloc".</li>
+</ul>
+</blockquote>
<p>2017-08-16 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">