SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions.
authorBob Friesenhahn <bfriesen@GraphicsMagick.org>
Sun, 20 Aug 2017 14:29:48 -0500
changeset 15124 493da54370aa
parent 15123 f87246749079
child 15126 45e03ed34488
SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions.
ChangeLog
VisualMagick/installer/inc/version.isx
coders/sun.c
magick/version.h
www/Changelog.html
--- a/ChangeLog	Sun Aug 20 12:21:03 2017 +0200
+++ b/ChangeLog	Sun Aug 20 14:29:48 2017 -0500
@@ -1,3 +1,11 @@
+2017-08-20  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
+
+	* coders/sun.c (ReadSUNImage): Fix failure to allocate memory due
+	to inadequate file data to support claimed image width and height.
+	First notified by email from Agostino Sarubbo on 14 Jul 2017 and
+	then again as SourceForge bug #442 "memory allocation failure in
+	magickmalloc".
+
 2017-08-16  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
 	* coders/svg.c (GetStyleTokens): Fix SourceForge bugs 434 "heap
--- a/VisualMagick/installer/inc/version.isx	Sun Aug 20 12:21:03 2017 +0200
+++ b/VisualMagick/installer/inc/version.isx	Sun Aug 20 14:29:48 2017 -0500
@@ -10,5 +10,5 @@
 
 #define public MagickPackageName "GraphicsMagick"
 #define public MagickPackageVersion "1.4"
-#define public MagickPackageVersionAddendum ".020170816"
-#define public MagickPackageReleaseDate "snapshot-20170816"
+#define public MagickPackageVersionAddendum ".020170820"
+#define public MagickPackageReleaseDate "snapshot-20170820"
--- a/coders/sun.c	Sun Aug 20 12:21:03 2017 +0200
+++ b/coders/sun.c	Sun Aug 20 14:29:48 2017 -0500
@@ -498,6 +498,12 @@
     if (sun_info.depth < 8)
       image->depth=sun_info.depth;
 
+    if (image_info->ping)
+      {
+        CloseBlob(image);
+        return(image);
+      }
+
     /*
       Compute bytes per line and bytes per image for an unencoded
       image.
@@ -522,15 +528,37 @@
       if (bytes_per_image > sun_info.length)
         ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
 
-    if (image_info->ping)
-      {
-        CloseBlob(image);
-        return(image);
-      }
     if (sun_info.type == RT_ENCODED)
       sun_data_length=(size_t) sun_info.length;
     else
       sun_data_length=bytes_per_image;
+
+    /*
+      Verify that data length claimed by header is supported by file size
+    */
+    if (sun_info.type == RT_ENCODED)
+      {
+        if (sun_data_length < bytes_per_image/255U)
+          {
+            ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+          }
+      }
+    if (BlobIsSeekable(image))
+      {
+        const magick_off_t file_size = GetBlobSize(image);
+        const magick_off_t current_offset = TellBlob(image);
+        if ((file_size > 0) &&
+            (current_offset > 0) &&
+            (file_size > current_offset))
+        {
+          const magick_off_t remaining = file_size-current_offset;
+          if (remaining < (magick_off_t) sun_data_length)
+            {
+              ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image);
+            }
+        }
+      }
+
     sun_data=MagickAllocateMemory(unsigned char *,sun_data_length);
     if (sun_data == (unsigned char *) NULL)
       ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
--- a/magick/version.h	Sun Aug 20 12:21:03 2017 +0200
+++ b/magick/version.h	Sun Aug 20 14:29:48 2017 -0500
@@ -38,8 +38,8 @@
 #define MagickLibVersion  0x191600
 #define MagickLibVersionText  "1.4"
 #define MagickLibVersionNumber 19,16,0
-#define MagickChangeDate   "20170816"
-#define MagickReleaseDate  "snapshot-20170816"
+#define MagickChangeDate   "20170820"
+#define MagickReleaseDate  "snapshot-20170820"
 	
 /*
   The MagickLibInterfaceNewest and MagickLibInterfaceOldest defines
--- a/www/Changelog.html	Sun Aug 20 12:21:03 2017 +0200
+++ b/www/Changelog.html	Sun Aug 20 14:29:48 2017 -0500
@@ -35,6 +35,16 @@
 <div class="document">
 
 
+<p>2017-08-20  Bob Friesenhahn  &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
+<blockquote>
+<ul class="simple">
+<li>coders/sun.c (ReadSUNImage): Fix failure to allocate memory due
+to inadequate file data to support claimed image width and height.
+First notified by email from Agostino Sarubbo on 14 Jul 2017 and
+then again as SourceForge bug #442 &quot;memory allocation failure in
+magickmalloc&quot;.</li>
+</ul>
+</blockquote>
 <p>2017-08-16  Bob Friesenhahn  &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
 <blockquote>
 <ul class="simple">