PCX: Check that filesize is reasonable given header.
authorBob Friesenhahn <bfriesen@GraphicsMagick.org>
Sat, 10 Sep 2016 17:01:18 -0500
changeset 14920 b9edafd479b9
parent 14919 c53725cb5449
child 14921 25264a58bc42
PCX: Check that filesize is reasonable given header.
ChangeLog
coders/pcx.c
www/Changelog.html
--- a/ChangeLog	Sat Sep 10 16:48:12 2016 -0500
+++ b/ChangeLog	Sat Sep 10 17:01:18 2016 -0500
@@ -1,5 +1,10 @@
 2016-09-10  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
+	* coders/pcx.c (ReadPCXImage): Check that filesize is reasonable
+	given header.  Fixes excessive memory allocation followed by
+	eventual file truncation error for corrupt file.  Problem was
+	reported via email by Agostino Sarubbo on 2016-09-10.
+
 	* coders/sgi.c (ReadSGIImage): Check that filesize is reasonable
 	given header.  Fixes excessive memory allocation followed by
 	eventual file truncation error for corrupt file.  Problem was
--- a/coders/pcx.c	Sat Sep 10 16:48:12 2016 -0500
+++ b/coders/pcx.c	Sat Sep 10 17:01:18 2016 -0500
@@ -1,5 +1,5 @@
 /*
-% Copyright (C) 2003 - 2015 GraphicsMagick Group
+% Copyright (C) 2003 - 2016 GraphicsMagick Group
 % Copyright (C) 2002 ImageMagick Studio
 % Copyright 1991-1999 E. I. du Pont de Nemours and Company
 %
@@ -251,6 +251,9 @@
   size_t
     pcx_packets;
 
+  magick_off_t
+    file_size;
+
   /*
     Open image file.
   */
@@ -292,6 +295,7 @@
     if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET)
         == -1)
       ThrowPCXReaderException(CorruptImageError,ImproperImageHeader,image);
+  file_size=GetBlobSize(image);
   count=ReadBlob(image,1,(char *) &pcx_info.identifier);
   for (id=1; id < 1024; id++)
   {
@@ -455,6 +459,34 @@
     if (CheckImagePixelLimits(image, exception) != MagickPass)
       ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
 
+
+    /*
+      Check that filesize is reasonable given header
+    */
+    {
+      double
+        uncompressed_size;
+      
+      uncompressed_size=((double) image->rows*pcx_info.bytes_per_line*pcx_info.planes);
+      (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                            "Uncompressed size: %.0f", uncompressed_size);
+      if (pcx_info.encoding == 0)
+        {
+          /* Not compressed */
+          if (uncompressed_size > file_size)
+            ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+                                   image);
+        }
+      else
+        {
+          /* RLE compressed */
+          if (uncompressed_size > file_size*254.0)
+            ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+                                 image);
+        }
+    }
+
+
     /*
       Read image data.
     */
--- a/www/Changelog.html	Sat Sep 10 16:48:12 2016 -0500
+++ b/www/Changelog.html	Sat Sep 10 17:01:18 2016 -0500
@@ -38,6 +38,10 @@
 <p>2016-09-10  Bob Friesenhahn  &lt;<a class="reference external" href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#64;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
 <blockquote>
 <ul class="simple">
+<li>coders/pcx.c (ReadPCXImage): Check that filesize is reasonable
+given header.  Fixes excessive memory allocation followed by
+eventual file truncation error for corrupt file.  Problem was
+reported via email by Agostino Sarubbo on 2016-09-10.</li>
 <li>coders/sgi.c (ReadSGIImage): Check that filesize is reasonable
 given header.  Fixes excessive memory allocation followed by
 eventual file truncation error for corrupt file.  Problem was