SGI: Check that filesize is reasonable given header.
--- a/ChangeLog Sat Sep 10 15:21:05 2016 -0500
+++ b/ChangeLog Sat Sep 10 16:48:12 2016 -0500
@@ -1,5 +1,10 @@
2016-09-10 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
+ * coders/sgi.c (ReadSGIImage): Check that filesize is reasonable
+ given header. Fixes excessive memory allocation followed by
+ eventual file truncation error for corrupt file. Problem was
+ reported via email by Agostino Sarubbo on 2016-09-09.
+
* coders/sct.c (ReadSCTImage): Fix stack-buffer read overflow
while reading SCT header. Problem was reported via email by
Agostino Sarubbo on 2016-09-09.
--- a/coders/sct.c Sat Sep 10 15:21:05 2016 -0500
+++ b/coders/sct.c Sat Sep 10 16:48:12 2016 -0500
@@ -1,5 +1,5 @@
/*
-% Copyright (C) 2003-2015 GraphicsMagick Group
+% Copyright (C) 2003-2016 GraphicsMagick Group
% Copyright (C) 2002 ImageMagick Studio
% Copyright 1991-1999 E. I. du Pont de Nemours and Company
%
--- a/coders/sgi.c Sat Sep 10 15:21:05 2016 -0500
+++ b/coders/sgi.c Sat Sep 10 16:48:12 2016 -0500
@@ -299,6 +299,9 @@
size_t
bytes_per_pixel;
+ magick_off_t
+ file_size;
+
/*
Open image file.
*/
@@ -314,6 +317,7 @@
Read SGI raster header.
*/
iris_info.magic=ReadBlobMSBShort(image);
+ file_size=GetBlobSize(image);
do
{
/*
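Review bot: `file_size=GetBlobSize(image);` is stored unconditionally, and the check added in the `@@ -492` hunk compares against it without asking whether the blob's size is actually known. If GetBlobSize() can report 0 for input whose length is not known up front (for example a pipe or other non-seekable stream; its behaviour is not visible in this diff), every such SGI image would be rejected with InsufficientImageDataInFile, since any non-zero `uncompressed_size` exceeds 0. Consider applying the comparison only when the size is meaningful, e.g. `if ((file_size > 0) && (uncompressed_size > file_size))`, and documenting that the pre-allocation check is skipped for unknown-size input so the resource limits remain the only guard there. ReadSGIImage starts and ends outside this hunk.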
@@ -342,7 +346,8 @@
(void) LogMagickEvent(CoderEvent,GetMagickModule(),
" Header: Storage=%u, BPC=%u, Dimension=%u, "
"XSize=%u, YSize=%u, ZSize=%u, PixMin=%u, "
- "PixMax=%u, image_name=\"%.79s\", color_map=%u",
+ "PixMax=%u, image_name=\"%.79s\", color_map=%u, "
+ "file_size=%" MAGICK_OFF_F "d",
(unsigned int) iris_info.storage,
(unsigned int) iris_info.bytes_per_pixel,
(unsigned int) iris_info.dimension,
@@ -352,7 +357,8 @@
iris_info.pix_min,
iris_info.pix_max,
iris_info.image_name,
- iris_info.color_map);
+ iris_info.color_map,
+ file_size);
/*
Validate image header and set image attributes.
@@ -492,6 +498,33 @@
ThrowReaderException(ResourceLimitError,ImagePixelLimitExceeded,image);
/*
+ Check that filesize is reasonable given header
+ */
+ {
+ double
+ uncompressed_size;
+
+ uncompressed_size=((double) (iris_info.dimension == 3 ? iris_info.zsize : 1)*
+ image->columns*image->rows*iris_info.bytes_per_pixel);
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Uncompressed size: %.0f", uncompressed_size);
+ if (iris_info.storage != 0x01)
+ {
+ /* Not compressed */
+ if (uncompressed_size > file_size)
+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+ image);
+ }
+ else
+ {
+ /* RLE compressed */
+ if (uncompressed_size > file_size*254.0)
+ ThrowReaderException(CorruptImageError,InsufficientImageDataInFile,
+ image);
+ }
+ }
+
+ /*
Allocate SGI pixels.
*/
bytes_per_pixel=iris_info.bytes_per_pixel;
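Review bot: The RLE bound `file_size*254.0` is an unexplained constant, and both branches compare against the whole file length, header included. A comment should say where 254 comes from (presumably the worst-case output bytes per input byte for one RLE run; confirm against the decoder) so a later decoder change does not silently invalidate the limit, e.g. `/* RLE: assume at most 254 output bytes per input byte */`. In the uncompressed branch, subtracting the header bytes already consumed would make the check exact rather than lenient; the header length is not visible in this hunk. The RLE branch still permits a pixel allocation up to 254 times the file size, so the ImagePixelLimitExceeded check just above remains the effective cap for compressed input.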
--- a/www/Changelog.html Sat Sep 10 15:21:05 2016 -0500
+++ b/www/Changelog.html Sat Sep 10 16:48:12 2016 -0500
@@ -38,6 +38,10 @@
<p>2016-09-10 Bob Friesenhahn <<a class="reference external" href="mailto:bfriesen%40simple.dallas.tx.us">bfriesen<span>@</span>simple<span>.</span>dallas<span>.</span>tx<span>.</span>us</a>></p>
<blockquote>
<ul class="simple">
+<li>coders/sgi.c (ReadSGIImage): Check that filesize is reasonable
+given header. Fixes excessive memory allocation followed by
+eventual file truncation error for corrupt file. Problem was
+reported via email by Agostino Sarubbo on 2016-09-09.</li>
<li>coders/sct.c (ReadSCTImage): Fix stack-buffer read overflow
while reading SCT header. Problem was reported via email by
Agostino Sarubbo on 2016-09-09.</li>