Reject MNG with too-large dimensions (over 65535)
authorGlenn Randers-Pehrson <glennrp+bmo@gmail.com>
Wed, 26 Jul 2017 22:40:01 -0400
changeset 15103 cd699a44f188
parent 15102 be898b7c97bd
child 15104 f912236624df
Reject MNG with too-large dimensions (over 65535)
ChangeLog
coders/png.c
--- a/ChangeLog	Wed Jul 26 19:47:56 2017 -0500
+++ b/ChangeLog	Wed Jul 26 22:40:01 2017 -0400
@@ -14,6 +14,8 @@
 	* coders/png.c: Fixed writer bug due to missing brackets; a Log
 	statement should have been inside the "i" loop but instead was
 	using i++ left over from the loop.  Bug report by L. Catro.
+	* coders/png.c: Reject a MNG with dimensions greater than 65k
+	by 65k.
 
 2017-07-22  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
--- a/coders/png.c	Wed Jul 26 19:47:56 2017 -0500
+++ b/coders/png.c	Wed Jul 26 22:40:01 2017 -0400
@@ -4084,11 +4084,17 @@
                   mng_info->image=image;
                 }
 
-              if ((mng_info->mng_width > 65535L) || (mng_info->mng_height
-                                                     > 65535L))
-                (void) ThrowException(&image->exception,ImageError,
-                                      WidthOrHeightExceedsLimit,
-                                      image->filename);
+              if ((mng_info->mng_width > 65535L) ||
+                  (mng_info->mng_height > 65535L))
+                {
+                  (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                      "  MNG width or height is too large: %lu, %lu",
+                      mng_info->mng_width,mng_info->mng_height);
+                  MagickFreeMemory(chunk);
+                  ThrowReaderException(CorruptImageError,
+                     ImproperImageHeader,image);
+                }
+
               FormatString(page_geometry,"%lux%lu+0+0",mng_info->mng_width,
                            mng_info->mng_height);
               mng_info->frame.left=0;