--- a/ChangeLog Wed Jul 26 19:47:56 2017 -0500
+++ b/ChangeLog Wed Jul 26 22:40:01 2017 -0400
@@ -14,6 +14,8 @@
* coders/png.c: Fixed writer bug due to missing brackets; a Log
statement should have been inside the "i" loop but instead was
using i++ left over from the loop. Bug report by L. Catro.
+ * coders/png.c: Reject a MNG with dimensions greater than 65k
+ by 65k.
2017-07-22 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
--- a/coders/png.c Wed Jul 26 19:47:56 2017 -0500
+++ b/coders/png.c Wed Jul 26 22:40:01 2017 -0400
@@ -4084,11 +4084,17 @@
mng_info->image=image;
}
- if ((mng_info->mng_width > 65535L) || (mng_info->mng_height
- > 65535L))
- (void) ThrowException(&image->exception,ImageError,
- WidthOrHeightExceedsLimit,
- image->filename);
+ if ((mng_info->mng_width > 65535L) ||
+ (mng_info->mng_height > 65535L))
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " MNG width or height is too large: %lu, %lu",
+ mng_info->mng_width,mng_info->mng_height);
+ MagickFreeMemory(chunk);
+ ThrowReaderException(CorruptImageError,
+ ImproperImageHeader,image);
+ }
+
FormatString(page_geometry,"%lux%lu+0+0",mng_info->mng_width,
mng_info->mng_height);
mng_info->frame.left=0;