* coders/mat.c Check whether reported object size overflows file size.
--- a/ChangeLog Sat Jul 01 23:50:01 2017 +0200
+++ b/ChangeLog Sun Jul 02 10:46:37 2017 +0200
@@ -1,3 +1,8 @@
+2016-07-02 Fojtik Jaroslav <JaFojtik@seznam.cz>
+
+ * coders/mat.c Check whether reported object size overflows file size.
+
+
2016-07-01 Fojtik Jaroslav <JaFojtik@seznam.cz>
* coders/mat.c Safety check for forged and or corrupted data.
--- a/coders/mat.c Sat Jul 01 23:50:01 2017 +0200
+++ b/coders/mat.c Sun Jul 02 10:46:37 2017 +0200
@@ -807,8 +807,19 @@
MATLAB_HDR.DataType = ReadBlobXXXLong(image);
if(EOFBlob(image)) break;
MATLAB_HDR.ObjectSize = ReadBlobXXXLong(image);
- if(EOFBlob(image)) break;
- filepos += MATLAB_HDR.ObjectSize + 4 + 4;
+ if(EOFBlob(image)) break;
+
+ if(BlobIsSeekable(image))
+ {
+ if(MATLAB_HDR.ObjectSize+filepos > GetBlobSize(image)) /* Safety check for forged and or corrupted data. */
+ {
+ if(logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),
+ " MAT Object with size %u overflows file with size %u.", MATLAB_HDR.ObjectSize, (unsigned)(GetBlobSize(image)));
+ goto MATLAB_KO;
+ }
+ }
+
+ filepos += MATLAB_HDR.ObjectSize + 4 + 4; /* Position of a next object, when exists. */
image2 = image;
#if defined(HasZLIB)
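Review bot: The added check `MATLAB_HDR.ObjectSize+filepos > GetBlobSize(image)` sums two values before comparing, so if both operands are 32 bits wide on the target (their declarations are outside this hunk), a forged size near the 32-bit maximum wraps to a small sum and passes. It also tests `filepos + ObjectSize`, while the statement right after it advances by `ObjectSize + 4 + 4`; assuming `filepos` still points at this object's tag, an object can overrun the file by up to 8 bytes unnoticed. Comparing against the remaining space avoids both: `if((magick_off_t) MATLAB_HDR.ObjectSize + 8 > GetBlobSize(image) - filepos)`. The check is skipped for non-seekable blobs, so later code that uses `ObjectSize` still needs its own bounds. The log call casts the blob size to `unsigned`, which misreports files over 4 GiB; the enclosing loop and the `MATLAB_KO` label lie outside the hunk.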