* coders/mat.c Check whether reported object size overflows file size.
authorfojtik
Sun, 02 Jul 2017 10:46:37 +0200
changeset 15042 e5761e3a2012
parent 15041 610107622601
child 15043 f10b9bb3ca62
* coders/mat.c Check whether reported object size overflows file size.
ChangeLog
coders/mat.c
--- a/ChangeLog	Sat Jul 01 23:50:01 2017 +0200
+++ b/ChangeLog	Sun Jul 02 10:46:37 2017 +0200
@@ -1,3 +1,8 @@
+2016-07-02  Fojtik Jaroslav  <JaFojtik@seznam.cz>
+
+	* coders/mat.c Check whether reported object size overflows file size.
+
+
 2016-07-01  Fojtik Jaroslav  <JaFojtik@seznam.cz>
 
 	* coders/mat.c Safety check for forged and or corrupted data.
--- a/coders/mat.c	Sat Jul 01 23:50:01 2017 +0200
+++ b/coders/mat.c	Sun Jul 02 10:46:37 2017 +0200
@@ -807,8 +807,19 @@
     MATLAB_HDR.DataType = ReadBlobXXXLong(image);
     if(EOFBlob(image)) break;
     MATLAB_HDR.ObjectSize = ReadBlobXXXLong(image);
-    if(EOFBlob(image)) break;
-    filepos += MATLAB_HDR.ObjectSize + 4 + 4;
+    if(EOFBlob(image)) break;    
+
+    if(BlobIsSeekable(image))
+    {      
+      if(MATLAB_HDR.ObjectSize+filepos > GetBlobSize(image))   /* Safety check for forged and or corrupted data. */
+      {
+        if(logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),
+             "  MAT Object with size %u overflows file with size %u.", MATLAB_HDR.ObjectSize, (unsigned)(GetBlobSize(image)));
+        goto MATLAB_KO;
+      }
+    }
+
+    filepos += MATLAB_HDR.ObjectSize + 4 + 4;	/* Position of a next object, when exists. */
 
     image2 = image;
 #if defined(HasZLIB)
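Review bot: The new bound test `MATLAB_HDR.ObjectSize+filepos > GetBlobSize(image)` adds before it compares, so if `filepos` (declared outside the hunk) has a 32-bit type the sum can wrap and a forged ObjectSize near the maximum would pass; it also omits the 8 header bytes that the later `filepos += MATLAB_HDR.ObjectSize + 4 + 4` counts. Comparing against the remaining bytes avoids both, e.g. `if(filepos > GetBlobSize(image) - 8 || MATLAB_HDR.ObjectSize > GetBlobSize(image) - 8 - filepos)`, assuming `filepos` is the offset of the object's tag and the blob size is a signed type wide enough for the subtraction. The check is skipped entirely when `BlobIsSeekable(image)` is false, so streamed input still continues with an unvalidated ObjectSize; a comment naming the later check that covers that path would help. The log call casts the blob size to `unsigned` for `%u`, which misreports files larger than 4 GiB. The enclosing loop and function begin and end outside the hunk.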