tag 413037 + patch
thanks
Missing boundary checks allow a read from memory to exceed array
boundaries. DoS, but no severe security implications as far as I can
see. The attached patch is similar in spirit to a patch by imagemagick
upstream, and fixes the segfault with the supplied testcase.
Daniel.
--- a/coders/pnm.c Fri Mar 02 22:37:14 2007 +0100
+++ b/coders/pnm.c Fri Mar 02 22:51:58 2007 +0100
@@ -203,6 +203,20 @@ static unsigned int PNMInteger(Image *im
while (isdigit(c));
return(value);
}
+
+#define ValidateScalingIndex(image, index, max) \
+ do { \
+ if (index < 0 || index > max) \
+ ThrowReaderException(CorruptImageError,CorruptImage, \
+ image); \
+ } while (0)
+
+#define ValidateScalingPixel(image, pixel, max) \
+ do { \
+ ValidateScalingIndex(image, pixel.red, max); \
+ ValidateScalingIndex(image, pixel.green, max); \
+ ValidateScalingIndex(image, pixel.blue, max); \
+ } while (0)
static Image *ReadPNMImage(const ImageInfo *image_info,ExceptionInfo
*exception)
{
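Review bot: The `index < 0` test in `ValidateScalingIndex` is always false if the values passed in are unsigned, which the `unsigned int` return type of `PNMInteger` in the hunk header suggests. The macro also uses `index` and `max` unparenthesized and evaluates `index` twice. A single unsigned comparison rejects both out-of-range and negative inputs and is safe for any argument expression: `if ((unsigned long) (index) > (unsigned long) (max)) \`. The exit from the reader is hidden inside the macro, and `ThrowReaderException` is not defined in this hunk, so a comment above the two macros would help, e.g. `/* Reject samples greater than max; on failure ThrowReaderException aborts the calling reader. */`. The check also assumes `scale` holds at least `max + 1` entries, which should be confirmed at the allocation site outside the hunk.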
@@ -387,6 +401,7 @@ static Image *ReadPNMImage(const ImageIn
for (x=0; x < (long) image->columns; x++)
{
intensity=PNMInteger(image,10);
+ ValidateScalingIndex(image, intensity, max_value);
if (scale != (unsigned long *) NULL)
intensity=scale[intensity];
index=intensity;
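Review bot: The failure path of `ValidateScalingIndex` is taken inside the pixel loop, after `scale` appears to have been allocated, so that table may leak whenever a corrupt image is rejected. This holds only if `ThrowReaderException` returns directly from `ReadPNMImage`, which is not visible here. The same applies to the `ValidateScalingPixel` calls in the three later hunks, where the row buffer that `p` walks would also be left allocated. For a long-running service that decodes untrusted images, repeated rejections would then add up to steady memory growth. Consider releasing the scale table and row buffer before throwing, or having the macros jump to a common cleanup label. The allocation sites and the rest of the loop are outside the hunk, so this needs checking against the full function.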
@@ -418,6 +433,7 @@ static Image *ReadPNMImage(const ImageIn
pixel.red=PNMInteger(image,10);
pixel.green=PNMInteger(image,10);
pixel.blue=PNMInteger(image,10);
+ ValidateScalingPixel(image, pixel, max_value);
if (scale != (unsigned long *) NULL)
{
pixel.red=scale[pixel.red];
@@ -562,6 +578,7 @@ static Image *ReadPNMImage(const ImageIn
pixel.red=(*p++);
pixel.green=(*p++);
pixel.blue=(*p++);
+ ValidateScalingPixel(image, pixel, max_value);
if (scale != (unsigned long *) NULL)
{
pixel.red=scale[pixel.red];
@@ -582,6 +599,7 @@ static Image *ReadPNMImage(const ImageIn
p+=2;
pixel.blue=(*p << 8) | *(p+1);
p+=2;
+ ValidateScalingPixel(image, pixel, max_value);
if (scale != (unsigned long *) NULL)
{
pixel.red=scale[pixel.red];