diff options
| author | Cristy <mikayla-grace@urban-warrior.org> | 2019-04-27 08:32:23 -0400 |
|---|---|---|
| committer | Huizi Yang <yanghuiz@google.com> | 2019-10-08 14:05:40 -0700 |
| commit | eaef4d3bd7f366ee4b0bec8dc9bc4e4746f894e6 (patch) | |
| tree | b0c5bf4b86370be57f5f55bf7a89fa3bcc151275 | |
| parent | 6d5e443d5f090be54f0f1623171bf83102c0e688 (diff) | |
| download | ImageMagick-security-oc-release.tar.gz | |
https://github.com/ImageMagick/ImageMagick/issues/1554android-security-8.0.0_r54android-security-8.0.0_r53android-security-8.0.0_r52android-8.0.0_r51android-8.0.0_r50android-8.0.0_r49android-8.0.0_r48android-8.0.0_r47android-8.0.0_r46android-8.0.0_r45android-8.0.0_r44android-8.0.0_r43android-8.0.0_r42android-8.0.0_r41security-oc-releaseoreo-security-release
Backport of upstream f7206618d27c2e69d977abf40e3035a33e5f6be0
Bug: 140328986
Change-Id: Iaa9773b2efe658948d45f20282f7ed47d8331178
Merged-In: I84d6258cd854be68c752b62964fd746fc6b38fc3
(cherry picked from commit 57879bb058a6c431111e48fa985518ed28efb169)
| -rw-r--r-- | coders/mat.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/coders/mat.c b/coders/mat.c index 515fc5829..be7abaf0c 100644 --- a/coders/mat.c +++ b/coders/mat.c @@ -628,6 +628,7 @@ static Image *ReadMATImageV4(const ImageInfo *image_info,Image *image, (void) SeekBlob(image,0,SEEK_SET); ldblk=ReadBlobLSBLong(image); + if(EOFBlob(image)) return((Image *) NULL); if ((ldblk > 9999) || (ldblk < 0)) return((Image *) NULL); HDR.Type[3]=ldblk % 10; ldblk /= 10; /* T digit */ @@ -887,16 +888,20 @@ static Image *ReadMATImage(const ImageInfo *image_info,ExceptionInfo *exception) MATLAB_KO: ThrowReaderException(CorruptImageError,"ImproperImageHeader"); filepos = TellBlob(image); - while(!EOFBlob(image)) /* object parser loop */ + while(filepos < GetBlobSize(image) && !EOFBlob(image)) /* object parser loop */ { Frames = 1; (void) SeekBlob(image,filepos,SEEK_SET); + if(filepos > GetBlobSize(image) || filepos < 0) + break; /* printf("pos=%X\n",TellBlob(image)); */ MATLAB_HDR.DataType = ReadBlobXXXLong(image); if(EOFBlob(image)) break; MATLAB_HDR.ObjectSize = ReadBlobXXXLong(image); if(EOFBlob(image)) break; + if((MagickSizeType) (MATLAB_HDR.ObjectSize+filepos) >= GetBlobSize(image)) + goto MATLAB_KO; filepos += MATLAB_HDR.ObjectSize + 4 + 4; image2 = image; @@ -1105,6 +1110,7 @@ RestoreMSCWarning { if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(), " MAT cannot read scanrow %u from a file.", (unsigned)(MATLAB_HDR.SizeY-i-1)); + ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile"); goto ExitLoop; } if((CellType==miINT8 || CellType==miUINT8) && (MATLAB_HDR.StructureFlag & FLAG_LOGICAL)) |