http://hg.code.sf.net/p/graphicsmagick/code/raw-rev/493da54370aa http://openwall.com/lists/oss-security/2017/09/06/4 some changes were made to make the patch apply # HG changeset patch # User Bob Friesenhahn # Date 1503257388 18000 # Node ID 493da54370aa42cb430c52a69eb75db0001a5589 # Parent f8724674907902b7bc37c04f252fe30fbdd88e6f SUN: Verify that file header data length, and file length are sufficient for claimed image dimensions. diff -r f87246749079 -r 493da54370aa coders/sun.c --- a/coders/sun.c Sun Aug 20 12:21:03 2017 +0200 +++ b/coders/sun.c Sun Aug 20 14:29:48 2017 -0500 @@ -498,6 +498,12 @@ if (sun_info.depth < 8) image->depth=sun_info.depth; + if (image_info->ping) + { + CloseBlob(image); + return(image); + } + /* Compute bytes per line and bytes per image for an unencoded image. @@ -522,15 +528,37 @@ if (bytes_per_image > sun_info.length) ThrowReaderException(CorruptImageError,ImproperImageHeader,image); - if (image_info->ping) - { - CloseBlob(image); - return(image); - } if (sun_info.type == RT_ENCODED) sun_data_length=(size_t) sun_info.length; else sun_data_length=bytes_per_image; + + /* + Verify that data length claimed by header is supported by file size + */ + if (sun_info.type == RT_ENCODED) + { + if (sun_data_length < bytes_per_image/255U) + { + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); + } + } + if (BlobIsSeekable(image)) + { + const magick_off_t file_size = GetBlobSize(image); + const magick_off_t current_offset = TellBlob(image); + if ((file_size > 0) && + (current_offset > 0) && + (file_size > current_offset)) + { + const magick_off_t remaining = file_size-current_offset; + if (remaining < (magick_off_t) sun_data_length) + { + ThrowReaderException(CorruptImageError,UnexpectedEndOfFile,image); + } + } + } + sun_data=MagickAllocateMemory(unsigned char *,sun_data_length); if (sun_data == (unsigned char *) NULL) ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);