summaryrefslogtreecommitdiff
path: root/coders/mpc.c
diff options
context:
space:
mode:
authorbackto.kim <backto.kim@samsung.com>2021-12-06 13:15:35 +0900
committerbackto.kim <backto.kim@samsung.com>2021-12-06 13:20:13 +0900
commitcdc6b7097f011782b30d005f812fb288fd367f34 (patch)
tree8d30d3c93ddcb33e00dd45281620c278598f18e1 /coders/mpc.c
parent332002e6f4d7ce48ea4eeb55b59d84c64ad79f0b (diff)
downloadGraphicsMagick-cdc6b7097f011782b30d005f812fb288fd367f34.tar.gz
GraphicsMagick-cdc6b7097f011782b30d005f812fb288fd367f34.tar.bz2
GraphicsMagick-cdc6b7097f011782b30d005f812fb288fd367f34.zip
Imported Upstream version 1.3.36upstream/1.3.36
Change-Id: I0a995e609889f9b2d75340bcda6a6294ac41803a
Diffstat (limited to 'coders/mpc.c')
-rw-r--r--coders/mpc.c93
1 files changed, 66 insertions, 27 deletions
diff --git a/coders/mpc.c b/coders/mpc.c
index e486b90..2b770eb 100644
--- a/coders/mpc.c
+++ b/coders/mpc.c
@@ -128,21 +128,24 @@ static MagickBool IsMPC(const unsigned char *magick,const size_t length)
#define ThrowMPCReaderException(code_,reason_,image_) \
do { \
- MagickFreeMemory(comment); \
- MagickFreeMemory(values); \
+ MagickFreeResourceLimitedMemory(comment); \
+ MagickFreeResourceLimitedMemory(values); \
if (number_of_profiles > 0) \
{ \
unsigned int _index; \
for (_index=0; _index < number_of_profiles; _index++) \
{ \
MagickFreeMemory(profiles[_index].name); \
- MagickFreeMemory(profiles[_index].info); \
+ MagickFreeResourceLimitedMemory(profiles[_index].info); \
} \
- MagickFreeMemory(profiles); \
+ MagickFreeResourceLimitedMemory(profiles); \
number_of_profiles=0; \
} \
ThrowReaderException(code_,reason_,image_); \
} while (0);
+
+#define ReadMPCMaxKeyWordCount 256 /* Arbitrary limit on number of keywords in MPC frame */
+
static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
char
@@ -259,7 +262,7 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
Read comment-- any text between { }.
*/
comment_length=MaxTextExtent;
- comment=MagickAllocateMemory(char *,comment_length);
+ comment=MagickAllocateResourceLimitedMemory(char *,comment_length);
if (comment == (char *) NULL)
ThrowMPCReaderException(ResourceLimitError,MemoryAllocationFailed,
image);
@@ -271,11 +274,18 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
break;
if ((size_t) (p-comment+1) >= comment_length)
{
+ char
+ *new_comment;
+
*p='\0';
comment_length<<=1;
- MagickReallocMemory(char *,comment,comment_length);
- if (comment == (char *) NULL)
- break;
+ new_comment=MagickReallocateResourceLimitedMemory(char *,comment,comment_length);
+ if (new_comment == (char *) NULL)
+ {
+ MagickFreeResourceLimitedMemory(comment);
+ break;
+ }
+ comment=new_comment;
p=comment+strlen(comment);
}
*p=c;
@@ -286,7 +296,7 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
*p='\0';
(void) SetImageAttribute(image,"comment",comment);
comment_count++;
- MagickFreeMemory(comment);
+ MagickFreeResourceLimitedMemory(comment);
c=ReadBlobByte(image);
}
else
@@ -332,7 +342,7 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
spaces and/or new-lines must be surrounded by braces.
*/
values_length=MaxTextExtent;
- values=MagickAllocateMemory(char *,values_length);
+ values=MagickAllocateResourceLimitedMemory(char *,values_length);
if (values == (char *) NULL)
ThrowMPCReaderException(ResourceLimitError,MemoryAllocationFailed,image);
values[0]='\0';
@@ -347,11 +357,18 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
if ((size_t) (p-values+1) >= values_length)
{
+ char
+ *new_values;
+
*p='\0';
values_length<<=1;
- MagickReallocMemory(char *,values,values_length);
- if (values == (char *) NULL)
- break;
+ new_values=MagickReallocateResourceLimitedMemory(char *,values,values_length);
+ if (new_values == (char *) NULL)
+ {
+ MagickFreeResourceLimitedMemory(values);
+ break;
+ }
+ values=new_values;
p=values+strlen(values);
}
if (values == (char *) NULL)
@@ -376,6 +393,16 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
ThrowMPCReaderException(CorruptImageError,ImproperImageHeader,image);
}
/*
+ Arbitrarily limit the number of header keywords to avoid DOS attempts.
+ */
+ if (keyword_count > ReadMPCMaxKeyWordCount)
+ {
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ "Excessive key word count %u"
+ " (Denial of service attempt?)",keyword_count);
+ ThrowMPCReaderException(CorruptImageError,ImproperImageHeader,image);
+ }
+ /*
Assign a value to the specified keyword.
*/
switch (*keyword)
@@ -628,13 +655,25 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
}
if (LocaleNCompare(keyword,"profile-",8) == 0)
{
+ ProfileInfo
+ *new_profiles;
+
i=(long) number_of_profiles;
- MagickReallocMemory(ProfileInfo *,profiles,MagickArraySize((size_t) i+1,sizeof(ProfileInfo)));
- if (profiles == (ProfileInfo *) NULL)
+
+ new_profiles=MagickReallocateResourceLimitedArray(ProfileInfo *,profiles,
+ (size_t) i+1,sizeof(ProfileInfo));
+ if (new_profiles == (ProfileInfo *) NULL)
{
- MagickFreeMemory(values);
+ for (i=0; i < number_of_profiles; i++)
+ {
+ MagickFreeMemory(profiles[i].name);
+ MagickFreeResourceLimitedMemory(profiles[i].info);
+ }
+ MagickFreeResourceLimitedMemory(profiles);
+ MagickFreeResourceLimitedMemory(values);
ThrowMPCReaderException(ResourceLimitError,MemoryAllocationFailed,image);
}
+ profiles=new_profiles;
profiles[i].name=AllocateString(keyword+8);
profiles[i].length=MagickAtoL(values);
profiles[i].info=(unsigned char *) NULL;
@@ -748,7 +787,7 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
break;
}
}
- MagickFreeMemory(values);
+ MagickFreeResourceLimitedMemory(values);
}
else
{
@@ -831,15 +870,15 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
(magick_off_t) profiles[i].length) ||
(profiles[i].length < 15*1024*1024)))
{
- profiles[i].info=MagickAllocateMemory(unsigned char *,profiles[i].length);
+ profiles[i].info=MagickAllocateResourceLimitedMemory(unsigned char *,profiles[i].length);
if (profiles[i].info == (unsigned char *) NULL)
- ThrowMPCReaderException(CorruptImageError,UnableToReadGenericProfile,
+ ThrowMPCReaderException(ResourceLimitError,MemoryAllocationFailed,
image);
if (ReadBlob(image,profiles[i].length,profiles[i].info)
!= profiles[i].length)
ThrowMPCReaderException(CorruptImageError,
- UnexpectedEndOfFile,
- image);
+ UnexpectedEndOfFile,
+ image);
(void) SetImageProfile(image,profiles[i].name,profiles[i].info,profiles[i].length);
}
else
@@ -852,9 +891,9 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
}
}
MagickFreeMemory(profiles[i].name);
- MagickFreeMemory(profiles[i].info);
+ MagickFreeResourceLimitedMemory(profiles[i].info);
}
- MagickFreeMemory(profiles);
+ MagickFreeResourceLimitedMemory(profiles);
number_of_profiles=0;
}
@@ -886,7 +925,7 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
Read image colormap from file.
*/
packet_size=image->depth > 8 ? 6 : 3;
- colormap=MagickAllocateArray(unsigned char *,packet_size,image->colors);
+ colormap=MagickAllocateResourceLimitedArray(unsigned char *,packet_size,image->colors);
if (colormap == (unsigned char *) NULL)
ThrowMPCReaderException(ResourceLimitError,MemoryAllocationFailed,
image);
@@ -909,7 +948,7 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
image->colormap[i].blue=(*p++ << 8);
image->colormap[i].blue|=(*p++);
}
- MagickFreeMemory(colormap);
+ MagickFreeResourceLimitedMemory(colormap);
}
}
if (EOFBlob(image))
@@ -1391,7 +1430,7 @@ static MagickPassFail WriteMPCImage(const ImageInfo *image_info,Image *image)
Allocate colormap.
*/
packet_size=image->depth > 8 ? 6 : 3;
- colormap=MagickAllocateArray(unsigned char *,packet_size,image->colors);
+ colormap=MagickAllocateResourceLimitedArray(unsigned char *,packet_size,image->colors);
if (colormap == (unsigned char *) NULL)
return(MagickFail);
/*
@@ -1419,7 +1458,7 @@ static MagickPassFail WriteMPCImage(const ImageInfo *image_info,Image *image)
#endif /* QuantumDepth > 8 */
(void) WriteBlob(image, (size_t) packet_size*image->colors,colormap);
- MagickFreeMemory(colormap);
+ MagickFreeResourceLimitedMemory(colormap);
}
/*
Initialize persistent pixel cache.
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-22 14:56:24 +0000