Commit 0e142329 authored by Paul Eggert

Minor ImageMagick safety fixes.

* image.c (imagemagick_compute_animated_image):
Remove useless assignment to local.  Avoid problems if dest_width is 0.
(imagemagick_load_image): Use int for pixel counts that can't
exceed INT_MAX.  Avoid problem if PixelGetNextIteratorRow returns
a row width greater than the image width (or greater than LONG_MAX!).
parent 2c578850
2014-07-07 Paul Eggert <eggert@cs.ucla.edu>
Minor ImageMagick safety fixes.
* image.c (imagemagick_compute_animated_image):
Remove useless assignment to local. Avoid problems if dest_width is 0.
(imagemagick_load_image): Use int for pixel counts that can't
exceed INT_MAX. Avoid problem if PixelGetNextIteratorRow returns
a row width greater than the image width (or greater than LONG_MAX!).
2014-07-04 K. Handa <handa@gnu.org> 2014-07-04 K. Handa <handa@gnu.org>
* coding.c (MIN_CHARBUF_SIZE): Delete it. * coding.c (MIN_CHARBUF_SIZE): Delete it.
......
...@@ -8059,7 +8059,6 @@ imagemagick_compute_animated_image (MagickWand *super_wand, int ino) ...@@ -8059,7 +8059,6 @@ imagemagick_compute_animated_image (MagickWand *super_wand, int ino)
else else
composite_wand = cache->wand; composite_wand = cache->wand;
dest_width = MagickGetImageWidth (composite_wand);
dest_height = MagickGetImageHeight (composite_wand); dest_height = MagickGetImageHeight (composite_wand);
for (i = max (1, cache->index + 1); i <= ino; i++) for (i = max (1, cache->index + 1); i <= ino; i++)
...@@ -8128,13 +8127,12 @@ imagemagick_compute_animated_image (MagickWand *super_wand, int ino) ...@@ -8128,13 +8127,12 @@ imagemagick_compute_animated_image (MagickWand *super_wand, int ino)
{ {
/* Sanity check. This shouldn't happen, but apparently /* Sanity check. This shouldn't happen, but apparently
also does in some pictures. */ also does in some pictures. */
if (x + source_left > dest_width - 1) if (x + source_left >= dest_width)
break; break;
/* Normally we only copy over non-transparent pixels, /* Normally we only copy over non-transparent pixels,
but if the disposal method is "Background", then we but if the disposal method is "Background", then we
copy over all pixels. */ copy over all pixels. */
if (dispose == BackgroundDispose || if (dispose == BackgroundDispose || PixelGetAlpha (source[x]))
PixelGetAlpha (source[x]))
{ {
PixelGetMagickColor (source[x], &pixel); PixelGetMagickColor (source[x], &pixel);
PixelSetMagickColor (dest[x + source_left], &pixel); PixelSetMagickColor (dest[x + source_left], &pixel);
...@@ -8174,7 +8172,8 @@ imagemagick_load_image (struct frame *f, struct image *img, ...@@ -8174,7 +8172,8 @@ imagemagick_load_image (struct frame *f, struct image *img,
unsigned char *contents, unsigned int size, unsigned char *contents, unsigned int size,
char *filename) char *filename)
{ {
size_t width, height; int width, height;
size_t image_width, image_height;
MagickBooleanType status; MagickBooleanType status;
XImagePtr ximg; XImagePtr ximg;
int x, y; int x, y;
...@@ -8344,16 +8343,19 @@ imagemagick_load_image (struct frame *f, struct image *img, ...@@ -8344,16 +8343,19 @@ imagemagick_load_image (struct frame *f, struct image *img,
/* Finally we are done manipulating the image. Figure out the /* Finally we are done manipulating the image. Figure out the
resulting width/height and transfer ownership to Emacs. */ resulting width/height and transfer ownership to Emacs. */
height = MagickGetImageHeight (image_wand); image_height = MagickGetImageHeight (image_wand);
width = MagickGetImageWidth (image_wand); image_width = MagickGetImageWidth (image_wand);
if (! (width <= INT_MAX && height <= INT_MAX if (! (image_width <= INT_MAX && image_height <= INT_MAX
&& check_image_size (f, width, height))) && check_image_size (f, image_width, image_height)))
{ {
image_error ("Invalid image size (see `max-image-size')", Qnil, Qnil); image_error ("Invalid image size (see `max-image-size')", Qnil, Qnil);
goto imagemagick_error; goto imagemagick_error;
} }
width = image_width;
height = image_height;
/* We can now get a valid pixel buffer from the imagemagick file, if all /* We can now get a valid pixel buffer from the imagemagick file, if all
went ok. */ went ok. */
...@@ -8438,10 +8440,12 @@ imagemagick_load_image (struct frame *f, struct image *img, ...@@ -8438,10 +8440,12 @@ imagemagick_load_image (struct frame *f, struct image *img,
image_height = MagickGetImageHeight (image_wand); image_height = MagickGetImageHeight (image_wand);
for (y = 0; y < image_height; y++) for (y = 0; y < image_height; y++)
{ {
pixels = PixelGetNextIteratorRow (iterator, &width); size_t row_width;
pixels = PixelGetNextIteratorRow (iterator, &row_width);
if (! pixels) if (! pixels)
break; break;
for (x = 0; x < (long) width; x++) int xlim = min (row_width, width);
for (x = 0; x < xlim; x++)
{ {
PixelGetMagickColor (pixels[x], &pixel); PixelGetMagickColor (pixels[x], &pixel);
XPutPixel (ximg, x, y, XPutPixel (ximg, x, y,
......
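Review bot: The row loop in the last hunk of imagemagick_load_image still runs to the freshly queried `image_height` rather than the validated `height`, so this change clamps only the x coordinate passed to `XPutPixel`. If ximg is sized from `width` and `height` (its allocation is outside the visible hunks, so this is inferred), bounding the rows the same way with `for (y = 0; y < height; y++)` would keep both coordinates inside the checked dimensions. `min (row_width, width)` also appears to compare in `size_t`, so it is only correct because `width` is non-negative at this point; a comment such as `/* width is in [0, INT_MAX] here, so the minimum fits in int. */` would record that. The inner loop body continues past the end of the hunk.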