Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / ImageMagick / 7d9f6f1e79127b8f5125bbdf58af9f3779b65b81^! / .
commit7d9f6f1e79127b8f5125bbdf58af9f3779b65b81[log] [tgz]
authorcristy <urban-warrior@git.imagemagick.org>Sun Jul 12 13:13:49 2015 +0000
committercristy <urban-warrior@git.imagemagick.org>Sun Jul 12 13:13:49 2015 +0000
treed1c5513595676215c137293daf6dca6087012d5f
parent84c7c0480de81e8bd5fdb3a836be3a77540083a0 [diff]
diff --git a/MagickCore/cache.c b/MagickCore/cache.c
index e3ab002..58bbb2f 100644
--- a/MagickCore/cache.c
+++ b/MagickCore/cache.c

@@ -480,11 +480,17 @@
   MagickSizeType
     extent;
 
+  size_t
+    quantum;
+
   ssize_t
     count;
 
+  struct stat
+    file_stats;
+
   unsigned char
-    buffer[MagickMaxBufferExtent];
+    *buffer;
 
   /*
     Clone pixel cache on disk with identifcal morphology.
@@ -492,8 +498,14 @@
   if ((OpenPixelCacheOnDisk(cache_info,ReadMode) == MagickFalse) ||
       (OpenPixelCacheOnDisk(clone_info,IOMode) == MagickFalse))
     return(MagickFalse);
+  quantum=(size_t) MagickMaxBufferExtent;
+  if ((fstat(cache_info->file,&file_stats) == 0) && (file_stats.st_size > 0))
+    quantum=(size_t) MagickMin(file_stats.st_size,MagickMaxBufferExtent);
+  buffer=(unsigned char *) AcquireQuantumMemory(quantum,sizeof(*buffer));
+  if (buffer == (unsigned char *) NULL)
+    ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed");
   extent=0;
-  while ((count=read(cache_info->file,buffer,sizeof(buffer))) > 0)
+  while ((count=read(cache_info->file,buffer,quantum)) > 0)
   { 
     ssize_t
       number_bytes;
@@ -503,6 +515,7 @@
       break;
     extent+=number_bytes;
   }
+  buffer=(unsigned char *) RelinquishMagickMemory(buffer);
   if (extent != cache_info->length)
     return(MagickFalse);
   return(MagickTrue);
@@ -4215,16 +4228,24 @@
     y;
 
   size_t
+    number_channels,
     rows;
 
   if (nexus_info->authentic_pixel_cache != MagickFalse)
     return(MagickTrue);
-  offset=(MagickOffsetType) nexus_info->region.y*cache_info->columns+
-    nexus_info->region.x;
-  length=(MagickSizeType) cache_info->number_channels*nexus_info->region.width*
+  offset=(MagickOffsetType) nexus_info->region.y*cache_info->columns;
+  if ((offset/cache_info->columns) != nexus_info->region.y)
+    return(MagickFalse);
+  offset+=nexus_info->region.x;
+  number_channels=cache_info->number_channels;
+  length=(MagickSizeType) number_channels*nexus_info->region.width*
     sizeof(Quantum);
-  extent=length*nexus_info->region.height;
+  if ((length/number_channels/sizeof(Quantum)) != nexus_info->region.width)
+    return(MagickFalse);
   rows=nexus_info->region.height;
+  extent=length*rows;
+  if ((extent == 0) || ((extent/length) != rows))
+    return(MagickFalse);
   y=0;
   q=nexus_info->pixels;
   switch (cache_info->type)