diff --git a/coders/dib.c b/coders/dib.c
index 9d735a4..1d713a1 100644
--- a/coders/dib.c
+++ b/coders/dib.c
@@ -514,6 +514,10 @@
dib_info.y_pixels=ReadBlobLSBLong(image);
dib_info.number_colors=ReadBlobLSBLong(image);
dib_info.colors_important=ReadBlobLSBLong(image);
+ if ((dib_info.bits_per_pixel != 1) && (dib_info.bits_per_pixel != 4) &&
+ (dib_info.bits_per_pixel != 8) && (dib_info.bits_per_pixel != 16) &&
+ (dib_info.bits_per_pixel != 24) && (dib_info.bits_per_pixel != 32))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if ((dib_info.compression == BI_BITFIELDS) &&
((dib_info.bits_per_pixel == 16) || (dib_info.bits_per_pixel == 32)))
{
@@ -521,6 +525,8 @@
dib_info.green_mask=ReadBlobLSBLong(image);
dib_info.blue_mask=ReadBlobLSBLong(image);
}
+ if (EOFBlob(image) != MagickFalse)
+ ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
if (dib_info.width <= 0)
ThrowReaderException(CorruptImageError,"NegativeOrZeroImageSize");
if (dib_info.height == 0)
@@ -559,6 +565,8 @@
image->depth=8;
image->alpha_trait=dib_info.bits_per_pixel == 32 ? BlendPixelTrait :
UndefinedPixelTrait;
+ if ((dib_info.number_colors > 256) || (dib_info.colors_important > 256))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if ((dib_info.number_colors != 0) || (dib_info.bits_per_pixel < 16))
{
size_t
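Review bot: The literal 256 in the new `number_colors`/`colors_important` check is unexplained, and the check runs for every bit depth, including 16, 24 and 32. A short comment above it would record the reasoning, e.g. `/* A DIB palette is indexed by at most 8 bits, so more than 256 entries means a corrupt header. */`. For depths below 16 the bound could presumably be tightened to `1UL << dib_info.bits_per_pixel`, though this hunk does not show whether existing files rely on the looser limit. The colormap block that opens on the following lines continues outside the hunk.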
@@ -1167,7 +1175,7 @@
unsigned short
word;
/*
- Convert PseudoClass packet to DIB pixel.
+ Convert PseudoClass packet to DIB pixel.
*/
for (y=0; y < (ssize_t) image->rows; y++)
{
diff --git a/coders/gif.c b/coders/gif.c
index bd2ccaa..dc36af6 100644
--- a/coders/gif.c
+++ b/coders/gif.c
@@ -1668,6 +1668,9 @@
}
if (LocaleCompare(write_info->magick,"GIF87") != 0)
{
+ const char
+ *value;
+
/*
Write graphics control extension.
*/
@@ -1684,12 +1687,10 @@
(void) WriteBlobByte(image,(unsigned char) (opacity >= 0 ? opacity :
0));
(void) WriteBlobByte(image,(unsigned char) 0x00);
+ value=GetImageProperty(image,"comment",exception);
if ((LocaleCompare(write_info->magick,"GIF87") != 0) &&
- (GetImageProperty(image,"comment",exception) != (const char *) NULL))
+ (value != (const char *) NULL))
{
- const char
- *value;
-
register const char
*p;
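Review bot: The `LocaleCompare(write_info->magick,"GIF87") != 0` test kept in the rewritten condition looks redundant. `value` is declared in the block opened by that same test in the previous hunk, so this code is only reached when the test has already passed. The condition could be reduced to `if (value != (const char *) NULL)`. The comment-extension block continues in the next hunk.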
@@ -1701,7 +1702,6 @@
*/
(void) WriteBlobByte(image,(unsigned char) 0x21);
(void) WriteBlobByte(image,(unsigned char) 0xfe);
- value=GetImageProperty(image,"comment",exception);
for (p=value; *p != '\0'; )
{
count=MagickMin(strlen(p),255);
diff --git a/coders/pdb.c b/coders/pdb.c
index 75224a9..2a63a0a 100644
--- a/coders/pdb.c
+++ b/coders/pdb.c
@@ -330,7 +330,9 @@
/*
Determine if this a PDB image file.
*/
- count=ReadBlob(image,32,(unsigned char *) pdb_info.name);
+ count=ReadBlob(image,sizeof(pdb_info.name),(unsigned char *) pdb_info.name);
+ if (count != sizeof(pdb_info.name))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
pdb_info.attributes=(short) ReadBlobMSBShort(image);
pdb_info.version=(short) ReadBlobMSBShort(image);
pdb_info.create_time=ReadBlobMSBLong(image);
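Review bot: `count != sizeof(pdb_info.name)` compares the ReadBlob result with a `size_t`, so the comparison is mixed-sign if `count` is `ssize_t` (it is declared outside the hunk, so this is presumed). A failed read is still rejected, because -1 converts to a large unsigned value, but an explicit cast states the intent and avoids sign-compare warnings: `if (count != (ssize_t) sizeof(pdb_info.name))`. The same applies to the `pdb_image.name` check in the next hunk. In the visible lines, the header fields read after the name are still consumed without an end-of-file check.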
@@ -371,7 +373,9 @@
/*
Read image header.
*/
- count=ReadBlob(image,32,(unsigned char *) pdb_image.name);
+ count=ReadBlob(image,sizeof(pdb_image.name),(unsigned char *) pdb_image.name);
+ if (count != sizeof(pdb_image.name))
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
pdb_image.version=ReadBlobByte(image);
pdb_image.type=(unsigned char) ((int) ReadBlobByte(image));
pdb_image.reserved_1=ReadBlobMSBLong(image);
@@ -759,8 +763,9 @@
} else {
bits_per_pixel=4;
}
- (void) ResetMagickMemory(pdb_info.name,0,32);
- (void) CopyMagickString(pdb_info.name,image_info->filename,32);
+ (void) ResetMagickMemory(&pdb_info.name,0,sizeof(pdb_info));
+ (void) CopyMagickString(pdb_info.name,image_info->filename,
+ sizeof(pdb_info.name));
pdb_info.attributes=0;
pdb_info.version=0;
pdb_info.create_time=time(NULL);
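Review bot: The new `ResetMagickMemory(&pdb_info.name,0,sizeof(pdb_info))` pairs the address of one member with the size of the whole struct. That is only in bounds if `name` is the first member of `pdb_info` (the struct definition is not in this hunk); otherwise it writes past the end of the local variable. Make the pointer and length agree: `(void) ResetMagickMemory(&pdb_info,0,sizeof(pdb_info));` to clear the whole header, or `(void) ResetMagickMemory(pdb_info.name,0,sizeof(pdb_info.name));` to clear only the name.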
@@ -775,7 +780,7 @@
pdb_info.next_record=0;
comment=GetImageProperty(image,"comment",exception);
pdb_info.number_records=(comment == (const char *) NULL ? 1 : 2);
- (void) WriteBlob(image,32,(unsigned char *) pdb_info.name);
+ (void) WriteBlob(image,sizeof(pdb_info.name),(unsigned char *) pdb_info.name);
(void) WriteBlobMSBShort(image,(unsigned short) pdb_info.attributes);
(void) WriteBlobMSBShort(image,(unsigned short) pdb_info.version);
(void) WriteBlobMSBLong(image,(unsigned int) pdb_info.create_time);
@@ -789,7 +794,7 @@
(void) WriteBlobMSBLong(image,(unsigned int) pdb_info.seed);
(void) WriteBlobMSBLong(image,(unsigned int) pdb_info.next_record);
(void) WriteBlobMSBShort(image,(unsigned short) pdb_info.number_records);
- (void) CopyMagickString(pdb_image.name,pdb_info.name,32);
+ (void) CopyMagickString(pdb_image.name,pdb_info.name,sizeof(pdb_image.name));
pdb_image.version=1; /* RLE Compressed */
switch (bits_per_pixel)
{
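Review bot: `CopyMagickString` fills `pdb_image.name` only up to the terminating NUL, yet the last hunk of this file writes all `sizeof(pdb_image.name)` bytes to the output blob. Unless `pdb_image` is cleared somewhere outside the visible lines, the bytes after the terminator are uninitialised stack memory that ends up in the written file. Clearing the struct before the copy closes that: `(void) ResetMagickMemory(&pdb_image,0,sizeof(pdb_image));`. The switch that follows continues outside the hunk.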
@@ -921,7 +926,8 @@
/*
Write the Image data.
*/
- (void) WriteBlob(image,32,(unsigned char *) pdb_image.name);
+ (void) WriteBlob(image,sizeof(pdb_image.name),(unsigned char *)
+ pdb_image.name);
(void) WriteBlobByte(image,(unsigned char) pdb_image.version);
(void) WriteBlobByte(image,pdb_image.type);
(void) WriteBlobMSBLong(image,(unsigned int) pdb_image.reserved_1);