...
diff --git a/coders/sfw.c b/coders/sfw.c
index f9a1402..5f526e5 100644
--- a/coders/sfw.c
+++ b/coders/sfw.c
@@ -252,6 +252,8 @@
*/
if (GetBlobSize(image) != (size_t) GetBlobSize(image))
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ if (GetBlobSize(image) < 141)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
buffer=(unsigned char *) AcquireQuantumMemory((size_t) GetBlobSize(image)+
MagickPathExtent,sizeof(*buffer));
if (buffer == (unsigned char *) NULL)
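Review bot: The new guard `if (GetBlobSize(image) < 141)` uses a bare literal, and the second hunk tests `header+140` against the buffer end without saying how the two numbers relate. Nothing visible here names the structure that needs 141 bytes, so a later edit to one check can drift from the other unnoticed. A shared named constant and a comment such as `/* blob must be large enough for the fixed-size data read after the marker; keep in sync with the header bound below */` would make the intent reviewable. The exact meaning needs confirming against the parsing code, which lies outside this hunk along with the rest of the reader function.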
@@ -269,7 +271,8 @@
*/
header=SFWScan(buffer,buffer+count-1,(const unsigned char *)
"\377\310\377\320",4);
- if (header == (unsigned char *) NULL)
+ if ((header == (unsigned char *) NULL) ||
+ ((header+140) > (buffer+GetBlobSize(image))))
{
buffer=(unsigned char *) RelinquishMagickMemory(buffer);
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
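Review bot: The added bound `(header+140) > (buffer+GetBlobSize(image))` measures against the declared blob size, while the `SFWScan` call just above limits its search to `buffer+count-1`, the bytes actually read. If `count` can be smaller than `GetBlobSize(image)` (the read and any check on its result are outside this hunk), the 140 bytes after `header` could include allocated but never-filled memory. Bounding by the quantity the scan uses, written as a remaining-length comparison, closes that gap and avoids forming a pointer past the data: `((buffer+count-header) < 140))`. The enclosing reader function begins and ends outside the hunk.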