retitle 413036 graphicsmagick: Heap overflow in PICT coder.
severity 413036 grave
tags 413036 + patch
tags 413036 + security
thanks
Rectangular coordinates are read from the input file and used to calculate the number of rows and columns to read in. Due to missing validation of the input coordinates, the results can wrap and yield excessive numbers of rows and columns that are inconsistent with other input values, and allow a heap buffer to be overflowed with user-supplied input later on. I haven't analysed it in detail, but this bug could potentially be exploitable. Fix attached.

Daniel.
--- a/coders/pict.c Sun Mar 04 21:10:40 2007 +0100 +++ b/coders/pict.c Mon Mar 05 00:49:54 2007 +0100 @@ -73,6 +73,9 @@ rectangle.left=ReadBlobMSBShort(image); \ rectangle.bottom=ReadBlobMSBShort(image); \ rectangle.right=ReadBlobMSBShort(image); \ + if (rectangle.top > rectangle.bottom || \ + rectangle.left > rectangle.right) \ + ThrowReaderException(CorruptImageError,ImproperImageHeader,image); \ } typedef struct _PICTCode
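Review bot: the new check inside the rectangle-reading macro only rejects inverted rectangles (top > bottom, left > right), so the derived row and column counts can no longer go negative and wrap to a huge value, but a zero-area rectangle (top == bottom or left == right) still passes, and nothing in this hunk bounds the resulting dimensions against the rest of the header; since the report says the wrapped counts were inconsistent with other input values, consider adding that cross-check where the counts are computed, and mention in the changelog that the macro now raises CorruptImageError/ImproperImageHeader on malformed rectangles so callers are aware of the early exit.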
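To illustrate the wrap the report describes, here is an added stand-alone example (not code from GraphicsMagick or from the patch author) that models the rectangle fields as signed shorts, shows the unchecked subtraction becoming a huge unsigned count, and places the patch's inverted-rectangle check beside a hypothetical stricter check that also rejects zero-area rectangles and counts that exceed an assumed caller-supplied payload size:

```c
#include <stdio.h>

/* Assumed model of the coder's rectangle: PICT stores each coordinate as a
 * 16-bit big-endian value, treated here as a signed short. */
typedef struct {
    short top, left, bottom, right;
} Rect;

/* Unchecked form, mirroring the pre-patch arithmetic: the int result of
 * the short subtraction is widened to unsigned long, so an inverted
 * rectangle turns into an enormous row or column count. */
unsigned long unchecked_rows(const Rect *r)    { return (unsigned long)(r->bottom - r->top); }
unsigned long unchecked_columns(const Rect *r) { return (unsigned long)(r->right - r->left); }

/* Checked form. Returns 0 on success, -1 for an inverted rectangle (the
 * patch's check), -2 for a zero-area rectangle, -3 when rows*columns
 * exceeds payload_bytes (hypothetical cross-check against the amount of
 * pixel data the caller actually has; the division avoids overflow). */
int checked_dimensions(const Rect *r, unsigned long payload_bytes,
                       unsigned long *columns, unsigned long *rows)
{
    if (r->top > r->bottom || r->left > r->right)
        return -1;
    *columns = (unsigned long)(r->right - r->left);
    *rows    = (unsigned long)(r->bottom - r->top);
    if (*columns == 0 || *rows == 0)
        return -2;
    if (*rows > payload_bytes / *columns)
        return -3;
    return 0;
}

int main(void)
{
    /* Constructed malformed header: top (100) is below bottom (5). */
    Rect inverted = { 100, 0, 5, 10 };
    unsigned long columns, rows;

    printf("unchecked rows: %lu\n", unchecked_rows(&inverted));   /* wraps */
    printf("checked result: %d\n",
           checked_dimensions(&inverted, 1000, &columns, &rows));  /* -1 */
    return 0;
}
```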