
List:       graphicsmagick-commit
Subject:    [GM-commit] GraphicsMagick: ReadRLEImage(): Eliminate a unsigned offset over...
From:       GraphicsMagick Commits <graphicsmagick-commit () lists ! sourceforge ! net>
Date:       2023-04-08 23:04:19
Message-ID: mailman.4650.1680995068.1789.graphicsmagick-commit () lists ! sourceforge ! net

changeset f00ee8bb732b in /hg/GraphicsMagick
details: http://hg.GraphicsMagick.org/hg/GraphicsMagick?cmd=changeset;node=f00ee8bb732b
                
summary: ReadRLEImage(): Eliminate an unsigned offset overflow runtime error from UBSAN.

diffstat:

 ChangeLog          |  10 +++++++---
 coders/rle.c       |   4 ++++
 www/Changelog.html |   9 ++++++---
 3 files changed, 17 insertions(+), 6 deletions(-)

diffs (82 lines):

diff -r f462cca796b5 -r f00ee8bb732b ChangeLog
--- a/ChangeLog	Sat Apr 08 14:19:11 2023 -0500
+++ b/ChangeLog	Sat Apr 08 18:04:16 2023 -0500
@@ -1,13 +1,17 @@
 2023-04-08  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
+	* coders/rle.c (ReadRLEImage): Eliminate a unsigned offset
+	overflow runtime error from UBSAN (SourceForge issue #706 test
+	case 'bug5').
+
 	* coders/png.c (WriteOnePNGImage): Address undefined behavior
 	while converting floating point resolution to unsigned integer.
-	(SourceForge issue #706 test case 'bug19');
+	(SourceForge issue #706 test case 'bug19').
 
 	* magick/utility.c (GetGeometry): Improve geometry parser to
 	validate that parsed double values do not underflow or overflow
 	when cast to 'unsigned long' or 'long' types. (SourceForge issue
-	#706 test case 'bug11');
+	#706 test case 'bug11').
 
 	* coders/mpc.c (ReadMPCImage): If an attribute appears multiple
 	times in the MPC header, only set it once.
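
Review bot: The new entry reads "a unsigned offset overflow" where it should read "an unsigned offset overflow", and the same wording is carried into www/Changelog.html. The entry would also be more useful if it stated the behaviour change, namely that ReadRLEImage now throws CorruptImageError when adding the computed offset to rle_pixels would wrap, rather than only naming the UBSAN report it silences.
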
@@ -16,7 +20,7 @@
 	times in the MIFF header, only set it once.
 
 	* magick/attribute.c (SetImageAttribute): Fix bounds issue when
-	concatenating string (SourceForge issue #706 test case 'bug11');
+	concatenating string (SourceForge issue #706 test case 'bug11').
 
 2023-04-02  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
 
diff -r f462cca796b5 -r f00ee8bb732b coders/rle.c
--- a/coders/rle.c	Sat Apr 08 14:19:11 2023 -0500
+++ b/coders/rle.c	Sat Apr 08 18:04:16 2023 -0500
@@ -547,6 +547,8 @@
               }
             offset=(((size_t) \
image->rows-y-1)*image->columns*number_planes)+x*(size_t) number_planes+plane;  \
operand++; +            if ((SIZE_MAX - (size_t) rle_pixels) < offset)
+              ThrowRLEReaderException(CorruptImageError,UnableToRunlengthDecodeImage,image);
  p=rle_pixels+offset;
             for (i=0; i < (unsigned int) operand; i++)
               {
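
Review bot: The added test "(SIZE_MAX - (size_t) rle_pixels) < offset" only rejects an offset that would wrap the address space when added to rle_pixels; it does not establish that p=rle_pixels+offset lands inside the rle_pixels allocation. An offset just under that limit still passes, and the loop over operand then starts from a pointer far outside the buffer unless a check that is not visible in this hunk catches it. Compare offset, plus the extent the loop will cover, against the size of the rle_pixels buffer instead of against SIZE_MAX. If the address comparison is kept, uintptr_t is the type intended for a pointer-to-integer cast.
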
@@ -581,6 +583,8 @@
             (void) ReadBlobByte(image);
             operand++;
             offset=(((size_t) \
image->rows-y-1)*image->columns*number_planes)+x*(size_t) number_planes+plane; +      \
if ((SIZE_MAX - (size_t) rle_pixels) < offset) +              \
ThrowRLEReaderException(CorruptImageError,UnableToRunlengthDecodeImage,image);  \
p=rle_pixels+offset;  for (i=0; i < (unsigned int) operand; i++)
               {
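
Review bot: The check here is a verbatim copy of the one added in the hunk at line 547, and the offset expression above it is duplicated too; moving both into one helper would keep the two decode paths from drifting apart. The multiplications in "(((size_t) image->rows-y-1)*image->columns*number_planes)" remain unchecked, and the cast binds to image->rows only, so a y larger than rows-1 or a large product wraps in size_t before the new comparison sees it, and a wrapped offset can be small enough to pass. Nothing in the visible lines bounds x, y or plane, so validate them against the image geometry before computing offset.
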
diff -r f462cca796b5 -r f00ee8bb732b www/Changelog.html
--- a/www/Changelog.html	Sat Apr 08 14:19:11 2023 -0500
+++ b/www/Changelog.html	Sat Apr 08 18:04:16 2023 -0500
@@ -40,19 +40,22 @@
 <p>2023-04-08  Bob Friesenhahn  &lt;<a class="reference external" \
href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#6 \
4;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>
  <blockquote>
 <ul class="simple">
+<li><p>coders/rle.c (ReadRLEImage): Eliminate a unsigned offset
+overflow runtime error from UBSAN (SourceForge issue #706 test
+case 'bug5').</p></li>
 <li><p>coders/png.c (WriteOnePNGImage): Address undefined behavior
 while converting floating point resolution to unsigned integer.
-(SourceForge issue #706 test case 'bug19');</p></li>
+(SourceForge issue #706 test case 'bug19').</p></li>
 <li><p>magick/utility.c (GetGeometry): Improve geometry parser to
 validate that parsed double values do not underflow or overflow
 when cast to 'unsigned long' or 'long' types. (SourceForge issue
-#706 test case 'bug11');</p></li>
+#706 test case 'bug11').</p></li>
 <li><p>coders/mpc.c (ReadMPCImage): If an attribute appears multiple
 times in the MPC header, only set it once.</p></li>
 <li><p>coders/miff.c (ReadMIFFImage): If an attribute appears multiple
 times in the MIFF header, only set it once.</p></li>
 <li><p>magick/attribute.c (SetImageAttribute): Fix bounds issue when
-concatenating string (SourceForge issue #706 test case 'bug11');</p></li>
+concatenating string (SourceForge issue #706 test case 'bug11').</p></li>
 </ul>
 </blockquote>
 <p>2023-04-02  Bob Friesenhahn  &lt;<a class="reference external" \
href="mailto:bfriesen&#37;&#52;&#48;simple&#46;dallas&#46;tx&#46;us">bfriesen<span>&#6 \
4;</span>simple<span>&#46;</span>dallas<span>&#46;</span>tx<span>&#46;</span>us</a>&gt;</p>



_______________________________________________
Graphicsmagick-commit mailing list
Graphicsmagick-commit@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/graphicsmagick-commit

