Medium severity6.5NVD Advisory· Published Mar 2, 2017· Updated May 13, 2026
CVE-2016-10060
CVE-2016-10060
Description
ImageMagick before 7.0.1-10 crashes when processing a crafted file due to unchecked fputc return value in ConcatenateImages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ImageMagick before 7.0.1-10 crashes when processing a crafted file due to unchecked fputc return value in ConcatenateImages.
Vulnerability
The ConcatenateImages function in MagickWand/magick-cli.c in ImageMagick before version 7.0.1-10 does not check the return value of the fputc function when writing concatenated image data to an output file. This oversight allows a remote attacker to cause a denial of service (application crash) by providing a specially crafted file that triggers a write failure. The affected versions are all prior to 7.0.1-10. [2][3]
Exploitation
An attacker can exploit this vulnerability by delivering a crafted image file to a user or service that processes it with ImageMagick's convert or similar command that invokes the ConcatenateImages code path. No authentication is required; the attacker only needs to convince the target to open the file. The crash occurs when fputc fails (e.g., due to disk full or other I/O error) and the return value is not checked, leading to undefined behavior or a crash. [2][3]
Impact
Successful exploitation results in a denial of service (application crash). The vulnerability does not allow arbitrary code execution or information disclosure; the impact is limited to availability. The crash can be triggered repeatedly, causing service disruption. [4]
Mitigation
The fix was implemented in commit 933e96f01a8c889c7bf5ffd30020e86a02a046e7, which adds a status variable to check the return of fputc and returns MagickFalse on failure. Users should upgrade to ImageMagick version 7.0.1-10 or later. Red Hat has rated this issue as Low severity and does not plan to address it in their updates. [3][4]
References
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
16cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:*range: <6.9.4-1
- (no CPE)range: <7.0.1-10
- osv-coords14 versionspkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP1pkg:rpm/suse/ImageMagick&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012%20SP2
< 6.8.8.1-59.1+ 13 more
- (no CPE)range: < 6.8.8.1-59.1
- (no CPE)range: < 6.8.8.1-59.1
- (no CPE)range: < 6.4.3.6-7.65.1
- (no CPE)range: < 6.8.8.1-59.1
- (no CPE)range: < 6.8.8.1-59.1
- (no CPE)range: < 6.8.8.1-59.1
- (no CPE)range: < 6.4.3.6-7.65.1
- (no CPE)range: < 6.8.8.1-59.1
- (no CPE)range: < 6.8.8.1-59.1
- (no CPE)range: < 6.4.3.6-7.65.1
- (no CPE)range: < 6.8.8.1-59.1
- (no CPE)range: < 6.8.8.1-59.1
- (no CPE)range: < 6.8.8.1-59.1
- (no CPE)range: < 6.8.8.1-59.1
Patches
231 file changed · +1 −1
ChangeLog+1 −1 modified@@ -1,5 +1,5 @@ 2016-06-05 7.0.1-10 Cristy <quetzlzacatenango@image...> - * Release ImageMagick version 7.0.1-10, GIT revision 18396:7590421:20160606. + * Release ImageMagick version 7.0.1-10, GIT revision 18406:ba4ad2d:20160607. 2016-06-04 7.0.1-10 Cristy <quetzlzacatenango@image...> * Deny indirect reads by policy, remove policy to permit, e.g.,
933e96f01a8chttps://github.com/ImageMagick/ImageMagick/issues/196
1 file changed · +19 −14
MagickWand/magick-cli.c+19 −14 modified@@ -636,12 +636,15 @@ static void MagickUsage(MagickBooleanType verbose) however the last argument provides the output filename. */ static MagickBooleanType ConcatenateImages(int argc,char **argv, - ExceptionInfo *exception ) + ExceptionInfo *exception ) { FILE *input, *output; + MagickBooleanType + status; + int c; @@ -650,29 +653,31 @@ static MagickBooleanType ConcatenateImages(int argc,char **argv, if (ExpandFilenames(&argc,&argv) == MagickFalse) ThrowFileException(exception,ResourceLimitError,"MemoryAllocationFailed", - GetExceptionMessage(errno)); - + GetExceptionMessage(errno)); output=fopen_utf8(argv[argc-1],"wb"); - if (output == (FILE *) NULL) { - ThrowFileException(exception,FileOpenError,"UnableToOpenFile",argv[argc-1]); - return(MagickFalse); - } - for (i=2; i < (ssize_t) (argc-1); i++) { -#if 0 - fprintf(stderr, "DEBUG: Concatenate Image: \"%s\"\n", argv[i]); -#endif + if (output == (FILE *) NULL) + { + ThrowFileException(exception,FileOpenError,"UnableToOpenFile", + argv[argc-1]); + return(MagickFalse); + } + status=MagickTrue; + for (i=2; i < (ssize_t) (argc-1); i++) + { input=fopen_utf8(argv[i],"rb"); - if (input == (FILE *) NULL) { + if (input == (FILE *) NULL) + { ThrowFileException(exception,FileOpenError,"UnableToOpenFile",argv[i]); continue; } for (c=fgetc(input); c != EOF; c=fgetc(input)) - (void) fputc((char) c,output); + if (fputc((char) c,output) != c) + status=MagickFalse; (void) fclose(input); (void) remove_utf8(argv[i]); } (void) fclose(output); - return(MagickTrue); + return(status); } WandExport MagickBooleanType MagickImageCommand(ImageInfo *image_info,int argc,
1 file changed · +3 −0
ChangeLog+3 −0 modified@@ -1,3 +1,6 @@ +2016-05-09 6.9.4-1 Cristy <quetzlzacatenango@image...> + * Release ImageMagick version 6.9.4-1, GIT revision 10755:d540dda:20160509. + 2016-05-07 6.9.4-1 Cristy <quetzlzacatenango@image...> * Remove https delegate.
56d6e20de489Prevent fault in MSL interpreter
2 files changed · +4 −0
ChangeLog+2 −0 modified@@ -1,6 +1,8 @@ 2016-11-01 6.9.6-4 Cristy <quetzlzacatenango@image...> * Off by one memory allocation (reference https://github.com/ImageMagick/ImageMagick/issues/296). + * Prevent fault in MSL interpreter (reference + https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30797). 2016-10-30 6.9.6-3 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.6-3, GIT revision 11117:e857a26:20161030.
coders/msl.c+2 −0 modified@@ -4999,6 +4999,8 @@ static void MSLStartElement(void *context,const xmlChar *tag, Image *image; + if (value == (char *) NULL) + break; (void) CopyMagickString(msl_info->image_info[n]->filename, value,MaxTextExtent); image=ReadImage(msl_info->image_info[n],exception);
4ec444f4eab8Fixed memory leak.
1 file changed · +2 −0
coders/psd.c+2 −0 modified@@ -1719,6 +1719,8 @@ ModuleExport MagickBooleanType ReadPSDLayers(Image *image, if (image->debug != MagickFalse) (void) LogMagickEvent(CoderEvent,GetMagickModule(), " layer data is empty"); + if (layer_info[i].info != (StringInfo *) NULL) + layer_info[i].info=DestroyStringInfo(layer_info[i].info); continue; }
f983dcdf9c17Fix TIFF divide by zero (bug report from Donghai Zhu)
2 files changed · +5 −3
ChangeLog+2 −2 modified@@ -3,8 +3,8 @@ pwchen&rayzhong of tencent). * Fix MSVG regression (reference https://github.com/ImageMagick/ImageMagick/issues/252). - * Prevent buffer overflow in SIXEL, PDB, MAP, and CALS coders (bug report - from Donghai Zhu). + * Prevent buffer overflow and other problems in SIXEL, PDB, MAP, TIFF, and + CALS coders (bug report from Donghai Zhu). 2016-08-14 6.9.5-7 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.5-7, GIT revision 10993:7d2fd25:20160814.
coders/tiff.c+3 −1 modified@@ -3469,7 +3469,9 @@ static MagickBooleanType WriteTIFFImage(const ImageInfo *image_info, if ((image_info->interlace == PlaneInterlace) || (image_info->interlace == PartitionInterlace)) (void) TIFFSetField(tiff,TIFFTAG_PLANARCONFIG,PLANARCONFIG_SEPARATE); - rows_per_strip=TIFFDefaultStripSize(tiff,0); + rows_per_strip=1; + if (TIFFScanlineSize(tiff) != 0) + rows_per_strip=TIFFDefaultStripSize(tiff,0); option=GetImageOption(image_info,"tiff:rows-per-strip"); if (option != (const char *) NULL) rows_per_strip=(size_t) strtol(option,(char **) NULL,10);
10b3823a7619Prevent buffer overflow in SIXEL, PDB, MAP, and CALS coders (bug report from Donghai Zhu)
5 files changed · +27 −23
ChangeLog+2 −0 modified@@ -3,6 +3,8 @@ pwchen&rayzhong of tencent). * Fix MSVG regression (reference https://github.com/ImageMagick/ImageMagick/issues/252). + * Prevent buffer overflow in SIXEL, PDB, MAP, and CALS coders (bug report + from Donghai Zhu). 2016-08-14 6.9.5-7 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.5-7, GIT revision 10993:7d2fd25:20160814.
coders/map.c+11 −10 modified@@ -401,22 +401,23 @@ static MagickBooleanType WriteMAPImage(const ImageInfo *image_info,Image *image) Write colormap to file. */ q=colormap; - if (image->depth <= 8) + q=colormap; + if (image->colors <= 256) for (i=0; i < (ssize_t) image->colors; i++) { - *q++=(unsigned char) image->colormap[i].red; - *q++=(unsigned char) image->colormap[i].green; - *q++=(unsigned char) image->colormap[i].blue; + *q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].red); + *q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].green); + *q++=(unsigned char) ScaleQuantumToChar(image->colormap[i].blue); } else for (i=0; i < (ssize_t) image->colors; i++) { - *q++=(unsigned char) ((size_t) image->colormap[i].red >> 8); - *q++=(unsigned char) image->colormap[i].red; - *q++=(unsigned char) ((size_t) image->colormap[i].green >> 8); - *q++=(unsigned char) image->colormap[i].green; - *q++=(unsigned char) ((size_t) image->colormap[i].blue >> 8); - *q++=(unsigned char) image->colormap[i].blue; + *q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].red) >> 8); + *q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].red) & 0xff); + *q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].green) >> 8); + *q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].green) & 0xff);; + *q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].blue) >> 8); + *q++=(unsigned char) (ScaleQuantumToShort(image->colormap[i].blue) & 0xff); } (void) WriteBlob(image,packet_size*image->colors,colormap); colormap=(unsigned char *) RelinquishMagickMemory(colormap);
coders/pdb.c+2 −1 modified@@ -825,7 +825,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image) buffer=(unsigned char *) AcquireQuantumMemory(512,sizeof(*buffer)); if (buffer == (unsigned char *) NULL) ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed"); - packet_size=(size_t) (image->depth > 8 ? 2: 1); + packet_size=(size_t) (image->depth > 8 ? 2 : 1); scanline=(unsigned char *) AcquireQuantumMemory(image->columns,packet_size* sizeof(*scanline)); if (scanline == (unsigned char *) NULL) @@ -838,6 +838,7 @@ static MagickBooleanType WritePDBImage(const ImageInfo *image_info,Image *image) quantum_info=AcquireQuantumInfo(image_info,image); if (quantum_info == (QuantumInfo *) NULL) ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed"); + status=SetQuantumDepth(image,quantum_info,image->depth > 8 ? 16 : 8); bits=8/(int) bits_per_pixel-1; /* start at most significant bits */ literal=0; repeat=0;
coders/sixel.c+11 −11 modified@@ -257,7 +257,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p, imsx = 2048; imsy = 2048; - imbuf = (unsigned char *) AcquireQuantumMemory(imsx * imsy,1); + imbuf = (unsigned char *) AcquireQuantumMemory(imsx , imsy); if (imbuf == NULL) { return(MagickFalse); @@ -284,7 +284,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p, sixel_palet[n] = SIXEL_RGB(255, 255, 255); } - (void) ResetMagickMemory(imbuf, background_color_index, imsx * imsy); + (void) ResetMagickMemory(imbuf, background_color_index, (size_t) imsx * imsy); while (*p != '\0') { if ((p[0] == '\033' && p[1] == 'P') || *p == 0x90) { @@ -358,14 +358,14 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p, if (imsx < attributed_ph || imsy < attributed_pv) { dmsx = imsx > attributed_ph ? imsx : attributed_ph; dmsy = imsy > attributed_pv ? imsy : attributed_pv; - dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1); + dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy); if (dmbuf == (unsigned char *) NULL) { imbuf = (unsigned char *) RelinquishMagickMemory(imbuf); return (MagickFalse); } - (void) ResetMagickMemory(dmbuf, background_color_index, dmsx * dmsy); + (void) ResetMagickMemory(dmbuf, background_color_index, (size_t) dmsx * dmsy); for (y = 0; y < imsy; ++y) { - (void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + imsx * y, imsx); + (void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + (size_t) imsx * y, imsx); } imbuf = (unsigned char *) RelinquishMagickMemory(imbuf); imsx = dmsx; @@ -432,14 +432,14 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p, dmsx = nx; dmsy = ny; - dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1); + dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy); if (dmbuf == (unsigned char *) NULL) { imbuf = (unsigned char *) RelinquishMagickMemory(imbuf); return (MagickFalse); } - (void) ResetMagickMemory(dmbuf, background_color_index, dmsx * dmsy); + (void) ResetMagickMemory(dmbuf, background_color_index, (size_t) dmsx * dmsy); for (y = 0; y < imsy; ++y) { - (void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + imsx * y, imsx); + (void) CopyMagickMemory(dmbuf + dmsx * y, imbuf + (size_t) imsx * y, imsx); } imbuf = (unsigned char *) RelinquishMagickMemory(imbuf); imsx = dmsx; @@ -482,7 +482,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p, c <<= 1; } for (y = posision_y + i; y < posision_y + i + n; ++y) { - (void) ResetMagickMemory(imbuf + imsx * y + posision_x, color_index, repeat_count); + (void) ResetMagickMemory(imbuf + (size_t) imsx * y + posision_x, color_index, repeat_count); } if (max_x < (posision_x + repeat_count - 1)) { max_x = posision_x + repeat_count - 1; @@ -515,7 +515,7 @@ MagickBooleanType sixel_decode(unsigned char /* in */ *p, if (imsx > max_x || imsy > max_y) { dmsx = max_x; dmsy = max_y; - if ((dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx * dmsy,1)) == NULL) { + if ((dmbuf = (unsigned char *) AcquireQuantumMemory(dmsx , dmsy)) == NULL) { imbuf = (unsigned char *) RelinquishMagickMemory(imbuf); return (MagickFalse); } @@ -1291,7 +1291,7 @@ static MagickBooleanType WriteSIXELImage(const ImageInfo *image_info,Image *imag Define SIXEL pixels. */ output = sixel_output_create(image); - sixel_pixels =(unsigned char *) AcquireQuantumMemory(image->columns * image->rows,1); + sixel_pixels =(unsigned char *) AcquireQuantumMemory(image->columns , image->rows); for (y=0; y < (ssize_t) image->rows; y++) { (void) GetVirtualPixels(image,0,y,image->columns,1,exception);
coders/tiff.c+1 −1 modified@@ -2492,8 +2492,8 @@ static MagickBooleanType WriteGROUP4Image(const ImageInfo *image_info, (void) SetImageType(huffman_image,BilevelType); write_info=CloneImageInfo((ImageInfo *) NULL); SetImageInfoFile(write_info,file); - (void) SetImageType(image,BilevelType); (void) SetImageDepth(image,1); + (void) SetImageType(image,BilevelType); write_info->compression=Group4Compression; write_info->type=BilevelType; (void) SetImageOption(write_info,"quantum:polarity","min-is-white");
9e187b73a8a1Changed the JPEG writer to raise a warning when the exif profile exceeds 65533 bytes and truncate it.
2 files changed · +11 −3
coders/jpeg.c+8 −3 modified@@ -1918,10 +1918,15 @@ static void WriteProfile(j_compress_ptr jpeg_info,Image *image) profile=GetImageProfile(image,name); p=GetStringInfoDatum(custom_profile); if (LocaleCompare(name,"EXIF") == 0) - for (i=0; i < (ssize_t) GetStringInfoLength(profile); i+=65533L) { - length=MagickMin(GetStringInfoLength(profile)-i,65533L); - jpeg_write_marker(jpeg_info,XML_MARKER,GetStringInfoDatum(profile)+i, + length=GetStringInfoLength(profile); + if (length > 65533L) + { + (void) ThrowMagickException(&image->exception,GetMagickModule(), + CoderWarning,"ExifProfileSizeExceedsLimit",image->filename); + length=65533L; + } + jpeg_write_marker(jpeg_info,XML_MARKER,GetStringInfoDatum(profile), (unsigned int) length); } if (LocaleCompare(name,"ICC") == 0)
config/english.xml+3 −0 modified@@ -205,6 +205,9 @@ </message> </error> <warning> + <message name="ExifProfileSizeExceedsLimit"> + exif profile size exceeds limit and will be truncated + </message> <message name="LosslessToLossyJPEGConversion"> lossless to lossy JPEG conversion </message>
ecc03a2518c2Prevent memory use after free
2 files changed · +2 −2
ChangeLog+2 −0 modified@@ -1,5 +1,7 @@ 2016-08-03 6.9.5-5 Cristy <quetzlzacatenango@image...> * Prevent buffer overflow (bug report from Max Thrane). + * Prevent memory use after free (reference + https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30245). 2016-07-30 6.9.5-4 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.5-4, GIT revision 10973:a00fa93:20160729.
coders/pwp.c+0 −2 modified@@ -248,8 +248,6 @@ static Image *ReadPWPImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) close(unique_file); (void) RelinquishUniqueFileResource(read_info->filename); read_info=DestroyImageInfo(read_info); - (void) CloseBlob(pwp_image); - pwp_image=DestroyImage(pwp_image); if (EOFBlob(image) != MagickFalse) { char
989f9f88ea6dPrevent buffer overflow (bug report from Max Thrane)
2 files changed · +4 −1
ChangeLog+3 −0 modified@@ -1,3 +1,6 @@ +2016-08-03 6.9.5-5 Cristy <quetzlzacatenango@image...> + * Prevent buffer overflow (bug report from Max Thrane). + 2016-07-30 6.9.5-4 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.5-4, GIT revision 10973:a00fa93:20160729.
magick/draw.c+1 −1 modified@@ -2998,7 +2998,7 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info) } length++; } - length=length*BezierQuantum/2; + length=length*BezierQuantum; break; } case CirclePrimitive:
f8877abac8e5Improve buffer flow sanity check
1 file changed · +6 −7
coders/tiff.c+6 −7 modified@@ -62,6 +62,7 @@ #include "magick/log.h" #include "magick/magick.h" #include "magick/memory_.h" +#include "magick/memory-private.h" #include "magick/module.h" #include "magick/monitor.h" #include "magick/monitor-private.h" @@ -1903,14 +1904,13 @@ RestoreMSCWarning } (void) SetImageStorageClass(image,DirectClass); number_pixels=(MagickSizeType) columns*rows; - if ((number_pixels*sizeof(uint32)) != (MagickSizeType) ((size_t) - (number_pixels*sizeof(uint32)))) + if (HeapOverflowSanityCheck(rows,sizeof(*tile_pixels)) != MagickFalse) { TIFFClose(tiff); ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); } - tile_pixels=(uint32 *) AcquireQuantumMemory(number_pixels, - sizeof(*tile_pixels)); + tile_pixels=(uint32 *) AcquireQuantumMemory(columns, + rows*sizeof(*tile_pixels)); if (tile_pixels == (uint32 *) NULL) { TIFFClose(tiff); @@ -2012,14 +2012,13 @@ RestoreMSCWarning Convert TIFF image to DirectClass MIFF image. */ number_pixels=(MagickSizeType) image->columns*image->rows; - if ((number_pixels*sizeof(uint32)) != (MagickSizeType) ((size_t) - (number_pixels*sizeof(uint32)))) + if (HeapOverflowSanityCheck(image->rows,sizeof(*pixels)) != MagickFalse) { TIFFClose(tiff); ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); } pixel_info=AcquireVirtualMemory(image->columns,image->rows* - sizeof(uint32)); + sizeof(*pixels)); if (pixel_info == (MemoryInfo *) NULL) { TIFFClose(tiff);
1 file changed · +6 −6
coders/tiff.c+6 −6 modified@@ -1297,12 +1297,6 @@ RestoreMSCWarning image->columns=(size_t) width; image->rows=(size_t) height; image->depth=(size_t) bits_per_sample; - status=SetImageExtent(image,image->columns,image->rows); - if (status == MagickFalse) - { - InheritException(exception,&image->exception); - return(DestroyImageList(image)); - } if (image->debug != MagickFalse) (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Image depth: %.20g", (double) image->depth); @@ -1559,6 +1553,12 @@ RestoreMSCWarning } goto next_tiff_frame; } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } method=ReadGenericMethod; if (TIFFGetField(tiff,TIFFTAG_ROWSPERSTRIP,&rows_per_strip) == 1) {
73fb0aac5b95RLE check for pixel offset less than 0 (heap overflow report from Craig Young).
2 files changed · +8 −4
ChangeLog+2 −0 modified@@ -4,6 +4,8 @@ 2016-06-04 6.9.4-8 Cristy <quetzlzacatenango@image...> * Deny indirect reads by policy, remove policy to permit, e.g., convert caption:@mytext.txt ... + * RLE check for pixel offset less than 0 (heap overflow report from Craig + Young). 2016-06-03 6.9.4-7 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.4-7, GIT revision 10847:339f803:20160602.
coders/rle.c+6 −4 modified@@ -178,11 +178,11 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) number_planes, number_planes_filled, one, - offset, pixel_info_length; ssize_t count, + offset, y; unsigned char @@ -395,7 +395,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) offset=((image->rows-y-1)*image->columns*number_planes)+x* number_planes+plane; operand++; - if (offset+((size_t) operand*number_planes) > pixel_info_length) + if ((offset < 0) || + (offset+((size_t) operand*number_planes) > pixel_info_length)) { if (number_colormaps != 0) colormap=(unsigned char *) RelinquishMagickMemory(colormap); @@ -426,14 +427,15 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) operand++; offset=((image->rows-y-1)*image->columns*number_planes)+x* number_planes+plane; - p=pixels+offset; - if (offset+((size_t) operand*number_planes) > pixel_info_length) + if ((offset < 0) || + (offset+((size_t) operand*number_planes) > pixel_info_length)) { if (number_colormaps != 0) colormap=(unsigned char *) RelinquishMagickMemory(colormap); pixel_info=RelinquishVirtualMemory(pixel_info); ThrowReaderException(CorruptImageError,"UnableToReadImageData"); } + p=pixels+offset; for (i=0; i < (ssize_t) operand; i++) { if ((y < (ssize_t) image->rows) &&
4e914bbe3714https://github.com/ImageMagick/ImageMagick/issues/196
1 file changed · +5 −1
coders/tiff.c+5 −1 modified@@ -390,8 +390,10 @@ static Image *ReadGROUP4Image(const ImageInfo *image_info, length=fwrite("\000\000\000\000",1,4,file); length=WriteLSBLong(file,(long) image->resolution.x); length=WriteLSBLong(file,1); + status=MagickTrue; for (length=0; (c=ReadBlobByte(image)) != EOF; length++) - (void) fputc(c,file); + if (fputc(c,file) != c) + status=MagickFalse; offset=(ssize_t) fseek(file,(ssize_t) offset,SEEK_SET); length=WriteLSBLong(file,(unsigned int) length); (void) fclose(file); @@ -413,6 +415,8 @@ static Image *ReadGROUP4Image(const ImageInfo *image_info, (void) CopyMagickString(image->magick,"GROUP4",MagickPathExtent); } (void) RelinquishUniqueFileResource(filename); + if (status == MagickFalse) + image=DestroyImage(image); return(image); } #endif
fc6080f1321fCoder path traversal is not authorized, bug report provided by Masaaki Chida
3 files changed · +18 −1
ChangeLog+5 −0 modified@@ -1,3 +1,8 @@ +2016-06-02 6.9.4-7 Cristy <quetzlzacatenango@image...> + * Fix small memory leak (patch provided by Андрей Черный). + * Coder path traversal is not authorized (bug report provided by + Masaaki Chida). + 2016-05-31 6.9.4-6 Cristy <quetzlzacatenango@image...> * Release ImageMagick version 6.9.4-6, GIT revision 18334:97775b5:20160531.
magick/module.c+9 −0 modified@@ -547,6 +547,15 @@ static MagickBooleanType GetMagickModulePath(const char *filename, assert(path != (char *) NULL); assert(exception != (ExceptionInfo *) NULL); (void) CopyMagickString(path,filename,MaxTextExtent); +#if defined(MAGICKCORE_INSTALLED_SUPPORT) + if (strstr(path,"../") != (char *) NULL) + { + errno=EPERM; + (void) ThrowMagickException(exception,GetMagickModule(),PolicyError, + "NotAuthorized","`%s'",path); + return(MagickFalse); + } +#endif module_path=(char *) NULL; switch (module_type) {
magick/xml-tree.c+4 −1 modified@@ -2140,7 +2140,10 @@ MagickExport XMLTreeInfo *NewXMLTree(const char *xml,ExceptionInfo *exception) if ((ignore_depth == 0) && (IsSkipTag(tag) == MagickFalse)) ParseOpenTag(root,tag,attributes); else - ignore_depth++; + { + ignore_depth++; + (void) DestroyXMLTreeAttributes(attributes); + } *p=c; } else
0474237508f3Suspend exception processing if there are too many exceptions
5 files changed · +76 −48
coders/label.c+7 −5 modified@@ -136,7 +136,7 @@ static Image *ReadLABELImage(const ImageInfo *image_info, status=GetMultilineTypeMetrics(image,draw_info,&metrics); if ((image->columns == 0) && (image->rows == 0)) { - image->columns=(size_t) (metrics.width+draw_info->stroke_width+0.5); + image->columns=(size_t) floor(metrics.width+draw_info->stroke_width+0.5); image->rows=(size_t) floor(metrics.height+draw_info->stroke_width+0.5); } else @@ -205,14 +205,16 @@ static Image *ReadLABELImage(const ImageInfo *image_info, return((Image *) NULL); } if (image->columns == 0) - image->columns=(size_t) (metrics.width+draw_info->stroke_width+0.5); + image->columns=(size_t) floor(metrics.width+draw_info->stroke_width+0.5); if (image->columns == 0) - image->columns=(size_t) (draw_info->pointsize+draw_info->stroke_width+0.5); + image->columns=(size_t) floor(draw_info->pointsize+draw_info->stroke_width+ + 0.5); if (image->rows == 0) - image->rows=(size_t) (metrics.ascent-metrics.descent+ + image->rows=(size_t) floor(metrics.ascent-metrics.descent+ draw_info->stroke_width+0.5); if (image->rows == 0) - image->rows=(size_t) (draw_info->pointsize+draw_info->stroke_width+0.5); + image->rows=(size_t) floor(draw_info->pointsize+draw_info->stroke_width+ + 0.5); status=SetImageExtent(image,image->columns,image->rows); if (status == MagickFalse) {
coders/viff.c+2 −18 modified@@ -137,22 +137,6 @@ static MagickBooleanType IsVIFF(const unsigned char *magick,const size_t length) % o exception: return any errors or warnings in this structure. % */ - -static MagickBooleanType CheckMemoryOverflow(const size_t count, - const size_t quantum) -{ - size_t - size; - - size=count*quantum; - if ((count == 0) || (quantum != (size/count))) - { - errno=ENOMEM; - return(MagickTrue); - } - return(MagickFalse); -} - static Image *ReadVIFFImage(const ImageInfo *image_info, ExceptionInfo *exception) { @@ -520,13 +504,13 @@ static Image *ReadVIFFImage(const ImageInfo *image_info, } if (viff_info.data_storage_type == VFF_TYP_BIT) { - if (CheckMemoryOverflow((image->columns+7UL) >> 3UL,image->rows) != MagickFalse) + if (HeapOverflowSanityCheck((image->columns+7UL) >> 3UL,image->rows) != MagickFalse) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); max_packets=((image->columns+7UL) >> 3UL)*image->rows; } else { - if (CheckMemoryOverflow(number_pixels,viff_info.number_data_bands) != MagickFalse) + if (HeapOverflowSanityCheck(number_pixels,viff_info.number_data_bands) != MagickFalse) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); max_packets=(size_t) (number_pixels*viff_info.number_data_bands); }
magick/exception.c+21 −5 modified@@ -52,6 +52,11 @@ #include "magick/string_.h" #include "magick/utility.h" +/* + Global declarations. +*/ +#define MaxExceptions 128 + /* Forward declarations. */ @@ -193,6 +198,9 @@ MagickExport void CatchException(ExceptionInfo *exception) register const ExceptionInfo *p; + ssize_t + i; + assert(exception != (ExceptionInfo *) NULL); assert(exception->signature == MagickSignature); if (exception->exceptions == (void *) NULL) @@ -201,14 +209,22 @@ MagickExport void CatchException(ExceptionInfo *exception) ResetLinkedListIterator((LinkedListInfo *) exception->exceptions); p=(const ExceptionInfo *) GetNextValueInLinkedList((LinkedListInfo *) exception->exceptions); - while (p != (const ExceptionInfo *) NULL) + for (i=0; p != (const ExceptionInfo *) NULL; i++) { - if ((p->severity >= WarningException) && (p->severity < ErrorException)) - MagickWarning(p->severity,p->reason,p->description); - if ((p->severity >= ErrorException) && (p->severity < FatalErrorException)) - MagickError(p->severity,p->reason,p->description); if (p->severity >= FatalErrorException) MagickFatalError(p->severity,p->reason,p->description); + if (i < MaxExceptions) + { + if ((p->severity >= ErrorException) && + (p->severity < FatalErrorException)) + MagickError(p->severity,p->reason,p->description); + if ((p->severity >= WarningException) && (p->severity < ErrorException)) + MagickWarning(p->severity,p->reason,p->description); + } + else + if (i == MaxExceptions) + MagickError(ResourceLimitError,"too many exceptions", + "exception processing suspended"); p=(const ExceptionInfo *) GetNextValueInLinkedList((LinkedListInfo *) exception->exceptions); }
magick/memory.c+43 −20 modified@@ -234,22 +234,6 @@ static MagickBooleanType % o quantum: the number of bytes in each quantum. % */ - -static MagickBooleanType CheckMemoryOverflow(const size_t count, - const size_t quantum) -{ - size_t - size; - - size=count*quantum; - if ((count == 0) || (quantum != (size/count))) - { - errno=ENOMEM; - return(MagickTrue); - } - return(MagickFalse); -} - MagickExport void *AcquireAlignedMemory(const size_t count,const size_t quantum) { #define AlignedExtent(size,alignment) \ @@ -263,7 +247,7 @@ MagickExport void *AcquireAlignedMemory(const size_t count,const size_t quantum) void *memory; - if (CheckMemoryOverflow(count,quantum) != MagickFalse) + if (HeapOverflowSanityCheck(count,quantum) != MagickFalse) return((void *) NULL); memory=NULL; alignment=CACHE_LINE_SIZE; @@ -544,7 +528,7 @@ MagickExport void *AcquireQuantumMemory(const size_t count,const size_t quantum) size_t extent; - if (CheckMemoryOverflow(count,quantum) != MagickFalse) + if (HeapOverflowSanityCheck(count,quantum) != MagickFalse) return((void *) NULL); extent=count*quantum; return(AcquireMagickMemory(extent)); @@ -584,7 +568,7 @@ MagickExport MemoryInfo *AcquireVirtualMemory(const size_t count, size_t extent; - if (CheckMemoryOverflow(count,quantum) != MagickFalse) + if (HeapOverflowSanityCheck(count,quantum) != MagickFalse) return((MemoryInfo *) NULL); memory_info=(MemoryInfo *) MagickAssumeAligned(AcquireAlignedMemory(1, sizeof(*memory_info))); @@ -917,6 +901,45 @@ MagickExport void *GetVirtualMemoryBlob(const MemoryInfo *memory_info) % % % % % % ++ H e a p O v e r f l o w S a n i t y C h e c k % +% % +% % +% % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% +% HeapOverflowSanityCheck() returns MagickTrue if the heap allocation request +% does not exceed the maximum limits of a size_t otherwise MagickFalse. +% +% The format of the HeapOverflowSanityCheck method is: +% +% MagickBooleanType HeapOverflowSanityCheck(const size_t count, +% const size_t quantum) +% +% A description of each parameter follows: +% +% o size: the size of the memory in bytes we require. +% +*/ +MagickExport MagickBooleanType HeapOverflowSanityCheck(const size_t count, + const size_t quantum) +{ + size_t + size; + + size=count*quantum; + if ((count == 0) || (quantum != (size/count))) + { + errno=ENOMEM; + return(MagickTrue); + } + return(MagickFalse); +} + +/* +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% % +% % +% % % R e l i n q u i s h A l i g n e d M e m o r y % % % % % @@ -1222,7 +1245,7 @@ MagickExport void *ResizeQuantumMemory(void *memory,const size_t count, size_t extent; - if (CheckMemoryOverflow(count,quantum) != MagickFalse) + if (HeapOverflowSanityCheck(count,quantum) != MagickFalse) { memory=RelinquishMagickMemory(memory); return((void *) NULL);
magick/memory-private.h+3 −0 modified@@ -41,6 +41,9 @@ extern "C" { #define MagickAssumeAligned(address) (address) #endif +MagickExport MagickBooleanType + HeapOverflowSanityCheck(const size_t,const size_t) magick_alloc_sizes(1,2); + #if defined(__cplusplus) || defined(c_plusplus) } #endif
8a370f9ab120Added check for invalid number of frames.
1 file changed · +3 −1
coders/mat.c+3 −1 modified@@ -942,7 +942,9 @@ MATLAB_KO: ThrowReaderException(CorruptImageError,"ImproperImageHeader"); case 16: z2=z = ReadBlobXXXLong(image2); /* 4D matrix animation */ if(z!=3 && z!=1) ThrowReaderException(CoderError, "MultidimensionalMatricesAreNotSupported"); - Frames = ReadBlobXXXLong(image2); + Frames = ReadBlobXXXLong(image2); + if (Frames == 0) + ThrowReaderException(CorruptImageError,"ImproperImageHeader"); break; default: ThrowReaderException(CoderError, "MultidimensionalMatricesAreNotSupported"); }
3e9165285edahttps://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=29710
1 file changed · +3 −2
coders/rle.c+3 −2 modified@@ -322,10 +322,11 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) number_planes_filled)) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); pixel_info=AcquireVirtualMemory(image->columns,image->rows* - number_planes_filled*sizeof(*pixels)); + MagickMax(number_planes_filled,4)*sizeof(*pixels)); if (pixel_info == (MemoryInfo *) NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); - pixel_info_length=image->columns*image->rows*number_planes_filled; + pixel_info_length=image->columns*image->rows* + MagickMax(number_planes_filled,4); pixels=(unsigned char *) GetVirtualMemoryBlob(pixel_info); if ((flags & 0x01) && !(flags & 0x02)) {
2 files changed · +8 −6
coders/jpeg.c+1 −2 modified@@ -1229,8 +1229,7 @@ static Image *ReadJPEGImage(const ImageInfo *image_info, if (option != (const char *) NULL) if (AcquireImageColormap(image,StringToUnsignedLong(option)) == MagickFalse) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); - if ((jpeg_info.output_components == 1) && - (jpeg_info.quantize_colors == 0)) + if ((jpeg_info.output_components == 1) && (jpeg_info.quantize_colors == 0)) { size_t colors;
coders/tiff.c+7 −4 modified@@ -1888,9 +1888,6 @@ RestoreMSCWarning columns, rows; - size_t - number_pixels; - /* Convert tiled TIFF image to DirectClass MIFF image. */ @@ -1901,7 +1898,13 @@ RestoreMSCWarning ThrowReaderException(CoderError,"ImageIsNotTiled"); } (void) SetImageStorageClass(image,DirectClass); - number_pixels=columns*rows; + number_pixels=(MagickSizeType) columns*rows; + if ((number_pixels*sizeof(uint32)) != (MagickSizeType) ((size_t) + (number_pixels*sizeof(uint32)))) + { + TIFFClose(tiff); + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + } tile_pixels=(uint32 *) AcquireQuantumMemory(number_pixels, sizeof(*tile_pixels)); if (tile_pixels == (uint32 *) NULL)
b173a3523978https://github.com/ImageMagick/ImageMagick/issues/131
1 file changed · +1 −0
coders/mat.c+1 −0 modified@@ -936,6 +936,7 @@ RestoreMSCWarning } } } while(z-- >= 2); + quantum_info=DestroyQuantumInfo(quantum_info); ExitLoop:
134463b926fahttps://github.com/ImageMagick/ImageMagick/issues/129
3 files changed · +30 −4
coders/viff.c+28 −4 modified@@ -137,6 +137,22 @@ static MagickBooleanType IsVIFF(const unsigned char *magick,const size_t length) % o exception: return any errors or warnings in this structure. % */ + +static MagickBooleanType CheckMemoryOverflow(const size_t count, + const size_t quantum) +{ + size_t + size; + + size=count*quantum; + if ((count == 0) || (quantum != (size/count))) + { + errno=ENOMEM; + return(MagickTrue); + } + return(MagickFalse); +} + static Image *ReadVIFFImage(const ImageInfo *image_info, ExceptionInfo *exception) { @@ -475,7 +491,7 @@ static Image *ReadVIFFImage(const ImageInfo *image_info, /* Initialize image structure. */ - image->alpha_trait=viff_info.number_data_bands == 4 ? BlendPixelTrait : + image->alpha_trait=viff_info.number_data_bands == 4 ? BlendPixelTrait : UndefinedPixelTrait; image->storage_class=(viff_info.number_data_bands < 3 ? PseudoClass : DirectClass); @@ -499,9 +515,17 @@ static Image *ReadVIFFImage(const ImageInfo *image_info, default: bytes_per_pixel=1; break; } if (viff_info.data_storage_type == VFF_TYP_BIT) - max_packets=((image->columns+7UL) >> 3UL)*image->rows; + { + if (CheckMemoryOverflow((image->columns+7UL) >> 3UL,image->rows) != MagickFalse) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + max_packets=((image->columns+7UL) >> 3UL)*image->rows; + } else - max_packets=(size_t) (number_pixels*viff_info.number_data_bands); + { + if (CheckMemoryOverflow(number_pixels,viff_info.number_data_bands) != MagickFalse) + ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); + max_packets=(size_t) (number_pixels*viff_info.number_data_bands); + } pixels=(unsigned char *) AcquireQuantumMemory(MagickMax(number_pixels, max_packets),bytes_per_pixel*sizeof(*pixels)); if (pixels == (unsigned char *) NULL) @@ -695,7 +719,7 @@ static Image *ReadVIFFImage(const ImageInfo *image_info, { ssize_t index; - + index=(ssize_t) GetPixelRed(image,q); SetPixelRed(image,image->colormap[ ConstrainColormapIndex(image,index,exception)].red,q);
MagickCore/memory.c+1 −0 modified@@ -233,6 +233,7 @@ static MagickBooleanType % o quantum: the number of bytes in each quantum. % */ + static MagickBooleanType CheckMemoryOverflow(const size_t count, const size_t quantum) {
MagickCore/quantum-import.c+1 −0 modified@@ -2024,6 +2024,7 @@ static void ImportGrayQuantum(const Image *image,QuantumInfo *quantum_info, assert(image != (Image *) NULL); assert(image->signature == MagickCoreSignature); + pixel=0; switch (quantum_info->depth) { case 1:
f3b483e8b054https://github.com/ImageMagick/ImageMagick/issues/131
1 file changed · +1 −1
coders/mat.c+1 −1 modified@@ -875,7 +875,7 @@ RestoreMSCWarning } /* ----- Load raster data ----- */ - BImgBuff = (unsigned char *) AcquireQuantumMemory((size_t) (ldblk),sizeof(unsigned char)); /* Ldblk was set in the check phase */ + BImgBuff = (unsigned char *) AcquireQuantumMemory((size_t) (ldblk),sizeof(double)); /* Ldblk was set in the check phase */ if (BImgBuff == NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
f6e9d0d9955e84 files changed · +541 −15
ChangeLog+2 −0 modified@@ -22,6 +22,8 @@ Mateusz Jurczyk of the Google Security Team). * Additional PNM sanity checks (reference http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26682). + * The SetImageBias() biad value is no longer ignored (reference + http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=25732). 2014-11-16 6.9.0-0 Cristy <quetzlzacatenango@image...> * New version 6.9.0-0, SVN revision 17067.
coders/aai.c+6 −0 modified@@ -158,6 +158,12 @@ static Image *ReadAAIImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } pixels=(unsigned char *) AcquireQuantumMemory(image->columns, 4*sizeof(*pixels)); if (pixels == (unsigned char *) NULL)
coders/art.c+6 −0 modified@@ -155,6 +155,12 @@ static Image *ReadARTImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Convert bi-level image to pixel packets. */
coders/avs.c+6 −0 modified@@ -160,6 +160,12 @@ static Image *ReadAVSImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } pixels=(unsigned char *) AcquireQuantumMemory(image->columns, 4*sizeof(*pixels)); if (pixels == (unsigned char *) NULL)
coders/bgr.c+6 −0 modified@@ -197,6 +197,12 @@ static Image *ReadBGRImage(const ImageInfo *image_info, if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } switch (image_info->interlace) { case NoInterlace:
coders/bmp.c+6 −0 modified@@ -928,6 +928,12 @@ static Image *ReadBMPImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Read image data. */
coders/cin.c+7 −1 modified@@ -721,11 +721,17 @@ static Image *ReadCINImage(const ImageInfo *image_info,ExceptionInfo *exception) image->depth=cin.image.channel[0].bits_per_pixel; image->columns=cin.image.channel[0].pixels_per_line; image->rows=cin.image.channel[0].lines_per_image; - if (image_info->ping) + if (image_info->ping != MagickFalse) { (void) CloseBlob(image); return(image); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Convert CIN raster image to pixel packets. */
coders/clipboard.c+8 −2 modified@@ -136,7 +136,7 @@ static Image *ReadCLIPBOARDImage(const ImageInfo *image_info, bitmapH=(HBITMAP) GetClipboardData(CF_BITMAP); hPal=(HPALETTE) GetClipboardData(CF_PALETTE); CloseClipboard(); - if ( bitmapH == NULL ) + if (bitmapH == NULL) ThrowReaderException(CoderError,"NoBitmapOnClipboard"); { BITMAPINFO @@ -163,8 +163,14 @@ static Image *ReadCLIPBOARDImage(const ImageInfo *image_info, GetObject(bitmapH,sizeof(BITMAP),(LPSTR) &bitmap); if ((image->columns == 0) || (image->rows == 0)) { - image->rows=bitmap.bmHeight; image->columns=bitmap.bmWidth; + image->rows=bitmap.bmHeight; + } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); } /* Initialize the bitmap header info.
coders/cmyk.c+6 −0 modified@@ -197,6 +197,12 @@ static Image *ReadCMYKImage(const ImageInfo *image_info, if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } SetImageColorspace(image,CMYKColorspace); switch (image_info->interlace) {
coders/cut.c+7 −1 modified@@ -371,7 +371,13 @@ static Image *ReadCUTImage(const ImageInfo *image_info,ExceptionInfo *exception) image->depth=8; image->colors=(size_t) (GetQuantumRange(1UL*i)+1); - if (image_info->ping) goto Finish; + if (image_info->ping != MagickFalse) goto Finish; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* ----- Do something with palette ----- */ if ((clone_info=CloneImageInfo(image_info)) == NULL) goto NoPalette;
coders/dcm.c+6 −0 modified@@ -3689,6 +3689,12 @@ static Image *ReadDCMImage(const ImageInfo *image_info,ExceptionInfo *exception) image->columns=(size_t) width; image->rows=(size_t) height; image->depth=depth; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + break; + } image->colorspace=RGBColorspace; if ((image->colormap == (PixelPacket *) NULL) && (samples_per_pixel == 1)) {
coders/dds.c+6 −0 modified@@ -1834,6 +1834,12 @@ static Image *ReadDDSImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if ((decoder)(image, &dds_info, exception) != MagickTrue) {
coders/dib.c+7 −1 modified@@ -520,7 +520,7 @@ static Image *ReadDIBImage(const ImageInfo *image_info,ExceptionInfo *exception) */ (void) ResetMagickMemory(&dib_info,0,sizeof(dib_info)); dib_info.size=ReadBlobLSBLong(image); - if (dib_info.size!=40) + if (dib_info.size != 40) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); /* Microsoft Windows 3.X DIB image file. @@ -573,6 +573,12 @@ static Image *ReadDIBImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((geometry.height != 0) && (geometry.height < image->rows)) image->rows=geometry.height; } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if (image->storage_class == PseudoClass) { size_t
coders/djvu.c+8 −1 modified@@ -418,7 +418,7 @@ get_page_image(LoadContext *lc, ddjvu_page_t *page, int x, int y, int w, int h, if (SyncAuthenticPixels(image,&image->exception) == MagickFalse) break; } - if (!image->ping) + if (image->ping == MagickFalse) SyncImage(image); } else { #if DEBUG @@ -577,6 +577,7 @@ static Image *ReadOneDJVUImage(LoadContext* lc,const int pagenum, Image *image; int logging; int tag; + MagickBooleanType status; /* so, we know that the page is there! Get its dimension, and */ @@ -667,6 +668,12 @@ static Image *ReadOneDJVUImage(LoadContext* lc,const int pagenum, image->matte = MagickTrue; /* is this useful? */ } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } #if DEBUG printf("now filling %.20g x %.20g\n",(double) image->columns,(double) image->rows);
coders/dps.c+6 −0 modified@@ -328,6 +328,12 @@ static Image *ReadDPSImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } switch (image->storage_class) { case DirectClass:
coders/dpx.c+6 −0 modified@@ -1126,6 +1126,12 @@ static Image *ReadDPXImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } for (n=0; n < (ssize_t) dpx.image.number_elements; n++) { /*
coders/emf.c+6 −0 modified@@ -507,6 +507,12 @@ static Image *ReadEMFImage(const ImageInfo *image_info, y=0; (void) GetGeometry(image_info->size,&x,&y,&image->columns,&image->rows); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if (image_info->page != (char *) NULL) { char
coders/exr.c+6 −0 modified@@ -212,6 +212,12 @@ static Image *ReadEXRImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } scanline=(ImfRgba *) AcquireQuantumMemory(image->columns,sizeof(*scanline)); if (scanline == (ImfRgba *) NULL) {
coders/fax.c+6 −0 modified@@ -178,6 +178,12 @@ static Image *ReadFAXImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } status=HuffmanDecodeImage(image); if (status == MagickFalse) ThrowReaderException(CorruptImageError,"UnableToReadImageData");
coders/fits.c+6 −0 modified@@ -423,6 +423,12 @@ static Image *ReadFITSImage(const ImageInfo *image_info, if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Initialize image structure. */
coders/fpx.c+6 −0 modified@@ -352,6 +352,12 @@ static Image *ReadFPXImage(const ImageInfo *image_info,ExceptionInfo *exception) FPX_ClearSystem(); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Allocate memory for the image and pixel buffer. */
coders/gif.c+6 −0 modified@@ -1350,6 +1350,12 @@ static Image *ReadGIFImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Decode image. */
coders/gray.c+6 −0 modified@@ -187,6 +187,12 @@ static Image *ReadGRAYImage(const ImageInfo *image_info, if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } SetImageColorspace(image,GRAYColorspace); if (scene == 0) {
coders/hald.c+7 −2 modified@@ -125,6 +125,12 @@ static Image *ReadHALDImage(const ImageInfo *image_info, cube_size=level*level; image->columns=(size_t) (level*cube_size); image->rows=(size_t) (level*cube_size); + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } for (y=0; y < (ssize_t) image->rows; y+=(ssize_t) level) { ssize_t @@ -137,8 +143,7 @@ static Image *ReadHALDImage(const ImageInfo *image_info, if (status == MagickFalse) continue; - q=QueueAuthenticPixels(image,0,y,image->columns,(size_t) level, - exception); + q=QueueAuthenticPixels(image,0,y,image->columns,(size_t) level,exception); if (q == (PixelPacket *) NULL) { status=MagickFalse;
coders/hdr.c+6 −0 modified@@ -382,6 +382,12 @@ static Image *ReadHDRImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Read RGBE (red+green+blue+exponent) pixels. */
coders/hrz.c+6 −0 modified@@ -142,6 +142,12 @@ static Image *ReadHRZImage(const ImageInfo *image_info,ExceptionInfo *exception) image->columns=256; image->rows=240; image->depth=8; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } pixels=(unsigned char *) AcquireQuantumMemory(image->columns,3* sizeof(*pixels)); if (pixels == (unsigned char *) NULL)
coders/icon.c+6 −0 modified@@ -462,6 +462,12 @@ static Image *ReadICONImage(const ImageInfo *image_info, (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } bytes_per_line=(((image->columns*icon_info.bits_per_pixel)+31) & ~31) >> 3; (void) bytes_per_line;
coders/ipl.c+7 −1 modified@@ -315,9 +315,15 @@ static Image *ReadIPLImage(const ImageInfo *image_info,ExceptionInfo *exception) { SetHeaderFromIPL(image, &ipl_info); - if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) + if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* printf("Length: %.20g, Memory size: %.20g\n", (double) length,(double) image->depth);
coders/jbig.c+6 −0 modified@@ -219,6 +219,12 @@ static Image *ReadJBIGImage(const ImageInfo *image_info, (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Convert X bitmap image to pixel packets. */
coders/jp2.c+6 −0 modified@@ -398,6 +398,12 @@ static Image *ReadJP2Image(const ImageInfo *image_info,ExceptionInfo *exception) image->columns=(size_t) jp2_image->comps[0].w; image->rows=(size_t) jp2_image->comps[0].h; image->depth=jp2_image->comps[0].prec; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } image->compression=JPEG2000Compression; if (jp2_image->numcomps <= 2) {
coders/jpeg.c+6 −0 modified@@ -1263,6 +1263,12 @@ static Image *ReadJPEGImage(const ImageInfo *image_info, (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } memory_info=AcquireVirtualMemory((size_t) image->columns, jpeg_info.output_components*sizeof(*jpeg_pixels)); if (memory_info == (MemoryInfo *) NULL)
coders/label.c+6 −0 modified@@ -213,6 +213,12 @@ static Image *ReadLABELImage(const ImageInfo *image_info, draw_info->stroke_width+0.5); if (image->rows == 0) image->rows=(size_t) (draw_info->pointsize+draw_info->stroke_width+0.5); + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if (draw_info->gravity == UndefinedGravity) { (void) FormatLocaleString(geometry,MaxTextExtent,"%+g%+g",
coders/mac.c+6 −0 modified@@ -156,6 +156,12 @@ static Image *ReadMACImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Convert MAC raster image to pixel packets. */
coders/map.c+6 −0 modified@@ -206,6 +206,12 @@ static Image *ReadMAPImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Read image pixels. */
coders/mat.c+6 −0 modified@@ -874,6 +874,12 @@ RestoreMSCWarning image->rows = temp; goto done_reading; /* !!!!!! BAD !!!! */ } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* ----- Load raster data ----- */ BImgBuff = (unsigned char *) AcquireQuantumMemory((size_t) (ldblk),sizeof(unsigned char)); /* Ldblk was set in the check phase */
coders/miff.c+6 −0 modified@@ -1246,6 +1246,12 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Allocate image pixels. */
coders/mono.c+6 −0 modified@@ -154,6 +154,12 @@ static Image *ReadMONOImage(const ImageInfo *image_info, (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Convert bi-level image to pixel packets. */
coders/mpc.c+6 −0 modified@@ -929,6 +929,12 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Attach persistent pixel cache. */
coders/mtv.c+6 −0 modified@@ -158,6 +158,12 @@ static Image *ReadMTVImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Convert MTV raster image to pixel packets. */
coders/mvg.c+6 −0 modified@@ -190,6 +190,12 @@ static Image *ReadMVGImage(const ImageInfo *image_info,ExceptionInfo *exception) DefaultResolution; image->columns=(size_t) (draw_info->affine.sx*image->columns); image->rows=(size_t) (draw_info->affine.sy*image->rows); + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if (SetImageBackgroundColor(image) == MagickFalse) { InheritException(exception,&image->exception);
coders/null.c+9 −0 modified@@ -99,6 +99,9 @@ static Image *ReadNULLImage(const ImageInfo *image_info, Image *image; + MagickBooleanType + status; + MagickPixelPacket background; @@ -129,6 +132,12 @@ static Image *ReadNULLImage(const ImageInfo *image_info, image->columns=1; if (image->rows == 0) image->rows=1; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } image->matte=MagickTrue; GetMagickPixelPacket(image,&background); background.opacity=(MagickRealType) TransparentOpacity;
coders/otb.c+6 −0 modified@@ -168,6 +168,12 @@ static Image *ReadOTBImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Convert bi-level image to pixel packets. */
coders/palm.c+6 −0 modified@@ -329,6 +329,12 @@ static Image *ReadPALMImage(const ImageInfo *image_info, ThrowReaderException(CorruptImageError,"ImproperImageHeader"); if ((image->columns == 0) || (image->rows == 0)) ThrowReaderException(CorruptImageError,"NegativeOrZeroImageSize"); + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } bytes_per_row=ReadBlobMSBShort(image); flags=ReadBlobMSBShort(image); bits_per_pixel=(size_t) ReadBlobByte(image);
coders/pango.c+8 −2 modified@@ -375,11 +375,17 @@ static Image *ReadPANGOImage(const ImageInfo *image_info, (image->y_resolution == 0.0 ? 90.0 : image->y_resolution)+45.0)/90.0+ 0.5)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Render markup. */ - stride=(size_t) cairo_format_stride_for_width(CAIRO_FORMAT_ARGB32, - (int) image->columns); + stride=(size_t) cairo_format_stride_for_width(CAIRO_FORMAT_ARGB32,(int) + image->columns); pixel_info=AcquireVirtualMemory(image->rows,stride*sizeof(*pixels)); if (pixel_info == (MemoryInfo *) NULL) {
coders/pcd.c+6 −0 modified@@ -594,6 +594,12 @@ static Image *ReadPCDImage(const ImageInfo *image_info,ExceptionInfo *exception) image->columns<<=1; image->rows<<=1; } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Allocate luma and chroma memory. */
coders/pcx.c+6 −0 modified@@ -395,6 +395,12 @@ static Image *ReadPCXImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Read image data. */
coders/pdb.c+6 −0 modified@@ -402,6 +402,12 @@ static Image *ReadPDBImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } packets=(bits_per_pixel*image->columns+7)/8; pixels=(unsigned char *) AcquireQuantumMemory(packets+256UL,image->rows* sizeof(*pixels));
coders/pict.c+6 −0 modified@@ -922,6 +922,12 @@ static Image *ReadPICTImage(const ImageInfo *image_info, if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if ((version == 1) || ((TellBlob(image) % 2) != 0)) code=ReadBlobByte(image); if (version == 2)
coders/pix.c+6 −0 modified@@ -161,6 +161,12 @@ static Image *ReadPIXImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Convert PIX raster image to pixel packets. */
coders/psd.c+6 −0 modified@@ -1653,6 +1653,12 @@ static Image *ReadPSDImage(const ImageInfo *image_info, image->depth=psd_info.depth; image->columns=psd_info.columns; image->rows=psd_info.rows; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if (SetImageBackgroundColor(image) == MagickFalse) { InheritException(exception,&image->exception);
coders/raw.c+6 −0 modified@@ -180,6 +180,12 @@ static Image *ReadRAWImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if (scene == 0) { length=GetQuantumExtent(canvas_image,quantum_info,quantum_type);
coders/rgb.c+6 −0 modified@@ -201,6 +201,12 @@ static Image *ReadRGBImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } switch (image_info->interlace) { case NoInterlace:
coders/rgf.c+6 −2 modified@@ -172,8 +172,12 @@ static Image *ReadRGFImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } - - + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Read hex image data. */
coders/rla.c+6 −0 modified@@ -261,6 +261,12 @@ static Image *ReadRLAImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } scanlines=(ssize_t *) AcquireQuantumMemory(image->rows,sizeof(*scanlines)); if (scanlines == (ssize_t *) NULL) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
coders/rle.c+6 −0 modified@@ -293,6 +293,12 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Allocate RLE pixels. */
coders/scr.c+6 −0 modified@@ -156,6 +156,12 @@ static Image *ReadSCRImage(const ImageInfo *image_info,ExceptionInfo *exception) } image->columns = 256; image->rows = 192; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } count=ReadBlob(image,6144,(unsigned char *) zxscr); (void) count; count=ReadBlob(image,768,(unsigned char *) zxattr);
coders/screenshot.c+9 −1 modified@@ -133,6 +133,9 @@ static Image *ReadSCREENSHOTImage(const ImageInfo *image_info, int i; + MagickBooleanType + status; + register PixelPacket *q; @@ -162,7 +165,12 @@ static Image *ReadSCREENSHOTImage(const ImageInfo *image_info, screen->columns=(size_t) GetDeviceCaps(hDC,HORZRES); screen->rows=(size_t) GetDeviceCaps(hDC,VERTRES); screen->storage_class=DirectClass; - + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if (image == (Image *) NULL) image=screen; else
coders/sct.c+6 −0 modified@@ -224,6 +224,12 @@ static Image *ReadSCTImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Convert SCT raster image to pixel packets. */
coders/sgi.c+6 −0 modified@@ -374,6 +374,12 @@ static Image *ReadSGIImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Allocate SGI pixels. */
coders/sixel.c+6 −1 modified@@ -1027,7 +1027,12 @@ static Image *ReadSIXELImage(const ImageInfo *image_info,ExceptionInfo *exceptio sixel_buffer=(char *) RelinquishMagickMemory(sixel_buffer); image->depth=24; image->storage_class=PseudoClass; - + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if (AcquireImageColormap(image,image->colors) == MagickFalse) { sixel_pixels=(unsigned char *) RelinquishMagickMemory(sixel_pixels);
coders/stegano.c+6 −0 modified@@ -169,6 +169,12 @@ static Image *ReadSTEGANOImage(const ImageInfo *image_info, (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Get hidden watermark from low-order bits of image. */
coders/sun.c+6 −0 modified@@ -412,6 +412,12 @@ static Image *ReadSUNImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if ((sun_info.length*sizeof(*sun_data))/sizeof(*sun_data) != sun_info.length || !sun_info.length) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
coders/svg.c+6 −0 modified@@ -2945,6 +2945,12 @@ static Image *ReadSVGImage(const ImageInfo *image_info,ExceptionInfo *exception) image->columns=gdk_pixbuf_get_width(pixel_buffer); image->rows=gdk_pixbuf_get_height(pixel_buffer); #endif + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } image->matte=MagickTrue; SetImageProperty(image,"svg:base-uri", rsvg_handle_get_base_uri(svg_handle));
coders/tga.c+6 −0 modified@@ -307,6 +307,12 @@ static Image *ReadTGAImage(const ImageInfo *image_info, (void) CloseBlob(image); return(image); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } (void) ResetMagickMemory(&pixel,0,sizeof(pixel)); pixel.opacity=(Quantum) OpaqueOpacity; if (tga_info.colormap_type != 0)
coders/tiff.c+6 −0 modified@@ -1195,6 +1195,12 @@ RestoreMSCWarning image->columns=(size_t) width; image->rows=(size_t) height; image->depth=(size_t) bits_per_sample; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if (image->debug != MagickFalse) (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Image depth: %.20g", (double) image->depth);
coders/tile.c+9 −0 modified@@ -95,6 +95,9 @@ static Image *ReadTILEImage(const ImageInfo *image_info, ImageInfo *read_info; + MagickBooleanType + status; + /* Initialize Image structure. */ @@ -115,6 +118,12 @@ static Image *ReadTILEImage(const ImageInfo *image_info, image=AcquireImage(image_info); if ((image->columns == 0) || (image->rows == 0)) ThrowReaderException(OptionError,"MustSpecifyImageSize"); + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if (*image_info->filename == '\0') ThrowReaderException(OptionError,"MustSpecifyAnImageName"); image->colorspace=tile_image->colorspace;
coders/tim.c+6 −0 modified@@ -223,6 +223,12 @@ static Image *ReadTIMImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Read image data. */
coders/ttf.c+6 −0 modified@@ -225,6 +225,12 @@ static Image *ReadTTFImage(const ImageInfo *image_info,ExceptionInfo *exception) image=DestroyImageList(image); return((Image *) NULL); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Color canvas with background color */
coders/txt.c+12 −0 modified@@ -228,6 +228,12 @@ static Image *ReadTEXTImage(const ImageInfo *image_info,Image *image, delta.x)+0.5); image->rows=(size_t) floor((((double) page.height*image->y_resolution)/ delta.y)+0.5); + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } image->page.x=0; image->page.y=0; texture=(Image *) NULL; @@ -437,6 +443,12 @@ static Image *ReadTXTImage(const ImageInfo *image_info,ExceptionInfo *exception) image->rows=height; for (depth=1; (GetQuantumRange(depth)+1) < max_value; depth++) ; image->depth=depth; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } LocaleLower(colorspace); i=(ssize_t) strlen(colorspace)-1; image->matte=MagickFalse;
coders/uyvy.c+6 −0 modified@@ -145,6 +145,12 @@ static Image *ReadUYVYImage(const ImageInfo *image_info, (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Accumulate UYVY, then unpack into two pixels. */
coders/vicar.c+6 −0 modified@@ -285,6 +285,12 @@ static Image *ReadVICARImage(const ImageInfo *image_info, (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Read VICAR pixels. */
coders/viff.c+6 −0 modified@@ -478,6 +478,12 @@ static Image *ReadVIFFImage(const ImageInfo *image_info, if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Allocate VIFF pixels. */
coders/vips.c+6 −0 modified@@ -416,6 +416,12 @@ static Image *ReadVIPSImage(const ImageInfo *image_info, ThrowReaderException(CorruptImageError,"ImproperImageHeader"); image->columns=(size_t) ReadBlobLong(image); image->rows=(size_t) ReadBlobLong(image); + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } channels=ReadBlobLong(image); (void) ReadBlobLong(image); /* Legacy */ format=(VIPSBandFormat) ReadBlobLong(image);
coders/wbmp.c+6 −0 modified@@ -185,6 +185,12 @@ static Image *ReadWBMPImage(const ImageInfo *image_info, (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Convert bi-level image to pixel packets. */
coders/webp.c+6 −0 modified@@ -286,6 +286,12 @@ static Image *ReadWEBPImage(const ImageInfo *image_info, (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } webp_status=WebPDecode(stream,length,&configure); } if (webp_status != VP8_STATUS_OK)
coders/wmf.c+9 −0 modified@@ -2584,6 +2584,9 @@ static Image *ReadWMFImage(const ImageInfo *image_info,ExceptionInfo *exception) Image *image; + MagickBooleanType + status; + unsigned long wmf_options_flags = 0; @@ -2875,6 +2878,12 @@ static Image *ReadWMFImage(const ImageInfo *image_info,ExceptionInfo *exception) "leave ReadWMFImage()"); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if (image->debug != MagickFalse) (void) LogMagickEvent(CoderEvent,GetMagickModule(), " Creating canvas image with size %lux%lu",(unsigned long) image->rows,
coders/wpg.c+6 −0 modified@@ -1413,6 +1413,12 @@ static Image *ReadWPGImage(const ImageInfo *image_info, ThrowReaderException(CoderError,"DataEncodingSchemeIsNotSupported"); } } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } Finish: (void) CloseBlob(image);
coders/xbm.c+6 −0 modified@@ -291,6 +291,12 @@ static Image *ReadXBMImage(const ImageInfo *image_info,ExceptionInfo *exception) (void) CloseBlob(image); return(GetFirstImageInList(image)); } + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* Initialize hex values. */
coders/xc.c+6 −0 modified@@ -132,6 +132,12 @@ static Image *ReadXCImage(const ImageInfo *image_info,ExceptionInfo *exception) image->columns=1; if (image->rows == 0) image->rows=1; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } (void) CopyMagickString(image->filename,image_info->filename,MaxTextExtent); status=QueryMagickColor((char *) image_info->filename,&color,exception); if (status == MagickFalse)
coders/xcf.c+6 −0 modified@@ -1275,6 +1275,12 @@ static Image *ReadXCFImage(const ImageInfo *image_info,ExceptionInfo *exception) XCFLayerInfo *layer_info; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } /* The read pointer. */
coders/xpm.c+6 −0 modified@@ -432,6 +432,12 @@ static Image *ReadXPMImage(const ImageInfo *image_info,ExceptionInfo *exception) /* Read image pixels. */ + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } for (y=0; y < (ssize_t) image->rows; y++) { p=NextXPMLine(p);
coders/xwd.c+6 −0 modified@@ -399,6 +399,12 @@ static Image *ReadXWDImage(const ImageInfo *image_info,ExceptionInfo *exception) image->columns=(size_t) ximage->width; image->rows=(size_t) ximage->height; image->depth=8; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if ((header.ncolors == 0U) || (ximage->red_mask != 0) || (ximage->green_mask != 0) || (ximage->blue_mask != 0)) image->storage_class=DirectClass;
coders/ycbcr.c+12 −0 modified@@ -149,6 +149,12 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, image=AcquireImage(image_info); if ((image->columns == 0) || (image->rows == 0)) ThrowReaderException(OptionError,"MustSpecifyImageSize"); + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } SetImageColorspace(image,YCbCrColorspace); if (image_info->interlace != PartitionInterlace) { @@ -204,6 +210,12 @@ static Image *ReadYCBCRImage(const ImageInfo *image_info, if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } SetImageColorspace(image,YCbCrColorspace); switch (image_info->interlace) {
coders/yuv.c+12 −0 modified@@ -146,6 +146,12 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) image=AcquireImage(image_info); if ((image->columns == 0) || (image->rows == 0)) ThrowReaderException(OptionError,"MustSpecifyImageSize"); + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } quantum=(size_t) (image->depth <= 8 ? 1 : 2); interlace=image_info->interlace; horizontal_factor=2; @@ -213,6 +219,12 @@ static Image *ReadYUVImage(const ImageInfo *image_info,ExceptionInfo *exception) if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0)) if (image->scene >= (image_info->scene+image_info->number_scenes-1)) break; + status=SetImageExtent(image,image->columns,image->rows); + if (status == MagickFalse) + { + InheritException(exception,&image->exception); + return(DestroyImageList(image)); + } if (interlace == PartitionInterlace) { AppendImageFormat("Y",image->filename);
Vulnerability mechanics
Root cause
"The ConcatenateImages function does not check the return value of the fputc function."
Attack vector
An attacker can provide a crafted file to the ImageMagick `convert` command when using the `+append` or `-append` options. This crafted file, when processed by the `ConcatenateImages` function, can trigger a condition where the `fputc` function fails to write data to the output file. The application does not check the return value of `fputc`, leading to a denial of service.
Affected code
The vulnerability exists in the `ConcatenateImages` function located in `MagickWand/magick-cli.c`. The specific lines affected are within the loop that iterates through input files and writes their content to the output file using `fputc`.
What the fix does
The patch introduces a check for the return value of the `fputc` function within the `ConcatenateImages` function. If `fputc` returns a value different from the character written, the `status` variable is set to `MagickFalse`. This `status` variable is then returned by the `ConcatenateImages` function, allowing the application to handle the error gracefully instead of crashing.
Preconditions
- inputA crafted input file that causes `fputc` to fail.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- www.openwall.com/lists/oss-security/2016/12/26/9nvdMailing ListPatchThird Party Advisory
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingPatchThird Party AdvisoryVDB Entry
- github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7nvdPatchThird Party Advisory
- github.com/ImageMagick/ImageMagick/issues/196nvdPatchThird Party Advisory
- www.securityfocus.com/bid/95208nvdThird Party AdvisoryVDB Entry
News mentions
0No linked articles in our index yet.