tag 413035 + patch
thanks
Simple NULL pointer dereference due to missing check. Might be
considered a DoS, but no grave security implications. Patch fixes the
segfault with the supplied testcase. (If you don't error out but handle
the NULL pointer gracefully, the testfile causes gm to allocate >800M of
memory as it provides bogus information about image size. I don't think
this is a bug in gm as the OOM case is correctly handled, and an image
might legitimately uncompress to huge sizes in memory.)
Daniel.
--- a/coders/png.c Fri Mar 02 23:21:52 2007 +0100
+++ b/coders/png.c Sat Mar 03 01:43:36 2007 +0100
@@ -4622,6 +4622,8 @@ static Image *ReadMNGImage(const ImageIn
continue;
}
#ifdef MNG_INSERT_LAYERS
+ if (length < 8)
+ ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
image_width=mng_get_long(p);
image_height=mng_get_long(&p[4]);
#endif
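Review bot: The new `if (length < 8)` guard sits inside `#ifdef MNG_INSERT_LAYERS`, so with that macro undefined no length check is compiled in at all; if `p` or `length` is consumed after the `#endif` for this chunk, the guard should be moved above the `#ifdef` so both build configurations get it. The bound itself is right for the visible reads: `mng_get_long(p)` and `mng_get_long(&p[4])` touch bytes 0..7, so a length of exactly 8 correctly passes. Note also that the check tests `length`, not `p`, while the accompanying message describes a NULL pointer dereference; a one-line comment before the `if` stating that a short (or zero-length) chunk is what leaves `p` unusable here would make the relationship between the reported crash and the fix explicit for the next reader. The error classification `CorruptImageError,ImproperImageHeader` is consistent with rejecting a truncated header chunk rather than continuing.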