Hello, I found something strange in coders/png.c. Namely, the check for image_info->ping is wrong. ImageMagick tries to allocate memory for pixels even if I set image_info->ping to MagickTrue, even though my intention is exactly to examine the image size and reject big images without consuming significant resources. So far, I have worked around the problem locally with the following patch, but I am not sure if it is correct. Please reply with the correct version of the patch. I don't know the purpose of setting image->columns to 0, as that immediately marks the image as invalid.
Index: coders/png.c =================================================================== --- coders/png.c (revision 13868) +++ coders/png.c (working copy) @@ -2224,8 +2224,9 @@ */ if (image->delay != 0) mng_info->scenes_found++; - if ((image_info->ping != MagickFalse) && (image_info->number_scenes != 0) && - mng_info->scenes_found > (long) (image_info->first_scene+image_info->number_scenes)) + if ((image_info->ping != MagickFalse) || + ((image_info->number_scenes != 0) && + mng_info->scenes_found > (long) (image_info->first_scene+image_info->number_scenes))) { if (logging != MagickFalse) (void) LogMagickEvent(CoderEvent,GetMagickModule(), @@ -2235,8 +2236,6 @@ #if defined(PNG_SETJMP_NOT_THREAD_SAFE) RelinquishSemaphoreInfo(png_semaphore); #endif - if (image != (Image *) NULL) - image->columns=0; if (logging != MagickFalse) (void) LogMagickEvent(CoderEvent,GetMagickModule(), " exit ReadOnePNGImage().");

[and just below that, we see a call to AcquireQuantumMemory() for image pixels, exactly the thing that image_info->ping is used to avoid!]

-- Alexander E. Patrakov
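Review bot: In the first hunk (@@ -2224), switching `&&` to `||` does more than make ping reads return early: the scene-range test `mng_info->scenes_found > (long) (image_info->first_scene+image_info->number_scenes)` no longer requires `image_info->ping`, so a full (non-ping) read now also takes this exit path once the scene count passes the requested range. If only the ping behaviour is meant to change, keep the original condition and add a separate `if (image_info->ping != MagickFalse)` exit, with a comment saying which case each branch handles. Please also confirm that image->columns and image->rows are already filled in from the PNG header before this point; that is not visible in the context lines, and a ping caller that rejects oversized images depends on it.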
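Review bot: In the second hunk (@@ -2235), dropping `image->columns=0` removes it for both reasons the branch can now be entered, while the message itself says the purpose of the assignment is unknown. Before the patch it ran only when ping was set and the scene count was past the requested range, so it may be how the caller is told to discard that scene; removing it unconditionally could hand such a scene back as valid. Consider keeping the assignment for the scene-range case and skipping it only for the plain ping exit, or state in the commit message why no caller depends on a zero width.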