averello/ImageMagick-mirror
1
0
Fork 0
mirror of https://github.com/ImageMagick/ImageMagick.git synced 2026-05-25 11:24:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

Prevent out of bounds heap write in uhdr encoder (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vhqj-f5cj-9x8h)

Browse Source
This commit is contained in:
Dirk Lemstra
2026-02-06 21:03:53 +01:00
parent c9c87dbaba
commit ffe589df5f
1 changed files with 16 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
coders/uhdr.c
+16 -8
View File
@@ -618,20 +618,28 @@ static MagickBooleanType WriteUHDRImage(const ImageInfo *image_info,
{
/* Classify image as hdr/sdr intent basing on depth */
int
bpp = image->depth >= hdrIntentMinDepth ? 2 : 1;
int
aligned_width = image->columns + (image->columns & 1);
int
aligned_height = image->rows + (image->rows & 1);
bpp;
ssize_t
picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */;
aligned_height,
aligned_width;
size_t
picSize;
void
*crBuffer = NULL, *cbBuffer = NULL, *yBuffer = NULL;
if (((double) image->columns > sqrt(MAGICK_SSIZE_MAX/3.0)) ||
((double) image->rows > sqrt(MAGICK_SSIZE_MAX/3.0)))
{
(void) ThrowMagickException(exception,GetMagickModule(),ImageError,
"WidthOrHeightExceedsLimit","%s",image->filename);
goto next_image;
}
bpp = image->depth >= hdrIntentMinDepth ? 2 : 1;
aligned_width = image->columns + (image->columns & 1);
picSize = aligned_width * aligned_height * bpp * 1.5 /* 2x2 sub-sampling */;
if (IssRGBCompatibleColorspace(image->colorspace) && !IsGrayColorspace(image->colorspace))
{
if (image->depth >= hdrIntentMinDepth && hdr_ct == UHDR_CT_LINEAR)