One possible buffer overflow vulnerability in...
Hello all.
In GraphicsMagick-1.3.25/coders/pict.c:ReadPICTImage(), the value returned by ReadBlobByte() should be checked against EOF before being used as an array index, which might cause a buffer overflow.
The vulnerable code snippet is shown below.
899     if ((version == 1) || ((TellBlob(image) % 2) != 0))
900       code=ReadBlobByte(image);
901     if (version == 2)
902       code=ReadBlobMSBShort(image);
903     if (code > 0xa1)
904       {
905         if (IsEventLogging())
906           (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Code %04X:",code);
907       }
908     else
909       {
910         if (IsEventLogging())
911           (void) LogMagickEvent(CoderEvent,GetMagickModule(),"Code %04X %.1024s: %.1024s",code,
912             codes[code].name,codes[code].description);
913         switch (code)
Function ReadBlobByte() might return EOF, which is a negative number, and the following use of the variable code as an array index at line 912 might lead to a buffer overflow.
Please find attached a possible workaround that I suggest.
Thanks a lot.
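As an added illustration of the report above (example code, not GraphicsMagick's own), this reproduces the same read sequence with the EOF check applied before the value can reach an array index; the Blob type, the code_names table and the helper names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for a GraphicsMagick blob (constructed for this example): a byte
 * buffer plus read cursor, mirroring TellBlob()/ReadBlobByte() behaviour. */
typedef struct { const unsigned char *data; size_t length; size_t offset; } Blob;

/* Like ReadBlobByte(): next byte as 0..255, or EOF (-1) once exhausted. */
static int blob_read_byte(Blob *b)
{
    return (b->offset < b->length) ? b->data[b->offset++] : EOF;
}

/* Like ReadBlobMSBShort(): big-endian 16-bit value, or EOF if truncated. */
static int blob_read_msb_short(Blob *b)
{
    int hi = blob_read_byte(b), lo = blob_read_byte(b);
    return (hi == EOF || lo == EOF) ? EOF : ((hi << 8) | lo);
}

/* Hypothetical opcode table standing in for pict.c's codes[] (0x00..0xA1). */
#define NUM_CODES 0xA2
static const char *const code_names[NUM_CODES] = { [0x00] = "NOP", [0x01] = "Clip", [0xA1] = "LongComment" };

/* Bounds-checked lookup: EOF (-1) or any code past the table yields NULL
 * instead of the out-of-bounds read codes[-1] described in the report. */
const char *opcode_name(int code)
{
    return (code >= 0 && code < NUM_CODES) ? code_names[code] : NULL;
}

/* Same read sequence as ReadPICTImage() lines 899-902; the caller must treat
 * a -1 result as a truncated file and never use it as an index. */
int read_pict_opcode(Blob *b, int version)
{
    int code = EOF;
    if ((version == 1) || ((b->offset % 2) != 0))
        code = blob_read_byte(b);          /* for v2 this is only a pad byte */
    if (version == 2)
        code = blob_read_msb_short(b);
    return code;                           /* EOF (-1) on a truncated blob */
}

/* Convenience for tests: parse one opcode from a constructed byte array. */
int opcode_from_bytes(const unsigned char *bytes, size_t len, size_t start, int version)
{
    Blob b = { bytes, len, start };
    return read_pict_opcode(&b, version);
}
```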
The issue was larger than described and so I made more changes than in your patch. Please double-check Mercurial changeset b1afa3e8f0ab and make sure that it solves the issue.
Glad to see it is fixed. Thanks.