NULL pointer dereference in ReadCINEONImage
Here is the critical code: (in ReadCINEONImage)
    scandata=MagickAllocateMemory(unsigned char *,scandata_bytes); //776
    scanline=scandata;
    MagickBitStreamInitializeRead(&bit_stream,scanline);
    for (y=0; y < (long) image->rows; y++)
      {
        q=SetImagePixels(image,0,y,image->columns,1);
        if (q == (PixelPacket *) NULL)
          break;
        /*
          Packed 10 bit samples with 2 bit pad at end of 32-bit word.
        */
        scanline=scandata;
        i=3;
        for (x=(long) image->columns; x > 0; x--, i++)
          {
            if (i > 2)
              {
                scanline=scandata;
                if (ReadBlobZC(image,scandata_bytes,&scanline) !=
                    scandata_bytes)
                  break;
                MagickBitStreamInitializeRead(&bit_stream,scanline);
                i=0;
              }
            q->red=q->green=q->blue=
              ScaleShortToQuantum(MagickBitStreamMSBRead(&bit_stream,10)*scale_to_short);
            q->opacity=0U;
            q++;
          }
......
MagickAllocateMemory(...) may return NULL, so some of the following operations on "scanline" will dereference a NULL pointer and cause a memory error.
Credit: ADLab of Venustech
This problem is fixed by Mercurial changeset 15181:53a4d841e90f. Thanks for the report!
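An added example, not part of the original report and not the GraphicsMagick changeset: the same packed 10-bit unpacking loop as a stand-alone C function that checks the allocation result before the buffer is touched. The names `unpack_row`, `alloc_fn`, `failing_alloc`, the 4-byte `scandata_bytes` and the sample bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn)(size_t);           /* hypothetical allocator hook */
static void *failing_alloc(size_t n) { (void) n; return NULL; }
enum { UNPACK_OK = 0, UNPACK_NOMEM = -1, UNPACK_SHORT = -2 };

/* Constructed input: samples 0x3FF, 0x000, 0x155 in word 0, 0x2AA in word 1. */
static const unsigned char SAMPLE_ROW[8] =
  { 0xFF, 0xC0, 0x05, 0x54, 0xAA, 0x80, 0x00, 0x00 };
static uint16_t sample_out[4];

/* Unpack `columns` 10-bit samples, three per big-endian 32-bit word with a
   2-bit pad at the end, staging each word in a heap buffer. */
static int unpack_row(const unsigned char *src, size_t src_len, size_t columns,
                      uint16_t *out, alloc_fn alloc)
{
  const size_t scandata_bytes = 4;           /* assumed: one 32-bit word */
  unsigned char *scandata = alloc(scandata_bytes);
  uint32_t word = 0;
  size_t x, off = 0;
  unsigned int i = 3;

  if (scandata == NULL)                      /* checked before any use */
    return UNPACK_NOMEM;
  for (x = 0; x < columns; x++, i++) {
    if (i > 2) {                             /* all 3 samples consumed */
      if (src_len - off < scandata_bytes) {  /* truncated input */
        free(scandata);
        return UNPACK_SHORT;
      }
      memcpy(scandata, src + off, scandata_bytes);
      off += scandata_bytes;
      word = ((uint32_t) scandata[0] << 24) | ((uint32_t) scandata[1] << 16) |
             ((uint32_t) scandata[2] << 8) | (uint32_t) scandata[3];
      i = 0;
    }
    out[x] = (uint16_t) ((word >> (22 - 10 * i)) & 0x3FF);
  }
  free(scandata);
  return UNPACK_OK;
}

int main(void)
{
  return unpack_row(SAMPLE_ROW, sizeof SAMPLE_ROW, 4, sample_out, failing_alloc)
         == UNPACK_NOMEM ? 0 : 1;
}
```

Passing `failing_alloc` simulates the out-of-memory condition from the report, so the error path can be exercised in a unit test without exhausting memory.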