
#474 NULL pointer dereference in ReadCINEONImage

v1.0_(example)
closed-fixed
None
5
2017-09-30
2017-09-25
bestshow
No

Here is the critical code: (in ReadCINEONImage)
~~~
scandata=MagickAllocateMemory(unsigned char *,scandata_bytes); //821
for (y=0; y < (long) image->rows; y++)
  {
    magick_uint32_t red;
    magick_uint32_t green;
    magick_uint32_t blue;

    q=SetImagePixels(image,0,y,image->columns,1);
    if (q == (PixelPacket *) NULL)
      break;
    scanline=scandata;
    if (ReadBlobZC(image,scandata_bytes,&scanline) != scandata_bytes)
      break;
    MagickBitStreamInitializeRead(&bit_stream,scanline);
    for (x=0 ; x < (long) image->columns; x++)
      {
        /*
          Packed 10 bit samples with 2 bit pad at end of 32-bit word.
        */
        red   = MagickBitStreamMSBRead(&bit_stream,10);
        green = MagickBitStreamMSBRead(&bit_stream,10);
        blue  = MagickBitStreamMSBRead(&bit_stream,10);
        (void) MagickBitStreamMSBRead(&bit_stream,2);

        q->red     = ScaleShortToQuantum(red*scale_to_short);
        q->green   = ScaleShortToQuantum(green*scale_to_short);
        q->blue    = ScaleShortToQuantum(blue*scale_to_short);
        q->opacity = 0U;

        /* printf("i:%u,%u,%u --> %u,%u,%u\n", red, green, blue, */
        /*        (unsigned int)q->red, (unsigned int)q->green, (unsigned int)q->blue); */
        q++;
      }
    if (!SyncImagePixels(image))
      break;
    if (image->previous == (Image *) NULL)
      if (QuantumTick(y,image->rows))
        if (!MagickMonitorFormatted(y,image->rows,exception,
                                    LoadImageText,image->filename,
                                    image->columns,image->rows))
          break;
  }
......
~~~

MagickAllocateMemory(...) may return NULL, so the following operations on "scanline" will dereference a NULL pointer and cause a memory error.

Credit : ADLab of Venustech
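The defensive shape of the loop, as an added stand-alone example that is not GraphicsMagick's code: the scanline buffer is allocated once, the result is checked before any read into it, and allocation failure is reported to the caller instead of being dereferenced. The names (`read_cineon_rows`, `checked_alloc`, `Pixel`, `scale10to16`, `decode_sample`) are assumptions, `checked_alloc` is a hypothetical allocator whose failure can be triggered with a size cap, the 10-bit unpacking uses plain shifts in place of `MagickBitStreamMSBRead`, and the 8-byte input blob is constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for GraphicsMagick's PixelPacket with 16-bit quanta. */
typedef struct { uint16_t red, green, blue, opacity; } Pixel;

/* Hypothetical allocator: returns NULL when the request exceeds `cap`, so the
   allocation-failure path can be exercised deterministically in a test. */
static unsigned char *checked_alloc(size_t bytes, size_t cap)
{
  if (bytes == 0 || bytes > cap)
    return NULL;
  return (unsigned char *) malloc(bytes);
}

/* Unpack one big-endian 32-bit word: 10-bit R, G, B, then a 2-bit pad
   (plain shifts here instead of MagickBitStreamMSBRead). */
static void unpack_rgb10(const unsigned char *w, uint32_t *r, uint32_t *g, uint32_t *b)
{
  uint32_t v = ((uint32_t) w[0] << 24) | ((uint32_t) w[1] << 16) |
               ((uint32_t) w[2] << 8)  |  (uint32_t) w[3];
  *r = (v >> 22) & 0x3FFU;
  *g = (v >> 12) & 0x3FFU;
  *b = (v >> 2)  & 0x3FFU;
}

/* Constructed equivalent of red*scale_to_short + ScaleShortToQuantum:
   map a 10-bit sample onto the full 16-bit range. */
static uint16_t scale10to16(uint32_t s)
{
  return (uint16_t) ((s * 65535U) / 1023U);
}

/* Decode `rows` scanlines of `columns` packed pixels from `blob` into `out`.
   Returns 0 on success, -1 when the scanline buffer cannot be allocated
   (the check missing from the reported loop), -2 when the blob is truncated. */
int read_cineon_rows(const unsigned char *blob, size_t blob_len,
                     size_t columns, size_t rows, size_t alloc_cap, Pixel *out)
{
  size_t scandata_bytes, offset = 0;
  unsigned char *scandata;

  if (columns > SIZE_MAX / 4)          /* 32 bits per pixel; refuse overflow */
    return -1;
  scandata_bytes = columns * 4;
  scandata = checked_alloc(scandata_bytes, alloc_cap);
  if (scandata == NULL)                /* fail before anything touches the buffer */
    return -1;

  for (size_t y = 0; y < rows; y++)
    {
      if (blob_len - offset < scandata_bytes)
        {
          free(scandata);
          return -2;
        }
      /* stands in for ReadBlobZC: one scanline into the buffer */
      memcpy(scandata, blob + offset, scandata_bytes);
      offset += scandata_bytes;

      for (size_t x = 0; x < columns; x++)
        {
          uint32_t r, g, b;
          Pixel *q = &out[y * columns + x];
          unpack_rgb10(scandata + 4 * x, &r, &g, &b);
          q->red     = scale10to16(r);
          q->green   = scale10to16(g);
          q->blue    = scale10to16(b);
          q->opacity = 0U;
        }
    }
  free(scandata);
  return 0;
}

/* Constructed 8-byte sample: two pixels, (1023,0,341) and (0,1023,0). */
static const unsigned char sample_blob[8] = {0xFF,0xC0,0x05,0x54, 0x00,0x3F,0xF0,0x00};
static Pixel sample_px[2];

/* Decode the sample (2 columns, 1 row) with a given blob length and cap. */
int decode_sample(size_t blob_len, size_t alloc_cap)
{
  return read_cineon_rows(sample_blob, blob_len, 2, 1, alloc_cap, sample_px);
}

int main(void)
{
  int rc = decode_sample(sizeof sample_blob, 1024);
  printf("rc=%d px0=(%u,%u,%u) px1=(%u,%u,%u)\n", rc,
         sample_px[0].red, sample_px[0].green, sample_px[0].blue,
         sample_px[1].red, sample_px[1].green, sample_px[1].blue);
  printf("rc with allocation failure=%d\n", decode_sample(sizeof sample_blob, 4));
  return 0;
}
```

With the cap set below the scanline size the decoder returns -1 without reading anything, which is the behaviour the fix needs; in the real reader the equivalent is a `ThrowReaderException`-style early exit right after the `MagickAllocateMemory` call.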

Discussion

  • Bob Friesenhahn

    Bob Friesenhahn - 2017-09-30
    • status: open --> closed-fixed
    • assigned_to: Bob Friesenhahn
     
  • Bob Friesenhahn

    Bob Friesenhahn - 2017-09-30

    This problem is fixed by Mercurial changeset 15181:53a4d841e90f. Thanks for the report!

     
