# HG changeset patch # User Bob Friesenhahn # Date 1590851896 18000 # Sat May 30 10:18:16 2020 -0500 # Node ID 50395430a37188d0d197e71bd85ed6dd0f649ee3 # Parent 4917a4242fc0a12f2f6baa10f1c5a9b3e68c20dd MNG: Fix small heap overwrite or assertion if magnifying and image to be magnified has rows or columns == 1. [Retrieved (and updated to remove ChangeLog and version changes) from: https://sourceforge.net/p/graphicsmagick/code/ci/50395430a37188d0d197e71bd85ed6dd0f649ee3] Signed-off-by: Fabrice Fontaine diff -r 4917a4242fc0 -r 50395430a371 coders/png.c --- a/coders/png.c Fri May 01 13:49:13 2020 -0500 +++ b/coders/png.c Sat May 30 10:18:16 2020 -0500 @@ -5304,7 +5304,7 @@ if (logging) (void) LogMagickEvent(CoderEvent,GetMagickModule(), "MAGN chunk (%lu bytes): " - "First_magnified_object_id=%u, Last_magnified_object_id=%u, " + "First_magnified_object_id=%u, Las t_magnified_object_id=%u, " "MB=%u, ML=%u, MR=%u, MT=%u, MX=%u, MY=%u, " "X_method=%u, Y_method=%u", length, @@ -5679,6 +5679,8 @@ /* If magnifying and a supported method is requested then magnify the image. + + http://www.libpng.org/pub/mng/spec/mng-1.0-20010209-pdg.html#mng-MAGN */ if (((mng_info->magn_methx > 0) && (mng_info->magn_methx <= 5)) && ((mng_info->magn_methy > 0) && (mng_info->magn_methy <= 5))) @@ -5689,7 +5691,28 @@ if (logging) (void) LogMagickEvent(CoderEvent,GetMagickModule(), - " Processing MNG MAGN chunk"); + " Processing MNG MAGN chunk: MB=%u, ML=%u," + " MR=%u, MT=%u, MX=%u, MY=%u," + " X_method=%u, Y_method=%u", + mng_info->magn_mb,mng_info->magn_ml, + mng_info->magn_mr,mng_info->magn_mt, + mng_info->magn_mx,mng_info->magn_my, + mng_info->magn_methx, + mng_info->magn_methy); + + /* + If the image width is 1, then X magnification is done + by simple pixel replication. + */ + if (image->columns == 1) + mng_info->magn_methx = 1; + + /* + If the image height is 1, then Y magnification is done + by simple pixel replication. + */ + if (image->rows == 1) + mng_info->magn_methy = 1; if (mng_info->magn_methx == 1) { @@ -5734,12 +5757,10 @@ Image *large_image; - int - yy; - long m, - y; + y, + yy; register long x;