BUG: WriteOnePNGImage() opaque array is too small
Posted: 2011-01-25T05:40:30-07:00
When compiling and testing the ImageMagick library under Windows, I encountered the following error:
In the WriteOnePNGImage() function, an array opaque is defined:
Code:
PixelPacket opaque[260]
The array consists of 260 elements, but up to 300 elements (indices 0 - 299) may be accessed and set by the code.
Under Windows, in the debug version of convert.exe, this causes an assertion failure warning about the stack that has been corrupted around the opaque variable:
"Run-Time Check Failure #2 - Stack around the variable 'opaque' was corrupted."
Under *nix variants, the bug probably exists as well, but might not manifest itself.
ImageMagick source: 6.6.7
Windows version: Windows XP, SP3 (5.1, build 2600)
Visual Studio version: 2008
Affected code, all in coders/png.c:
Code:
// definition:
PixelPacket // line 7008-7010
  ...
  opaque[260],
Code:
// usage of the opaque variable: number_opaque can have a maximum value of 299, which causes the code to set values outside of the opaque array.
if (colormap[i].opacity == OpaqueOpacity) // line 7142-7143
  opaque[number_opaque++] = colormap[i];
Other defined variables might be affected in the same way, but I did not test that:
Code:
PixelPacket // line 7008-7012
  semitransparent[260],
  transparent[260];
With kind regards,
Roland
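A bounded form of the append quoted in the report, as an added example that is not part of the original post and not ImageMagick's code. The PixelPacket layout, the OpaqueOpacity value, the constant names and both helper functions are assumptions made for illustration; the 260 and 300 figures come from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for ImageMagick's types (assumptions for this example). */
typedef struct { unsigned short blue, green, red, opacity; } PixelPacket;
#define OpaqueOpacity 0

#define OPAQUE_SLOTS 260  /* array size quoted in the report */
#define MAX_COLORS   300  /* the report says indices 0 - 299 can be written */

/* Bounded form of `opaque[number_opaque++] = colormap[i];`.
   Returns how many opaque entries were seen; *stored is how many fit. */
size_t collect_opaque(const PixelPacket *colormap, size_t colors,
                      PixelPacket *opaque, size_t slots, size_t *stored)
{
    size_t seen = 0;
    *stored = 0;
    for (size_t i = 0; i < colors; i++) {
        if (colormap[i].opacity != OpaqueOpacity)
            continue;
        if (*stored < slots)          /* the check the quoted code lacks */
            opaque[(*stored)++] = colormap[i];
        seen++;
    }
    return seen;
}

/* Constructed worst case: 300 opaque entries, guard bytes after the array. */
struct frame { PixelPacket opaque[OPAQUE_SLOTS]; unsigned char guard[16]; };

int worst_case_is_contained(void)
{
    static PixelPacket colormap[MAX_COLORS];   /* zeroed: every entry opaque */
    struct frame f;
    size_t stored = 0;
    memset(&f, 0xA5, sizeof f);
    size_t seen = collect_opaque(colormap, MAX_COLORS, f.opaque, OPAQUE_SLOTS, &stored);
    for (size_t i = 0; i < sizeof f.guard; i++)
        if (f.guard[i] != 0xA5)
            return 0;                           /* a write went past the array */
    return seen == MAX_COLORS && stored == OPAQUE_SLOTS;
}

int main(void)
{
    printf("contained: %d\n", worst_case_is_contained());
    return 0;
}
```

A caller can treat `seen > *stored` as the signal that the fixed-size array was too small and fail the write instead of continuing with a truncated list.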