https://github.com/ImageMagick/ImageMagick/issues/1554
Cherry-pick of upstream f7206618d27c2e69d977abf40e3035a33e5f6be0
Bug: 140328986
Merged-In: I4b82259cf9309d5df15b3d7518ddb6650126a61f
(cherry picked from commit 1475a365af527e0b0b3efeea6c8267c493ac48d9)
diff --git a/coders/mat.c b/coders/mat.c
index 73b26fc..54eb0e2 100644
--- a/coders/mat.c
+++ b/coders/mat.c
@@ -640,6 +640,7 @@
Object parser loop.
*/
ldblk=ReadBlobLSBLong(image);
+ if(EOFBlob(image)) break;
if ((ldblk > 9999) || (ldblk < 0))
break;
HDR.Type[3]=ldblk % 10; ldblk /= 10; /* T digit */
@@ -960,10 +961,10 @@
}
filepos = TellBlob(image);
- while(!EOFBlob(image)) /* object parser loop */
+ while(filepos < GetBlobSize(image) && !EOFBlob(image)) /* object parser loop */
{
Frames = 1;
- if (filepos != (unsigned int) filepos)
+ if(filepos > GetBlobSize(image) || filepos < 0)
break;
if(SeekBlob(image,filepos,SEEK_SET) != filepos) break;
/* printf("pos=%X\n",TellBlob(image)); */
@@ -972,7 +973,7 @@
if(EOFBlob(image)) break;
MATLAB_HDR.ObjectSize = ReadBlobXXXLong(image);
if(EOFBlob(image)) break;
- if((MagickSizeType) (MATLAB_HDR.ObjectSize+filepos) > GetBlobSize(image))
+ if((MagickSizeType) (MATLAB_HDR.ObjectSize+filepos) >= GetBlobSize(image))
goto MATLAB_KO;
filepos += (MagickOffsetType) MATLAB_HDR.ObjectSize + 4 + 4;
@@ -1275,6 +1276,7 @@
{
if (logging) (void)LogMagickEvent(CoderEvent,GetMagickModule(),
" MAT cannot read scanrow %u from a file.", (unsigned)(MATLAB_HDR.SizeY-i-1));
+ ThrowReaderException(CorruptImageError,"UnexpectedEndOfFile");
goto ExitLoop;
}
if((CellType==miINT8 || CellType==miUINT8) && (MATLAB_HDR.StructureFlag & FLAG_LOGICAL))
