BlobToImage corrupted the blob
Posted: 2012-11-21T19:48:42-07:00
Found that the blob passed to function BlobToImage will become bad pointer after the function call return. The blob initially points to contents of a psd file.
Did some debugging to IM code and found that blob became invalid after the call to SeekBlob(image,layer_offset,SEEK_CUR) by ReadPSDImage in psd.c. In SeekBlob, image->blob->offset+=offset seem to exceed the length of the file. I have tried to add the following code to SeekBlob and it seem to solve the problem :
Following is my program code snippets, access violation happen when call delete [] databyte:
IM version is 6.8.0
Windows 7
Any comment anyone?
Thanks
ElvinLee
Did some debugging to IM code and found that blob became invalid after the call to SeekBlob(image,layer_offset,SEEK_CUR) by ReadPSDImage in psd.c. In SeekBlob, image->blob->offset+=offset seem to exceed the length of the file. I have tried to add the following code to SeekBlob and it seem to solve the problem :
Code: Select all
case SEEK_CUR:
{
if ((image->blob->offset+offset) < 0)
return(-1);
image->blob->offset+=offset;
if( image->blob->offset > image->blob->length )
image->blob->offset = image->blob->length;
break;
}
Code: Select all
int main(int argc, char** argv)
{
MagickCoreGenesis(*argv,MagickTrue);
FILE* file = NULL;
if( fopen_s( &file, "Test_PSD.psd", "rb" ) != 0)
{
printf("load file error");
exit(1);
}
fseek(file, 0, SEEK_END);
size_t length = ftell(file);
fseek(file, 0, SEEK_SET);
BYTE* databyte = new BYTE[length];
int rlength = fread(databyte, 1, length, file);
Image* image = NULL;
ImageInfo *image_info;
ExceptionInfo* exception = AcquireExceptionInfo();
image_info=AcquireImageInfo();
try
{
image = BlobToImage(image_info, databyte, length, &exception);
}
catch(...)
{
return 1;
}
delete [] databyte;
fclose(file);
if(image != NULL)
{
DestroyImage(image);
}
MagickCoreTerminus();
return 0;
}
Windows 7
Any comment anyone?
Thanks
ElvinLee