BUG: WriteOnePNGImage() opaque array is too small


Post by reblom »

When compiling and testing the ImageMagick library under Windows, I encountered the following error:
in the WriteOnePNGImage() function, an array opaque is defined:

Code:

    PixelPacket opaque[260]

The array consists of 260 elements, but up to 300 elements (indices 0 - 299) may be accessed and set by the code.

Under Windows, in the debug version of convert.exe, this causes an assertion failure warning about the stack that has been corrupted around the opaque variable:
"Run-Time Check Failure #2 - Stack around the variable 'opaque' was corrupted."

Under *nix variants, the bug probably exists as well, but might not manifest itself.

ImageMagick source: 6.6.7
Windows version: Windows XP, SP3 (5.1, build 2600)
Visual Studio version: 2008

affected code, all in coders/png.c:

Code:

    // definition:
    PixelPacket  // line 7008-7010
    ...
      opaque[260],

Code:

    // usage of the opaque variable: number_opaque can have a maximum value of 299, which causes the code to set values outside of the opaque array.
    if (colormap[i].opacity == OpaqueOpacity) // line 7142-7143
      opaque[number_opaque++] = colormap[i];

Other defined variables might be affected in the same way, but I did not test that:

Code:

    PixelPacket // line 7008-7012
      semitransparent[260],
      transparent[260];

With kind regards,
Roland
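
An added example, not part of the original post and not ImageMagick's code or its actual fix: a bounds-checked version of the `opaque[number_opaque++] = colormap[i]` pattern quoted above, run on a constructed 300-entry colormap. The `PixelPacket` struct, the `OpaqueOpacity` value, and the names `collect_opaque` and `demo` are simplified stand-ins assumed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the ImageMagick types named in the post (assumed). */
typedef struct { unsigned short red, green, blue, opacity; } PixelPacket;
#define OpaqueOpacity 0          /* stand-in value for this example */
#define OPAQUE_CAPACITY 260      /* array size quoted in the post */
#define COLORMAP_ENTRIES 300     /* entry count quoted in the post */

/* Copy opaque colormap entries into dst, never writing past dst_cap.
   Returns the number stored; *dropped receives the entries that did not fit. */
static size_t collect_opaque(const PixelPacket *colormap, size_t n,
                             PixelPacket *dst, size_t dst_cap, size_t *dropped)
{
    size_t number_opaque = 0;
    *dropped = 0;
    for (size_t i = 0; i < n; i++) {
        if (colormap[i].opacity != OpaqueOpacity)
            continue;
        if (number_opaque < dst_cap)      /* the check the quoted pattern lacks */
            dst[number_opaque++] = colormap[i];
        else
            (*dropped)++;
    }
    return number_opaque;
}

/* Constructed input: 300 opaque entries, the worst case described in the post. */
static size_t demo(size_t *dropped)
{
    PixelPacket colormap[COLORMAP_ENTRIES];
    struct { PixelPacket opaque[OPAQUE_CAPACITY]; unsigned canary; } frame;
    frame.canary = 0xC0FFEEu;             /* sits right after the array */
    for (size_t i = 0; i < COLORMAP_ENTRIES; i++)
        colormap[i] = (PixelPacket){ (unsigned short)i, 0, 0, OpaqueOpacity };
    size_t stored = collect_opaque(colormap, COLORMAP_ENTRIES,
                                   frame.opaque, OPAQUE_CAPACITY, dropped);
    return frame.canary == 0xC0FFEEu ? stored : 0;  /* 0 means canary was hit */
}

int main(void)
{
    size_t dropped;
    size_t stored = demo(&dropped);
    printf("stored=%zu dropped=%zu\n", stored, dropped);
    return 0;
}
```

A nonzero `dropped` count is the signal that the destination array is undersized for the input, which is the condition the Visual Studio run-time check reported as stack corruption.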

Re: BUG: WriteOnePNGImage() opaque array is too small

Post by reblom »

I forgot to mention:

I encountered the bug using the following command line:
convert.exe -resize 100x100 d:\amsterdam.jpg d:\amsterdam.png

Where amsterdam.jpg is the image downloaded from here:
http://news.cheapflights.com/wp-content ... terdam.jpg

Greetings,
Roland

Re: BUG: WriteOnePNGImage() opaque array is too small

Post by glennrp »

I believe I fixed that in 6.6.7-2.

Glenn

Re: BUG: WriteOnePNGImage() opaque array is too small

Post by reblom »

I downloaded version 6.6.7-2 (previously I used imagemagick-windows.zip, which is based on 6.6.7), and it is indeed fixed there.
Thank you!

Greetings,
Roland