BlobToImage corrupted the blob

elvinlee
Posts: 2
Joined: 2012-11-20T00:05:11-07:00

Post by elvinlee »

Found that the blob passed to the function BlobToImage becomes a bad pointer after the function call returns. The blob initially points to the contents of a PSD file.
Did some debugging of the IM code and found that the blob became invalid after the call to SeekBlob(image,layer_offset,SEEK_CUR) by ReadPSDImage in psd.c. In SeekBlob, image->blob->offset+=offset seems to exceed the length of the file. I have tried adding the following code to SeekBlob and it seems to solve the problem:

Code:

case SEEK_CUR:
{
  if ((image->blob->offset+offset) < 0)
    return(-1);
  image->blob->offset+=offset;
  if (image->blob->offset > image->blob->length)
    image->blob->offset=image->blob->length;
  break;
}

Following is my program code snippet; the access violation happens when calling delete [] databyte:

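Code:

#include <cstdio>
#include <cstdlib>
#include <windows.h>             // BYTE
#include <magick/MagickCore.h>   // ImageMagick 6 MagickCore API

int main(int argc, char** argv)
{
    MagickCoreGenesis(*argv, MagickTrue);

    // Read the whole PSD file into a heap buffer.
    FILE* file = NULL;
    if (fopen_s(&file, "Test_PSD.psd", "rb") != 0)
    {
        printf("load file error");
        exit(1);
    }

    fseek(file, 0, SEEK_END);
    size_t length = ftell(file);
    fseek(file, 0, SEEK_SET);

    BYTE* databyte = new BYTE[length];
    size_t rlength = fread(databyte, 1, length, file);
    if (rlength != length)
    {
        printf("read file error");
        exit(1);
    }

    Image* image = NULL;
    ExceptionInfo* exception = AcquireExceptionInfo();
    ImageInfo* image_info = AcquireImageInfo();

    try
    {
        // exception is already an ExceptionInfo*, so pass it directly.
        image = BlobToImage(image_info, databyte, length, exception);
    }
    catch(...)
    {
        return 1;
    }

    delete [] databyte;   // the access violation is reported here
    fclose(file);

    if (image != NULL)
    {
        DestroyImage(image);
    }

    // Release the MagickCore structures acquired above.
    image_info = DestroyImageInfo(image_info);
    exception = DestroyExceptionInfo(exception);

    MagickCoreTerminus();
    return 0;
}
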
IM version is 6.8.0
Windows 7

Any comment anyone?

Thanks
ElvinLee
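
The bounds handling discussed in the post, as an added stand-alone example that is not ImageMagick code and not from the original poster: a relative seek on an in-memory blob that takes its delta from untrusted file data, rejects negative or overflowing positions, and clamps past-the-end positions to the blob length. The names MemBlob, mem_seek_cur and mem_read and the sample buffer are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory blob, not ImageMagick's BlobInfo. */
typedef struct {
    const unsigned char *data;  /* caller-owned buffer */
    size_t length;              /* number of valid bytes in data */
    int64_t offset;             /* current position, always 0..length */
} MemBlob;

/* Relative seek with an untrusted delta (for example a layer offset
   read from the file). Returns the new offset, or -1 if the result
   would be negative or the addition would overflow. Positions past
   the end are clamped to length, as in the post's SEEK_CUR change. */
int64_t mem_seek_cur(MemBlob *b, int64_t delta)
{
    if (delta > 0 && b->offset > INT64_MAX - delta)
        return -1;                       /* signed overflow */
    if (b->offset + delta < 0)
        return -1;                       /* before start of blob */
    b->offset += delta;
    if ((uint64_t)b->offset > (uint64_t)b->length)
        b->offset = (int64_t)b->length;  /* clamp to end of blob */
    return b->offset;
}

/* Copy up to n bytes; never reads past data[length - 1]. */
size_t mem_read(MemBlob *b, void *dst, size_t n)
{
    size_t left = b->length - (size_t)b->offset;
    if (n > left)
        n = left;
    memcpy(dst, b->data + b->offset, n);
    b->offset += (int64_t)n;
    return n;
}

int main(void)
{
    static const unsigned char sample[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    MemBlob b = { sample, sizeof sample, 0 };
    unsigned char out[4];
    printf("seek +1000 -> %lld\n", (long long)mem_seek_cur(&b, 1000));
    printf("read 4     -> %zu bytes\n", mem_read(&b, out, sizeof out));
    return 0;
}
```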