# HG changeset patch # User Bob Friesenhahn # Date 1648301533 18000 # Node ID 94f4bcf448ad29d6d8470e444038402d34fbba12 # Parent 07c1e6eeffb8cb2abb9ede843a45ba7e5435b3b0 ReadMIFFImage(): Validate claimed bzip2-compressed row length prior to reading data into fixed size buffer. --- ChangeLog | 7 +++++++ coders/miff.c | 11 +++++++++++ magick/version.h | 2 ++ www/Changelog.html | 7 +++++++ 4 files changed, 27 insertions(+) diff --git a/ChangeLog b/ChangeLog index a89c828..5116ad0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2022-03-26 Bob Friesenhahn + * coders/miff.c (ReadMIFFImage): Validate claimed bzip2-compressed + row length prior to reading data into fixed size buffer. + Addresses SourceForge bug #664 "[bug]Heap buffer overflow when + parsing MIFF". This severe bug only impacts builds with BZLIB + support. + 2019-04-17 Bob Friesenhahn * coders/xwd.c (ReadXWDImage): Added even more XWD header validation logic. Addresses problems noted by email from Hongxu diff --git a/coders/miff.c b/coders/miff.c index 00813c4..9149a15 100644 --- a/coders/miff.c +++ b/coders/miff.c @@ -1674,9 +1674,20 @@ static Image *ReadMIFFImage(const ImageInfo *image_info, else { length=ReadBlobMSBLong(image); + if (image->logging) + (void) LogMagickEvent(CoderEvent,GetMagickModule(), + "length = %"MAGICK_SIZE_T_F"u", + (MAGICK_SIZE_T) length); + if ((length == 0) || (length > compressed_length)) + { + (void) BZ2_bzDecompressEnd(&bzip_info); + ThrowMIFFReaderException(CorruptImageError,UnableToUncompressImage, + image); + } bzip_info.avail_in=(unsigned int) ReadBlob(image,length,bzip_info.next_in); if ((size_t) bzip_info.avail_in != length) { + (void) BZ2_bzDecompressEnd(&bzip_info); ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile, image); } diff --git a/magick/version.h b/magick/version.h index a9e0dca..1e17abc 100644 --- a/magick/version.h +++ b/magick/version.h 
@@ -40,6 +40,8 @@ extern "C" { #define MagickLibVersionNumber 21,18,1 #define MagickChangeDate "20190417" #define MagickReleaseDate "snapshot-20190417" +#define MagickChangeDate "20220326" +#define MagickReleaseDate "snapshot-20220326" /* The MagickLibInterfaceNewest and MagickLibInterfaceOldest defines diff --git a/www/Changelog.html b/www/Changelog.html index e5a21da..5ec8096 100644 --- a/www/Changelog.html +++ b/www/Changelog.html @@ -34,6 +34,13 @@
+

2022-03-26 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

+
+* coders/miff.c (ReadMIFFImage): Validate claimed bzip2-compressed +row length prior to reading data into fixed size buffer. +Addresses SourceForge bug #664 "[bug]Heap buffer overflow when +parsing MIFF". This severe bug only impacts builds with BZLIB +support.

2019-04-17 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

    -- 2.23.0
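Review bot: in the coders/miff.c hunk, the new bound `(length > compressed_length)` is only sufficient if `compressed_length` is exactly the allocated size of the buffer that `bzip_info.next_in` points at; that allocation is outside the hunk, so please confirm the two use the same expression (or derive one from the other) so they cannot drift apart, since the subsequent `ReadBlob(image,length,bzip_info.next_in)` is the write that bug #664 reports. The `else` on the first context line shows a sibling branch reads a per-row length the same way; it should get the equivalent `length == 0 || length > <buffer size>` guard if it does not already have one. Minor: `BZ2_bzDecompressEnd(&bzip_info)` is now repeated before each `ThrowMIFFReaderException`; a single cleanup label would avoid the next throw site forgetting it.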
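Review bot: the magick/version.h hunk adds `#define MagickChangeDate "20220326"` and `#define MagickReleaseDate "snapshot-20220326"` without removing the existing `"20190417"` and `"snapshot-20190417"` definitions (the header reads `-40,6 +40,8`, two lines added and none deleted), so both macros are redefined with different replacement lists, which C compilers reject or warn about as a macro redefinition. The two 20190417 lines should be `-` lines. `MagickLibVersionNumber 21,18,1` is also left unchanged; if this snapshot is meant to be distinguishable from the 20190417 one at build time, consider bumping it.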