From b78822716fd79b380ddce5cbe23ce82d08e1df96 Mon Sep 17 00:00:00 2001

From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>

Date: Thu, 14 Nov 2013 12:36:55 +0000

Subject: [PATCH] Fix CVE-2014-1947, CVE-2014-2030

Upstream commit: r13736

Make layer_name large enough so that an overflow does not occur if

there are more than 99 layers.

---

 coders/psd.c | 12 ++++++------

 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/coders/psd.c b/coders/psd.c

index 3c0b938..5c23992 100644

--- a/coders/psd.c

+++ b/coders/psd.c

@@ -2101,9 +2101,6 @@ static MagickBooleanType WritePSDImage(const ImageInfo *image_info,Image *image)

   StringInfo

     *bim_profile;

-  unsigned char

-    layer_name[4];

-

   /*

     Open image file.

   */

@@ -2361,12 +2358,15 @@ static MagickBooleanType WritePSDImage(const ImageInfo *image_info,Image *image)

         property=(const char *) GetImageProperty(next_image,"label");

         if (property == (const char *) NULL)

           {

+            char

+              layer_name[MaxTextExtent];

+

             (void) WriteBlobMSBLong(image,16);

             (void) WriteBlobMSBLong(image,0);

             (void) WriteBlobMSBLong(image,0);

-            (void) FormatLocaleString((char *) layer_name,MaxTextExtent,

-              "L%06ld",(long) layer_count++);

-            WritePascalString( image, (char*)layer_name, 4 );

+            (void) FormatLocaleString(layer_name,MaxTextExtent,"L%06ld",(long)

+              layer_count++);

+            WritePascalString(image,layer_name,4);

           }

         else

           {

-- 

1.8.3.1