File ImageMagick-CVE-2016-4562,4563,4564.patch of Package ImageMagick.8212

m 2d009ebb22bcc8865e2ffecf5764ac4f1599a647 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 4 May 2016 19:08:19 -0400
Subject: [PATCH] Prevent buffer overflow in magick/draw.c

Index: ImageMagick-6.8.9-8/magick/draw.c
===================================================================
--- ImageMagick-6.8.9-8.orig/magick/draw.c	2014-05-01 02:42:05.000000000 +0200
+++ ImageMagick-6.8.9-8/magick/draw.c	2016-06-08 09:01:46.292651843 +0200
@@ -1584,7 +1584,7 @@ static MagickBooleanType DrawDashPolygon
   status=MagickTrue;
   maximum_length=0.0;
   total_length=0.0;
-  for (i=1; i < (ssize_t) number_vertices; i++)
+  for (i=1; (i < (ssize_t) number_vertices) && (length >= 0.0); i++)
   {
     dx=primitive_info[i].point.x-primitive_info[i-1].point.x;
     dy=primitive_info[i].point.y-primitive_info[i-1].point.y;
@@ -1701,6 +1701,135 @@ static inline void TracePoint(PrimitiveI
   primitive_info->point=point;
 }
 
+static void GetNextToken(const char *start,const char **end,
+  const size_t extent,char *token)
+{
+  double
+    value;
+
+  register const char
+    *p;
+
+  register ssize_t
+    i;
+
+  assert(start != (const char *) NULL);
+  assert(token != (char *) NULL);
+  i=0;
+  p=start;
+  while ((isspace((int) ((unsigned char) *p)) != 0) && (*p != '\0'))
+    p++;
+  switch (*p)
+  {
+    case '\0':
+      break;
+    case '"':
+    case '\'':
+    case '`':
+    case '{':
+    {
+      register char
+        escape;
+
+      switch (*p)
+      {
+        case '"': escape='"'; break;
+        case '\'': escape='\''; break;
+        case '`': escape='\''; break;
+        case '{': escape='}'; break;
+        default: escape=(*p); break;
+      }
+      for (p++; *p != '\0'; p++)
+      {
+        if ((*p == '\\') && ((*(p+1) == escape) || (*(p+1) == '\\')))
+          p++;
+        else
+          if (*p == escape)
+            {
+              p++;
+              break;
+            }
+        if (i < (ssize_t) (extent-1))
+          token[i++]=(*p);
+      }
+      break;
+    }
+    case '/':
+    {
+      if (i < (ssize_t) (extent-1))
+        token[i++]=(*p++);
+      if ((*p == '>') || (*p == '/'))
+        if (i < (ssize_t) (extent-1))
+          token[i++]=(*p++);
+      break;
+    }
+    default:
+    {
+      char
+        *q;
+
+      value=StringToDouble(p,&q);
+      (void) value;
+      if ((p != q) && (*p != ','))
+        {
+          for ( ; (p < q) && (*p != ','); p++)
+            if (i < (ssize_t) (extent-1))
+              token[i++]=(*p);
+          if (*p == '%')
+            if (i < (ssize_t) (extent-1))
+              token[i++]=(*p++);
+          break;
+        }
+      if ((*p != '\0') && (isalpha((int) ((unsigned char) *p)) == 0) &&
+          (*p != *DirectorySeparator) && (*p != '#') && (*p != '<'))
+        {
+          if (i < (ssize_t) (extent-1))
+            token[i++]=(*p++);
+          break;
+        }
+      for ( ; *p != '\0'; p++)
+      {
+        if (((isspace((int) ((unsigned char) *p)) != 0) || (*p == '=') ||
+            (*p == ',') || (*p == ':') || (*p == ';')) && (*(p-1) != '\\'))
+          break;
+        if ((i > 0) && (*p == '<'))
+          break;
+        if (i < (ssize_t) (extent-1))
+          token[i++]=(*p);
+        if (*p == '>')
+          break;
+        if (*p == '(')
+          for (p++; *p != '\0'; p++)
+          {
+            if (i < (ssize_t) (extent-1))
+              token[i++]=(*p);
+            if ((*p == ')') && (*(p-1) != '\\'))
+              break;
+          }
+      }
+      break;
+    }
+  }
+  token[i]='\0';
+  if (LocaleNCompare(token,"url(",4) == 0)
+    {
+      ssize_t
+        offset;
+
+      offset=4;
+      if (token[offset] == '#')
+        offset++;
+      i=(ssize_t) strlen(token);
+      (void) CopyMagickString(token,token+offset,MaxTextExtent);
+      token[i-offset-1]='\0';
+    }
+  while (isspace((int) ((unsigned char) *p)) != 0)
+    p++;
+  if (end != (const char **) NULL)
+    *end=(const char *) p;
+}
+
+
 MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info)
 {
 #define RenderImageTag  "Render/Image"
@@ -1831,7 +1960,7 @@ MagickExport MagickBooleanType DrawImage
     /*
       Interpret graphic primitive.
     */
-    GetMagickToken(q,&q,keyword);
+    GetNextToken(q,&q,MaxTextExtent,keyword);
     if (*keyword == '\0')
       break;
     if (*keyword == '#')
@@ -2135,7 +2264,7 @@ MagickExport MagickBooleanType DrawImage
         if (LocaleCompare("font-weight",keyword) == 0)
           {
             GetMagickToken(q,&q,token);
-            graphic_context[n]->weight=StringToUnsignedLong(token);
+            graphic_context[n]->weight=(ssize_t) StringToUnsignedLong(token);
             if (LocaleCompare(token,"all") == 0)
               graphic_context[n]->weight=0;
             if (LocaleCompare(token,"bold") == 0)
@@ -5985,17 +6114,29 @@ static PrimitiveInfo *TraceStrokePolygon
       }
     if (q >= (ssize_t) (max_strokes-6*BezierQuantum-360))
       {
-         max_strokes+=6*BezierQuantum+360;
-         path_p=(PointInfo *) ResizeQuantumMemory(path_p,(size_t) max_strokes,
-           sizeof(*path_p));
-         path_q=(PointInfo *) ResizeQuantumMemory(path_q,(size_t) max_strokes,
-           sizeof(*path_q));
-         if ((path_p == (PointInfo *) NULL) || (path_q == (PointInfo *) NULL))
-           {
-             polygon_primitive=(PrimitiveInfo *)
-               RelinquishMagickMemory(polygon_primitive);
-             return((PrimitiveInfo *) NULL);
-           }
+        if (~max_strokes < (6*BezierQuantum+360))
+          {
+            path_p=(PointInfo *) RelinquishMagickMemory(path_p);
+            path_q=(PointInfo *) RelinquishMagickMemory(path_q);
+          }
+        else
+          {
+            max_strokes+=6*BezierQuantum+360;
+            path_p=(PointInfo *) ResizeQuantumMemory(path_p,max_strokes,
+              sizeof(*path_p));
+            path_q=(PointInfo *) ResizeQuantumMemory(path_q,max_strokes,
+              sizeof(*path_q));
+          }
+        if ((path_p == (PointInfo *) NULL) || (path_q == (PointInfo *) NULL))
+          {
+            if (path_p != (PointInfo *) NULL)
+              path_p=(PointInfo *) RelinquishMagickMemory(path_p);
+            if (path_q != (PointInfo *) NULL)
+              path_q=(PointInfo *) RelinquishMagickMemory(path_q);
+            polygon_primitive=(PrimitiveInfo *)
+              RelinquishMagickMemory(polygon_primitive);
+            return((PrimitiveInfo *) NULL);
+          }
       }
     dot_product=dx.q*dy.p-dx.p*dy.q;
     if (dot_product <= 0.0)
@@ -6057,7 +6198,7 @@ static PrimitiveInfo *TraceStrokePolygon
           q++;
           for (j=1; j < (ssize_t) arc_segments; j++)
           {
-            delta_theta=(j*(theta.q-theta.p)/arc_segments);
+            delta_theta=(double) (j*(theta.q-theta.p)/arc_segments);
             path_q[q].x=(double) (center.x+mid*cos(fmod((double)
               (theta.p+delta_theta),DegreesToRadians(360.0))));
             path_q[q].y=(double) (center.y+mid*sin(fmod((double)
@@ -6127,7 +6268,7 @@ static PrimitiveInfo *TraceStrokePolygon
           path_p[p++]=box_p[1];
           for (j=1; j < (ssize_t) arc_segments; j++)
           {
-            delta_theta=(j*(theta.q-theta.p)/arc_segments);
+            delta_theta=(double) (j*(theta.q-theta.p)/arc_segments);
             path_p[p].x=(double) (center.x+mid*cos(fmod((double)
               (theta.p+delta_theta),DegreesToRadians(360.0))));
             path_p[p].y=(double) (center.y+mid*sin(fmod((double)