File ImageMagick-CVE-2017-8345,8350.patch of Package ImageMagick.8212

From 8919f333923ad144068fd028d274ca640750e9e6 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@git.imagemagick.org>
Date: Thu, 27 Apr 2017 11:29:45 +0200
Subject: [PATCH] Refactored MngInfoFreeStruct.

---
 coders/png.c | 81 ++++++++++++++++++++++--------------------------------------
 1 file changed, 30 insertions(+), 51 deletions(-)

Index: ImageMagick-6.8.8-1/coders/png.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/png.c	2017-05-03 13:55:52.702560619 +0200
+++ ImageMagick-6.8.8-1/coders/png.c	2017-05-03 14:31:17.646030137 +0200
@@ -1701,24 +1701,22 @@ static void MngInfoDiscardObject(MngInfo
     }
 }
 
-static void MngInfoFreeStruct(MngInfo *mng_info,
-    MagickBooleanType *have_mng_structure)
+static MngInfo *MngInfoFreeStruct(MngInfo *mng_info)
 {
-  if (*have_mng_structure != MagickFalse && (mng_info != (MngInfo *) NULL))
-    {
-      register ssize_t
-        i;
+  register ssize_t
+    i;
+
+  if (mng_info == (MngInfo *) NULL)
+    return((MngInfo *) NULL);
 
-      for (i=1; i < MNG_MAX_OBJECTS; i++)
-        MngInfoDiscardObject(mng_info,i);
+  for (i=1; i < MNG_MAX_OBJECTS; i++)
+    MngInfoDiscardObject(mng_info,i);
 
-      if (mng_info->global_plte != (png_colorp) NULL)
-        mng_info->global_plte=(png_colorp)
-          RelinquishMagickMemory(mng_info->global_plte);
+  if (mng_info->global_plte != (png_colorp) NULL)
+    mng_info->global_plte=(png_colorp)
+      RelinquishMagickMemory(mng_info->global_plte);
 
-      mng_info=(MngInfo *) RelinquishMagickMemory(mng_info);
-      *have_mng_structure=MagickFalse;
-    }
+  return((MngInfo *) RelinquishMagickMemory(mng_info));
 }
 
 static MngBox mng_minimum_box(MngBox box1,MngBox box2)
@@ -3961,7 +3959,6 @@ static Image *ReadPNGImage(const ImageIn
     *previous;
 
   MagickBooleanType
-    have_mng_structure,
     logging,
     status;
 
@@ -4005,7 +4002,6 @@ static Image *ReadPNGImage(const ImageIn
   /*
     Allocate a MngInfo structure.
   */
-  have_mng_structure=MagickFalse;
   mng_info=(MngInfo *) AcquireMagickMemory(sizeof(MngInfo));
 
   if (mng_info == (MngInfo *) NULL)
@@ -4016,11 +4012,10 @@ static Image *ReadPNGImage(const ImageIn
   */
   (void) ResetMagickMemory(mng_info,0,sizeof(MngInfo));
   mng_info->image=image;
-  have_mng_structure=MagickTrue;
 
   previous=image;
   image=ReadOnePNGImage(mng_info,image_info,exception);
-  MngInfoFreeStruct(mng_info,&have_mng_structure);
+  mng_info=MngInfoFreeStruct(mng_info);
 
   if (image == (Image *) NULL)
     {
@@ -4206,7 +4201,7 @@ static Image *ReadOneJNGImage(MngInfo *m
       AcquireNextImage(image_info,image);
 
       if (GetNextImageInList(image) == (Image *) NULL)
-        return((Image *) NULL);
+        return(DestroyImageList(image));
 
       image=SyncNextImageInList(image);
     }
@@ -4379,7 +4374,7 @@ static Image *ReadOneJNGImage(MngInfo *m
           exception);
 
         if (status == MagickFalse)
-          return((Image *) NULL);
+          return(DestroyImageList(image));
 
         if ((image_info->ping == MagickFalse) && (jng_color_type >= 12))
           {
@@ -4409,7 +4404,7 @@ static Image *ReadOneJNGImage(MngInfo *m
               exception);
 
             if (status == MagickFalse)
-              return((Image *) NULL);
+              return(DestroyImageList(image));
 
             if (jng_alpha_compression_method == 0)
               {
@@ -4684,7 +4679,7 @@ static Image *ReadOneJNGImage(MngInfo *m
   color_image_info=DestroyImageInfo(color_image_info);
 
   if (jng_image == (Image *) NULL)
-    return((Image *) NULL);
+    return(DestroyImageList(image));
 
   if (logging != MagickFalse)
     (void) LogMagickEvent(CoderEvent,GetMagickModule(),
@@ -4838,7 +4833,6 @@ static Image *ReadJNGImage(const ImageIn
     *previous;
 
   MagickBooleanType
-    have_mng_structure,
     logging,
     status;
 
@@ -4865,7 +4859,7 @@ static Image *ReadJNGImage(const ImageIn
   status=OpenBlob(image_info,image,ReadBinaryBlobMode,exception);
 
   if (status == MagickFalse)
-    return((Image *) NULL);
+    return(DestroyImageList(image));
 
   if (LocaleCompare(image_info->magick,"JNG") != 0)
     ThrowReaderException(CorruptImageError,"ImproperImageHeader");
@@ -4879,7 +4873,6 @@ static Image *ReadJNGImage(const ImageIn
 
   /* Allocate a MngInfo structure.  */
 
-  have_mng_structure=MagickFalse;
   mng_info=(MngInfo *) AcquireMagickMemory(sizeof(*mng_info));
 
   if (mng_info == (MngInfo *) NULL)
@@ -4888,11 +4881,10 @@ static Image *ReadJNGImage(const ImageIn
   /* Initialize members of the MngInfo structure.  */
 
   (void) ResetMagickMemory(mng_info,0,sizeof(MngInfo));
-  have_mng_structure=MagickTrue;
 
   mng_info->image=image;
   image=ReadOneJNGImage(mng_info,image_info,exception);
-  MngInfoFreeStruct(mng_info,&have_mng_structure);
+  mng_info=MngInfoFreeStruct(mng_info);
 
   if (image == (Image *) NULL)
     {
@@ -4920,7 +4912,8 @@ static Image *ReadJNGImage(const ImageIn
 }
 #endif
 
-static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
+static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info,
+     ExceptionInfo *exception)
 {
   char
     page_geometry[MaxTextExtent];
@@ -4930,8 +4923,7 @@ static Image *ReadMNGImage(const ImageIn
     *previous;
 
   MagickBooleanType
-    logging,
-    have_mng_structure;
+    logging;
 
   volatile int
     first_mng_object,
@@ -4948,9 +4940,6 @@ static Image *ReadMNGImage(const ImageIn
   MagickOffsetType
     offset;
 
-  MngInfo
-    *mng_info;
-
   MngBox
     default_fb,
     fb,
@@ -5021,37 +5010,10 @@ static Image *ReadMNGImage(const ImageIn
   default_fb.left=0;
   default_fb.right=0;
 
-  /* Open image file.  */
-
-  assert(image_info != (const ImageInfo *) NULL);
-  assert(image_info->signature == MagickSignature);
-  (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image_info->filename);
-  assert(exception != (ExceptionInfo *) NULL);
-  assert(exception->signature == MagickSignature);
-  logging=LogMagickEvent(CoderEvent,GetMagickModule(),"Enter ReadMNGImage()");
-  image=AcquireImage(image_info);
-  mng_info=(MngInfo *) NULL;
-  status=OpenBlob(image_info,image,ReadBinaryBlobMode,exception);
-
-  if (status == MagickFalse)
-    return((Image *) NULL);
-
-  first_mng_object=MagickFalse;
-  skipping_loop=(-1);
-  have_mng_structure=MagickFalse;
-
-  /* Allocate a MngInfo structure.  */
-
-  mng_info=(MngInfo *) AcquireMagickMemory(sizeof(MngInfo));
-
-  if (mng_info == (MngInfo *) NULL)
-    ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-
-  /* Initialize members of the MngInfo structure.  */
+  logging=LogMagickEvent(CoderEvent,GetMagickModule(),
+    "  Enter ReadOneMNGImage()");
 
-  (void) ResetMagickMemory(mng_info,0,sizeof(MngInfo));
-  mng_info->image=image;
-  have_mng_structure=MagickTrue;
+  image=mng_info->image;
 
   if (LocaleCompare(image_info->magick,"MNG") == 0)
     {
@@ -5072,6 +5034,7 @@ static Image *ReadMNGImage(const ImageIn
       mng_info->exists[0]=MagickTrue;
     }
 
+  skipping_loop=(-1);
   first_mng_object=MagickTrue;
   mng_type=0;
 #if defined(MNG_INSERT_LAYERS)
@@ -5234,7 +5197,7 @@ static Image *ReadMNGImage(const ImageIn
                 AcquireNextImage(image_info,image);
 
                 if (GetNextImageInList(image) == (Image *) NULL)
-                  return((Image *) NULL);
+                  return(DestroyImageList(image));
 
                 image=SyncNextImageInList(image);
                 mng_info->image=image;
@@ -5685,11 +5648,7 @@ static Image *ReadMNGImage(const ImageIn
                     AcquireNextImage(image_info,image);
 
                     if (GetNextImageInList(image) == (Image *) NULL)
-                      {
-                        image=DestroyImageList(image);
-                        MngInfoFreeStruct(mng_info,&have_mng_structure);
-                        return((Image *) NULL);
-                      }
+                      return(DestroyImageList(image));
 
                     image=SyncNextImageInList(image);
                   }
@@ -5895,8 +5854,12 @@ static Image *ReadMNGImage(const ImageIn
                           SEEK_SET);
 
                         if (offset < 0)
-                          ThrowReaderException(CorruptImageError,
-                            "ImproperImageHeader");
+                          {
+                            chunk=(unsigned char *) RelinquishMagickMemory(
+                               chunk);
+                            ThrowReaderException(CorruptImageError,
+                               "ImproperImageHeader");
+                          }
                       }
 
                     else
@@ -6211,7 +6174,10 @@ static Image *ReadMNGImage(const ImageIn
           }
 #if defined(MNG_INSERT_LAYERS)
         if (length < 8)
-          ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+          {
+            chunk=(unsigned char *) RelinquishMagickMemory(chunk);
+            ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+          }
 
         image_width=(size_t) mng_get_long(p);
         image_height=(size_t) mng_get_long(&p[4]);
@@ -6239,11 +6205,7 @@ static Image *ReadMNGImage(const ImageIn
                     AcquireNextImage(image_info,image);
 
                     if (GetNextImageInList(image) == (Image *) NULL)
-                      {
-                        image=DestroyImageList(image);
-                        MngInfoFreeStruct(mng_info,&have_mng_structure);
-                        return((Image *) NULL);
-                      }
+                      return(DestroyImageList(image));
 
                     image=SyncNextImageInList(image);
                   }
@@ -6292,11 +6254,7 @@ static Image *ReadMNGImage(const ImageIn
               AcquireNextImage(image_info,image);
 
               if (GetNextImageInList(image) == (Image *) NULL)
-                {
-                  image=DestroyImageList(image);
-                  MngInfoFreeStruct(mng_info,&have_mng_structure);
-                  return((Image *) NULL);
-                }
+                return(DestroyImageList(image));
 
               image=SyncNextImageInList(image);
             }
@@ -6341,11 +6299,7 @@ static Image *ReadMNGImage(const ImageIn
             AcquireNextImage(image_info,image);
 
             if (GetNextImageInList(image) == (Image *) NULL)
-              {
-                image=DestroyImageList(image);
-                MngInfoFreeStruct(mng_info,&have_mng_structure);
-                return((Image *) NULL);
-              }
+              return(DestroyImageList(image));
 
             image=SyncNextImageInList(image);
           }
@@ -6416,16 +6370,13 @@ static Image *ReadMNGImage(const ImageIn
             (void) CloseBlob(previous);
           }
 
-        MngInfoFreeStruct(mng_info,&have_mng_structure);
         return((Image *) NULL);
       }
 
     if (image->columns == 0 || image->rows == 0)
       {
         (void) CloseBlob(image);
-        image=DestroyImageList(image);
-        MngInfoFreeStruct(mng_info,&have_mng_structure);
-        return((Image *) NULL);
+        return(DestroyImageList(image));
       }
 
     mng_info->image=image;
@@ -6536,11 +6487,7 @@ static Image *ReadMNGImage(const ImageIn
                 AcquireNextImage(image_info,image);
 
                 if (GetNextImageInList(image) == (Image *) NULL)
-                  {
-                    image=DestroyImageList(image);
-                    MngInfoFreeStruct(mng_info,&have_mng_structure);
-                    return((Image *) NULL);
-                  }
+                  return(DestroyImageList(image));
 
                 large_image=SyncNextImageInList(image);
 
@@ -6620,7 +6567,6 @@ static Image *ReadMNGImage(const ImageIn
                     (next == (PixelPacket *) NULL))
                   {
                      image=DestroyImageList(image);
-                     MngInfoFreeStruct(mng_info,&have_mng_structure);
                      ThrowReaderException(ResourceLimitError,
                        "MemoryAllocationFailed");
                   }
@@ -7085,14 +7031,11 @@ static Image *ReadMNGImage(const ImageIn
           AcquireNextImage(image_info,image);
           if (GetNextImageInList(image) == (Image *) NULL)
             {
-              image=DestroyImageList(image);
-              MngInfoFreeStruct(mng_info,&have_mng_structure);
-
               if (logging != MagickFalse)
                 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
                   "  Allocation failed, returning NULL.");
 
-              return((Image *) NULL);
+              return(DestroyImageList(image));
             }
           image=SyncNextImageInList(image);
         }
@@ -7128,7 +7071,7 @@ static Image *ReadMNGImage(const ImageIn
           CoderError,"Linked list is corrupted, beginning of list not found",
           "`%s'",image_info->filename);
 
-        return((Image *) NULL);
+        return(DestroyImageList(image));
       }
 
     image=GetPreviousImageInList(image);
@@ -7166,11 +7109,7 @@ static Image *ReadMNGImage(const ImageIn
       (void) ThrowMagickException(&image->exception,GetMagickModule(),
         CoderError,"No visible images in file","`%s'",image_info->filename);
 
-      if (image != (Image *) NULL)
-        image=DestroyImageList(image);
-
-      MngInfoFreeStruct(mng_info,&have_mng_structure);
-      return((Image *) NULL);
+      return(DestroyImageList(image));
     }
 
   if (mng_info->ticks_per_second)
@@ -7302,9 +7241,63 @@ static Image *ReadMNGImage(const ImageIn
       }
    }
 
-  image=GetFirstImageInList(image);
-  MngInfoFreeStruct(mng_info,&have_mng_structure);
-  have_mng_structure=MagickFalse;
+  if (logging != MagickFalse)
+    (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+      "  exit ReadOneJNGImage();");
+
+  return(image);
+}
+
+static Image *ReadMNGImage(const ImageInfo *image_info,ExceptionInfo *exception)
+{
+  Image
+    *image;
+
+  MagickBooleanType
+    logging,
+    status;
+
+  MngInfo
+    *mng_info;
+
+  /* Open image file.  */
+
+  assert(image_info != (const ImageInfo *) NULL);
+  assert(image_info->signature == MagickSignature);
+  (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image_info->filename);
+  assert(exception != (ExceptionInfo *) NULL);
+  assert(exception->signature == MagickSignature);
+  logging=LogMagickEvent(CoderEvent,GetMagickModule(),"Enter ReadMNGImage()");
+  image=AcquireImage(image_info);
+  mng_info=(MngInfo *) NULL;
+  status=OpenBlob(image_info,image,ReadBinaryBlobMode,exception);
+
+  if (status == MagickFalse)
+    return((Image *) NULL);
+
+  /* Allocate a MngInfo structure.  */
+
+  mng_info=(MngInfo *) AcquireMagickMemory(sizeof(MngInfo));
+
+  if (mng_info == (MngInfo *) NULL)
+    ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+  /* Initialize members of the MngInfo structure.  */
+
+  (void) ResetMagickMemory(mng_info,0,sizeof(MngInfo));
+  mng_info->image=image;
+  image=ReadOneMNGImage(mng_info,image_info,exception);
+  mng_info=MngInfoFreeStruct(mng_info);
+
+  if (image == (Image *) NULL)
+    {
+      if (logging != MagickFalse)
+        (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+          "exit ReadMNGImage() with error");
+
+      return((Image *) NULL);
+    }
+  (void) CloseBlob(image);
 
   if (logging != MagickFalse)
     (void) LogMagickEvent(CoderEvent,GetMagickModule(),"exit ReadMNGImage()");
@@ -11500,7 +11493,6 @@ static MagickBooleanType WritePNGImage(c
   MagickBooleanType
     excluding,
     logging,
-    have_mng_structure,
     status;
 
   MngInfo
@@ -11525,7 +11517,6 @@ static MagickBooleanType WritePNGImage(c
   /*
     Allocate a MngInfo structure.
   */
-  have_mng_structure=MagickFalse;
   mng_info=(MngInfo *) AcquireMagickMemory(sizeof(MngInfo));
 
   if (mng_info == (MngInfo *) NULL)
@@ -11537,7 +11528,6 @@ static MagickBooleanType WritePNGImage(c
   (void) ResetMagickMemory(mng_info,0,sizeof(MngInfo));
   mng_info->image=image;
   mng_info->equal_backgrounds=MagickTrue;
-  have_mng_structure=MagickTrue;
 
   /* See if user has requested a specific PNG subformat */
 
@@ -12276,7 +12266,7 @@ static MagickBooleanType WritePNGImage(c
 
   (void) CloseBlob(image);
 
-  MngInfoFreeStruct(mng_info,&have_mng_structure);
+  mng_info=MngInfoFreeStruct(mng_info);
 
   if (logging != MagickFalse)
     (void) LogMagickEvent(CoderEvent,GetMagickModule(),"exit WritePNGImage()");
@@ -12877,7 +12867,6 @@ static MagickBooleanType WriteOneJNGImag
 static MagickBooleanType WriteJNGImage(const ImageInfo *image_info,Image *image)
 {
   MagickBooleanType
-    have_mng_structure,
     logging,
     status;
 
@@ -12900,7 +12889,6 @@ static MagickBooleanType WriteJNGImage(c
   /*
     Allocate a MngInfo structure.
   */
-  have_mng_structure=MagickFalse;
   mng_info=(MngInfo *) AcquireMagickMemory(sizeof(MngInfo));
   if (mng_info == (MngInfo *) NULL)
     ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
@@ -12909,15 +12897,14 @@ static MagickBooleanType WriteJNGImage(c
   */
   (void) ResetMagickMemory(mng_info,0,sizeof(MngInfo));
   mng_info->image=image;
-  have_mng_structure=MagickTrue;
 
   (void) WriteBlob(image,8,(const unsigned char *) "\213JNG\r\n\032\n");
 
   status=WriteOneJNGImage(mng_info,image_info,image);
+  mng_info=MngInfoFreeStruct(mng_info);
   (void) CloseBlob(image);
 
   (void) CatchImageException(image);
-  MngInfoFreeStruct(mng_info,&have_mng_structure);
   if (logging != MagickFalse)
     (void) LogMagickEvent(CoderEvent,GetMagickModule(),
       "  exit WriteJNGImage()");
@@ -12936,7 +12923,6 @@ static MagickBooleanType WriteMNGImage(c
     *next_image;
 
   MagickBooleanType
-    have_mng_structure,
     status;
 
   volatile MagickBooleanType
@@ -12998,7 +12984,6 @@ static MagickBooleanType WriteMNGImage(c
   /*
     Allocate a MngInfo structure.
   */
-  have_mng_structure=MagickFalse;
   mng_info=(MngInfo *) AcquireMagickMemory(sizeof(MngInfo));
   if (mng_info == (MngInfo *) NULL)
     ThrowWriterException(ResourceLimitError,"MemoryAllocationFailed");
@@ -13007,7 +12992,6 @@ static MagickBooleanType WriteMNGImage(c
   */
   (void) ResetMagickMemory(mng_info,0,sizeof(MngInfo));
   mng_info->image=image;
-  have_mng_structure=MagickTrue;
   write_mng=LocaleCompare(image_info->magick,"MNG") == 0;
 
   /*
@@ -13765,7 +13749,7 @@ static MagickBooleanType WriteMNGImage(c
 
     if (status == MagickFalse)
       {
-        MngInfoFreeStruct(mng_info,&have_mng_structure);
+        mng_info=MngInfoFreeStruct(mng_info);
         (void) CloseBlob(image);
         return(MagickFalse);
       }
@@ -13798,7 +13782,7 @@ static MagickBooleanType WriteMNGImage(c
     Relinquish resources.
   */
   (void) CloseBlob(image);
-  MngInfoFreeStruct(mng_info,&have_mng_structure);
+  mng_info=MngInfoFreeStruct(mng_info);
 
   if (logging != MagickFalse)
     (void) LogMagickEvent(CoderEvent,GetMagickModule(),"exit WriteMNGImage()");