File ImageMagick-CVE-2017-13758.patch of Package ImageMagick
Index: ImageMagick-6.8.8-1/magick/draw.c
===================================================================
--- ImageMagick-6.8.8-1.orig/magick/draw.c 2018-05-25 13:56:51.170692560 +0200
+++ ImageMagick-6.8.8-1/magick/draw.c 2018-05-25 14:02:45.719696926 +0200
@@ -1867,6 +1867,7 @@ MagickExport MagickBooleanType DrawImage
double
angle,
factor,
+ points_extent,
primitive_extent;
DrawInfo
@@ -1901,7 +1902,6 @@ MagickExport MagickBooleanType DrawImage
bounds;
size_t
- length,
number_points;
ssize_t
@@ -3014,17 +3014,17 @@ MagickExport MagickBooleanType DrawImage
/*
Speculate how many points our primitive might consume.
*/
- length=primitive_info[j].coordinates;
+ points_extent=(double) primitive_info[j].coordinates;
switch (primitive_type)
{
case RectanglePrimitive:
{
- length*=5;
+ points_extent*=5;
break;
}
case RoundRectanglePrimitive:
{
- length*=5+8*BezierQuantum;
+ points_extent*=5+8*BezierQuantum;
break;
}
case BezierPrimitive:
@@ -3032,7 +3032,7 @@ MagickExport MagickBooleanType DrawImage
if (primitive_info[j].coordinates > 107)
(void) ThrowMagickException(&image->exception,GetMagickModule(),
DrawError,"TooManyBezierCoordinates","`%s'",token);
- length=BezierQuantum*primitive_info[j].coordinates;
+ points_extent=(double) (BezierQuantum*primitive_info[j].coordinates);
break;
}
case PathPrimitive:
@@ -3042,7 +3042,7 @@ MagickExport MagickBooleanType DrawImage
*t;
GetMagickToken(q,&q,token);
- length=1;
+ points_extent=1;
t=token;
for (s=token; *s != '\0'; s=t)
{
@@ -3056,9 +3056,9 @@ MagickExport MagickBooleanType DrawImage
t++;
continue;
}
- length++;
+ points_extent++;
}
- length=length*BezierQuantum;
+ points_extent=points_extent*BezierQuantum;
break;
}
case CirclePrimitive:
@@ -3073,18 +3073,24 @@ MagickExport MagickBooleanType DrawImage
alpha=bounds.x2-bounds.x1;
beta=bounds.y2-bounds.y1;
radius=hypot((double) alpha,(double) beta);
- length=2*((size_t) ceil((double) MagickPI*radius))+6*BezierQuantum+360;
+ points_extent=2*((size_t) ceil((double) MagickPI*radius))+6*BezierQuantum+360;
break;
}
default:
break;
}
- if ((size_t) (i+length) >= number_points)
+ if (((double) ((size_t) points_extent)) < points_extent)
+ {
+ (void) ThrowMagickException(&image->exception,GetMagickModule(),
+ ResourceLimitError,"MemoryAllocationFailed","`%s'",image->filename);
+ break;
+ }
+ if ((size_t) (i+points_extent) >= number_points)
{
/*
Resize based on speculative points required by primitive.
*/
- number_points+=length+1;
+ number_points+=points_extent+1;
primitive_info=(PrimitiveInfo *) ResizeQuantumMemory(primitive_info,
(size_t) number_points,sizeof(*primitive_info));
if (primitive_info == (PrimitiveInfo *) NULL)