File ImageMagick-CVE-2017-17680,17882.patch of Package ImageMagick
Index: ImageMagick-6.8.8-1/coders/xpm.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/xpm.c 2018-01-02 13:27:01.087547432 +0100
+++ ImageMagick-6.8.8-1/coders/xpm.c 2018-01-02 14:24:11.468444201 +0100
@@ -329,7 +329,10 @@ static Image *ReadXPMImage(const ImageIn
}
if ((count != 4) || (width > 10) || (image->columns == 0) ||
(image->rows == 0) || (image->colors == 0))
+ {
+ xpm_buffer=DestroyString(xpm_buffer);
ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
/*
Remove unquoted characters.
*/
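Review bot: The release of `xpm_buffer` (and, from the second hunk on, `xpm_colors`) is copied by hand in front of each `ThrowReaderException`, here and in the hunks at the colormap allocation, the colour-count check and the pixel-data check. Because that macro returns from the reader, any exit added later, or any exit outside these hunks, will leak again unless the pair of calls is repeated. A small local wrapper that frees both and then throws would keep the cleanup in one place; it needs `xpm_colors` to start as NULL and a guard such as `if (xpm_colors != (SplayTreeInfo *) NULL) xpm_colors=DestroySplayTree(xpm_colors);`. ReadXPMImage starts and ends outside this hunk, so its remaining exits could not be checked from here.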
@@ -353,7 +356,11 @@ static Image *ReadXPMImage(const ImageIn
xpm_colors=NewSplayTree(CompareXPMColor,RelinquishMagickMemory,
(void *(*)(void *)) NULL);
if (AcquireImageColormap(image,image->colors) == MagickFalse)
+ {
+ xpm_buffer=DestroyString(xpm_buffer);
+ xpm_colors=DestroySplayTree(xpm_colors);
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
/*
Read image colormap.
*/
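Review bot: `xpm_colors` is created immediately before the one call whose failure then has to destroy it again. Doing the `AcquireImageColormap` check first and calling `NewSplayTree` after it would leave only `xpm_buffer` to release on this path; nothing in the visible lines makes the colormap depend on the tree. If the patch is meant to stay line-for-line with upstream, keeping the current order is reasonable.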
@@ -403,7 +410,11 @@ static Image *ReadXPMImage(const ImageIn
image->depth=pixel.depth;
}
if (j < (ssize_t) image->colors)
+ {
+ xpm_buffer=DestroyString(xpm_buffer);
+ xpm_colors=DestroySplayTree(xpm_colors);
ThrowReaderException(CorruptImageError,"CorruptImage");
+ }
j=0;
if (image_info->ping == MagickFalse)
{
@@ -432,11 +443,16 @@ static Image *ReadXPMImage(const ImageIn
break;
}
if (y < (ssize_t) image->rows)
+ {
+ xpm_buffer=DestroyString(xpm_buffer);
+ xpm_colors=DestroySplayTree(xpm_colors);
ThrowReaderException(CorruptImageError,"NotEnoughPixelData");
+ }
}
/*
Relinquish resources.
*/
+ xpm_buffer=DestroyString(xpm_buffer);
xpm_colors=DestroySplayTree(xpm_colors);
(void) CloseBlob(image);
return(GetFirstImageInList(image));
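Review bot: Ownership of `xpm_buffer` and `xpm_colors` is not documented in the changed code, although the `DestroyString(xpm_buffer)` added ahead of the final `DestroySplayTree` shows that even the success path used to leak the buffer. I would extend the existing comment to `/* Relinquish resources: xpm_buffer and xpm_colors are owned by this reader and must also be released before every ThrowReaderException above. */`. Since the reader parses untrusted image data and the leak affected valid files as well, it is worth confirming the fix by running both truncated and well-formed XPM samples through it under a leak checker.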