File ImageMagick-CVE-2017-7941.patch of Package ImageMagick
From 721dc1305b2bfff92e5ca605dc1a47c61ce90b9f Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@git.imagemagick.org>
Date: Mon, 17 Apr 2017 19:03:46 +0200
Subject: [PATCH] Fixed memory leak reported in #428.
---
coders/sgi.c | 40 +++++++++++++++++++++++++++++++---------
1 file changed, 31 insertions(+), 9 deletions(-)
Index: ImageMagick-6.8.8-1/coders/sgi.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/sgi.c 2017-04-25 11:55:41.787382853 +0200
+++ ImageMagick-6.8.8-1/coders/sgi.c 2017-04-25 11:55:41.919384929 +0200
@@ -431,7 +431,10 @@ static Image *ReadSGIImage(const ImageIn
scanline=(unsigned char *) AcquireQuantumMemory(iris_info.columns,
bytes_per_pixel*sizeof(*scanline));
if (scanline == (unsigned char *) NULL)
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ {
+ pixel_info=RelinquishVirtualMemory(pixel_info);
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
for (z=0; z < (ssize_t) iris_info.depth; z++)
{
p=pixels+bytes_per_pixel*z;
@@ -488,12 +491,11 @@ static Image *ReadSGIImage(const ImageIn
(runlength == (size_t *) NULL) ||
(packet_info == (MemoryInfo *) NULL))
{
- if (offsets == (ssize_t *) NULL)
- offsets=(ssize_t *) RelinquishMagickMemory(offsets);
- if (runlength == (size_t *) NULL)
- runlength=(size_t *) RelinquishMagickMemory(runlength);
- if (packet_info == (MemoryInfo *) NULL)
+ offsets=(ssize_t *) RelinquishMagickMemory(offsets);
+ runlength=(size_t *) RelinquishMagickMemory(runlength);
+ if (packet_info != (MemoryInfo *) NULL)
packet_info=RelinquishVirtualMemory(packet_info);
+ pixel_info=RelinquishVirtualMemory(pixel_info);
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
}
packets=(unsigned char *) GetVirtualMemoryBlob(packet_info);
@@ -503,7 +505,13 @@ static Image *ReadSGIImage(const ImageIn
{
runlength[i]=ReadBlobMSBLong(image);
if (runlength[i] > (4*(size_t) iris_info.columns+10))
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ {
+ offsets=(ssize_t *) RelinquishMagickMemory(offsets);
+ runlength=(size_t *) RelinquishMagickMemory(runlength);
+ packet_info=RelinquishVirtualMemory(packet_info);
+ pixel_info=RelinquishVirtualMemory(pixel_info);
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
}
/*
Check data order.
@@ -539,7 +547,14 @@ static Image *ReadSGIImage(const ImageIn
(runlength[y+z*iris_info.rows]/bytes_per_pixel),packets,
1L*iris_info.columns,p+bytes_per_pixel*z);
if (status == MagickFalse)
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ {
+ offsets=(ssize_t *) RelinquishMagickMemory(offsets);
+ runlength=(size_t *) RelinquishMagickMemory(runlength);
+ packet_info=RelinquishVirtualMemory(packet_info);
+ pixel_info=RelinquishVirtualMemory(pixel_info);
+ ThrowReaderException(CorruptImageError,
+ "ImproperImageHeader");
+ }
p+=(iris_info.columns*4*bytes_per_pixel);
}
}
@@ -569,7 +584,14 @@ static Image *ReadSGIImage(const ImageIn
(runlength[y+z*iris_info.rows]/bytes_per_pixel),packets,
1L*iris_info.columns,p+bytes_per_pixel*z);
if (status == MagickFalse)
- ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ {
+ offsets=(ssize_t *) RelinquishMagickMemory(offsets);
+ runlength=(size_t *) RelinquishMagickMemory(runlength);
+ packet_info=RelinquishVirtualMemory(packet_info);
+ pixel_info=RelinquishVirtualMemory(pixel_info);
+ ThrowReaderException(CorruptImageError,
+ "ImproperImageHeader");
+ }
}
p+=(iris_info.columns*4*bytes_per_pixel);
}