File ImageMagick-CVE-2017-9407.patch of Package ImageMagick
Index: ImageMagick-6.8.8-1/coders/palm.c
===================================================================
--- ImageMagick-6.8.8-1.orig/coders/palm.c 2018-01-31 12:40:13.957110985 +0100
+++ ImageMagick-6.8.8-1/coders/palm.c 2018-01-31 12:41:27.210372914 +0100
@@ -415,7 +415,10 @@ static Image *ReadPALMImage(const ImageI
lastrow=(unsigned char *) AcquireQuantumMemory(MagickMax(bytes_per_row,
2*image->columns),sizeof(*lastrow));
if (lastrow == (unsigned char *) NULL)
- ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ {
+ one_row=(unsigned char *) RelinquishMagickMemory(one_row);
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+ }
}
mask=(size_t) (1U << bits_per_pixel)-1;
for (y = 0; y < (ssize_t) image->rows; y++)
@@ -473,7 +476,12 @@ static Image *ReadPALMImage(const ImageI
if (bits_per_pixel == 16)
{
if (image->columns > (2*bytes_per_row))
- ThrowReaderException(CorruptImageError,"CorruptImage");
+ {
+ one_row=(unsigned char *) RelinquishMagickMemory(one_row);
+ if (compressionType == PALM_COMPRESSION_SCANLINE)
+ lastrow=(unsigned char *) RelinquishMagickMemory(lastrow);
+ ThrowReaderException(CorruptImageError,"CorruptImage");
+ }
for (x=0; x < (ssize_t) image->columns; x++)
{
color16=(*ptr++ << 8);
@@ -494,7 +502,12 @@ static Image *ReadPALMImage(const ImageI
for (x=0; x < (ssize_t) image->columns; x++)
{
if ((size_t) (ptr-one_row) >= bytes_per_row)
- ThrowReaderException(CorruptImageError,"CorruptImage");
+ {
+ one_row=(unsigned char *) RelinquishMagickMemory(one_row);
+ if (compressionType == PALM_COMPRESSION_SCANLINE)
+ lastrow=(unsigned char *) RelinquishMagickMemory(lastrow);
+ ThrowReaderException(CorruptImageError,"CorruptImage");
+ }
index=(IndexPacket) (mask-(((*ptr) & (mask << bit)) >> bit));
SetPixelIndex(indexes+x,index);
SetPixelRGBO(q,image->colormap+(ssize_t) index);
