File ImageMagick-CVE-2014-9820.patch of Package ImageMagick.16891

Index: ImageMagick-6.8.9-8/coders/xpm.c
===================================================================
--- ImageMagick-6.8.9-8.orig/coders/xpm.c	2016-06-15 10:02:07.998260332 +0200
+++ ImageMagick-6.8.9-8/coders/xpm.c	2016-06-15 10:03:31.875608245 +0200
@@ -152,13 +152,17 @@ static int CompareXPMColor(const void *t
   return(strcmp(p,q));
 }
 
-static char *CopyXPMColor(char *destination,const char *source,size_t length)
-{
-  while (length-- && (*source != '\0'))
-    *destination++=(*source++);
-  *destination='\0';
-  return(destination-length);
-}
+ static size_t CopyXPMColor(char *destination,const char *source,size_t length)
+ {
+   register char
+     *p;
+ 
+   p=source;
+   while (length-- && (*p != '\0'))
+     *destination++=(*p++);
+   *destination='\0';
+   return((size_t) (p-source));
+ }
 
 static char *NextXPMLine(char *p)
 {
@@ -285,8 +289,10 @@ static Image *ReadXPMImage(const ImageIn
   */
   length=MaxTextExtent;
   xpm_buffer=(char *) AcquireQuantumMemory((size_t) length,sizeof(*xpm_buffer));
+  if (xpm_buffer == (char *) NULL)
+    ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+  *xpm_buffer='\0';
   p=xpm_buffer;
-  if (xpm_buffer != (char *) NULL)
     while (ReadBlobString(image,p) != (char *) NULL)
     {
       if ((*p == '#') && ((p == xpm_buffer) || (*(p-1) == '\n')))
@@ -415,13 +421,12 @@ static Image *ReadXPMImage(const ImageIn
         indexes=GetAuthenticIndexQueue(image);
         for (x=0; x < (ssize_t) image->columns; x++)
         {
-          (void) CopyXPMColor(key,p,(size_t) width);
+          p+=CopyXPMColor(key,p,MagickMin(width,MaxTextExtent));
           j=(ssize_t) GetValueFromSplayTree(xpm_colors,key);
           if (image->storage_class == PseudoClass)
             SetPixelIndex(indexes+x,j);
           *r=image->colormap[j];
           r++;
-          p+=width;
         }
         if (SyncAuthenticPixels(image,exception) == MagickFalse)
           break;