File ImageMagick-CVE-2016-7524,7800.patch of Package ImageMagick.9293

Index: ImageMagick-6.8.9-8/coders/meta.c
===================================================================
--- ImageMagick-6.8.9-8.orig/coders/meta.c	2016-10-06 15:51:36.305608047 +0200
+++ ImageMagick-6.8.9-8/coders/meta.c	2016-10-06 16:02:00.655484064 +0200
@@ -194,48 +194,47 @@ static int stringnicmp(const char *p,con
   return(toupper((int) *p)-toupper((int) *q));
 }
 
-static int convertHTMLcodes(char *s, int len)
+static size_t convertHTMLcodes(char *s, const size_t len)
 {
-  if (len <=0 || s==(char*)NULL || *s=='\0')
-    return 0;
+  int
+    value;
 
-  if (s[1] == '#')
+  if ((len == 0) || (s == (char*)NULL) || (*s=='\0'))
+    return(0);
+  if ((len > 3) && (s[1] == '#') && (strchr(s,';') != (char *) NULL) &&
+      (sscanf(s,"&#%d;",&value) == 1))
     {
-      int val, o;
-
-      if (sscanf(s,"&#%d;",&val) == 1)
+      size_t o = 3;
+      while (s[o] != ';')
       {
-        o = 3;
-        while (s[o] != ';')
-        {
-          o++;
-          if (o > 5)
-            break;
-        }
-        if (o < 6)
-          (void) strcpy(s+1,s+1+o);
-        *s = val;
-        return o;
+        o++;
+        if (o > 5)
+          break;
       }
+      if (o < 6)
+        (void) strcpy(s+1,s+1+o);
+      *s=value;
+      return(o);
     }
   else
     {
       int
         i,
-        codes = (int) (sizeof(html_codes) / sizeof(html_code));
+        codes;
 
+      codes=sizeof(html_codes)/sizeof(html_code);
       for (i=0; i < codes; i++)
       {
         if (html_codes[i].len <= len)
-          if (stringnicmp(s,html_codes[i].code,(size_t) html_codes[i].len) == 0)
+          if (stringnicmp(s, html_codes[i].code,(size_t) (html_codes[i].len)) == 0)
             {
               (void) strcpy(s+1,s+html_codes[i].len);
               *s = html_codes[i].val;
-              return html_codes[i].len-1;
+              return(html_codes[i].len-1);
             }
       }
     }
-  return 0;
+  return(0);
 }
 
 static char *super_fgets(char **b, int *blen, Image *file)
@@ -395,10 +394,17 @@ static ssize_t parse8BIM(Image *ifile, I
             {
               if (brkused && next > 0)
                 {
+                  size_t
+                    codes_len;
+
                   char
                     *s = &token[next-1];
 
-                  len -= (ssize_t) convertHTMLcodes(s,(int) strlen(s));
+                  codes_len = (ssize_t) convertHTMLcodes(s,strlen(s));
+                  if (codes_len > len)
+                    len = 0;
+                  else
+                    len -= codes_len;
                 }
             }
 
@@ -671,10 +677,17 @@ static ssize_t parse8BIMW(Image *ifile,
             {
               if (brkused && next > 0)
                 {
+                  size_t
+                    codes_len;
+
                   char
                     *s = &token[next-1];
 
-                  len -= (ssize_t) convertHTMLcodes(s,(int) strlen(s));
+                  codes_len = (ssize_t) convertHTMLcodes(s,strlen(s));
+                  if (codes_len > len)
+                    len = 0;
+                  else
+                    len -= codes_len;
                 }
             }