File ImageMagick-CVE-2019-13307.patch of Package ImageMagick.24236

Index: ImageMagick-7.0.7-34/MagickCore/statistic.c
===================================================================
--- ImageMagick-7.0.7-34.orig/MagickCore/statistic.c	2019-07-19 12:28:06.269509734 +0200
+++ ImageMagick-7.0.7-34/MagickCore/statistic.c	2019-07-19 12:29:31.589978823 +0200
@@ -137,13 +137,19 @@ typedef struct _PixelChannels
     channel[CompositePixelChannel];
 } PixelChannels;
 
-static PixelChannels **DestroyPixelThreadSet(PixelChannels **pixels)
+static PixelChannels **DestroyPixelThreadSet(const Image *images,
+  PixelChannels **pixels)
 {
   register ssize_t
     i;
 
+  size_t
+    rows;
+
   assert(pixels != (PixelChannels **) NULL);
-  for (i=0; i < (ssize_t) GetMagickResourceLimit(ThreadResource); i++)
+  rows=MagickMax(GetImageListLength(images),
+    (size_t) GetMagickResourceLimit(ThreadResource));
+  for (i=0; i < (ssize_t) rows; i++)
     if (pixels[i] != (PixelChannels *) NULL)
       pixels[i]=(PixelChannels *) RelinquishMagickMemory(pixels[i]);
   pixels=(PixelChannels **) RelinquishMagickMemory(pixels);
@@ -163,25 +169,25 @@ static PixelChannels **AcquirePixelThrea
 
   size_t
     columns,
-    number_threads;
+    rows;
 
-  number_threads=(size_t) GetMagickResourceLimit(ThreadResource);
-  pixels=(PixelChannels **) AcquireQuantumMemory(number_threads,
-    sizeof(*pixels));
+  rows=MagickMax(GetImageListLength(images),
+    (size_t) GetMagickResourceLimit(ThreadResource));
+  pixels=(PixelChannels **) AcquireQuantumMemory(rows,sizeof(*pixels));
   if (pixels == (PixelChannels **) NULL)
     return((PixelChannels **) NULL);
-  (void) memset(pixels,0,number_threads*sizeof(*pixels));
-  columns=images->columns;
+  (void) memset(pixels,0,rows*sizeof(*pixels));
+  columns=MagickMax(GetImageListLength(images),MaxPixelChannels);
   for (next=images; next != (Image *) NULL; next=next->next)
     columns=MagickMax(next->columns,columns);
-  for (i=0; i < (ssize_t) number_threads; i++)
+  for (i=0; i < (ssize_t) rows; i++)
   {
     register ssize_t
       j;
 
     pixels[i]=(PixelChannels *) AcquireQuantumMemory(columns,sizeof(**pixels));
     if (pixels[i] == (PixelChannels *) NULL)
-      return(DestroyPixelThreadSet(pixels));
+      return(DestroyPixelThreadSet(images,pixels));
     for (j=0; j < (ssize_t) columns; j++)
     {
       register ssize_t
@@ -766,7 +772,7 @@ MagickExport Image *EvaluateImages(const
       }
     }
   evaluate_view=DestroyCacheView(evaluate_view);
-  evaluate_pixels=DestroyPixelThreadSet(evaluate_pixels);
+  evaluate_pixels=DestroyPixelThreadSet(images,evaluate_pixels);
   random_info=DestroyRandomInfoThreadSet(random_info);
   if (status == MagickFalse)
     image=DestroyImage(image);
@@ -2340,7 +2346,7 @@ MagickExport Image *PolynomialImage(cons
       }
   }
   polynomial_view=DestroyCacheView(polynomial_view);
-  polynomial_pixels=DestroyPixelThreadSet(polynomial_pixels);
+  polynomial_pixels=DestroyPixelThreadSet(images,polynomial_pixels);
   if (status == MagickFalse)
     image=DestroyImage(image);
   return(image);