File GraphicsMagick-CVE-2017-13063,13064,13065.patch of Package GraphicsMagick.7727
Index: GraphicsMagick-1.3.25/coders/svg.c
===================================================================
--- GraphicsMagick-1.3.25.orig/coders/svg.c 2016-09-05 21:20:23.000000000 +0200
+++ GraphicsMagick-1.3.25/coders/svg.c 2017-10-20 12:39:35.106109960 +0200
@@ -266,11 +266,12 @@ static char **GetStyleTokens(void *conte
char
**tokens;
- register const char
+ const char
*p,
*q;
- register size_t
+ size_t
+ alloc_tokens,
i;
SVGInfo
@@ -278,21 +279,27 @@ static char **GetStyleTokens(void *conte
svg_info=(SVGInfo *) context;
*number_tokens=0;
+ alloc_tokens=0;
if (text == (const char *) NULL)
return((char **) NULL);
/*
Determine the number of arguments.
+
+ style="fill: red; stroke: blue; stroke-width: 3"
*/
for (p=text; *p != '\0'; p++)
if (*p == ':')
- (*number_tokens)+=2;
- tokens=MagickAllocateMemory(char **,(*number_tokens+2)*sizeof(*tokens));
+ alloc_tokens+=2;
+ if (alloc_tokens == 0)
+ return((char **) NULL);
+ tokens=MagickAllocateMemory(char **,(alloc_tokens+2)*sizeof(*tokens));
if (tokens == (char **) NULL)
{
ThrowException3(svg_info->exception,ResourceLimitError,
MemoryAllocationFailed,UnableToConvertStringToTokens);
return((char **) NULL);
}
+ (void) memset(tokens,0,(alloc_tokens+2)*sizeof(*tokens));
/*
Convert string to an ASCII list.
*/
@@ -303,14 +310,36 @@ static char **GetStyleTokens(void *conte
if ((*q != ':') && (*q != ';') && (*q != '\0'))
continue;
tokens[i]=AllocateString(p);
+ if (tokens[i] == NULL)
+ {
+ ThrowException3(svg_info->exception,ResourceLimitError,
+ MemoryAllocationFailed,UnableToConvertStringToTokens);
+ break;
+ }
(void) strlcpy(tokens[i],p,q-p+1);
- Strip(tokens[i++]);
+ Strip(tokens[i]);
+ i++;
+ if (i >= alloc_tokens)
+ break;
p=q+1;
}
- tokens[i]=AllocateString(p);
- (void) strlcpy(tokens[i],p,q-p+1);
- Strip(tokens[i++]);
+ if (i < alloc_tokens)
+ {
+ tokens[i]=AllocateString(p);
+ if (tokens[i] == NULL)
+ {
+ ThrowException3(svg_info->exception,ResourceLimitError,
+ MemoryAllocationFailed,UnableToConvertStringToTokens);
+ }
+ else
+ {
+ (void) strlcpy(tokens[i],p,q-p+1);
+ Strip(tokens[i]);
+ i++;
+ }
+ }
tokens[i]=(char *) NULL;
+ *number_tokens=i;
return(tokens);
}
@@ -1555,6 +1584,8 @@ static void SVGStartElement(void *contex
{
(void) LogMagickEvent(CoderEvent,GetMagickModule()," ");
tokens=GetStyleTokens(context,value,&number_tokens);
+ if ((tokens != (char **) NULL) && (number_tokens > 0))
+ {
for (j=0; j < (number_tokens-1); j+=2)
{
keyword=(char *) tokens[j];
@@ -1775,9 +1806,13 @@ static void SVGStartElement(void *contex
break;
}
}
+ }
+ if (tokens != (char **) NULL)
+ {
for (j=0; tokens[j] != (char *) NULL; j++)
MagickFreeMemory(tokens[j]);
MagickFreeMemory(tokens);
+ }
break;
}
break;
