File GraphicsMagick-CVE-2016-7800.patch of Package GraphicsMagick.7782
--- a/coders/meta.c
+++ b/coders/meta.c
@@ -396,10 +396,17 @@
{
if (brkused && next > 0)
{
+ size_t
+ codes_len;
+
char
*s = &token[next-1];
- len -= convertHTMLcodes(s, strlen(s));
+ codes_len = convertHTMLcodes(s, strlen(s));
+ if (codes_len > len)
+ len = 0;
+ else
+ len -= codes_len;
}
}
@@ -450,7 +457,7 @@
next=0;
outputlen += len;
while (len--)
- (void) WriteBlobByte(ofile,token[next++]); /* boom */
+ (void) WriteBlobByte(ofile,token[next++]);
if (outputlen & 1)
{
@@ -682,10 +689,17 @@
{
if (brkused && next > 0)
{
+ size_t
+ codes_len;
+
char
*s = &token[next-1];
- len -= convertHTMLcodes(s, strlen(s));
+ codes_len = convertHTMLcodes(s, strlen(s));
+ if (codes_len > len)
+ len = 0;
+ else
+ len -= codes_len;
}
}
