File ImageMagick-CVE-2019-13307.patch of Package ImageMagick.18390
Index: ImageMagick-7.0.7-34/MagickCore/statistic.c
===================================================================
--- ImageMagick-7.0.7-34.orig/MagickCore/statistic.c 2019-07-19 12:28:06.269509734 +0200
+++ ImageMagick-7.0.7-34/MagickCore/statistic.c 2019-07-19 12:29:31.589978823 +0200
@@ -137,13 +137,19 @@ typedef struct _PixelChannels
channel[CompositePixelChannel];
} PixelChannels;
-static PixelChannels **DestroyPixelThreadSet(PixelChannels **pixels)
+static PixelChannels **DestroyPixelThreadSet(const Image *images,
+ PixelChannels **pixels)
{
register ssize_t
i;
+ size_t
+ rows;
+
assert(pixels != (PixelChannels **) NULL);
- for (i=0; i < (ssize_t) GetMagickResourceLimit(ThreadResource); i++)
+ rows=MagickMax(GetImageListLength(images),
+ (size_t) GetMagickResourceLimit(ThreadResource));
+ for (i=0; i < (ssize_t) rows; i++)
if (pixels[i] != (PixelChannels *) NULL)
pixels[i]=(PixelChannels *) RelinquishMagickMemory(pixels[i]);
pixels=(PixelChannels **) RelinquishMagickMemory(pixels);
@@ -163,25 +169,25 @@ static PixelChannels **AcquirePixelThrea
size_t
columns,
- number_threads;
+ rows;
- number_threads=(size_t) GetMagickResourceLimit(ThreadResource);
- pixels=(PixelChannels **) AcquireQuantumMemory(number_threads,
- sizeof(*pixels));
+ rows=MagickMax(GetImageListLength(images),
+ (size_t) GetMagickResourceLimit(ThreadResource));
+ pixels=(PixelChannels **) AcquireQuantumMemory(rows,sizeof(*pixels));
if (pixels == (PixelChannels **) NULL)
return((PixelChannels **) NULL);
- (void) memset(pixels,0,number_threads*sizeof(*pixels));
- columns=images->columns;
+ (void) memset(pixels,0,rows*sizeof(*pixels));
+ columns=MagickMax(GetImageListLength(images),MaxPixelChannels);
for (next=images; next != (Image *) NULL; next=next->next)
columns=MagickMax(next->columns,columns);
- for (i=0; i < (ssize_t) number_threads; i++)
+ for (i=0; i < (ssize_t) rows; i++)
{
register ssize_t
j;
pixels[i]=(PixelChannels *) AcquireQuantumMemory(columns,sizeof(**pixels));
if (pixels[i] == (PixelChannels *) NULL)
- return(DestroyPixelThreadSet(pixels));
+ return(DestroyPixelThreadSet(images,pixels));
for (j=0; j < (ssize_t) columns; j++)
{
register ssize_t
@@ -766,7 +772,7 @@ MagickExport Image *EvaluateImages(const
}
}
evaluate_view=DestroyCacheView(evaluate_view);
- evaluate_pixels=DestroyPixelThreadSet(evaluate_pixels);
+ evaluate_pixels=DestroyPixelThreadSet(images,evaluate_pixels);
random_info=DestroyRandomInfoThreadSet(random_info);
if (status == MagickFalse)
image=DestroyImage(image);
@@ -2340,7 +2346,7 @@ MagickExport Image *PolynomialImage(cons
}
}
polynomial_view=DestroyCacheView(polynomial_view);
- polynomial_pixels=DestroyPixelThreadSet(polynomial_pixels);
+ polynomial_pixels=DestroyPixelThreadSet(images,polynomial_pixels);
if (status == MagickFalse)
image=DestroyImage(image);
return(image);