File ImageMagick-CVE-2019-13304,13305,13306.patch of Package ImageMagick.30356
Index: ImageMagick-7.0.7-34/coders/pnm.c
===================================================================
--- ImageMagick-7.0.7-34.orig/coders/pnm.c 2018-05-20 17:55:43.000000000 +0200
+++ ImageMagick-7.0.7-34/coders/pnm.c 2019-07-18 11:44:16.044760360 +0200
@@ -1746,13 +1746,13 @@ static MagickBooleanType WritePNMImage(c
{
*q++=(unsigned char) (GetPixelLuma(image,p) >= (QuantumRange/2.0) ?
'0' : '1');
- *q++=' ';
if ((q-pixels+1) >= (ssize_t) sizeof(pixels))
{
*q++='\n';
(void) WriteBlob(image,q-pixels,pixels);
q=pixels;
}
+ *q++=' ';
p+=GetPixelChannels(image);
}
*q++='\n';
@@ -1814,14 +1814,14 @@ static MagickBooleanType WritePNMImage(c
count=(ssize_t) FormatLocaleString(buffer,MagickPathExtent,
"%u ",ScaleQuantumToLong(index));
extent=(size_t) count;
- (void) strncpy((char *) q,buffer,extent);
- q+=extent;
if ((q-pixels+extent+1) >= sizeof(pixels))
{
*q++='\n';
(void) WriteBlob(image,q-pixels,pixels);
q=pixels;
}
+ (void) strncpy((char *) q,buffer,extent);
+ q+=extent;
p+=GetPixelChannels(image);
}
*q++='\n';
@@ -1889,14 +1889,14 @@ static MagickBooleanType WritePNMImage(c
ScaleQuantumToLong(GetPixelGreen(image,p)),
ScaleQuantumToLong(GetPixelBlue(image,p)));
extent=(size_t) count;
- (void) strncpy((char *) q,buffer,extent);
- q+=extent;
- if ((q-pixels+extent+1) >= sizeof(pixels))
+ if ((q-pixels+extent+2) >= sizeof(pixels))
{
*q++='\n';
(void) WriteBlob(image,q-pixels,pixels);
q=pixels;
}
+ (void) strncpy((char *) q,buffer,extent);
+ q+=extent;
p+=GetPixelChannels(image);
}
*q++='\n';