File GraphicsMagick-CVE-2016-2317.patch of Package GraphicsMagick.6323
Index: GraphicsMagick-1.3.20/coders/svg.c
===================================================================
--- GraphicsMagick-1.3.20.orig/coders/svg.c 2013-03-10 00:19:31.000000000 +0100
+++ GraphicsMagick-1.3.20/coders/svg.c 2016-06-23 10:05:21.805840780 +0200
@@ -316,25 +316,22 @@ static char **GetTransformTokens(void *c
*p,
*q;
- register long
+ register size_t
i;
SVGInfo
*svg_info;
+ size_t
+ alloc_tokens;
+
svg_info=(SVGInfo *) context;
*number_tokens=0;
if (text == (const char *) NULL)
return((char **) NULL);
- /*
- Determine the number of arguments.
- */
- for (p=text; *p != '\0'; p++)
- {
- if (*p == '(')
- (*number_tokens)+=2;
- }
- tokens=MagickAllocateMemory(char **,(*number_tokens+2)*sizeof(*tokens));
+
+ alloc_tokens=8;
+ tokens=MagickAllocateMemory(char **,(alloc_tokens+2)*sizeof(*tokens));
if (tokens == (char **) NULL)
{
ThrowException3(svg_info->exception,ResourceLimitError,
@@ -350,15 +347,28 @@ static char **GetTransformTokens(void *c
{
if ((*q != '(') && (*q != ')') && (*q != '\0'))
continue;
+ if (i == alloc_tokens)
+ {
+ alloc_tokens <<= 1;
+ MagickReallocMemory(char **,tokens,(alloc_tokens+2)*sizeof(*tokens));
+ if (tokens == (char **) NULL)
+ {
+ ThrowException3(svg_info->exception,ResourceLimitError,
+ MemoryAllocationFailed,UnableToConvertStringToTokens);
+ return((char **) NULL);
+ }
+ }
tokens[i]=AllocateString(p);
(void) strlcpy(tokens[i],p,q-p+1);
- Strip(tokens[i++]);
+ Strip(tokens[i]);
+ i++;
p=q+1;
}
tokens[i]=AllocateString(p);
(void) strlcpy(tokens[i],p,q-p+1);
Strip(tokens[i++]);
tokens[i]=(char *) NULL;
+ *number_tokens=i;
return(tokens);
}
@@ -1177,18 +1187,20 @@ static void SVGStartElement(void *contex
IdentityAffine(&transform);
(void) LogMagickEvent(CoderEvent,GetMagickModule()," ");
tokens=GetTransformTokens(context,value,&number_tokens);
- for (j=0; j < (number_tokens-1); j+=2)
+ if ((tokens != (char **) NULL) && (number_tokens > 0))
{
- keyword=(char *) tokens[j];
- if (keyword == (char *) NULL)
- continue;
- value=(char *) tokens[j+1];
- (void) LogMagickEvent(CoderEvent,GetMagickModule(),
- " %.1024s: %.1024s",keyword,value);
- current=transform;
- IdentityAffine(&affine);
- switch (*keyword)
+ for (j=0; j < (number_tokens-1); j+=2)
{
+ keyword=(char *) tokens[j];
+ if (keyword == (char *) NULL)
+ continue;
+ value=(char *) tokens[j+1];
+ (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+ " %.1024s: %.1024s",keyword,value);
+ current=transform;
+ IdentityAffine(&affine);
+ switch (*keyword)
+ {
case 'M':
case 'm':
{
@@ -1293,22 +1305,23 @@ static void SVGStartElement(void *contex
}
default:
break;
- }
- transform.sx=current.sx*affine.sx+current.ry*affine.rx;
- transform.rx=current.rx*affine.sx+current.sy*affine.rx;
- transform.ry=current.sx*affine.ry+current.ry*affine.sy;
- transform.sy=current.rx*affine.ry+current.sy*affine.sy;
- transform.tx=current.sx*affine.tx+current.ry*affine.ty+
- current.tx;
- transform.ty=current.rx*affine.tx+current.sy*affine.ty+
- current.ty;
- }
- MVGPrintf(svg_info->file,"affine %g %g %g %g %g %g\n",
- transform.sx,transform.rx,transform.ry,transform.sy,
- transform.tx,transform.ty);
- for (j=0; tokens[j] != (char *) NULL; j++)
- MagickFreeMemory(tokens[j]);
- MagickFreeMemory(tokens);
+ } /* end switch */
+ transform.sx=current.sx*affine.sx+current.ry*affine.rx;
+ transform.rx=current.rx*affine.sx+current.sy*affine.rx;
+ transform.ry=current.sx*affine.ry+current.ry*affine.sy;
+ transform.sy=current.rx*affine.ry+current.sy*affine.sy;
+ transform.tx=current.sx*affine.tx+current.ry*affine.ty+
+ current.tx;
+ transform.ty=current.rx*affine.tx+current.sy*affine.ty+
+ current.ty;
+ } /* end for */
+ MVGPrintf(svg_info->file,"affine %g %g %g %g %g %g\n",
+ transform.sx,transform.rx,transform.ry,transform.sy,
+ transform.tx,transform.ty);
+ for (j=0; tokens[j] != (char *) NULL; j++)
+ MagickFreeMemory(tokens[j]);
+ MagickFreeMemory(tokens);
+ } /* end if */
break;
}
if (LocaleCompare(keyword,"gradientUnits") == 0)
@@ -1746,6 +1759,8 @@ static void SVGStartElement(void *contex
IdentityAffine(&transform);
(void) LogMagickEvent(CoderEvent,GetMagickModule()," ");
tokens=GetTransformTokens(context,value,&number_tokens);
+ if ((tokens != (char **) NULL) && (number_tokens > 0))
+ {
for (j=0; j < (number_tokens-1); j+=2)
{
keyword=(char *) tokens[j];
@@ -1873,8 +1888,10 @@ static void SVGStartElement(void *contex
MVGPrintf(svg_info->file,"affine %g %g %g %g %g %g\n",
transform.sx,transform.rx,transform.ry,transform.sy,
transform.tx,transform.ty);
- for (j=0; tokens[j] != (char *) NULL; j++)
- MagickFreeMemory(tokens[j]);
+ }
+ if (number_tokens > 0)
+ for (j=0; tokens[j] != (char *) NULL; j++)
+ MagickFreeMemory(tokens[j]);
MagickFreeMemory(tokens);
break;
}
Index: GraphicsMagick-1.3.20/magick/render.c
===================================================================
--- GraphicsMagick-1.3.20.orig/magick/render.c 2016-06-23 10:05:21.649838266 +0200
+++ GraphicsMagick-1.3.20/magick/render.c 2016-06-23 10:05:21.805840780 +0200
@@ -432,7 +432,7 @@ ConvertPathToPolygon(const PathInfo *pat
{
number_edges<<=1;
MagickReallocMemory(EdgeInfo *,polygon_info->edges,
- number_edges*sizeof(EdgeInfo));
+ MagickArraySize(number_edges,sizeof(EdgeInfo)));
if (polygon_info->edges == (EdgeInfo *) NULL)
return((PolygonInfo *) NULL);
}
@@ -484,7 +484,7 @@ ConvertPathToPolygon(const PathInfo *pat
{
number_edges<<=1;
MagickReallocMemory(EdgeInfo *,polygon_info->edges,
- number_edges*sizeof(EdgeInfo));
+ MagickArraySize(number_edges,sizeof(EdgeInfo)));
if (polygon_info->edges == (EdgeInfo *) NULL)
return((PolygonInfo *) NULL);
}
@@ -517,7 +517,7 @@ ConvertPathToPolygon(const PathInfo *pat
if (n == number_points)
{
number_points<<=1;
- MagickReallocMemory(PointInfo *,points,number_points*sizeof(PointInfo));
+ MagickReallocMemory(PointInfo *,points,MagickArraySize(number_points,sizeof(PointInfo)));
if (points == (PointInfo *) NULL)
return((PolygonInfo *) NULL);
}
@@ -541,7 +541,7 @@ ConvertPathToPolygon(const PathInfo *pat
{
number_edges<<=1;
MagickReallocMemory(EdgeInfo *,polygon_info->edges,
- number_edges*sizeof(EdgeInfo));
+ MagickArraySize(number_edges,sizeof(EdgeInfo)));
if (polygon_info->edges == (EdgeInfo *) NULL)
return((PolygonInfo *) NULL);
}
@@ -2309,7 +2309,7 @@ DrawImage(Image *image,const DrawInfo *d
{
n++;
MagickReallocMemory(DrawInfo **,graphic_context,
- (n+1)*sizeof(DrawInfo *));
+ MagickArraySize((n+1),sizeof(DrawInfo *)));
if (graphic_context == (DrawInfo **) NULL)
{
ThrowException3(&image->exception,ResourceLimitError,
@@ -2671,7 +2671,7 @@ DrawImage(Image *image,const DrawInfo *d
continue;
number_points<<=1;
MagickReallocMemory(PrimitiveInfo *,primitive_info,
- number_points*sizeof(PrimitiveInfo));
+ MagickArraySize(number_points,sizeof(PrimitiveInfo)));
if (primitive_info == (PrimitiveInfo *) NULL)
{
ThrowException3(&image->exception,ResourceLimitError,
@@ -2777,7 +2777,7 @@ DrawImage(Image *image,const DrawInfo *d
{
number_points+=length+1;
MagickReallocMemory(PrimitiveInfo *,primitive_info,
- number_points*sizeof(PrimitiveInfo));
+ MagickArraySize(number_points,sizeof(PrimitiveInfo)));
if (primitive_info == (PrimitiveInfo *) NULL)
{
ThrowException3(&image->exception,ResourceLimitError,
@@ -5468,8 +5468,8 @@ TraceStrokePolygon(const DrawInfo *draw_
if (q >= (max_strokes-6*BezierQuantum-360))
{
max_strokes+=6*BezierQuantum+360;
- MagickReallocMemory(PointInfo *,path_p,max_strokes*sizeof(PointInfo));
- MagickReallocMemory(PointInfo *,path_q,max_strokes*sizeof(PointInfo));
+ MagickReallocMemory(PointInfo *,path_p,MagickArraySize(max_strokes,sizeof(PointInfo)));
+ MagickReallocMemory(PointInfo *,path_q,MagickArraySize(max_strokes,sizeof(PointInfo)));
if ((path_p == (PointInfo *) NULL) || (path_q == (PointInfo *) NULL))
{
MagickFreeMemory(polygon_primitive);
