File GraphicsMagick-CVE-2016-5240.patch of Package GraphicsMagick.6323
Index: GraphicsMagick-1.3.20/magick/render.c
===================================================================
--- GraphicsMagick-1.3.20.orig/magick/render.c 2016-06-08 10:44:49.258451101 +0200
+++ GraphicsMagick-1.3.20/magick/render.c 2016-06-08 10:44:49.274451367 +0200
@@ -1501,7 +1501,7 @@ DrawDashPolygon(const DrawInfo *draw_inf
status=MagickPass;
maximum_length=0.0;
total_length=0.0;
- for (i=1; i < number_vertices; i++)
+ for (i=1; (i < number_vertices) && (length >= 0.0); i++)
{
dx=primitive_info[i].point.x-primitive_info[i-1].point.x;
dy=primitive_info[i].point.y-primitive_info[i-1].point.y;
@@ -1513,7 +1513,7 @@ DrawDashPolygon(const DrawInfo *draw_inf
n=0;
length=scale*draw_info->dash_pattern[n];
}
- for (total_length=0.0; maximum_length >= (length+total_length); )
+ for (total_length=0.0; (length >= 0.0) && (maximum_length >= (length+total_length)); )
{
total_length+=length;
if (n & 0x01)
@@ -2415,8 +2415,7 @@ DrawImage(Image *image,const DrawInfo *d
}
if (LocaleCompare("stroke-dasharray",keyword) == 0)
{
- if (graphic_context[n]->dash_pattern != (double *) NULL)
- MagickFreeMemory(graphic_context[n]->dash_pattern);
+ MagickFreeMemory(graphic_context[n]->dash_pattern);
if (IsPoint(q))
{
char
@@ -2446,7 +2445,14 @@ DrawImage(Image *image,const DrawInfo *d
if (*token == ',')
GetToken(q,&q,token);
graphic_context[n]->dash_pattern[j]=MagickAtoF(token);
+ if (graphic_context[n]->dash_pattern[j] < 0.0)
+ status=MagickFail;
}
+ if (status == MagickFail)
+ {
+ MagickFreeMemory(graphic_context[n]->dash_pattern);
+ break;
+ }
if (x & 0x01)
for ( ; j < (2*x); j++)
graphic_context[n]->dash_pattern[j]=
