File ImageMagick-CVE-2017-13758.patch of Package ImageMagick.8768

Index: ImageMagick-6.8.8-1/magick/draw.c
===================================================================
--- ImageMagick-6.8.8-1.orig/magick/draw.c	2018-05-25 13:56:51.170692560 +0200
+++ ImageMagick-6.8.8-1/magick/draw.c	2018-05-25 14:02:45.719696926 +0200
@@ -1867,6 +1867,7 @@ MagickExport MagickBooleanType DrawImage
   double
     angle,
     factor,
+    points_extent,
     primitive_extent;
 
   DrawInfo
@@ -1901,7 +1902,6 @@ MagickExport MagickBooleanType DrawImage
     bounds;
 
   size_t
-    length,
     number_points;
 
   ssize_t
@@ -3014,17 +3014,17 @@ MagickExport MagickBooleanType DrawImage
     /*
       Speculate how many points our primitive might consume.
     */
-    length=primitive_info[j].coordinates;
+    points_extent=(double) primitive_info[j].coordinates;
     switch (primitive_type)
     {
       case RectanglePrimitive:
       {
-        length*=5;
+        points_extent*=5;
         break;
       }
       case RoundRectanglePrimitive:
       {
-        length*=5+8*BezierQuantum;
+        points_extent*=5+8*BezierQuantum;
         break;
       }
       case BezierPrimitive:
@@ -3032,7 +3032,7 @@ MagickExport MagickBooleanType DrawImage
         if (primitive_info[j].coordinates > 107)
           (void) ThrowMagickException(&image->exception,GetMagickModule(),
             DrawError,"TooManyBezierCoordinates","`%s'",token);
-        length=BezierQuantum*primitive_info[j].coordinates;
+        points_extent=(double) (BezierQuantum*primitive_info[j].coordinates);
         break;
       }
       case PathPrimitive:
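Review bot: On the BezierPrimitive line the `(double)` cast is applied to the finished product, so `BezierQuantum*primitive_info[j].coordinates` is still evaluated in integer arithmetic (presumably `size_t`, if BezierQuantum is an integer constant) and can wrap before it is widened. The overflow guard added in the last hunk would then see a small, valid-looking value. The `TooManyBezierCoordinates` exception just above is raised without a `break`, so large coordinate counts do reach this assignment. Casting an operand instead keeps the product in floating point: `points_extent=(double) BezierQuantum*primitive_info[j].coordinates;`. The CirclePrimitive assignment in the last hunk has the same shape, since `2*((size_t) ceil(...))+6*BezierQuantum+360` converts and sums in `size_t` first, and would read `points_extent=2.0*ceil((double) MagickPI*radius)+6.0*BezierQuantum+360.0;`.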
@@ -3042,7 +3042,7 @@ MagickExport MagickBooleanType DrawImage
           *t;
 
         GetMagickToken(q,&q,token);
-        length=1;
+        points_extent=1;
         t=token;
         for (s=token; *s != '\0'; s=t)
         {
@@ -3056,9 +3056,9 @@ MagickExport MagickBooleanType DrawImage
               t++;
               continue;
             }
-          length++;
+          points_extent++;
         }
-        length=length*BezierQuantum;
+        points_extent=points_extent*BezierQuantum;
         break;
       }
       case CirclePrimitive:
@@ -3073,18 +3073,24 @@ MagickExport MagickBooleanType DrawImage
         alpha=bounds.x2-bounds.x1;
         beta=bounds.y2-bounds.y1;
         radius=hypot((double) alpha,(double) beta);
-        length=2*((size_t) ceil((double) MagickPI*radius))+6*BezierQuantum+360;
+        points_extent=2*((size_t) ceil((double) MagickPI*radius))+6*BezierQuantum+360;
         break;
       }
       default:
         break;
     }
-    if ((size_t) (i+length) >= number_points)
+    if (((double) ((size_t) points_extent)) < points_extent)
+      {
+        (void) ThrowMagickException(&image->exception,GetMagickModule(),
+          ResourceLimitError,"MemoryAllocationFailed","`%s'",image->filename);
+        break;
+      }
+    if ((size_t) (i+points_extent) >= number_points)
       {
         /*
           Resize based on speculative points required by primitive.
         */
-        number_points+=length+1;
+        number_points+=points_extent+1;
         primitive_info=(PrimitiveInfo *) ResizeQuantumMemory(primitive_info,
           (size_t) number_points,sizeof(*primitive_info));
         if (primitive_info == (PrimitiveInfo *) NULL)
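Review bot: The new guard `((double) ((size_t) points_extent)) < points_extent` detects an out-of-range value by performing the very conversion it is meant to prevent. Converting a double that does not fit into `size_t` is undefined behaviour in C, so the result of the comparison is not something the compiler has to honour. A NaN extent also passes, because every comparison with NaN is false. A range test done entirely in floating point avoids both problems and bounds the later element-count multiplication as well, for example `if (!(points_extent < (double) SIZE_MAX/sizeof(*primitive_info)))`, assuming `SIZE_MAX` or an equivalent project limit is in scope here. DrawImage begins and ends outside this hunk, so whether `i+points_extent` and `number_points+=points_extent+1` are bounded again further down cannot be confirmed from these lines.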