File ImageMagick-CVE-2017-13758.patch of Package ImageMagick
Index: ImageMagick-6.8.8-1/magick/draw.c =================================================================== --- ImageMagick-6.8.8-1.orig/magick/draw.c 2018-05-25 13:56:51.170692560 +0200 +++ ImageMagick-6.8.8-1/magick/draw.c 2018-05-25 14:02:45.719696926 +0200 @@ -1867,6 +1867,7 @@ MagickExport MagickBooleanType DrawImage double angle, factor, + points_extent, primitive_extent; DrawInfo @@ -1901,7 +1902,6 @@ MagickExport MagickBooleanType DrawImage bounds; size_t - length, number_points; ssize_t @@ -3014,17 +3014,17 @@ MagickExport MagickBooleanType DrawImage /* Speculate how many points our primitive might consume. */ - length=primitive_info[j].coordinates; + points_extent=(double) primitive_info[j].coordinates; switch (primitive_type) { case RectanglePrimitive: { - length*=5; + points_extent*=5; break; } case RoundRectanglePrimitive: { - length*=5+8*BezierQuantum; + points_extent*=5+8*BezierQuantum; break; } case BezierPrimitive: @@ -3032,7 +3032,7 @@ MagickExport MagickBooleanType DrawImage if (primitive_info[j].coordinates > 107) (void) ThrowMagickException(&image->exception,GetMagickModule(), DrawError,"TooManyBezierCoordinates","`%s'",token); - length=BezierQuantum*primitive_info[j].coordinates; + points_extent=(double) (BezierQuantum*primitive_info[j].coordinates); break; } case PathPrimitive: @@ -3042,7 +3042,7 @@ MagickExport MagickBooleanType DrawImage *t; GetMagickToken(q,&q,token); - length=1; + points_extent=1; t=token; for (s=token; *s != '\0'; s=t) { @@ -3056,9 +3056,9 @@ MagickExport MagickBooleanType DrawImage t++; continue; } - length++; + points_extent++; } - length=length*BezierQuantum; + points_extent=points_extent*BezierQuantum; break; } case CirclePrimitive: 
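Review bot: In the BezierPrimitive hunk (-3032), `points_extent=(double) (BezierQuantum*primitive_info[j].coordinates);` still forms the product in the operands' own type, presumably an integer type, and only then converts it to double. A wrapped product would therefore reach the new range check looking small. The `coordinates > 107` test just above only records an exception and falls through to this assignment, so it does not bound the operand. Casting one operand first, `points_extent=(double) BezierQuantum*primitive_info[j].coordinates;`, keeps the multiplication in floating point. The case body belongs to DrawImage, which starts and ends outside the hunk.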
@@ -3073,18 +3073,24 @@ MagickExport MagickBooleanType DrawImage alpha=bounds.x2-bounds.x1; beta=bounds.y2-bounds.y1; radius=hypot((double) alpha,(double) beta); - length=2*((size_t) ceil((double) MagickPI*radius))+6*BezierQuantum+360; + points_extent=2*((size_t) ceil((double) MagickPI*radius))+6*BezierQuantum+360; break; } default: break; } - if ((size_t) (i+length) >= number_points) + if (((double) ((size_t) points_extent)) < points_extent) + { + (void) ThrowMagickException(&image->exception,GetMagickModule(), + ResourceLimitError,"MemoryAllocationFailed","`%s'",image->filename); + break; + } + if ((size_t) (i+points_extent) >= number_points) { /* Resize based on speculative points required by primitive. */ - number_points+=length+1; + number_points+=points_extent+1; primitive_info=(PrimitiveInfo *) ResizeQuantumMemory(primitive_info, (size_t) number_points,sizeof(*primitive_info)); if (primitive_info == (PrimitiveInfo *) NULL)
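Review bot: In the CirclePrimitive case the estimate is still narrowed before it reaches `points_extent`: `(size_t) ceil((double) MagickPI*radius)` converts first and `2*...` multiplies in size_t. A very large or non-finite `radius` is out of range for that cast (undefined behaviour), or the product wraps, before the added guard can see it. Keeping the expression in floating point, `points_extent=2*ceil((double) MagickPI*radius)+6*BezierQuantum+360;`, lets the guard do its job. The guard `((double) ((size_t) points_extent)) < points_extent` has the same weakness, since it casts a possibly unrepresentable double to size_t and does not reject NaN; comparing `points_extent` against an upper bound expressed as a double before any cast would be safer. The sum in `number_points+=points_extent+1;` is also not range-checked before it is converted back to size_t, and DrawImage continues outside the hunk.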