rpms / ImageMagick

Clone
Source Code
GIT

Blame SOURCES/ImageMagick-cve-2016-5240.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c9s-sig-cloud-openstack-xena
  1.   e53adb08f17dadba33d436bb03bfec210bd61dbe
  2.   SOURCES
  3.   ImageMagick-cve-2016-5240.patch
Blob History Raw
e53adb 
diff -up ImageMagick-6.7.8-9/magick/draw.c.svg-endless-loop ImageMagick-6.7.8-9/magick/draw.c
e53adb 
--- ImageMagick-6.7.8-9/magick/draw.c.svg-endless-loop	2012-07-30 14:28:56.000000000 +0200
e53adb 
+++ ImageMagick-6.7.8-9/magick/draw.c	2016-06-03 13:54:20.337142553 +0200
e53adb 
@@ -1569,7 +1569,7 @@ static MagickBooleanType DrawDashPolygon
e53adb 
   status=MagickTrue;
e53adb 
   maximum_length=0.0;
e53adb 
   total_length=0.0;
e53adb 
-  for (i=1; i < (ssize_t) number_vertices; i++)
e53adb 
+  for (i=1; (i < (ssize_t) number_vertices) && (length >= 0.0); i++)
e53adb 
   {
e53adb 
     dx=primitive_info[i].point.x-primitive_info[i-1].point.x;
e53adb 
     dy=primitive_info[i].point.y-primitive_info[i-1].point.y;
e53adb 
@@ -1581,7 +1581,7 @@ static MagickBooleanType DrawDashPolygon
e53adb 
           n=0;
e53adb 
         length=scale*(draw_info->dash_pattern[n]+(n == 0 ? -0.5 : 0.5));
e53adb 
       }
e53adb 
-    for (total_length=0.0; (total_length+length) <= maximum_length; )
e53adb 
+    for (total_length=0.0; (length >= 0.0) && (total_length+length) <= maximum_length; )
e53adb 
     {
e53adb 
       total_length+=length;
e53adb 
       if ((n & 0x01) != 0)
e53adb 
@@ -2561,9 +2561,7 @@ MagickExport MagickBooleanType DrawImage
e53adb 
           }
e53adb 
         if (LocaleCompare("stroke-dasharray",keyword) == 0)
e53adb 
           {
e53adb 
-            if (graphic_context[n]->dash_pattern != (double *) NULL)
e53adb 
-              graphic_context[n]->dash_pattern=(double *)
e53adb 
-                RelinquishMagickMemory(graphic_context[n]->dash_pattern);
e53adb 
+            graphic_context[n]->dash_pattern = RelinquishMagickMemory(graphic_context[n]->dash_pattern);
e53adb 
             if (IsPoint(q) != MagickFalse)
e53adb 
               {
e53adb 
                 const char
e53adb 
@@ -2596,7 +2594,14 @@ MagickExport MagickBooleanType DrawImage
e53adb 
                     GetMagickToken(q,&q,token);
e53adb 
                   graphic_context[n]->dash_pattern[j]=StringToDouble(token,
e53adb 
                     (char **) NULL);
e53adb 
+                  if (graphic_context[n]->dash_pattern[j] < 0.0)
e53adb 
+                    status=MagickFalse;
e53adb 
                 }
e53adb 
+                if (status == MagickFalse)
e53adb 
+                  {
e53adb 
+                    graphic_context[n]->dash_pattern = RelinquishMagickMemory(graphic_context[n]->dash_pattern);
e53adb 
+                    break;
e53adb 
+                  }
e53adb 
                 if ((x & 0x01) != 0)
e53adb 
                   for ( ; j < (2*x); j++)
e53adb 
                     graphic_context[n]->dash_pattern[j]=

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation