Re: imagemagick CVE-2016-4562, CVE-2016-4563, CVE-2016-4564
Brian May <bam@debian.org> writes:
> Significant changes to TraceStrokePolygon function:
Here is a diff ignoring white space changes:
@@ -6021,13 +6022,25 @@
}
if (q >= (ssize_t) (max_strokes-6*BezierQuantum-360))
{
+ if (~max_strokes < (6*BezierQuantum+360))
+ {
+ path_p=(PointInfo *) RelinquishMagickMemory(path_p);
+ path_q=(PointInfo *) RelinquishMagickMemory(path_q);
+ }
+ else
+ {
max_strokes+=6*BezierQuantum+360;
- path_p=(PointInfo *) ResizeQuantumMemory(path_p,(size_t) max_strokes,
+ path_p=(PointInfo *) ResizeQuantumMemory(path_p,max_strokes,
sizeof(*path_p));
- path_q=(PointInfo *) ResizeQuantumMemory(path_q,(size_t) max_strokes,
+ path_q=(PointInfo *) ResizeQuantumMemory(path_q,max_strokes,
sizeof(*path_q));
+ }
if ((path_p == (PointInfo *) NULL) || (path_q == (PointInfo *) NULL))
{
+ if (path_p != (PointInfo *) NULL)
+ path_p=(PointInfo *) RelinquishMagickMemory(path_p);
+ if (path_q != (PointInfo *) NULL)
+ path_q=(PointInfo *) RelinquishMagickMemory(path_q);
polygon_primitive=(PrimitiveInfo *)
RelinquishMagickMemory(polygon_primitive);
return((PrimitiveInfo *) NULL);
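Review bot: the new guard `if (~max_strokes < (6*BezierQuantum+360))` is only a correct overflow test when max_strokes is unsigned (for a size_t, ~max_strokes equals SIZE_MAX - max_strokes, so the test asks whether the increment would push the value past SIZE_MAX); if max_strokes were still a signed type, ~max_strokes would be negative for every non-negative value and the branch would free the paths and fail every time. The dropped `(size_t)` casts in the ResizeQuantumMemory calls suggest the declaration was changed to size_t, but that change is not in this hunk, so confirm it is part of the same patch. A one-line comment, or the equivalent `if (max_strokes > SIZE_MAX-(6*BezierQuantum+360))`, would make the intent obvious to the next reader. The rest of the hunk is sound: the overflow branch sets both pointers to NULL, which falls through to the existing NULL check and returns cleanly, and freeing the surviving buffer in that check closes a leak when only one ResizeQuantumMemory call fails.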
If I am reading this correctly - the if condition is there to ensure
that "max_strokes+=6*BezierQuantum+360" will not overflow.
I guess if it *did* overflow then we could end up requesting less memory
than we require and using memory past the end of what was allocated.
--
Brian May <bam@debian.org>
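An added example, not code from ImageMagick or from the message above: a stand-alone C sketch of the guard in the hunk, showing why the unchecked `max_strokes+=6*BezierQuantum+360` is dangerous and why the `~max_strokes` test only works on an unsigned counter. BezierQuantum is assumed to be 200 here for illustration (ImageMagick's draw.c defines its own value), and all function names are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value for this example; ImageMagick's draw.c defines its own BezierQuantum. */
#define BezierQuantum 200
#define StrokeGrowth (6*BezierQuantum+360)   /* 1560 with the assumed value */

/* Unchecked growth, mirroring the pre-patch arithmetic: an unsigned sum silently
   wraps around, so a huge max_strokes can become a small one. */
size_t grow_unchecked(size_t max_strokes)
{
    return max_strokes + StrokeGrowth;
}

/* The patch's guard written out on its own. For an unsigned operand,
   ~max_strokes == SIZE_MAX - max_strokes, so this asks: "would adding
   StrokeGrowth exceed SIZE_MAX?" */
bool growth_would_overflow(size_t max_strokes)
{
    return ~max_strokes < (size_t) StrokeGrowth;
}

/* Equivalent form that states the intent without the bitwise trick. */
bool growth_would_overflow_plain(size_t max_strokes)
{
    return max_strokes > SIZE_MAX - StrokeGrowth;
}

/* Checked growth: refuses to wrap, leaving *max_strokes unchanged on failure,
   which is the behaviour the patched TraceStrokePolygon path needs before it
   passes the new count to ResizeQuantumMemory. */
bool grow_checked(size_t *max_strokes)
{
    if (growth_would_overflow(*max_strokes))
        return false;
    *max_strokes += StrokeGrowth;
    return true;
}

/* Byte count a realloc would be asked for after an unchecked, wrapped growth.
   A wrapped element count yields a tiny buffer while the caller keeps indexing
   as if it had grown, i.e. writes past the end of the allocation. */
size_t bytes_requested_after_wrap(size_t max_strokes, size_t elem_size)
{
    return grow_unchecked(max_strokes) * elem_size;
}

/* What happens if the counter is signed: ~max_strokes is negative for every
   non-negative value, so the guard fires on every call. 'long' stands in for
   a signed ssize_t-style declaration. */
bool guard_misfires_if_signed(long max_strokes)
{
    return ~max_strokes < StrokeGrowth;
}

int main(void)
{
    size_t m = SIZE_MAX - 100;
    printf("unchecked: %zu + %d wraps to %zu\n", m, StrokeGrowth, grow_unchecked(m));
    printf("bytes realloc would get for 16-byte points: %zu\n",
           bytes_requested_after_wrap(m, 16));
    printf("checked growth refused: %s\n", grow_checked(&m) ? "no" : "yes");
    printf("signed counter of 1000 misfires: %s\n",
           guard_misfires_if_signed(1000) ? "yes" : "no");
    return 0;
}
```

The two guard forms are interchangeable; the plain comparison is the one to prefer in new code because it reads as the bound it enforces.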