community/graphicsmagick/CVE-2017-13063-13064.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90

diff --git a/coders/svg.c b/coders/svg.c
index 82c87c3..2f88e37 100644
--- a/coders/svg.c
+++ b/coders/svg.c
@@ -266,11 +266,12 @@ static char **GetStyleTokens(void *context,const char *text,size_t *number_token
   char
     **tokens;
 
-  register const char
+  const char
     *p,
     *q;
 
-  register size_t
+  size_t
+    alloc_tokens,
     i;
 
   SVGInfo
@@ -278,21 +279,27 @@ static char **GetStyleTokens(void *context,const char *text,size_t *number_token
 
   svg_info=(SVGInfo *) context;
   *number_tokens=0;
+  alloc_tokens=0;
   if (text == (const char *) NULL)
     return((char **) NULL);
   /*
     Determine the number of arguments.
+
+    style="fill: red; stroke: blue; stroke-width: 3"
   */
   for (p=text; *p != '\0'; p++)
     if (*p == ':')
-      (*number_tokens)+=2;
-  tokens=MagickAllocateMemory(char **,(*number_tokens+2)*sizeof(*tokens));
+      alloc_tokens+=2;
+  if (alloc_tokens == 0)
+    return((char **) NULL);
+  tokens=MagickAllocateMemory(char **,(alloc_tokens+2)*sizeof(*tokens));
   if (tokens == (char **) NULL)
     {
       ThrowException3(svg_info->exception,ResourceLimitError,
         MemoryAllocationFailed,UnableToConvertStringToTokens);
       return((char **) NULL);
     }
+  (void) memset(tokens,0,(alloc_tokens+2)*sizeof(*tokens));
   /*
     Convert string to an ASCII list.
   */
@@ -303,14 +310,36 @@ static char **GetStyleTokens(void *context,const char *text,size_t *number_token
     if ((*q != ':') && (*q != ';') && (*q != '\0'))
       continue;
     tokens[i]=AllocateString(p);
+    if (tokens[i] == NULL)
+      {
+        ThrowException3(svg_info->exception,ResourceLimitError,
+                        MemoryAllocationFailed,UnableToConvertStringToTokens);
+        break;
+      }
     (void) strlcpy(tokens[i],p,q-p+1);
-    Strip(tokens[i++]);
+    Strip(tokens[i]);
+    i++;
+    if (i >= alloc_tokens)
+      break;
     p=q+1;
   }
-  tokens[i]=AllocateString(p);
-  (void) strlcpy(tokens[i],p,q-p+1);
-  Strip(tokens[i++]);
+  if (i < alloc_tokens)
+    {
+      tokens[i]=AllocateString(p);
+      if (tokens[i] == NULL)
+        {
+          ThrowException3(svg_info->exception,ResourceLimitError,
+                          MemoryAllocationFailed,UnableToConvertStringToTokens);
+        }
+      else
+        {
+          (void) strlcpy(tokens[i],p,q-p+1);
+          Strip(tokens[i]);
+          i++;
+        }
+    }
   tokens[i]=(char *) NULL;
+  *number_tokens=i;
   return(tokens);
 }