Heap buffer overflow in DrawDashPolygon when processing a SVG image (credit Nicolas...

diff --git a/MagickCore/draw.c b/MagickCore/draw.c
index 85a9716f49b6ff84f619b100a978e609a08a4443..24935d924d139db4fb6a7691e8ada65c54ee44f7 100644 (file)
--- a/MagickCore/draw.c
+++ b/MagickCore/draw.c
@@ -337,11 +337,13 @@ MagickExport DrawInfo *CloneDrawInfo(const ImageInfo *image_info,
         x;
 
       for (x=0; fabs(draw_info->dash_pattern[x]) >= MagickEpsilon; x++) ;
-      clone_info->dash_pattern=(double *) AcquireQuantumMemory((size_t) (x+1),
+      clone_info->dash_pattern=(double *) AcquireQuantumMemory((size_t) (2*x+2),
         sizeof(*clone_info->dash_pattern));
       if (clone_info->dash_pattern == (double *) NULL)
         ThrowFatalException(ResourceLimitFatalError,
           "UnableToAllocateDashPattern");
+      (void) memset(clone_info->dash_pattern,0,(size_t) (2*x+2)*
+        sizeof(*clone_info->dash_pattern));
       (void) memcpy(clone_info->dash_pattern,draw_info->dash_pattern,(size_t)
         (x+1)*sizeof(*clone_info->dash_pattern));
     }