From: Cristy Date: Sat, 20 Jan 2018 23:38:22 +0000 (-0500) Subject: Fix heap buffer overflow for malformed XML X-Git-Tag: 7.0.7-22~18 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1f55115e43f7276a6d91bd4408dd4a6ef45d6be5;p=imagemagick Fix heap buffer overflow for malformed XML Credit OSS Fuzz --- diff --git a/ChangeLog b/ChangeLog index 10cc39bf1..55b513d70 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,7 @@ * Support aspect ratio geometry, e.g. -crop 3:2. * Add support for reading the HEIC image format (reference https://github.com/ImageMagick/ImageMagick/issues/507). + * Fixed numerous memory leaks, credit to OSS Fuzz. 2018-01-06 7.0.7-21 Cristy * Release ImageMagick version 7.0.0-21, GIT revision 22168:a91afc45b:20180106. diff --git a/MagickCore/xml-tree.c b/MagickCore/xml-tree.c index e35849711..989a520e8 100644 --- a/MagickCore/xml-tree.c +++ b/MagickCore/xml-tree.c @@ -1484,24 +1484,23 @@ static char *ParseEntities(char *xml,char **entities,int state) offset=(ssize_t) (xml-p); extent=(size_t) (offset+length+strlen(entity)); if (p != q) - p=(char *) ResizeQuantumMemory(p,extent,sizeof(*p)); + p=(char *) ResizeQuantumMemory(p,extent+1,sizeof(*p)); else { char *extent_xml; - extent_xml=(char *) AcquireQuantumMemory(extent, + extent_xml=(char *) AcquireQuantumMemory(extent+1, sizeof(*extent_xml)); if (extent_xml != (char *) NULL) - { - (void) CopyMagickString(extent_xml,p,extent* - sizeof(*extent_xml)); - p= extent_xml; - } + (void) CopyMagickString(extent_xml,p,extent* + sizeof(*extent_xml)); + p=extent_xml; } if (p == (char *) NULL) ThrowFatalException(ResourceLimitFatalError, "MemoryAllocationFailed"); + p[extent]='\0'; xml=p+offset; entity=strchr(xml,';'); }