From: Cristy <mikayla-grace@urban-warrior.org>
Date: Tue, 12 Feb 2019 00:51:34 +0000 (-0500)
Subject: Heap buffer overflow in DrawDashPolygon when processing a SVG image (credit Nicolas... 
X-Git-Tag: 7.0.8-28~17
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=260d766a4a8f3cbb7bd18f66bc2dc9489c8c5fe3;p=imagemagick

Heap buffer overflow in DrawDashPolygon when processing a SVG image (credit Nicolas Grégoire)
---

diff --git a/MagickCore/draw.c b/MagickCore/draw.c
index 85a9716f4..24935d924 100644
--- a/MagickCore/draw.c
+++ b/MagickCore/draw.c
@@ -337,11 +337,13 @@ MagickExport DrawInfo *CloneDrawInfo(const ImageInfo *image_info,
         x;
 
       for (x=0; fabs(draw_info->dash_pattern[x]) >= MagickEpsilon; x++) ;
-      clone_info->dash_pattern=(double *) AcquireQuantumMemory((size_t) (x+1),
+      clone_info->dash_pattern=(double *) AcquireQuantumMemory((size_t) (2*x+2),
         sizeof(*clone_info->dash_pattern));
       if (clone_info->dash_pattern == (double *) NULL)
         ThrowFatalException(ResourceLimitFatalError,
           "UnableToAllocateDashPattern");
+      (void) memset(clone_info->dash_pattern,0,(size_t) (2*x+2)*
+        sizeof(*clone_info->dash_pattern));
       (void) memcpy(clone_info->dash_pattern,draw_info->dash_pattern,(size_t)
         (x+1)*sizeof(*clone_info->dash_pattern));
     }