From: Cristy Date: Sun, 10 Jun 2018 12:04:07 +0000 (-0400) Subject: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8813 X-Git-Tag: 7.0.7-39~11 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=93918585eb9b831de4d00814de6a05c0120fc259;p=imagemagick https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8813 --- diff --git a/MagickCore/draw.c b/MagickCore/draw.c index f71ad89f1..9684132b6 100644 --- a/MagickCore/draw.c +++ b/MagickCore/draw.c @@ -4156,7 +4156,7 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info, } if (*token != ',') GetNextToken(q,&q,extent,token); - primitive_info[j].text=AcquireString(token); + (void) CloneString(&primitive_info[j].text,token); /* Compute text cursor offset. */ @@ -4228,9 +4228,6 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info, status&=DrawPrimitive(image,graphic_context[n],primitive_info, exception); } - if (primitive_info->text != (char *) NULL) - primitive_info->text=(char *) RelinquishMagickMemory( - primitive_info->text); proceed=SetImageProgress(image,RenderImageTag,q-primitive,(MagickSizeType) primitive_extent); if (proceed == MagickFalse) @@ -4246,7 +4243,13 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info, macros=DestroySplayTree(macros); token=DestroyString(token); if (primitive_info != (PrimitiveInfo *) NULL) - primitive_info=(PrimitiveInfo *) RelinquishMagickMemory(primitive_info); + { + for (i=0; primitive_info[i].primitive != UndefinedPrimitive; i++) + if (primitive_info[i].text != (char *) NULL) + primitive_info[i].text=(char *) RelinquishMagickMemory( + primitive_info[i].text); + primitive_info=(PrimitiveInfo *) RelinquishMagickMemory(primitive_info); + } primitive=DestroyString(primitive); if (stops != (StopInfo *) NULL) stops=(StopInfo *) RelinquishMagickMemory(stops);