From 1f55115e43f7276a6d91bd4408dd4a6ef45d6be5 Mon Sep 17 00:00:00 2001 From: Cristy Date: Sat, 20 Jan 2018 18:38:22 -0500 Subject: [PATCH] Fix heap buffer overflow for malformed XML Credit OSS Fuzz --- ChangeLog | 1 + MagickCore/xml-tree.c | 13 ++++++------- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 10cc39bf1..55b513d70 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,7 @@ * Support aspect ratio geometry, e.g. -crop 3:2. * Add support for reading the HEIC image format (reference https://github.com/ImageMagick/ImageMagick/issues/507). + * Fixed numerous memory leaks, credit to OSS Fuzz. 2018-01-06 7.0.7-21 Cristy * Release ImageMagick version 7.0.0-21, GIT revision 22168:a91afc45b:20180106. diff --git a/MagickCore/xml-tree.c b/MagickCore/xml-tree.c index e35849711..989a520e8 100644 --- a/MagickCore/xml-tree.c +++ b/MagickCore/xml-tree.c @@ -1484,24 +1484,23 @@ static char *ParseEntities(char *xml,char **entities,int state) offset=(ssize_t) (xml-p); extent=(size_t) (offset+length+strlen(entity)); if (p != q) - p=(char *) ResizeQuantumMemory(p,extent,sizeof(*p)); + p=(char *) ResizeQuantumMemory(p,extent+1,sizeof(*p)); else { char *extent_xml; - extent_xml=(char *) AcquireQuantumMemory(extent, + extent_xml=(char *) AcquireQuantumMemory(extent+1, sizeof(*extent_xml)); if (extent_xml != (char *) NULL) - { - (void) CopyMagickString(extent_xml,p,extent* - sizeof(*extent_xml)); - p= extent_xml; - } + (void) CopyMagickString(extent_xml,p,extent* + sizeof(*extent_xml)); + p=extent_xml; } if (p == (char *) NULL) ThrowFatalException(ResourceLimitFatalError, "MemoryAllocationFailed"); + p[extent]='\0'; xml=p+offset; entity=strchr(xml,';'); } -- 2.40.0