From 260d766a4a8f3cbb7bd18f66bc2dc9489c8c5fe3 Mon Sep 17 00:00:00 2001
From: Cristy
Date: Mon, 11 Feb 2019 19:51:34 -0500
Subject: [PATCH] =?utf8?q?Heap=20buffer=20overflow=20in=20DrawDashPolygon?= =?utf8?q?=20when=20processing=20a=20SVG=20image=20(credit=20Nicolas=20Gr?= =?utf8?q?=C3=A9goire)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
---
 MagickCore/draw.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/MagickCore/draw.c b/MagickCore/draw.c
index 85a9716f4..24935d924 100644
--- a/MagickCore/draw.c
+++ b/MagickCore/draw.c
@@ -337,11 +337,13 @@ MagickExport DrawInfo *CloneDrawInfo(const ImageInfo *image_info,
 x;

 for (x=0; fabs(draw_info->dash_pattern[x]) >= MagickEpsilon; x++) ;
- clone_info->dash_pattern=(double *) AcquireQuantumMemory((size_t) (x+1),
+ clone_info->dash_pattern=(double *) AcquireQuantumMemory((size_t) (2*x+2),
 sizeof(*clone_info->dash_pattern));
 if (clone_info->dash_pattern == (double *) NULL)
 ThrowFatalException(ResourceLimitFatalError,
 "UnableToAllocateDashPattern");
+ (void) memset(clone_info->dash_pattern,0,(size_t) (2*x+2)*
+ sizeof(*clone_info->dash_pattern));
 (void) memcpy(clone_info->dash_pattern,draw_info->dash_pattern,(size_t)
 (x+1)*sizeof(*clone_info->dash_pattern));
 }
--
2.40.0
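Review bot: The new extent `2*x+2` in CloneDrawInfo appears twice, in the AcquireQuantumMemory call and in the memset length, with no comment saying why the clone needs double the scanned length, so the two sites can drift apart on a later edit. I would compute it once, e.g. `extent=(size_t) (2*x+2);`, and add a comment such as `/* zero-filled room for a doubled dash pattern plus terminator; DrawDashPolygon may read past the x+1 copied entries */` (the consumer's read pattern is inferred from the commit subject, not visible in this hunk). The memset length multiplies that count by `sizeof(*clone_info->dash_pattern)` without an overflow check, so it depends on the allocator having already rejected an oversized count. Any other code that allocates or assigns `dash_pattern` lies outside this hunk and should be checked for the same sizing, since the overflow named in the subject would remain reachable through a pattern that never passes through this clone path. The function body starts and ends outside the hunk.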