From 93918585eb9b831de4d00814de6a05c0120fc259 Mon Sep 17 00:00:00 2001 From: Cristy Date: Sun, 10 Jun 2018 08:04:07 -0400 Subject: [PATCH] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8813 --- MagickCore/draw.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/MagickCore/draw.c b/MagickCore/draw.c index f71ad89f1..9684132b6 100644 --- a/MagickCore/draw.c +++ b/MagickCore/draw.c @@ -4156,7 +4156,7 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info, } if (*token != ',') GetNextToken(q,&q,extent,token); - primitive_info[j].text=AcquireString(token); + (void) CloneString(&primitive_info[j].text,token); /* Compute text cursor offset. */ @@ -4228,9 +4228,6 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info, status&=DrawPrimitive(image,graphic_context[n],primitive_info, exception); } - if (primitive_info->text != (char *) NULL) - primitive_info->text=(char *) RelinquishMagickMemory( - primitive_info->text); proceed=SetImageProgress(image,RenderImageTag,q-primitive,(MagickSizeType) primitive_extent); if (proceed == MagickFalse) @@ -4246,7 +4243,13 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info, macros=DestroySplayTree(macros); token=DestroyString(token); if (primitive_info != (PrimitiveInfo *) NULL) - primitive_info=(PrimitiveInfo *) RelinquishMagickMemory(primitive_info); + { + for (i=0; primitive_info[i].primitive != UndefinedPrimitive; i++) + if (primitive_info[i].text != (char *) NULL) + primitive_info[i].text=(char *) RelinquishMagickMemory( + primitive_info[i].text); + primitive_info=(PrimitiveInfo *) RelinquishMagickMemory(primitive_info); + } primitive=DestroyString(primitive); if (stops != (StopInfo *) NULL) stops=(StopInfo *) RelinquishMagickMemory(stops); -- 2.40.0