From 9db0506ffeb85be80ce66fe84a7f296fc80129fb Mon Sep 17 00:00:00 2001 From: Cristy Date: Sun, 10 Jun 2018 09:43:46 -0400 Subject: [PATCH] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8817 --- MagickCore/draw.c | 67 ++++++++++++++++++----------------------------- 1 file changed, 25 insertions(+), 42 deletions(-) diff --git a/MagickCore/draw.c b/MagickCore/draw.c index 9684132b6..48852af3a 100644 --- a/MagickCore/draw.c +++ b/MagickCore/draw.c @@ -2206,9 +2206,6 @@ MagickExport MagickBooleanType DrawGradientImage(Image *image, static MagickBooleanType CheckPrimitiveExtent(MVGInfo *mvg_info, const size_t pad) { - PrimitiveInfo - *primitive_info; - size_t extent; @@ -2218,18 +2215,21 @@ static MagickBooleanType CheckPrimitiveExtent(MVGInfo *mvg_info, extent=(size_t) mvg_info->offset+pad+4096; if (extent <= *mvg_info->extent) return(MagickTrue); - primitive_info=AcquireQuantumMemory(extent,sizeof(*primitive_info)); - if (primitive_info == (PrimitiveInfo *) NULL) - { - (void) ThrowMagickException(mvg_info->exception,GetMagickModule(), - ResourceLimitError,"MemoryAllocationFailed","`%s'",""); - return(MagickFalse); - } - (void) memcpy(primitive_info,*mvg_info->primitive_info,*mvg_info->extent); - (void) RelinquishMagickMemory(*mvg_info->primitive_info); - *mvg_info->primitive_info=primitive_info; + *mvg_info->primitive_info=ResizeQuantumMemory(*mvg_info->primitive_info, + extent,sizeof(*mvg_info->primitive_info)); *mvg_info->extent=extent; - return(MagickTrue); + if (*mvg_info->primitive_info != (PrimitiveInfo *) NULL) + return(MagickTrue); + /* + Reallocation failed, allocate 1 point to facilitate unwinding. + */ + (void) ThrowMagickException(mvg_info->exception,GetMagickModule(), + ResourceLimitError,"MemoryAllocationFailed","`%s'",""); + *mvg_info->primitive_info=AcquireCriticalMemory( + sizeof(*mvg_info->primitive_info)); + *mvg_info->extent=1; + mvg_info->offset=0; + return(MagickFalse); } static SplayTreeInfo *GetMVGMacros(const char *primitive) @@ -2367,7 +2367,6 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info, double angle, coordinates, - cursor, factor, primitive_extent; @@ -2492,7 +2491,6 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info, } token=AcquireString(primitive); extent=strlen(token)+MagickPathExtent; - cursor=0.0; defsDepth=0; symbolDepth=0; macros=GetMVGMacros(primitive); @@ -3615,7 +3613,6 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info, if (LocaleCompare("text",keyword) == 0) { primitive_type=TextPrimitive; - affine.tx+=cursor; break; } if (LocaleCompare("text-align",keyword) == 0) @@ -3655,6 +3652,11 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info, MagickTrue : MagickFalse; break; } + if (LocaleCompare("text-span",keyword) == 0) + { + primitive_type=TextPrimitive; + break; + } if (LocaleCompare("text-undercolor",keyword) == 0) { GetNextToken(q,&q,extent,token); @@ -4143,12 +4145,6 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info, } case TextPrimitive: { - DrawInfo - *clone_info; - - TypeMetric - metrics; - if (primitive_info[j].coordinates != 1) { status=MagickFalse; @@ -4157,18 +4153,6 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info, if (*token != ',') GetNextToken(q,&q,extent,token); (void) CloneString(&primitive_info[j].text,token); - /* - Compute text cursor offset. - */ - clone_info=CloneDrawInfo((ImageInfo *) NULL,graphic_context[n]); - if (clone_info->density != (char *) NULL) - clone_info->density=DestroyString(clone_info->density); - clone_info->render=MagickFalse; - clone_info->text=AcquireString(token); - (void) ConcatenateString(&clone_info->text," "); - status&=GetTypeMetrics(image,clone_info,&metrics,exception); - clone_info=DestroyDrawInfo(clone_info); - cursor+=metrics.width; break; } case ImagePrimitive: @@ -4228,6 +4212,9 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info, status&=DrawPrimitive(image,graphic_context[n],primitive_info, exception); } + if (primitive_info->text != (char *) NULL) + primitive_info->text=(char *) RelinquishMagickMemory( + primitive_info->text); proceed=SetImageProgress(image,RenderImageTag,q-primitive,(MagickSizeType) primitive_extent); if (proceed == MagickFalse) @@ -4243,13 +4230,7 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info, macros=DestroySplayTree(macros); token=DestroyString(token); if (primitive_info != (PrimitiveInfo *) NULL) - { - for (i=0; primitive_info[i].primitive != UndefinedPrimitive; i++) - if (primitive_info[i].text != (char *) NULL) - primitive_info[i].text=(char *) RelinquishMagickMemory( - primitive_info[i].text); - primitive_info=(PrimitiveInfo *) RelinquishMagickMemory(primitive_info); - } + primitive_info=(PrimitiveInfo *) RelinquishMagickMemory(primitive_info); primitive=DestroyString(primitive); if (stops != (StopInfo *) NULL) stops=(StopInfo *) RelinquishMagickMemory(stops); @@ -6745,6 +6726,8 @@ static void TraceRoundRectangle(MVGInfo *mvg_info,const PointInfo start, TraceEllipse(mvg_info,point,arc,degrees); p=(*mvg_info->primitive_info)+mvg_info->offset; mvg_info->offset+=p->coordinates; + if (CheckPrimitiveExtent(mvg_info,4096) == MagickFalse) + return; p=(*mvg_info->primitive_info)+mvg_info->offset; TracePoint(p,(*mvg_info->primitive_info+offset)->point); p+=p->coordinates; -- 2.40.0