From c51bbad4e0c5b51f70b68dda6053121e1dcc3e85 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 26 Dec 2018 11:59:07 -0500
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/1420

---
 MagickCore/cache.c  | 54 +++++++++++++++++++--------------------------
 MagickCore/memory.c | 27 ++++++++++++++---------
 2 files changed, 40 insertions(+), 41 deletions(-)

diff --git a/MagickCore/cache.c b/MagickCore/cache.c
index e5787ee45..de9e9d925 100644
--- a/MagickCore/cache.c
+++ b/MagickCore/cache.c
@@ -1112,6 +1112,7 @@ static inline void RelinquishCacheNexusPixels(NexusInfo *nexus_info)
   nexus_info->metacontent=(void *) NULL;
   nexus_info->length=0;
   nexus_info->mapped=MagickFalse;
+  nexus_info->authentic_pixel_cache=MagickFalse;
 }
 
 MagickPrivate NexusInfo **DestroyPixelCacheNexus(NexusInfo **nexus_info,
@@ -2796,11 +2797,11 @@ MagickPrivate const Quantum *GetVirtualPixelCacheNexus(const Image *image,
         MagickBooleanType
           status;
 
+        if (nexus_info->authentic_pixel_cache != MagickFalse)
+          return(q);
         /*
           Pixel request is inside cache extents.
         */
-        if (nexus_info->authentic_pixel_cache != MagickFalse)
-          return(q);
         status=ReadPixelCachePixels(cache_info,nexus_info,exception);
         if (status == MagickFalse)
           return((const Quantum *) NULL);
@@ -4963,24 +4964,25 @@ MagickPrivate void SetPixelCacheMethods(Cache cache,CacheMethods *cache_methods)
 */
 
 static inline MagickBooleanType AcquireCacheNexusPixels(
-  const CacheInfo *magick_restrict cache_info,NexusInfo *nexus_info,
-  ExceptionInfo *exception)
+  const CacheInfo *magick_restrict cache_info,const MagickOffsetType length,
+  NexusInfo *nexus_info,ExceptionInfo *exception)
 {
-  if (nexus_info->length != (MagickSizeType) ((size_t) nexus_info->length))
+  if (nexus_info->cache != (Quantum *) NULL)
+    RelinquishCacheNexusPixels(nexus_info);
+  if (length != (MagickSizeType) ((size_t) length))
     return(MagickFalse);
   if (cache_anonymous_memory <= 0)
     {
-      nexus_info->mapped=MagickFalse;
       nexus_info->cache=(Quantum *) MagickAssumeAligned(AcquireAlignedMemory(1,
-        (size_t) nexus_info->length));
+        (size_t) length));
       if (nexus_info->cache != (Quantum *) NULL)
-        (void) memset(nexus_info->cache,0,(size_t) nexus_info->length);
+        (void) memset(nexus_info->cache,0,(size_t) length);
     }
-  else
+  if (nexus_info->cache == (Quantum *) NULL)
     {
-      nexus_info->mapped=MagickTrue;
-      nexus_info->cache=(Quantum *) MapBlob(-1,IOMode,0,(size_t)
-        nexus_info->length);
+      nexus_info->cache=(Quantum *) MapBlob(-1,IOMode,0,(size_t) length);
+      if (nexus_info->cache != (Quantum *) NULL)
+        nexus_info->mapped=MagickTrue;
     }
   if (nexus_info->cache == (Quantum *) NULL)
     {
@@ -4989,6 +4991,8 @@ static inline MagickBooleanType AcquireCacheNexusPixels(
         cache_info->filename);
       return(MagickFalse);
     }
+  nexus_info->length=length;
+  nexus_info->authentic_pixel_cache=MagickFalse;
   return(MagickTrue);
 }
 
@@ -5078,9 +5082,8 @@ static Quantum *SetPixelCacheNexusPixels(const CacheInfo *cache_info,
           if (cache_info->metacontent_extent != 0)
             nexus_info->metacontent=(unsigned char *) cache_info->metacontent+
               offset*cache_info->metacontent_extent;
+          nexus_info->authentic_pixel_cache=MagickTrue;
           PrefetchPixelCacheNexusPixels(nexus_info,mode);
-          nexus_info->authentic_pixel_cache=IsPixelCacheAuthentic(cache_info,
-            nexus_info);
           return(nexus_info->pixels);
         }
     }
@@ -5092,34 +5095,23 @@ static Quantum *SetPixelCacheNexusPixels(const CacheInfo *cache_info,
     length+=number_pixels*cache_info->metacontent_extent;
   if (nexus_info->cache == (Quantum *) NULL)
     {
-      nexus_info->length=length;
-      status=AcquireCacheNexusPixels(cache_info,nexus_info,exception);
+      status=AcquireCacheNexusPixels(cache_info,length,nexus_info,exception);
       if (status == MagickFalse)
-        {
-          nexus_info->length=0;
-          return((Quantum *) NULL);
-        }
+        return((Quantum *) NULL);
     }
   else
     if (nexus_info->length < length)
       {
-        RelinquishCacheNexusPixels(nexus_info);
-        nexus_info->length=length;
-        status=AcquireCacheNexusPixels(cache_info,nexus_info,exception);
+        status=AcquireCacheNexusPixels(cache_info,length,nexus_info,exception);
         if (status == MagickFalse)
-          {
-            nexus_info->length=0;
-            return((Quantum *) NULL);
-          }
+          return((Quantum *) NULL);
       }
   nexus_info->pixels=nexus_info->cache;
   nexus_info->metacontent=(void *) NULL;
   if (cache_info->metacontent_extent != 0)
     nexus_info->metacontent=(void *) (nexus_info->pixels+
-      (cache_info->number_channels*number_pixels));
+      cache_info->number_channels*number_pixels);
   PrefetchPixelCacheNexusPixels(nexus_info,mode);
-  nexus_info->authentic_pixel_cache=IsPixelCacheAuthentic(cache_info,
-    nexus_info);
   return(nexus_info->pixels);
 }
 
@@ -5768,7 +5760,7 @@ static MagickBooleanType WritePixelCachePixels(
           length=extent;
           rows=1UL;
         }
-      q=cache_info->pixels+offset*cache_info->number_channels;
+      q=cache_info->pixels+cache_info->number_channels*offset;
       for (y=0; y < (ssize_t) rows; y++)
       {
         (void) memcpy(q,p,(size_t) length);
diff --git a/MagickCore/memory.c b/MagickCore/memory.c
index 2b64e9e0a..6181367b5 100644
--- a/MagickCore/memory.c
+++ b/MagickCore/memory.c
@@ -243,6 +243,7 @@ MagickExport void *AcquireAlignedMemory(const size_t count,const size_t quantum)
 {
 #define AlignedExtent(size,alignment) \
   (((size)+((alignment)-1)) & ~((alignment)-1))
+#define AlignedPowerOf2(x)  ((((x) - 1) & (x)) == 0)
 
   size_t
     alignment,
@@ -255,11 +256,9 @@ MagickExport void *AcquireAlignedMemory(const size_t count,const size_t quantum)
   if (HeapOverflowSanityCheck(count,quantum) != MagickFalse)
     return((void *) NULL);
   memory=NULL;
-  size=count*quantum;
   alignment=CACHE_LINE_SIZE;
+  size=count*quantum;
   extent=AlignedExtent(size,alignment);
-  if ((size == 0) || (alignment < sizeof(void *)) || (extent < size))
-    return((void *) NULL);
 #if defined(MAGICKCORE_HAVE_POSIX_MEMALIGN)
   if (posix_memalign(&memory,alignment,extent) != 0)
     memory=NULL;
@@ -270,15 +269,23 @@ MagickExport void *AcquireAlignedMemory(const size_t count,const size_t quantum)
     void
       *p;
 
+    if ((alignment == 0) || (alignment % sizeof (void *) != 0) ||
+        (AlignedPowerOf2(alignment/sizeof (void *)) == 0))
+      {
+        errno=EINVAL;
+        return((void *) NULL);
+      }
+    if (size > (SIZE_MAX-alignment-sizeof(void *)-1))
+      {
+        errno=ENOMEM;
+        return((void *) NULL);
+      }
     extent=(size+alignment-1)+sizeof(void *);
-    if (extent > size)
+    p=malloc(extent);
+    if (p != NULL)
       {
-        p=malloc(extent);
-        if (p != NULL)
-          {
-            memory=(void *) AlignedExtent((size_t) p+sizeof(void *),alignment);
-            *((void **) memory-1)=p;
-          }
+        memory=(void *) AlignedExtent((size_t) p+sizeof(void *),alignment);
+        *((void **) memory-1)=p;
       }
   }
 #endif
-- 
2.49.0