From 1abaabbbf9269f7dfb3c57eac6f4e63cfe62cbb1 Mon Sep 17 00:00:00 2001 From: Cristy Date: Sun, 23 Feb 2020 08:22:32 -0500 Subject: [PATCH] Prevent possible buffer overrun --- MagickWand/mogrify.c | 6 +++++- MagickWand/operation.c | 6 +++++- coders/gradient.c | 6 +++++- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/MagickWand/mogrify.c b/MagickWand/mogrify.c index 1b1cf52af7..d2244bb6eb 100644 --- a/MagickWand/mogrify.c +++ b/MagickWand/mogrify.c @@ -1217,7 +1217,11 @@ WandExport MagickBooleanType MogrifyImage(ImageInfo *image_info,const int argc, } for (p=start_color; (*p != '-') && (*p != '\0'); p++) if (*p == '(') - for (p++; (*p != ')') && (*p != '\0'); p++); + { + for (p++; (*p != ')') && (*p != '\0'); p++); + if (*p == '\0') + break; + } if (*p == '-') (void) CopyMagickString(stop_color,p+1,MagickPathExtent); *p='\0'; diff --git a/MagickWand/operation.c b/MagickWand/operation.c index 74f2f98ba5..fbee9d8693 100644 --- a/MagickWand/operation.c +++ b/MagickWand/operation.c @@ -2088,7 +2088,11 @@ static MagickBooleanType CLISimpleOperatorImage(MagickCLI *cli_wand, } for (p=start_color; (*p != '-') && (*p != '\0'); p++) if (*p == '(') - for (p++; (*p != ')') && (*p != '\0'); p++); + { + for (p++; (*p != ')') && (*p != '\0'); p++); + if (*p == '\0') + break; + } if (*p == '-') (void) CopyMagickString(stop_color,p+1,MagickPathExtent); *p='\0'; diff --git a/coders/gradient.c b/coders/gradient.c index 70a3ca04c4..28a35afcc1 100644 --- a/coders/gradient.c +++ b/coders/gradient.c @@ -203,7 +203,11 @@ static Image *ReadGRADIENTImage(const ImageInfo *image_info, MagickPathExtent); for (p=start_color; (*p != '-') && (*p != '\0'); p++) if (*p == '(') - for (p++; (*p != ')') && (*p != '\0'); p++); + { + for (p++; (*p != ')') && (*p != '\0'); p++); + if (*p == '\0') + break; + } if (*p == '-') (void) CopyMagickString(stop_color,p+1,MagickPathExtent); *p='\0';