From c0ecd189efaff43d0b7f2a37db4f503162acedf7 Mon Sep 17 00:00:00 2001
From: 007bsd <22483432+007bsd@users.noreply.github.com>
Date: Mon, 11 May 2026 03:23:05 +0300
Subject: [PATCH] Fix unsound free of uninitialized pointers in GetImageFeatures error path (#8724)

The first error branch in GetImageFeatures freed Q[i] and cooccurrence[i] before those array elements had been initialized (they are populated by the subsequent for loop). Remove the inner free loops. The outer Q and cooccurrence arrays are still released; the second error branch already handles partially-initialized arrays correctly and is unchanged.
---
 MagickCore/feature.c | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/MagickCore/feature.c b/MagickCore/feature.c
index 66ae1931c0..2a56e47772 100644
--- a/MagickCore/feature.c
+++ b/MagickCore/feature.c
@@ -790,11 +790,7 @@ MagickExport ChannelFeatures *GetImageFeatures(const Image *image,
 (sum == (ChannelStatistics *) NULL))
 {
 if (Q != (ChannelStatistics **) NULL)
- {
- for (i=0; i < (ssize_t) number_grays; i++)
- Q[i]=(ChannelStatistics *) RelinquishMagickMemory(Q[i]);
- Q=(ChannelStatistics **) RelinquishMagickMemory(Q);
- }
+ Q=(ChannelStatistics **) RelinquishMagickMemory(Q);
 if (sum != (ChannelStatistics *) NULL)
 sum=(ChannelStatistics *) RelinquishMagickMemory(sum);
 if (density_y != (ChannelStatistics *) NULL)
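Review bot: The single-statement release of `Q` under `if (Q != (ChannelStatistics **) NULL)`, and the matching `cooccurrence` release in the second hunk, are safe only because no `Q[i]` or `cooccurrence[i]` has been allocated when this branch runs, and the new code does not record that. A comment above the `Q` guard would keep a later reader from restoring the per-element loops as a supposed leak fix: `/* Q[i] and cooccurrence[i] are allocated after this check; release only the outer arrays here. */`. The allocations and the second error branch that the commit message relies on lie outside both hunks; if the pointer arrays come from a non-zeroing allocator, zero-filling them right after allocation would make per-element release safe on either path and is worth considering as a follow-up.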
@@ -804,13 +800,8 @@ MagickExport ChannelFeatures *GetImageFeatures(const Image *image,
 if (density_x != (ChannelStatistics *) NULL)
 density_x=(ChannelStatistics *) RelinquishMagickMemory(density_x);
 if (cooccurrence != (ChannelStatistics **) NULL)
- {
- for (i=0; i < (ssize_t) number_grays; i++)
- cooccurrence[i]=(ChannelStatistics *)
- RelinquishMagickMemory(cooccurrence[i]);
- cooccurrence=(ChannelStatistics **) RelinquishMagickMemory(
- cooccurrence);
- }
+ cooccurrence=(ChannelStatistics **) RelinquishMagickMemory(
+ cooccurrence);
 grays=(PixelPacket *) RelinquishMagickMemory(grays);
 channel_features=(ChannelFeatures *) RelinquishMagickMemory(
 channel_features);