mirror of
https://github.com/ImageMagick/ImageMagick.git
synced 2026-05-25 11:24:54 +02:00
Ryan Williams
bd4a469adb
In `SVGStartElement`, the `gradientTransform` and `transform` attribute handlers reassign `value` to `tokens[j+1]` inside the inner token-parsing loop. After the loop, all tokens are freed via `DestroyString()`. The outer attribute loop then calls `DestroyString(value)`, which double-frees the already-destroyed token string, causing SIGABRT. Use a separate `token_value` local variable inside each inner loop instead of reassigning `value`, so the outer loop's `DestroyString(value)` frees the original `SVGEscapeString()`-allocated string exactly once. Add regression test for SVG `gradientTransform` (#8582). Fixes ImageMagick/ImageMagick#8582 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
26 lines
881 B
Bash
Executable File
26 lines
881 B
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# Copyright 1999 ImageMagick Studio LLC, a non-profit organization
|
|
# dedicated to making software imaging solutions freely available.
|
|
#
|
|
# You may not use this file except in compliance with the License. You may
|
|
# obtain a copy of the License at
|
|
#
|
|
# https://imagemagick.org/license/
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
# Regression tests for SVG coder.
|
|
#
|
|
. ./common.shi
|
|
. ${srcdir}/tests/common.shi
|
|
echo "1..1"
|
|
|
|
# gradientTransform should not cause a double-free / SIGABRT (#8582)
|
|
${MAGICK} ${SRCDIR}/input_svg_gradient_transform.svg null: && echo "ok" || echo "not ok"
|
|
:
|