Commit 9acf93f66 for imagemagick.org
commit 9acf93f66b0f8495fa222e1a27c3db534cd78864
Author: Dirk Lemstra <dirk@lemstra.org>
Date: Sun Jun 21 10:03:27 2026 +0200
Added extra checks when acquiring the values of a kernel (GHSA-f5m7-cqgw-8hm7)
diff --git a/MagickCore/morphology.c b/MagickCore/morphology.c
index 95589fd93..6fdee5709 100644
--- a/MagickCore/morphology.c
+++ b/MagickCore/morphology.c
@@ -200,6 +200,19 @@ static inline KernelInfo *LastKernelInfo(KernelInfo *kernel)
%
*/
+static inline MagickBooleanType AcquireKernelValues(KernelInfo *kernel)
+{
+ size_t
+ elements;
+
+ kernel->values=(MagickRealType *) NULL;
+ if (HeapOverflowSanityCheckGetSize(kernel->width,kernel->height,&elements) != MagickFalse)
+ return(MagickFalse);
+ kernel->values=(MagickRealType *) MagickAssumeAligned(AcquireAlignedMemory(
+ elements,sizeof(*kernel->values)));
+ return(kernel->values == (MagickRealType *) NULL ? MagickFalse : MagickTrue);
+}
+
/* This was separated so that it could be used as a separate
** array input handling function, such as for -color-matrix
*/
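Review bot: AcquireKernelValues is added without any comment, and two parts of its contract are easy to misread. The branch `HeapOverflowSanityCheckGetSize(...) != MagickFalse` is the failure case, which reads inverted unless you already know that the helper reports an overflow by returning true; a one-line comment on it such as `/* non-false: width*height does not fit in size_t */` would help. The early `kernel->values=(MagickRealType *) NULL;` also deserves a why-comment, because in CloneKernelInfo the struct copy leaves the source's pointer in `new_kernel->values` and the failure path hands the struct to DestroyKernelInfo. I would add a header along the lines of `/* Allocate width*height values for kernel; on failure values is NULL and the caller destroys the kernel. */`.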
@@ -307,9 +320,7 @@ static KernelInfo *ParseKernelArray(const char *kernel_string)
}
/* Read in the kernel values from rest of input string argument */
- kernel->values=(MagickRealType *) MagickAssumeAligned(AcquireAlignedMemory(
- kernel->width,kernel->height*sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
kernel->minimum=MagickMaximumValue;
kernel->maximum=(-MagickMaximumValue);
@@ -1059,10 +1070,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->width = GetOptimalKernelWidth2D(args->rho,sigma2);
kernel->height = kernel->width;
kernel->x = kernel->y = (ssize_t) (kernel->width-1)/2;
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
/* WARNING: The following generates a 'sampled gaussian' kernel.
@@ -1151,10 +1159,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->x = (ssize_t) (kernel->width-1)/2;
kernel->y = 0;
kernel->negative_range = kernel->positive_range = 0.0;
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
#if 1
@@ -1238,10 +1243,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->x = kernel->y = 0;
kernel->height = 1;
kernel->negative_range = kernel->positive_range = 0.0;
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
/* A comet blur is half a 1D gaussian curve, so that the object is
@@ -1315,10 +1317,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
order_f = fact(kernel->width-1);
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
/* set all kernel values within diamond area to scale given */
@@ -1552,10 +1551,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->width = kernel->height = CastDoubleToSizeT(args->rho)*2+1;
kernel->x = kernel->y = (ssize_t) (kernel->width-1)/2;
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
/* set all kernel values within diamond area to scale given */
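Review bot: The size_t arithmetic on the context line `kernel->width = kernel->height = CastDoubleToSizeT(args->rho)*2+1;` is still unchecked, so a very large `args->rho` can wrap before AcquireKernelValues ever sees the dimensions; the helper validates only width×height. The same expression feeds the hunks at new lines 1609, 1633 (with `fabs`), 1653, 1672, 2083, 2101, 2119 and 2142. Where the fill loops are bounded by `kernel->y`, as in `for ( i=0, v=-kernel->y; ...`, a wrapped width stays consistent with the allocation, so this looks like a silently wrong-sized kernel rather than an out-of-bounds write, but that depends on code outside these hunks. Bounding the radius first would close it: `size_t radius=CastDoubleToSizeT(args->rho);` then `if (radius > (SIZE_MAX-1)/2) return(DestroyKernelInfo(kernel));`. AcquireKernelBuiltIn starts and ends outside the hunk.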
@@ -1594,10 +1590,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->y = (ssize_t) args->psi;
scale = 1.0;
}
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
/* set all kernel values to scale given */
@@ -1616,10 +1609,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->width = kernel->height = CastDoubleToSizeT(args->rho)*2+1;
kernel->x = kernel->y = (ssize_t) (kernel->width-1)/2;
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
for ( i=0, v=-kernel->y; v <= (ssize_t)kernel->y; v++)
@@ -1643,10 +1633,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->width = kernel->height = CastDoubleToSizeT(fabs(args->rho))*2+1;
kernel->x = kernel->y = (ssize_t) (kernel->width-1)/2;
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
for ( i=0, v=-kernel->y; v <= (ssize_t)kernel->y; v++)
@@ -1666,10 +1653,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->width = kernel->height = CastDoubleToSizeT(args->rho)*2+1;
kernel->x = kernel->y = (ssize_t) (kernel->width-1)/2;
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
/* set all kernel values along axises to given scale */
@@ -1688,10 +1672,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->width = kernel->height = CastDoubleToSizeT(args->rho)*2+1;
kernel->x = kernel->y = (ssize_t) (kernel->width-1)/2;
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
/* set all kernel values along axises to given scale */
@@ -1730,10 +1711,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->height = kernel->width;
kernel->x = kernel->y = (ssize_t) (kernel->width-1)/2;
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
/* set a ring of points of 'scale' ( 0.0 for PeaksKernel ) */
@@ -2105,10 +2083,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->width = kernel->height = CastDoubleToSizeT(args->rho)*2+1;
kernel->x = kernel->y = (ssize_t) (kernel->width-1)/2;
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
for ( i=0, v=-kernel->y; v <= (ssize_t)kernel->y; v++)
@@ -2126,10 +2101,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->width = kernel->height = CastDoubleToSizeT(args->rho)*2+1;
kernel->x = kernel->y = (ssize_t) (kernel->width-1)/2;
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
for ( i=0, v=-kernel->y; v <= (ssize_t)kernel->y; v++)
@@ -2147,10 +2119,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->width = kernel->height = CastDoubleToSizeT(args->rho)*2+1;
kernel->x = kernel->y = (ssize_t) (kernel->width-1)/2;
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
for ( i=0, v=-kernel->y; v <= (ssize_t)kernel->y; v++)
@@ -2173,10 +2142,7 @@ MagickExport KernelInfo *AcquireKernelBuiltIn(const KernelInfoType type,
kernel->width = kernel->height = CastDoubleToSizeT(args->rho)*2+1;
kernel->x = kernel->y = (ssize_t) (kernel->width-1)/2;
- kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*
- sizeof(*kernel->values)));
- if (kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(kernel) == MagickFalse)
return(DestroyKernelInfo(kernel));
for ( i=0, v=-kernel->y; v <= (ssize_t)kernel->y; v++)
@@ -2239,9 +2205,7 @@ MagickExport KernelInfo *CloneKernelInfo(const KernelInfo *kernel)
*new_kernel=(*kernel); /* copy values in structure */
/* replace the values with a copy of the values */
- new_kernel->values=(MagickRealType *) MagickAssumeAligned(
- AcquireAlignedMemory(kernel->width,kernel->height*sizeof(*kernel->values)));
- if (new_kernel->values == (MagickRealType *) NULL)
+ if (AcquireKernelValues(new_kernel) == MagickFalse)
return(DestroyKernelInfo(new_kernel));
for (i=0; i < (ssize_t) (kernel->width*kernel->height); i++)
new_kernel->values[i]=kernel->values[i];
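Review bot: On the failure path in this hunk, `*new_kernel=(*kernel)` has already copied every field of the source, so `DestroyKernelInfo(new_kernel)` runs on a struct whose list link (`next`, if I read KernelInfo correctly) still points into the source kernel's chain. The new helper clears `values`, which protects the source's buffer, but nothing clears the link. If DestroyKernelInfo follows that link, which is not visible here, a failed clone would release kernels the caller still owns. Adding `new_kernel->next=(KernelInfo *) NULL;` directly after the struct copy would keep the failure path confined to the clone. CloneKernelInfo continues past the end of the hunk.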