Commit c0ecd189e for imagemagick.org
commit c0ecd189efaff43d0b7f2a37db4f503162acedf7
Author: 007bsd <22483432+007bsd@users.noreply.github.com>
Date: Mon May 11 03:23:05 2026 +0300
Fix unsound free of uninitialized pointers in GetImageFeatures error path (#8724)
The first error branch in GetImageFeatures freed Q[i] and cooccurrence[i]
before those array elements had been initialized (they are populated by
the subsequent for loop). Remove the inner free loops. The outer Q and
cooccurrence arrays are still released; the second error branch already
handles partially-initialized arrays correctly and is unchanged.
diff --git a/MagickCore/feature.c b/MagickCore/feature.c
index 66ae1931c..2a56e4777 100644
--- a/MagickCore/feature.c
+++ b/MagickCore/feature.c
@@ -790,11 +790,7 @@ MagickExport ChannelFeatures *GetImageFeatures(const Image *image,
(sum == (ChannelStatistics *) NULL))
{
if (Q != (ChannelStatistics **) NULL)
- {
- for (i=0; i < (ssize_t) number_grays; i++)
- Q[i]=(ChannelStatistics *) RelinquishMagickMemory(Q[i]);
- Q=(ChannelStatistics **) RelinquishMagickMemory(Q);
- }
+ Q=(ChannelStatistics **) RelinquishMagickMemory(Q);
if (sum != (ChannelStatistics *) NULL)
sum=(ChannelStatistics *) RelinquishMagickMemory(sum);
if (density_y != (ChannelStatistics *) NULL)
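Review bot: The single-line release of `Q` here, and of `cooccurrence` in the second hunk, is safe only because no element has been stored in either table yet, and nothing in the code records that. Without it, a later cleanup refactor could reintroduce the per-element loop and with it the release of indeterminate pointers on the allocation-failure path. I would add a comment above the `Q` release, for example `/* Q[i] and cooccurrence[i] are not allocated until the loop after this branch; release only the tables. */`. The commit message says the elements are populated by the subsequent for loop. That loop, the table allocations and the rest of GetImageFeatures lie outside this hunk, so the ordering should be confirmed there.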
@@ -804,13 +800,8 @@ MagickExport ChannelFeatures *GetImageFeatures(const Image *image,
if (density_x != (ChannelStatistics *) NULL)
density_x=(ChannelStatistics *) RelinquishMagickMemory(density_x);
if (cooccurrence != (ChannelStatistics **) NULL)
- {
- for (i=0; i < (ssize_t) number_grays; i++)
- cooccurrence[i]=(ChannelStatistics *)
- RelinquishMagickMemory(cooccurrence[i]);
- cooccurrence=(ChannelStatistics **) RelinquishMagickMemory(
- cooccurrence);
- }
+ cooccurrence=(ChannelStatistics **) RelinquishMagickMemory(
+ cooccurrence);
grays=(PixelPacket *) RelinquishMagickMemory(grays);
channel_features=(ChannelFeatures *) RelinquishMagickMemory(
channel_features);