From 7f07d9a269c3c875dc0587614441b2d40a96bf78 Mon Sep 17 00:00:00 2001
From: cristy <cristy@aa41f4f7-0bf4-0310-aa73-e5a19afd5a74>
Date: Sun, 16 Feb 2014 21:48:05 +0000
Subject: [PATCH] Prevent buffer overflow in messaging system (CVE: 2014-1947)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1067276
Bug-debian: http://bugs.debian.org/740250
git-svn-id: https://subversion.imagemagick.org/subversion/ImageMagick/branches/ImageMagick-6@14900 aa41f4f7-0bf4-0310-aa73-e5a19afd5a74
Signed-off-by: Bastien ROUCARIÈS <roucaries.bastien@gmail.com>
---
 magick/locale.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/magick/locale.c b/magick/locale.c
index 799e412..670f28b 100644
--- a/magick/locale.c
+++ b/magick/locale.c
@@ -738,6 +738,13 @@ static void LocaleFatalErrorHandler(
   exit(1);
 }
 
+static inline size_t MagickMin(const unsigned int x,
+  const unsigned int y)
+{
+  if (x < y)
+    return(x);
+  return(y);
+}
 
 static MagickBooleanType LoadLocaleList(const char *xml,const char *filename,
   const char *locale,const unsigned long depth,ExceptionInfo *exception)
@@ -917,8 +924,9 @@ static MagickBooleanType LoadLocaleList(const char *xml,const char *filename,
         q--;
         while ((isspace((int) ((unsigned char) *q)) != 0) && (q > p))
           q--;
-        (void) CopyMagickString(message,p,(size_t) (q-p+2));
-        locale_info=(LocaleInfo *) AcquireAlignedMemory(1,sizeof(*locale_info));
+        (void) CopyMagickString(message,p,MagickMin(q-p+2,sizeof(message)-
+          strlen(message)));
+        locale_info=(LocaleInfo *) AcquireMagickMemory(sizeof(*locale_info));
         if (locale_info == (LocaleInfo *) NULL)
           ThrowFatalException(ResourceLimitFatalError,"MemoryAllocationFailed");
         (void) ResetMagickMemory(locale_info,0,sizeof(*locale_info));
-- 
2.1.4