From 7edcc45dffb68a799ea9b6bbb8c236146101b4c2 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@git.imagemagick.org>
Date: Sun, 7 May 2017 12:17:18 +0200
Subject: [PATCH] CVE-2017-9261: Memory leak in the ReadMNGImage function

In ImageMagic, the ReadMNGImage function in coders/png.c
allows attackers to cause a denial of service (memory leak) via a
crafted file.

bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863833
bug: https://github.com/ImageMagick/ImageMagick/issues/476
origin: https://github.com/ImageMagick/ImageMagick/commit/01d522e990aa57cbe67d222dd5e8f7196cc6d199

(cherry picked from commit 01d522e990aa57cbe67d222dd5e8f7196cc6d199)
---
 coders/png.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/coders/png.c b/coders/png.c
index 3f7fbcadd..1cdbe3025 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -5125,7 +5125,10 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info,
 
             if ((mng_info->mng_width > 65535L) ||
                 (mng_info->mng_height > 65535L))
-              ThrowReaderException(ImageError,"WidthOrHeightExceedsLimit");
+              {
+                chunk=(unsigned char *) RelinquishMagickMemory(chunk);
+                ThrowReaderException(ImageError,"WidthOrHeightExceedsLimit");
+              }
 
             (void) FormatLocaleString(page_geometry,MaxTextExtent,
               "%.20gx%.20g+0+0",(double) mng_info->mng_width,(double)