ImageMagick/ImageMagick#8583 Fix double-free in SVG gradientTransform / transform parsing
Fixes #8582.
In SVGStartElement, the gradientTransform and transform attribute handlers reassign value to tokens[j+1] inside the inner token-parsing loop. After the loop, all tokens (including tokens[j+1]) are freed via DestroyString(). The outer attribute loop then calls DestroyString(value) at line 2524, which double-frees the already-destroyed token string, causing SIGABRT.
- Use a separate token_value local variable inside each inner loop instead of reassigning value
- The outer loop's DestroyString(value) now correctly frees the original SVGEscapeString()-allocated string exactly once
- Add tests/cli-svg.tap regression test
Introduced in 9db96365e (2026-02-15, tag 7.1.2-14) — the GHSA-xpg8-7m6m-jf56 security fix. That commit changed value from a non-owned const char * alias to a heap-allocated char * (via SVGEscapeString()) with DestroyString(value) cleanup, but didn't update the gradientTransform/transform inner loops that have reassigned value to tokens[j+1] since 2009 (3ed852eea).
Any SVG with gradientTransform on a <linearGradient> element triggers the crash:
    <linearGradient id="g" gradientTransform="rotate(45)">
      <stop offset="0" stop-color="red"/>
      <stop offset="1" stop-color="blue"/>
    </linearGradient>

    magick crash.svg crash.png
    # SIGABRT (double-free)

- magick crash.svg crash.png no longer crashes (exit 0)
- magick ok.svg ok.png still works (SVG without gradientTransform)
- make TESTS="tests/cli-svg.tap" check passes
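The ownership problem described in this pull request, reduced to a small model that compares the aliasing pattern with the separate-local pattern. This is an added example, not ImageMagick code: track_strdup, track_free, handle_transform and the quarantine table are hypothetical stand-ins for SVGEscapeString(), DestroyString() and the attribute handler.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical quarantine allocator: freed blocks stay allocated and are only
   marked, so a second free is counted instead of corrupting the heap. */
struct block { char *p; int freed; };
static struct block blocks[8];
static int nblocks, double_frees;

static char *track_strdup(const char *s)
{
  char *p = malloc(strlen(s) + 1);
  if (p == NULL || nblocks == 8) abort();
  strcpy(p, s);
  blocks[nblocks++] = (struct block){ p, 0 };
  return p;
}

static void track_free(const char *p)
{
  for (int i = 0; i < nblocks; i++)
    if (blocks[i].p == p) {
      if (blocks[i].freed) double_frees++; else blocks[i].freed = 1;
      return;
    }
}

struct result { int double_frees, never_freed; };
/* Model of one attribute: `value` is the owned attribute string (the
   SVGEscapeString() result on the page), tokens[] are owned token strings. */
static struct result handle_transform(int separate_local)
{
  nblocks = double_frees = 0;
  char *value = track_strdup("rotate(45)");
  char *tokens[2] = { track_strdup("rotate"), track_strdup("45") };
  const char *token_value;
  if (separate_local)
    token_value = tokens[1];          /* after: borrow the token only */
  else
    token_value = value = tokens[1];  /* before: value aliases a token */
  (void) strlen(token_value);         /* stands in for parsing the token */
  for (int i = 0; i < 2; i++)
    track_free(tokens[i]);            /* inner loop frees every token */
  track_free(value);                  /* outer loop frees value */
  struct result r = { double_frees, 0 };
  for (int i = 0; i < nblocks; i++)
    r.never_freed += !blocks[i].freed;
  return r;
}
```

In this model, handle_transform(0) reports one double free and one string that is never freed (the original value), while handle_transform(1) reports neither.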