https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6833
authorCristy <urban-warrior@imagemagick.org>
Sun, 11 Mar 2018 11:08:57 +0000 (07:08 -0400)
committerCristy <urban-warrior@imagemagick.org>
Sun, 11 Mar 2018 11:09:23 +0000 (07:09 -0400)
MagickCore/draw.c

index b733a6ebc93a77bd05937f19284605a3f2de2b4d..0ec1ec1898cedcc9731fd091534ea22a774758df 100644 (file)
@@ -3021,13 +3021,22 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
         double
           alpha,
           beta,
+          coordinates,
           radius;
 
         alpha=bounds.x2-bounds.x1;
         beta=bounds.y2-bounds.y1;
         radius=hypot((double) alpha,(double) beta);
+        coordinates=ceil(MagickPI*MagickPI*radius)+6*BezierQuantum+360;
+        if (coordinates > 21438)
+          {
+            (void) ThrowMagickException(exception,GetMagickModule(),DrawError,
+              "TooManyBezierCoordinates","`%s'",token);
+            status=MagickFalse;
+            break;
+          }
         points_extent*=5;
-        points_extent+=2*ceil((double) MagickPI*radius)+6*BezierQuantum+360;
+        points_extent+=2*coordinates;
         break;
       }
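Review bot: The limit `21438` in the guard added after the `coordinates=` assignment is a bare magic number with no comment saying where it comes from, so a later reader cannot tell whether it is an allocation budget or a value taken from the fuzzer report linked in the commit message; a named constant (constructed example: `#define MaxBezierCoordinates 21438 /* TODO: document derivation */`) compared in the `if` would make the intent reviewable. The test is also written as `coordinates > 21438`, which a NaN `coordinates` passes (possible only if `bounds` can carry NaN, which this hunk does not show) and then flows into `points_extent`; writing it as `if (!(coordinates <= 21438))` rejects that case as well. The factor 2 in `points_extent+=2*coordinates` here and in `points_extent=2*coordinates` in the second hunk is likewise unexplained and deserves a one-line comment naming what the headroom is for. The enclosing switch case starts, and DrawImage continues, outside the hunk.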
       case BezierPrimitive:
@@ -3088,7 +3097,7 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
             status=MagickFalse;
             break;
           }
-        points_extent=coordinates;
+        points_extent=2*coordinates;
         break;
       }
       case EllipsePrimitive: