...

diff --git a/MagickCore/draw.c b/MagickCore/draw.c
index a31976117a8e9ec42905b7e039dda2927d44f1b8..c3604f3533d2740d6bfa8d8f84e8eb74dd255a8a 100644 (file)
--- a/MagickCore/draw.c
+++ b/MagickCore/draw.c
@@ -2322,6 +2322,11 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
                     continue;
                   break;
                 }
+                if (p > (q-5))
+                  {
+                    status=MagickFalse;
+                    break;
+                  }
                 (void) CopyMagickString(token,p,(size_t) (q-p-4+1));
                 (void) SetImageArtifact(image,name,token);
                 GetNextToken(q,&q,extent,token);
@@ -2379,6 +2384,11 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
                     continue;
                   break;
                 }
+                if (p > (q-5))
+                  {
+                    status=MagickFalse;
+                    break;
+                  }
                 (void) CopyMagickString(token,p,(size_t) (q-p-4+1));
                 bounds.x1=graphic_context[n]->affine.sx*segment.x1+
                   graphic_context[n]->affine.ry*segment.y1+
@@ -2454,6 +2464,11 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
                     continue;
                   break;
                 }
+                if (p > (q-5))
+                  {
+                    status=MagickFalse;
+                    break;
+                  }
                 (void) CopyMagickString(token,p,(size_t) (q-p-4+1));
                 (void) FormatLocaleString(key,MagickPathExtent,"%s",name);
                 (void) SetImageArtifact(image,key,token);