https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7064

diff --git a/MagickCore/draw.c b/MagickCore/draw.c
index 24bf95b5fcc026f0d6aa52a55b41c9d6d7e94182..dd2941e6128bb64c364a0cdcee39a643e4e90b53 100644 (file)
--- a/MagickCore/draw.c
+++ b/MagickCore/draw.c
@@ -3105,6 +3105,23 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
       }
       case EllipsePrimitive:
       {
+        double
+          alpha,
+          beta,
+          coordinates,
+          radius;
+
+        alpha=bounds.x2-bounds.x1;
+        beta=bounds.y2-bounds.y1;
+        radius=hypot(alpha,beta);
+        coordinates=2.0*ceil(MagickPI*MagickPI*radius)+6*BezierQuantum+360;
+        if (coordinates > 1.0e+06)
+          { 
+            (void) ThrowMagickException(exception,GetMagickModule(),DrawError,
+              "TooManyBezierCoordinates","`%s'",token);
+            status=MagickFalse;
+            break;
+          }
         points_extent=(double) EllipsePoints(primitive_info+j,
           primitive_info[j].point,primitive_info[j+1].point,
           primitive_info[j+2].point);