From: Cristy <urban-warrior@imagemagick.org>
Date: Sun, 29 Oct 2017 14:47:12 +0000 (-0400)
Subject: ...
X-Git-Tag: 7.0.7-9~7
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=246163d7893cac8973dce68b1d63e25d600095e9;p=imagemagick

...
---

diff --git a/MagickCore/draw.c b/MagickCore/draw.c
index a31976117..c3604f353 100644
--- a/MagickCore/draw.c
+++ b/MagickCore/draw.c
@@ -2322,6 +2322,11 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
                     continue;
                   break;
                 }
+                if (p > (q-5))
+                  {
+                    status=MagickFalse;
+                    break;
+                  }
                 (void) CopyMagickString(token,p,(size_t) (q-p-4+1));
                 (void) SetImageArtifact(image,name,token);
                 GetNextToken(q,&q,extent,token);
@@ -2379,6 +2384,11 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
                     continue;
                   break;
                 }
+                if (p > (q-5))
+                  {
+                    status=MagickFalse;
+                    break;
+                  }
                 (void) CopyMagickString(token,p,(size_t) (q-p-4+1));
                 bounds.x1=graphic_context[n]->affine.sx*segment.x1+
                   graphic_context[n]->affine.ry*segment.y1+
@@ -2454,6 +2464,11 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
                     continue;
                   break;
                 }
+                if (p > (q-5))
+                  {
+                    status=MagickFalse;
+                    break;
+                  }
                 (void) CopyMagickString(token,p,(size_t) (q-p-4+1));
                 (void) FormatLocaleString(key,MagickPathExtent,"%s",name);
                 (void) SetImageArtifact(image,key,token);