From: Cristy Date: Thu, 30 Aug 2018 23:43:20 +0000 (-0400) Subject: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10115 X-Git-Tag: 7.0.8-12~108 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9bd3e4c89ccb78974d3b7ec63ba7680ac78882af;p=imagemagick https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10115 --- diff --git a/MagickCore/draw.c b/MagickCore/draw.c index b6e5a8fd4..d3d603c89 100644 --- a/MagickCore/draw.c +++ b/MagickCore/draw.c @@ -338,13 +338,13 @@ MagickExport DrawInfo *CloneDrawInfo(const ImageInfo *image_info, x; for (x=0; fabs(draw_info->dash_pattern[x]) >= MagickEpsilon; x++) ; - clone_info->dash_pattern=(double *) AcquireQuantumMemory((size_t) (x+2), + clone_info->dash_pattern=(double *) AcquireQuantumMemory((size_t) (x+4), sizeof(*clone_info->dash_pattern)); if (clone_info->dash_pattern == (double *) NULL) ThrowFatalException(ResourceLimitFatalError, "UnableToAllocateDashPattern"); (void) memcpy(clone_info->dash_pattern,draw_info->dash_pattern,(size_t) - (x+2)*sizeof(*clone_info->dash_pattern)); + (x+4)*sizeof(*clone_info->dash_pattern)); } clone_info->gradient=draw_info->gradient; if (draw_info->gradient.stops != (StopInfo *) NULL) @@ -3547,7 +3547,7 @@ static MagickBooleanType RenderMVGContent(Image *image, GetNextToken(r,&r,extent,token); } graphic_context[n]->dash_pattern=(double *) - AcquireQuantumMemory((size_t) (2*x+2), + AcquireQuantumMemory((size_t) (2*x+4), sizeof(*graphic_context[n]->dash_pattern)); if (graphic_context[n]->dash_pattern == (double *) NULL) { @@ -3558,7 +3558,7 @@ static MagickBooleanType RenderMVGContent(Image *image, break; } (void) memset(graphic_context[n]->dash_pattern,0,(size_t) - (2*x+2)*sizeof(*graphic_context[n]->dash_pattern)); + (2*x+4)*sizeof(*graphic_context[n]->dash_pattern)); for (j=0; j < x; j++) { GetNextToken(q,&q,extent,token);