From 9bd3e4c89ccb78974d3b7ec63ba7680ac78882af Mon Sep 17 00:00:00 2001 From: Cristy Date: Thu, 30 Aug 2018 19:43:20 -0400 Subject: [PATCH] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10115 --- MagickCore/draw.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/MagickCore/draw.c b/MagickCore/draw.c index b6e5a8fd4..d3d603c89 100644 --- a/MagickCore/draw.c +++ b/MagickCore/draw.c @@ -338,13 +338,13 @@ MagickExport DrawInfo *CloneDrawInfo(const ImageInfo *image_info, x; for (x=0; fabs(draw_info->dash_pattern[x]) >= MagickEpsilon; x++) ; - clone_info->dash_pattern=(double *) AcquireQuantumMemory((size_t) (x+2), + clone_info->dash_pattern=(double *) AcquireQuantumMemory((size_t) (x+4), sizeof(*clone_info->dash_pattern)); if (clone_info->dash_pattern == (double *) NULL) ThrowFatalException(ResourceLimitFatalError, "UnableToAllocateDashPattern"); (void) memcpy(clone_info->dash_pattern,draw_info->dash_pattern,(size_t) - (x+2)*sizeof(*clone_info->dash_pattern)); + (x+4)*sizeof(*clone_info->dash_pattern)); } clone_info->gradient=draw_info->gradient; if (draw_info->gradient.stops != (StopInfo *) NULL) @@ -3547,7 +3547,7 @@ static MagickBooleanType RenderMVGContent(Image *image, GetNextToken(r,&r,extent,token); } graphic_context[n]->dash_pattern=(double *) - AcquireQuantumMemory((size_t) (2*x+2), + AcquireQuantumMemory((size_t) (2*x+4), sizeof(*graphic_context[n]->dash_pattern)); if (graphic_context[n]->dash_pattern == (double *) NULL) { @@ -3558,7 +3558,7 @@ static MagickBooleanType RenderMVGContent(Image *image, break; } (void) memset(graphic_context[n]->dash_pattern,0,(size_t) - (2*x+2)*sizeof(*graphic_context[n]->dash_pattern)); + (2*x+4)*sizeof(*graphic_context[n]->dash_pattern)); for (j=0; j < x; j++) { GetNextToken(q,&q,extent,token); -- 2.40.0