From ef6cee1bcf144b7c9285787920361a53296e7907 Mon Sep 17 00:00:00 2001
From: Cristy
Date: Mon, 28 Aug 2017 08:12:45 -0400
Subject: [PATCH] https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32583
---
 MagickCore/draw.c | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/MagickCore/draw.c b/MagickCore/draw.c
index 12a5695f7..aaa899a06 100644
--- a/MagickCore/draw.c
+++ b/MagickCore/draw.c
@@ -1691,6 +1691,7 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
 double
 angle,
 factor,
+ points_extent,
 primitive_extent;

 DrawInfo
@@ -1700,7 +1701,6 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
 proceed;

 MagickSizeType
- length,
 number_points;

 MagickStatusType
@@ -2953,12 +2953,12 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
 /*
 Speculate how many points our primitive might consume.
 */
- length=primitive_info[j].coordinates;
+ points_extent=primitive_info[j].coordinates;
 switch (primitive_type)
 {
 case RectanglePrimitive:
 {
- length*=5;
+ points_extent*=5;
 break;
 }
 case RoundRectanglePrimitive:
@@ -2971,8 +2971,8 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
 alpha=bounds.x2-bounds.x1;
 beta=bounds.y2-bounds.y1;
 radius=hypot((double) alpha,(double) beta);
- length*=5;
- length+=2*((size_t) ceil((double) MagickPI*radius))+6*BezierQuantum+360;
+ points_extent*=5;
+ points_extent+=2*ceil((double) MagickPI*radius)+6*BezierQuantum+360;
 break;
 }
 case BezierPrimitive:
@@ -2980,7 +2980,7 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
 if (primitive_info[j].coordinates > 107)
 (void) ThrowMagickException(exception,GetMagickModule(),DrawError,
 "TooManyBezierCoordinates","`%s'",token);
- length=BezierQuantum*primitive_info[j].coordinates;
+ points_extent=BezierQuantum*primitive_info[j].coordinates;
 break;
 }
 case PathPrimitive:
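Review bot: In the BezierPrimitive case (hunk -2980) the `TooManyBezierCoordinates` exception is only recorded: the `if` has no braces and no exit, so a coordinate count above 107 still reaches `points_extent=BezierQuantum*primitive_info[j].coordinates;` and goes on to size the buffer. If counts above the limit are meant to be rejected, brace the branch and stop processing the primitive after the throw; if continuing is intended, say so with a comment such as `/* warning only: the estimate below is still used */`. How the exception is handled later cannot be seen from here, since the switch and DrawImage itself start and end outside the hunk.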
@@ -2990,7 +2990,7 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
 *t;

 GetNextToken(q,&q,extent,token);
- length=1;
+ points_extent=1;
 t=token;
 for (s=token; *s != '\0'; s=t)
 {
@@ -3004,9 +3004,9 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
 t++;
 continue;
 }
- length++;
+ points_extent++;
 }
- length=length*BezierQuantum;
+ points_extent=points_extent*BezierQuantum;
 break;
 }
 case CirclePrimitive:
@@ -3021,18 +3021,24 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info,
 alpha=bounds.x2-bounds.x1;
 beta=bounds.y2-bounds.y1;
 radius=hypot((double) alpha,(double) beta);
- length=2*((size_t) ceil((double) MagickPI*radius))+6*BezierQuantum+360;
+ points_extent=2*ceil((double) MagickPI*radius)+6*BezierQuantum+360;
 break;
 }
 default:
 break;
 }
- if ((i+length) >= number_points)
+ if (((size_t) points_extent) < points_extent)
+ {
+ (void) ThrowMagickException(exception,GetMagickModule(),
+ ResourceLimitError,"MemoryAllocationFailed","`%s'",image->filename);
+ break;
+ }
+ if ((i+points_extent) >= number_points)
 {
 /*
 Resize based on speculative points required by primitive.
 */
- number_points+=length+1;
+ number_points+=points_extent+1;
 primitive_info=(PrimitiveInfo *) ResizeQuantumMemory(primitive_info,
 (size_t) number_points,sizeof(*primitive_info));
 if ((primitive_info == (PrimitiveInfo *) NULL) ||
-- 
2.40.0
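Review bot: The new guard `if (((size_t) points_extent) < points_extent)` in the last hunk (-3021) converts the double to `size_t` before it knows the value fits, and in C that conversion is undefined when the value is out of range, infinite or NaN, so the check depends on the very behaviour it is meant to catch. A NaN estimate would also make both this comparison and `(i+points_extent) >= number_points` false, so the resize would be skipped; `radius` comes from `hypot()` over the primitive bounds in the RoundRectangle and Circle cases (hunks -2971 and -3021), and whether those bounds can be non-finite depends on parsing outside the hunks. Test the range in floating point before any cast, e.g. `if ((points_extent != points_extent) || (points_extent >= (double) SIZE_MAX))`, and add a short comment that the estimate is kept as a double so it cannot wrap. DrawImage's body starts and ends outside the hunk, so the loop the new `break;` leaves is not visible here.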