https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6833

ImageMagick · Mar 11, 2018 · 3b8a1a8 · 3b8a1a8
1 parent 6f7fc24
commit 3b8a1a8
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/magick/draw.c b/magick/draw.c
@@ -3012,13 +3012,22 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info)
         double
           alpha,
           beta,
+          coordinates,
           radius;
 
         alpha=bounds.x2-bounds.x1;
         beta=bounds.y2-bounds.y1;
         radius=hypot((double) alpha,(double) beta);
+        coordinates=ceil(MagickPI*MagickPI*radius)+6*BezierQuantum+360;
+        if (coordinates > 21438)
+          {
+            (void) ThrowMagickException(&image->exception,GetMagickModule(),
+              DrawError,"TooManyBezierCoordinates","`%s'",token);
+            status=MagickFalse;
+            break;
+          }
         points_extent*=5;
-        points_extent+=2*ceil((double) MagickPI*radius)+6*BezierQuantum+360;
+        points_extent+=2*coordinates;
         break;
       }
       case BezierPrimitive:
@@ -3079,7 +3088,7 @@ MagickExport MagickBooleanType DrawImage(Image *image,const DrawInfo *draw_info)
             status=MagickFalse;
             break;
           }
-        points_extent=coordinates;
+        points_extent=2*coordinates;
         break;
       }
       case EllipsePrimitive: