From 98eaee68fb91ffdbea8edae3935bbfe34b4e2740 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Fri, 25 Mar 2016 10:12:38 -0400
Subject: [PATCH] Ensure token does not overflow

This prepare fix for CVE-2017-10928

origin; https://github.com/ImageMagick/ImageMagick/commit/4b85d29608d5bc0ab641f49e80b6cf8965928fb4
bug: https://github.com/ImageMagick/ImageMagick/issues/539
bug-debian: https://bugs.debian.org/867367

(cherry picked from commit 4b85d29608d5bc0ab641f49e80b6cf8965928fb4)
---
 magick/token.c | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/magick/token.c b/magick/token.c
index 755f18de9..d2c0982cd 100644
--- a/magick/token.c
+++ b/magick/token.c
@@ -176,6 +176,10 @@ MagickExport void GetMagickToken(const char *start,const char **end,char *token)
   register ssize_t
     i;
 
+  size_t
+    extent = MaxTextExtent-1;
+
+
   assert(start != (const char *) NULL);
   assert(token != (char *) NULL);
   i=0;
@@ -212,15 +216,18 @@ MagickExport void GetMagickToken(const char *start,const char **end,char *token)
               p++;
               break;
             }
-        token[i++]=(*p);
+        if (i < extent)
+          token[i++]=(*p);
       }
       break;
     }
     case '/':
     {
-      token[i++]=(*p++);
-      if ((*p == '>') || (*p == '/'))
+      if (i < extent)
         token[i++]=(*p++);
+      if ((*p == '>') || (*p == '/'))
+        if (i < extent)
+          token[i++]=(*p++);
       break;
     }
     default:
@@ -233,15 +240,18 @@ MagickExport void GetMagickToken(const char *start,const char **end,char *token)
       if ((p != q) && (*p != ','))
         {
           for ( ; (p < q) && (*p != ','); p++)
-            token[i++]=(*p);
+            if (i < extent)
+              token[i++]=(*p);
           if (*p == '%')
-            token[i++]=(*p++);
+            if (i < extent)
+              token[i++]=(*p++);
           break;
         }
       if ((*p != '\0') && (isalpha((int) ((unsigned char) *p)) == 0) &&
           (*p != *DirectorySeparator) && (*p != '#') && (*p != '<'))
         {
-          token[i++]=(*p++);
+          if (i < extent)
+            token[i++]=(*p++);
           break;
         }
       for ( ; *p != '\0'; p++)
@@ -251,13 +261,15 @@ MagickExport void GetMagickToken(const char *start,const char **end,char *token)
           break;
         if ((i > 0) && (*p == '<'))
           break;
-        token[i++]=(*p);
+        if (i < extent)
+          token[i++]=(*p);
         if (*p == '>')
           break;
         if (*p == '(')
           for (p++; *p != '\0'; p++)
           {
-            token[i++]=(*p);
+            if (i < extent)
+              token[i++]=(*p);
             if ((*p == ')') && (*(p-1) != '\\'))
               break;
           }