https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qh3h-j545-h8c9

Author: Cristy

MagickCore/image.c

@@ -1663,7 +1663,6 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
     canonical;
 
   ssize_t
-    field_width,
     offset;
 
   canonical=MagickFalse;
@@ -1679,21 +1678,23 @@ MagickExport size_t InterpretImageFilename(const ImageInfo *image_info,
         p++;
         continue;
       }
-    field_width=0;
-    if (*q == '0')
-      field_width=(ssize_t) strtol(q,&q,10);
     switch (*q)
     {
       case 'd':
       case 'o':
       case 'x':
       {
+        ssize_t
+          count;
+
         q++;
         c=(*q);
         *q='\0';
-        (void) FormatLocaleString(filename+(p-format-offset),(size_t)
+        count=FormatLocaleString(filename+(p-format-offset),(size_t)
           (MagickPathExtent-(p-format-offset)),p,value);
-        offset+=(4-field_width);
+        if ((count <= 0) || (count > (MagickPathExtent-(p-format-offset))))
+          return(0);
+        offset+=(ssize_t) ((q-p)-count);
         *q=(char) c;
         (void) ConcatenateMagickString(filename,q,MagickPathExtent);
         canonical=MagickTrue;