Also include the size of the offset value in the length check.

author Dirk Lemstra <dirk@lemstra.org>

Fri, 28 Jun 2019 07:15:41 +0000 (09:15 +0200)

committer Dirk Lemstra <dirk@lemstra.org>

Fri, 28 Jun 2019 07:16:17 +0000 (09:16 +0200)
author Dirk Lemstra <dirk@lemstra.org>
Fri, 28 Jun 2019 07:15:41 +0000 (09:15 +0200)
committer Dirk Lemstra <dirk@lemstra.org>
Fri, 28 Jun 2019 07:16:17 +0000 (09:16 +0200)
diff --git a/MagickCore/property.c b/MagickCore/property.c

index bd0d98744025347658cf3046f75867d734248cd8..af81d3fda4f9f37441e013fa3bf827649153837c 100644 (file)
--- a/MagickCore/property.c
+++ b/MagickCore/property.c
@@ -1642,7 +1642,7 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
                  directory_stack[level].offset=tag_offset2;
                  directory_stack[level].entry=0;
                  level++;
-                if ((directory+2+(12*number_entries)) > (exif+length))
+                if ((directory+2+(12*number_entries)+4) > (exif+length))
                    break;
                  tag_offset1=(ssize_t) ReadPropertySignedLong(endian,directory+
                    2+(12*number_entries));
author	Dirk Lemstra <dirk@lemstra.org>
	Fri, 28 Jun 2019 07:15:41 +0000 (09:15 +0200)
committer	Dirk Lemstra <dirk@lemstra.org>
	Fri, 28 Jun 2019 07:16:17 +0000 (09:16 +0200)