]> granicus.if.org Git - imagemagick/commitdiff
projects / imagemagick / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e61a22d)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7246
authorCristy <urban-warrior@imagemagick.org>
Sun, 1 Apr 2018 10:54:04 +0000 (06:54 -0400)
committerCristy <urban-warrior@imagemagick.org>
Sun, 1 Apr 2018 10:54:04 +0000 (06:54 -0400)
coders/heic.c patch | blob | history

diff --git a/coders/heic.c b/coders/heic.c
index 491eee7811ba46a5af6e9eaf9a8027c53f897679..ae54dd67b7a44b1a9dfb055c8a7ebd30b62faaa4 100644 (file)
--- a/coders/heic.c
+++ b/coders/heic.c
@@ -399,8 +399,6 @@ static MagickBooleanType ParseIpcoAtom(Image *image, DataBuffer *db,
       propDb;
 
     length = DBReadUInt(db);
-    if (length >= DBGetSize(db))
-      ThrowAndReturn("insufficient data");
     atom = DBReadUInt(db);
 
     if (ctx->itemPropsCount == MAX_ITEM_PROPS) {
@@ -410,6 +408,8 @@ static MagickBooleanType ParseIpcoAtom(Image *image, DataBuffer *db,
     prop = &(ctx->itemProps[ctx->itemPropsCount]);
     prop->type = atom;
     prop->size = length - 8;
+    if (prop->size > DBGetSize(db))
+      ThrowAndReturn("insufficient data");
     if (prop->data != (uint8_t *) NULL)
       prop->data=(uint8_t *) RelinquishMagickMemory(prop->data);
     prop->data = (uint8_t *) AcquireCriticalMemory(prop->size);
Unnamed repository; edit this file 'description' to name the repository.