https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6307

diff --git a/coders/miff.c b/coders/miff.c
index 37b63eececc536e22dc5b75f301b79ef8d219c9e..329e96a9751e2ebfc8b570f4cfdfa9ffcd003bd5 100644 (file)
--- a/coders/miff.c
+++ b/coders/miff.c
@@ -1147,6 +1147,8 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
         while (name != (const char *) NULL)
         {
           length=ReadBlobMSBLong(image);
+          if ((MagickSizeType) length > GetBlobSize(image))
+            break;
           profile=AcquireStringInfo(length);
           if (profile == (StringInfo *) NULL)
             break;

diff --git a/coders/mpc.c b/coders/mpc.c
index d1777525e684e30f90fee9cfb95df89530d6b815..b5449989c5a30fa21bd9b6d8b03e15a95a3bd9f4 100644 (file)
--- a/coders/mpc.c
+++ b/coders/mpc.c
@@ -844,6 +844,8 @@ static Image *ReadMPCImage(const ImageInfo *image_info,ExceptionInfo *exception)
         while (name != (const char *) NULL)
         {
           length=ReadBlobMSBLong(image);
+          if ((MagickSizeType) length > GetBlobSize(image))
+            break;
           profile=AcquireStringInfo(length);
           if (profile == (StringInfo *) NULL)
             break;