https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12180

diff --git a/coders/cube.c b/coders/cube.c
index aa119bc486e9b1ab86396546d7710f6aae0d0963..3e2a54e3e8877959b691f81dc6fd1344d98a7ca8 100644 (file)
--- a/coders/cube.c
+++ b/coders/cube.c
@@ -175,7 +175,9 @@ static Image *ReadCUBEImage(const ImageInfo *image_info,
           cube_info=RelinquishVirtualMemory(cube_info);
         GetNextToken(q,&q,MagickPathExtent,value);
         cube_level=(size_t) StringToLong(value);
-        if ((cube_level < 2) || (cube_level > 65536))
+        if (LocaleCompare(token,"LUT_1D_SIZE") == 0)
+          cube_level=(size_t) ceil(pow((double) cube_level,1.0/3.0));
+        if ((cube_level < 2) || (cube_level > 256))
           {
             buffer=DestroyString(buffer);
             ThrowReaderException(CorruptImageError,"ImproperImageHeader");
@@ -207,6 +209,8 @@ static Image *ReadCUBEImage(const ImageInfo *image_info,
             cube[n].g=StringToDouble(q,&q);
             cube[n].b=StringToDouble(q,&q);
             n++;
+            if (n >= (cube_level*cube_level*cube_level))
+              break;
           }
         else
           if (('+' < *buffer) && (*buffer < ':'))