https://github.com/ImageMagick/ImageMagick/issues/872

diff --git a/coders/png.c b/coders/png.c
index 6609030f0806ab2c502a3066635c9f292f668a7a..4f440bf6e251fa32e25fe855cb5fc5efea960222 100644 (file)
--- a/coders/png.c
+++ b/coders/png.c
@@ -1800,14 +1800,21 @@ Magick_png_read_raw_profile(png_struct *ping,Image *image,
                  13,14,15};
 
   sp=text[ii].text+1;
+  length=text[ii].text_length;
   /* look for newline */
-  while (*sp != '\n')
-     sp++;
+  while ((*sp != '\n') && length--)
+    sp++;
 
   /* look for length */
-  while (*sp == '\0' || *sp == ' ' || *sp == '\n')
+  while (((*sp == '\0' || *sp == ' ' || *sp == '\n')) && length--)
      sp++;
 
+  if (length == 0)
+    {
+      png_warning(ping,"invalid profile length");
+      return(MagickFalse);
+    }
+
   length=(png_uint_32) StringToLong(sp);
 
   (void) LogMagickEvent(CoderEvent,GetMagickModule(),