https://github.com/ImageMagick/ImageMagick/issues/354

author Cristy <urban-warrior@imagemagick.org>

Thu, 12 Jan 2017 17:51:57 +0000 (12:51 -0500)

committer Cristy <urban-warrior@imagemagick.org>

Thu, 12 Jan 2017 17:51:57 +0000 (12:51 -0500)
author Cristy <urban-warrior@imagemagick.org>
Thu, 12 Jan 2017 17:51:57 +0000 (12:51 -0500)
committer Cristy <urban-warrior@imagemagick.org>
Thu, 12 Jan 2017 17:51:57 +0000 (12:51 -0500)
diff --git a/MagickCore/profile.c b/MagickCore/profile.c

index 91cbf4fbe93f14441df07a6b26feedc577092c91..66e742fc9b7bfaef2d1c0c4a41f4d4800bf6afe8 100644 (file)
--- a/MagickCore/profile.c
+++ b/MagickCore/profile.c
@@ -2043,7 +2043,7 @@ MagickBooleanType SyncExifProfile(Image *image,StringInfo *profile)
              The directory entry contains an offset.
            */
            offset=(ssize_t)  ReadProfileLong(endian,q+8);
-          if ((size_t) (offset+number_bytes) > length)
+          if ((offset < 0) || ((size_t) (offset+number_bytes) > length))
              continue;
            if (~length < number_bytes)
              continue;  /* prevent overflow */
author	Cristy <urban-warrior@imagemagick.org>
	Thu, 12 Jan 2017 17:51:57 +0000 (12:51 -0500)
committer	Cristy <urban-warrior@imagemagick.org>
	Thu, 12 Jan 2017 17:51:57 +0000 (12:51 -0500)