Lowered max map_length to prevent an overflow (#271).

diff --git a/coders/rle.c b/coders/rle.c
index 05a65ec226e351eb03ceba648866b05b089dc97c..49638a4b8c933943c72b566732cca897ec0c63be 100644 (file)
--- a/coders/rle.c
+++ b/coders/rle.c
@@ -224,7 +224,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
     bits_per_pixel=(size_t) ReadBlobByte(image);
     number_colormaps=(size_t) ReadBlobByte(image);
     map_length=(unsigned char) ReadBlobByte(image);
-    if (map_length >= 32)
+    if (map_length >= 22)
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     one=1;
     map_length=one << map_length;