Prevent buffer overflow (bug report from Ibrahim el-sayed)

author Cristy <urban-warrior@imagemagick.org>

Mon, 25 Jul 2016 00:07:03 +0000 (20:07 -0400)

committer Cristy <urban-warrior@imagemagick.org>

Mon, 25 Jul 2016 00:09:04 +0000 (20:09 -0400)
author Cristy <urban-warrior@imagemagick.org>
Mon, 25 Jul 2016 00:07:03 +0000 (20:07 -0400)
committer Cristy <urban-warrior@imagemagick.org>
Mon, 25 Jul 2016 00:09:04 +0000 (20:09 -0400)
diff --git a/MagickCore/property.c b/MagickCore/property.c

index 772f3d59fe14ab87ed211549c64beefe01eef4f6..0b4b75c4941eea2d9d09b40d2fbbacb6c9f32094 100644 (file)
--- a/MagickCore/property.c
+++ b/MagickCore/property.c
@@ -665,6 +665,11 @@ static MagickBooleanType Get8BIMProperty(const Image *image,const char *key,
      if ((count & 0x01) == 0)
        (void) ReadPropertyByte(&info,&length);
      count=(ssize_t) ReadPropertyMSBLong(&info,&length);
+    if ((count < 0) || ((size_t) count > length))
+      {
+        length=0; 
+        continue;
+      }
      if ((*name != '\0') && (*name != '#'))
        if ((resource == (char *) NULL) || (LocaleCompare(name,resource) != 0))
          {
author	Cristy <urban-warrior@imagemagick.org>
	Mon, 25 Jul 2016 00:07:03 +0000 (20:07 -0400)
committer	Cristy <urban-warrior@imagemagick.org>
	Mon, 25 Jul 2016 00:09:04 +0000 (20:09 -0400)