From: Dirk Lemstra <dirk@lemstra.org>
Date: Fri, 28 Jun 2019 07:15:41 +0000 (+0200)
Subject: Also include the size of the offset value in the length check.
X-Git-Tag: 7.0.8-51~21
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=00763cec8def49fb851a82cbfc6ea40c30f58896;p=imagemagick

Also include the size of the offset value in the length check.
---

diff --git a/MagickCore/property.c b/MagickCore/property.c
index bd0d98744..af81d3fda 100644
--- a/MagickCore/property.c
+++ b/MagickCore/property.c
@@ -1642,7 +1642,7 @@ static MagickBooleanType GetEXIFProperty(const Image *image,
                 directory_stack[level].offset=tag_offset2;
                 directory_stack[level].entry=0;
                 level++;
-                if ((directory+2+(12*number_entries)) > (exif+length))
+                if ((directory+2+(12*number_entries)+4) > (exif+length))
                   break;
                 tag_offset1=(ssize_t) ReadPropertySignedLong(endian,directory+
                   2+(12*number_entries));