From: Cristy
Date: Sun, 1 Apr 2018 10:54:04 +0000 (-0400)
Subject: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7246
X-Git-Tag: 7.0.7-29~234
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=12545f0b52a272383388b037647a4b2209408dee;p=imagemagick
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7246
---
diff --git a/coders/heic.c b/coders/heic.c
index 491eee781..ae54dd67b 100644
--- a/coders/heic.c
+++ b/coders/heic.c
@@ -399,8 +399,6 @@ static MagickBooleanType ParseIpcoAtom(Image *image, DataBuffer *db,
 propDb;
 length = DBReadUInt(db);
- if (length >= DBGetSize(db))
- ThrowAndReturn("insufficient data");
 atom = DBReadUInt(db);
 if (ctx->itemPropsCount == MAX_ITEM_PROPS)
 {
@@ -410,6 +408,8 @@ static MagickBooleanType ParseIpcoAtom(Image *image, DataBuffer *db,
 prop = &(ctx->itemProps[ctx->itemPropsCount]);
 prop->type = atom;
 prop->size = length - 8;
+ if (prop->size > DBGetSize(db))
+ ThrowAndReturn("insufficient data");
 if (prop->data != (uint8_t *) NULL)
 prop->data=(uint8_t *) RelinquishMagickMemory(prop->data);
 prop->data = (uint8_t *) AcquireCriticalMemory(prop->size);
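Review bot: In the second hunk, `prop->size = length - 8` is computed with no lower bound on `length`, so an atom that declares a length below 8 is rejected only because the subtraction wraps to a value larger than `DBGetSize(db)`. That relies on `prop->size` being an unsigned type, which this hunk does not show; with a signed field the negative size would pass the new comparison and reach `AcquireCriticalMemory(prop->size)`. The bound should be explicit and placed before the slot is written, for example `if (length < 8 || length - 8 > DBGetSize(db)) ThrowAndReturn("insufficient data");` ahead of the `prop->type` and `prop->size` assignments, so that the error path does not leave an unvalidated size in `ctx->itemProps`. It is also worth confirming that `DBGetSize(db)` returns the bytes remaining after the two `DBReadUInt` calls rather than the buffer's total size, since the check is only tight in the first case. ParseIpcoAtom starts before and continues after this hunk.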