From: Dirk Lemstra <dirk@lemstra.org>
Date: Mon, 8 Jul 2019 19:23:50 +0000 (+0200)
Subject: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11480
X-Git-Tag: 7.0.8-54~75
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1b8cb09a7f04fec05ef70bd85e635ea48abb9b41;p=imagemagick

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11480
---

diff --git a/coders/icon.c b/coders/icon.c
index 80822e535..5f422798a 100644
--- a/coders/icon.c
+++ b/coders/icon.c
@@ -359,7 +359,7 @@ static Image *ReadICONImage(const ImageInfo *image_info,
         length=icon_file.directory[i].size;
         if ((length < 16) || (~length < 16))
           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
-        png=(unsigned char *) AcquireQuantumMemory(length+16,sizeof(*png));
+        png=(unsigned char *) AcquireQuantumMemory(length,sizeof(*png));
         if (png == (unsigned char *) NULL)
           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
         (void) memcpy(png,"\211PNG\r\n\032\n\000\000\000\015",12);
@@ -376,7 +376,7 @@ static Image *ReadICONImage(const ImageInfo *image_info,
           }
         read_info=CloneImageInfo(image_info);
         (void) CopyMagickString(read_info->magick,"PNG",MagickPathExtent);
-        icon_image=BlobToImage(read_info,png,length+16,exception);
+        icon_image=BlobToImage(read_info,png,length,exception);
         read_info=DestroyImageInfo(read_info);
         png=(unsigned char *) RelinquishMagickMemory(png);
         if (icon_image == (Image *) NULL)