From: Dirk Lemstra <dirk@git.imagemagick.org>
Date: Sun, 4 Mar 2018 22:41:59 +0000 (+0100)
Subject: Added check for the layer size (https://bugs.chromium.org/p/oss-fuzz/issues/detail... 
X-Git-Tag: 7.0.7-26~88
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=47831fd57d236a351fdbef3fa6618dfeafbe7d4f;p=imagemagick

Added check for the layer size (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6198).
---

diff --git a/coders/xcf.c b/coders/xcf.c
index c471609cb..c29b1fff0 100644
--- a/coders/xcf.c
+++ b/coders/xcf.c
@@ -815,6 +815,10 @@ static MagickBooleanType ReadOneLayer(const ImageInfo *image_info,Image* image,
   if (EOFBlob(image) != MagickFalse)
     ThrowBinaryException(CorruptImageError,"InsufficientImageDataInFile",
       image->filename);
+  if ((outLayer->width < 1) || (outLayer->width > image->columns) ||
+      (outLayer->height < 1) || (outLayer->height > image->rows))
+    ThrowBinaryException(CorruptImageError,"ImproperImageHeader",
+      image->filename);
   /* read the layer properties! */
   foundPropEnd = 0;
   while ( (foundPropEnd == MagickFalse) && (EOFBlob(image) == MagickFalse) ) {
@@ -927,6 +931,7 @@ static MagickBooleanType ReadOneLayer(const ImageInfo *image_info,Image* image,
     exception);
   if (outLayer->image == (Image *) NULL)
     return(MagickFalse);
+  outLayer->width=outLayer->image->columns;
   status=SetImageExtent(outLayer->image,outLayer->image->columns,
     outLayer->image->rows,exception);
   if (status == MagickFalse)