From: Cristy <urban-warrior@imagemagick.org>
Date: Wed, 22 Nov 2017 14:58:02 +0000 (-0500)
Subject: https://github.com/ImageMagick/ImageMagick/issues/872
X-Git-Tag: 7.0.7-12~46
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=59c49559e302e06bfba46cb6feb4e39adbe675b6;p=imagemagick

https://github.com/ImageMagick/ImageMagick/issues/872
---

diff --git a/coders/png.c b/coders/png.c
index 6609030f0..4f440bf6e 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -1800,14 +1800,21 @@ Magick_png_read_raw_profile(png_struct *ping,Image *image,
                  13,14,15};
 
   sp=text[ii].text+1;
+  length=text[ii].text_length;
   /* look for newline */
-  while (*sp != '\n')
-     sp++;
+  while ((*sp != '\n') && length--)
+    sp++;
 
   /* look for length */
-  while (*sp == '\0' || *sp == ' ' || *sp == '\n')
+  while (((*sp == '\0' || *sp == ' ' || *sp == '\n')) && length--)
      sp++;
 
+  if (length == 0)
+    {
+      png_warning(ping,"invalid profile length");
+      return(MagickFalse);
+    }
+
   length=(png_uint_32) StringToLong(sp);
 
   (void) LogMagickEvent(CoderEvent,GetMagickModule(),