From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 31 Mar 2018 18:27:22 +0000 (-0400)
Subject: ...
X-Git-Tag: 7.0.7-29~249
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=954df3bc1dc2f8da055f9d1a0f541bcdcd70e71f;p=imagemagick

...
---

diff --git a/coders/xcf.c b/coders/xcf.c
index f10d6d240..562eefd23 100644
--- a/coders/xcf.c
+++ b/coders/xcf.c
@@ -643,8 +643,8 @@ static MagickBooleanType load_level(Image *image,XCFDocInfo *inDocInfo,
     saved_pos=TellBlob(image);
     /* read in the offset of the next tile so we can calculate the amount
        of data needed for this tile*/
-    offset2=(MagickOffsetType)ReadBlobMSBLong(image);
-    if ((MagickSizeType) offset2 > GetBlobSize(image))
+    offset2=(MagickOffsetType) ReadBlobMSBLong(image);
+    if ((MagickSizeType) offset2 >= inDocInfo->file_size)
       ThrowBinaryException(CorruptImageError,"InsufficientImageDataInFile",
         image->filename);
     /* if the offset is 0 then we need to read in the maximum possible
@@ -748,6 +748,9 @@ static MagickBooleanType load_hierarchy(Image *image,XCFDocInfo *inDocInfo,
    *  as the number of levels found in the file.
    */
   offset=(MagickOffsetType) ReadBlobMSBLong(image);  /* top level */
+  if ((MagickSizeType) offset >= GetBlobSize(image))
+    ThrowBinaryException(CorruptImageError,"InsufficientImageDataInFile",
+      image->filename);
 
   /* discard offsets for layers below first, if any.
    */