From: Cristy Date: Thu, 12 Jan 2017 17:51:57 +0000 (-0500) Subject: https://github.com/ImageMagick/ImageMagick/issues/354 X-Git-Tag: 7.0.4-4~6 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9a069e0f2e027ec5138f998023cf9cb62c04889f;p=imagemagick https://github.com/ImageMagick/ImageMagick/issues/354 --- diff --git a/MagickCore/profile.c b/MagickCore/profile.c index 91cbf4fbe..66e742fc9 100644 --- a/MagickCore/profile.c +++ b/MagickCore/profile.c @@ -2043,7 +2043,7 @@ MagickBooleanType SyncExifProfile(Image *image,StringInfo *profile) The directory entry contains an offset. */ offset=(ssize_t) ReadProfileLong(endian,q+8); - if ((size_t) (offset+number_bytes) > length) + if ((offset < 0) || ((size_t) (offset+number_bytes) > length)) continue; if (~length < number_bytes) continue; /* prevent overflow */
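Review bot: In the rewritten condition in SyncExifProfile, the sum offset+number_bytes is still computed before anything bounds number_bytes, and the `/* prevent overflow */` test on the following context line runs only after that sum has been used; it also compares number_bytes with ~length rather than with the space left after offset. Rejecting offset < 0 closes the negative-offset case, but depending on the type of number_bytes (not visible in this hunk) a large value could still wrap the addition so that the cast result compares below length. A subtraction form avoids the addition entirely, for example `(offset < 0) || ((size_t) offset > length) || (number_bytes > length-(size_t) offset)`, and would make the separate ~length check unnecessary. The commit message carries only the issue URL; a one-line description of the out-of-bounds condition being fixed would help anyone reading the history without access to the tracker.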