From: Cristy <urban-warrior@imagemagick.org>
Date: Thu, 22 Mar 2018 11:10:29 +0000 (-0400)
Subject: ...
X-Git-Tag: 7.0.7-28~51
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b009e0efc006840af86da1c3d3bc8302d0a667cc;p=imagemagick

...
---

diff --git a/coders/dpx.c b/coders/dpx.c
index 4a925f849..1f1549948 100644
--- a/coders/dpx.c
+++ b/coders/dpx.c
@@ -726,6 +726,8 @@ static Image *ReadDPXImage(const ImageInfo *image_info,ExceptionInfo *exception)
     dpx.file.version);
   (void) FormatImageProperty(image,"dpx:file.version","%.8s",dpx.file.version);
   dpx.file.file_size=ReadBlobLong(image);
+  if (dpx.file.file_size >= GetBlobSize(image))
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
   offset+=4;
   dpx.file.ditto_key=ReadBlobLong(image);
   offset+=4;
@@ -733,10 +735,16 @@ static Image *ReadDPXImage(const ImageInfo *image_info,ExceptionInfo *exception)
     (void) FormatImageProperty(image,"dpx:file.ditto.key","%u",
       dpx.file.ditto_key);
   dpx.file.generic_size=ReadBlobLong(image);
+  if (dpx.file.generic_size >= GetBlobSize(image))
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
   offset+=4;
   dpx.file.industry_size=ReadBlobLong(image);
+  if (dpx.file.industry_size >= GetBlobSize(image))
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
   offset+=4;
   dpx.file.user_size=ReadBlobLong(image);
+  if (dpx.file.user_size >= GetBlobSize(image))
+    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
   offset+=4;
   offset+=ReadBlob(image,sizeof(dpx.file.filename),(unsigned char *)
     dpx.file.filename);