From: Cristy
Date: Wed, 22 Nov 2017 15:04:23 +0000 (-0500)
Subject: https://github.com/ImageMagick/ImageMagick/issues/872
X-Git-Tag: 7.0.7-12~45
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=fb89192c4ca1600741af79dd22166a7d91e76924;p=imagemagick
https://github.com/ImageMagick/ImageMagick/issues/872
---
diff --git a/coders/png.c b/coders/png.c
index 4f440bf6e..f6a7c3109 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -1785,6 +1785,7 @@ Magick_png_read_raw_profile(png_struct *ping,Image *image,
 sp;
 png_uint_32
+ extent,
 length,
 nibbles;
@@ -1800,16 +1801,16 @@ Magick_png_read_raw_profile(png_struct *ping,Image *image,
 13,14,15};
 sp=text[ii].text+1;
- length=text[ii].text_length;
+ extent=text[ii].text_length;
 /* look for newline */
- while ((*sp != '\n') && length--)
+ while ((*sp != '\n') && extent--)
 sp++;
 /* look for length */
- while (((*sp == '\0' || *sp == ' ' || *sp == '\n')) && length--)
+ while (((*sp == '\0' || *sp == ' ' || *sp == '\n')) && extent--)
 sp++;
- if (length == 0)
+ if (extent == 0)
 {
 png_warning(ping,"invalid profile length");
 return(MagickFalse);
@@ -1820,8 +1821,14 @@ Magick_png_read_raw_profile(png_struct *ping,Image *image,
 (void) LogMagickEvent(CoderEvent,GetMagickModule(),
 " length: %lu",(unsigned long) length);
- while (*sp != ' ' && *sp != '\n')
- sp++;
+ while ((*sp != ' ' && *sp != '\n') && extent--)
+ sp++;
+
+ if (extent == 0)
+ {
+ png_warning(ping,"invalid profile length");
+ return(MagickFalse);
+ }
 /* allocate space */
 if (length == 0)
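Review bot: The `&& extent--` guards on the two scanning loops in this hunk (and on the third loop added in the `-1820` hunk) do not make `if (extent == 0)` a reliable exhaustion check, because `extent` is declared `png_uint_32`. When the budget runs out, the post-decrement yields 0 and then wraps `extent` to its maximum value, so the test is false and the following loop runs with an effectively unlimited budget. Each loop also reads `*sp` before testing the budget, and the budget starts at the full `text_length` although `sp` starts at `text+1` (assuming `text_length` counts from `text[ii].text`). Testing the count first and decrementing in the body avoids both problems, e.g. `while ((extent != 0) && (*sp != '\n')) { sp++; extent--; }`, with the initial budget reduced by one for the skipped byte once a zero `text_length` has been rejected. The function body starts and ends outside the hunk.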
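Review bot: The failure path added after the length-field scan reuses the text `"invalid profile length"` that the earlier check already emits, so a warning in the log cannot tell which parse stage rejected the chunk. A distinct message such as `png_warning(ping,"truncated profile header");` would make triage of malformed files easier. The parsed `length` is also not compared with the remaining `extent` in the visible lines. If the decoding code below the hunk does not bound itself by the text size, a check before `/* allocate space */` that the remaining bytes can hold `2*length` hex digits would be the place for it; this needs confirming against the rest of the function, which continues outside the hunk.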