From 00763cec8def49fb851a82cbfc6ea40c30f58896 Mon Sep 17 00:00:00 2001 From: Dirk Lemstra Date: Fri, 28 Jun 2019 09:15:41 +0200 Subject: [PATCH] Also include the size of the offset value in the length check. --- MagickCore/property.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MagickCore/property.c b/MagickCore/property.c index bd0d98744..af81d3fda 100644 --- a/MagickCore/property.c +++ b/MagickCore/property.c @@ -1642,7 +1642,7 @@ static MagickBooleanType GetEXIFProperty(const Image *image, directory_stack[level].offset=tag_offset2; directory_stack[level].entry=0; level++; - if ((directory+2+(12*number_entries)) > (exif+length)) + if ((directory+2+(12*number_entries)+4) > (exif+length)) break; tag_offset1=(ssize_t) ReadPropertySignedLong(endian,directory+ 2+(12*number_entries)); -- 2.40.0