From 47831fd57d236a351fdbef3fa6618dfeafbe7d4f Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@git.imagemagick.org>
Date: Sun, 4 Mar 2018 23:41:59 +0100
Subject: [PATCH] Added check for the layer size
 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6198).

---
 coders/xcf.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/coders/xcf.c b/coders/xcf.c
index c471609cb..c29b1fff0 100644
--- a/coders/xcf.c
+++ b/coders/xcf.c
@@ -815,6 +815,10 @@ static MagickBooleanType ReadOneLayer(const ImageInfo *image_info,Image* image,
   if (EOFBlob(image) != MagickFalse)
     ThrowBinaryException(CorruptImageError,"InsufficientImageDataInFile",
       image->filename);
+  if ((outLayer->width < 1) || (outLayer->width > image->columns) ||
+      (outLayer->height < 1) || (outLayer->height > image->rows))
+    ThrowBinaryException(CorruptImageError,"ImproperImageHeader",
+      image->filename);
   /* read the layer properties! */
   foundPropEnd = 0;
   while ( (foundPropEnd == MagickFalse) && (EOFBlob(image) == MagickFalse) ) {
@@ -927,6 +931,7 @@ static MagickBooleanType ReadOneLayer(const ImageInfo *image_info,Image* image,
     exception);
   if (outLayer->image == (Image *) NULL)
     return(MagickFalse);
+  outLayer->width=outLayer->image->columns;
   status=SetImageExtent(outLayer->image,outLayer->image->columns,
     outLayer->image->rows,exception);
   if (status == MagickFalse)
-- 
2.40.0