From 7f35202dce6b97b36ea3903f48608fc40e99ce4b Mon Sep 17 00:00:00 2001
From: Cristy
Date: Fri, 1 Jun 2018 18:39:26 -0400
Subject: [PATCH] ...
---
 coders/png.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/coders/png.c b/coders/png.c
index 8b78bdf7c..647fbfa8a 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -5439,23 +5439,18 @@ static Image *ReadOneMNGImage(MngInfo* mng_info, const ImageInfo *image_info,
 " Reading MNG chunk type %c%c%c%c, length: %.20g",
 type[0],type[1],type[2],type[3],(double) length);
- if (length > PNG_UINT_31_MAX)
+ if ((length > PNG_UINT_31_MAX) || (length > GetBlobSize(image)) ||
+ (count < 4))
 {
- status=MagickFalse;
- break;
+ mng_info=MngInfoFreeStruct(mng_info);
+ ThrowReaderException(CorruptImageError,"CorruptImage");
 }
- if (count == 0)
- ThrowReaderException(CorruptImageError,"CorruptImage");
-
 p=NULL;
 chunk=(unsigned char *) NULL;
 if (length != 0)
 {
- if (length > GetBlobSize(image))
- ThrowReaderException(CorruptImageError,
- "InsufficientImageDataInFile");
 chunk=(unsigned char *) AcquireQuantumMemory(length,sizeof(*chunk));
 if (chunk == (unsigned char *) NULL)
-- 
2.50.1
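Review bot: In the new error branch, `mng_info=MngInfoFreeStruct(mng_info);` releases a struct that ReadOneMNGImage received as a parameter, and the assignment only clears the local copy, so the caller's pointer still refers to the released struct. The caller is outside this hunk; if it also releases `mng_info` after a failed return, which is likely if the caller allocated the struct, a malformed chunk length or short read would lead to a double free. Unless ownership is meant to transfer on failure, I would leave the release to the caller and keep only `ThrowReaderException(CorruptImageError,"CorruptImage");` in the branch, or else state the transfer in a comment above it. Separately, the merged condition drops the more specific `"InsufficientImageDataInFile"` message, and the log call above it still reads `type[0]`..`type[3]` before `count < 4` is tested. ReadOneMNGImage starts and ends outside the hunk.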