From 954df3bc1dc2f8da055f9d1a0f541bcdcd70e71f Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 31 Mar 2018 14:27:22 -0400
Subject: [PATCH] ...

---
 coders/xcf.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/coders/xcf.c b/coders/xcf.c
index f10d6d240..562eefd23 100644
--- a/coders/xcf.c
+++ b/coders/xcf.c
@@ -643,8 +643,8 @@ static MagickBooleanType load_level(Image *image,XCFDocInfo *inDocInfo,
     saved_pos=TellBlob(image);
     /* read in the offset of the next tile so we can calculate the amount
        of data needed for this tile*/
-    offset2=(MagickOffsetType)ReadBlobMSBLong(image);
-    if ((MagickSizeType) offset2 > GetBlobSize(image))
+    offset2=(MagickOffsetType) ReadBlobMSBLong(image);
+    if ((MagickSizeType) offset2 >= inDocInfo->file_size)
       ThrowBinaryException(CorruptImageError,"InsufficientImageDataInFile",
         image->filename);
     /* if the offset is 0 then we need to read in the maximum possible
@@ -748,6 +748,9 @@ static MagickBooleanType load_hierarchy(Image *image,XCFDocInfo *inDocInfo,
    *  as the number of levels found in the file.
    */
   offset=(MagickOffsetType) ReadBlobMSBLong(image);  /* top level */
+  if ((MagickSizeType) offset >= GetBlobSize(image))
+    ThrowBinaryException(CorruptImageError,"InsufficientImageDataInFile",
+      image->filename);
 
   /* discard offsets for layers below first, if any.
    */
-- 
2.40.0