From 9a069e0f2e027ec5138f998023cf9cb62c04889f Mon Sep 17 00:00:00 2001
From: Cristy
Date: Thu, 12 Jan 2017 12:51:57 -0500
Subject: [PATCH] https://github.com/ImageMagick/ImageMagick/issues/354
---
 MagickCore/profile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MagickCore/profile.c b/MagickCore/profile.c
index 91cbf4fbe..66e742fc9 100644
--- a/MagickCore/profile.c
+++ b/MagickCore/profile.c
@@ -2043,7 +2043,7 @@ MagickBooleanType SyncExifProfile(Image *image,StringInfo *profile)
 The directory entry contains an offset.
 */
 offset=(ssize_t) ReadProfileLong(endian,q+8);
- if ((size_t) (offset+number_bytes) > length)
+ if ((offset < 0) || ((size_t) (offset+number_bytes) > length))
 continue;
 if (~length < number_bytes)
 continue; /* prevent overflow */
-- 
2.40.0
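Review bot: The sum in the new guard, `(size_t) (offset+number_bytes) > length`, can still wrap around before it is compared, so a non-negative `offset` paired with a very large `number_bytes` may pass the bound check; the `~length < number_bytes` test that follows guards `length+number_bytes`, not this sum. The declaration of `number_bytes` is outside the hunk, so this assumes it is an unsigned `size_t`, as the `~length` comparison suggests. A wrap-free form compares against the space remaining after the offset: `if ((offset < 0) || ((size_t) offset > length) || (number_bytes > (length-(size_t) offset))) continue;`. SyncExifProfile's body starts and ends outside the hunk, so how the validated offset is used afterwards is not visible here.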