From c1009dba130a858cdeaa1c18b2520d40d681c46d Mon Sep 17 00:00:00 2001
From: Dirk Lemstra
Date: Sat, 3 Feb 2018 10:13:02 +0100
Subject: [PATCH] Added extra checks for the list length to exit earlier. Credit to OSS-Fuzz
---
 coders/dds.c | 3 +++
 coders/gif.c | 16 ++++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/coders/dds.c b/coders/dds.c
index 92e3a80d0..872668d7c 100644
--- a/coders/dds.c
+++ b/coders/dds.c
@@ -1795,6 +1795,9 @@ static Image *ReadDDSImage(const ImageInfo *image_info,ExceptionInfo *exception)
 if ((num_images == 0) || (num_images > GetBlobSize(image))) ThrowReaderException(CorruptImageError,"ImproperImageHeader"); + if (GetMagickResourceLimit(ListLengthResource) < (MagickSizeType) num_images) + ThrowReaderException(ImageError,"ListLengthExceedsLimit"); + option=GetImageOption(image_info,"dds:skip-mipmaps"); if (IsStringFalse(option) != MagickFalse) read_mipmaps=MagickTrue;
diff --git a/coders/gif.c b/coders/gif.c
index a778a142d..69d479879 100644
--- a/coders/gif.c
+++ b/coders/gif.c
@@ -66,6 +66,7 @@
 #include "MagickCore/property.h"
 #include "MagickCore/quantize.h"
 #include "MagickCore/quantum-private.h"
+#include "MagickCore/resource_.h"
 #include "MagickCore/static.h"
 #include "MagickCore/string_.h"
 #include "MagickCore/string-private.h"
@@ -958,6 +959,9 @@ static Image *ReadGIFImage(const ImageInfo *image_info,ExceptionInfo *exception)
 MagickBooleanType status; + MagickSizeType + max_image_count; + register ssize_t i;
@@ -1038,6 +1042,7 @@ static Image *ReadGIFImage(const ImageInfo *image_info,ExceptionInfo *exception)
 duration=0; opacity=(-1); image_count=0; + max_image_count=GetMagickResourceLimit(ListLengthResource); for ( ; ; ) { count=ReadBlob(image,1,&c);
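Review bot: In the ReadDDSImage hunk (coders/dds.c) the limit refusal is raised as `ImageError`, while the same `ListLengthExceedsLimit` tag in the ReadGIFImage hunk of this patch is raised as `CorruptImageError`. Exceeding an operator-set list-length limit is a resource-policy refusal rather than evidence of a damaged file, so both readers should use one severity; otherwise logs and fuzz triage will classify the same condition two ways. The boundary also differs between the two readers: this check accepts a file whose `num_images` equals the limit, whereas the GIF check fires on equality. A short comment above the new `if`, such as `/* Exit before any per-image allocation when the count exceeds the list length limit. */`, would record why it sits ahead of the option parsing. The function body continues outside the hunk.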
@@ -1228,8 +1233,16 @@ static Image *ReadGIFImage(const ImageInfo *image_info,ExceptionInfo *exception)
 } if (c != (unsigned char) ',') continue; - if (image_count != 0) + image_count++; + if (image_count != 1) { + if ((MagickSizeType) image_count == max_image_count) + { + image=DestroyImageList(image); + global_colormap=(unsigned char *) RelinquishMagickMemory( + global_colormap); + ThrowReaderException(CorruptImageError,"ListLengthExceedsLimit"); + } /* Allocate next image structure. */
@@ -1243,7 +1256,6 @@ static Image *ReadGIFImage(const ImageInfo *image_info,ExceptionInfo *exception)
 } image=SyncNextImageInList(image); } - image_count++; /* Read image attributes. */
-- 2.40.0
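Review bot: The equality test `(MagickSizeType) image_count == max_image_count` in ReadGIFImage can be stepped over, because it is only evaluated when `image_count != 1`. With a configured limit of 1 (or 0) the counter moves from 1 to 2 without ever equalling the limit, so the early exit never fires and the next image structure is still allocated. The same test also refuses a GIF holding exactly the limit, while the DDS check in this patch accepts that count. Comparing with greater-than fixes both cases: `if ((MagickSizeType) image_count > max_image_count)`. Whether a later list-length check elsewhere still catches the skipped case is not visible here, and the loop body continues outside the hunk.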