From d949a3258bdb9b7f363f7739761352d222c840be Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@git.imagemagick.org>
Date: Mon, 9 Apr 2018 23:41:41 +0200
Subject: [PATCH] Corrected checking if the profile starts with Exif\0\0
 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7499).

---
 coders/png.c | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/coders/png.c b/coders/png.c
index 2d49cd232..f9be58a46 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -1945,32 +1945,32 @@ static int read_user_chunk_callback(png_struct *ping, png_unknown_chunkp chunk)
         }
       p=GetStringInfoDatum(profile);
 
-      if (*p != 'E')
+      /* Initialize profile with "Exif\0\0" */
+      *p++ ='E';
+      *p++ ='x';
+      *p++ ='i';
+      *p++ ='f';
+      *p++ ='\0';
+      *p++ ='\0';
+
+      s=chunk->data;
+      i=0;
+      if (chunk->size > 6)
         {
-          /* Initialize profile with "Exif\0\0" if it is not
+          /* Skip first 6 bytes if "Exif\0\0" is
              already present by accident
           */
-          *p++ ='E';
-          *p++ ='x';
-          *p++ ='i';
-          *p++ ='f';
-          *p++ ='\0';
-          *p++ ='\0';
+          if (s[0] == 'E' && s[1] == 'x'  && s[2] == 'i' &&
+              s[3] == 'f' && s[4] == '\0' && s[5] == '\0')
+          {
+            s+=6;
+            i=6;
+            SetStringInfoLength(profile,chunk->size);
+          }
         }
-      else
-        {
-          if (p[1] != 'x' || p[2] != 'i' || p[3] != 'f' ||
-              p[4] != '\0' || p[5] != '\0')
-            {
-              /* Chunk is malformed */
-              profile=DestroyStringInfo(profile);
-              return(-1);
-            }
-         }
 
       /* copy chunk->data to profile */
-      s=chunk->data;
-      for (i=0; i<chunk->size; i++)
+      for (; i<chunk->size; i++)
         *p++ = *s++;
 
       error_info=(PNGErrorInfo *) png_get_error_ptr(ping);
-- 
2.40.0