diff -uNr ImageMagick-6.6.6-10-dos//magick/profile.c ImageMagick-6.6.6-10//magick/profile.c --- ImageMagick-6.6.6-10-dos//magick/profile.c 2012-04-13 22:26:16.519542438 -0400 +++ ImageMagick-6.6.6-10//magick/profile.c 2012-04-13 22:26:31.297191247 -0400 @@ -1827,9 +1827,12 @@ EndianType endian; - int + size_t offset; + SplayTreeInfo + *exif_resources; + ssize_t id, level; @@ -1889,12 +1892,14 @@ /* This the offset to the first IFD. */ - offset=(int) ReadProfileLong(endian,exif+4); + offset=(size_t) ((int) ReadProfileLong(endian,exif+4)); if ((size_t) offset >= length) return(MagickFalse); directory=exif+offset; level=0; entry=0; + exif_resources=NewSplayTree((int (*)(const void *,const void *)) NULL, + (void *(*)(void *)) NULL,(void *(*)(void *)) NULL); do { if (level > 0) @@ -1924,6 +1929,9 @@ number_bytes; q=(unsigned char *) (directory+2+(12*entry)); + if (GetValueFromSplayTree(exif_resources,q) == q) + break; + (void) AddValueToSplayTree(exif_resources,q,q); tag_value=(ssize_t) ReadProfileShort(endian,q); format=(ssize_t) ReadProfileShort(endian,q+2); if ((format-1) >= EXIF_NUM_FORMATS) @@ -1934,13 +1942,15 @@ p=q+8; else { - int + size_t offset; /* The directory entry contains an offset. */ - offset=(int) ReadProfileLong(endian,q+8); + offset=(size_t) ((int) ReadProfileLong(endian,q+8)); + if ((offset+number_bytes) < offset) + continue; /* prevent overflow */ if ((size_t) (offset+number_bytes) > length) continue; p=(unsigned char *) (exif+offset); @@ -2007,5 +2017,6 @@ } } } while (level > 0); + exif_resources=DestroySplayTree(exif_resources); return(MagickTrue); } diff -uNr ImageMagick-6.6.6-10-dos//magick/property.c ImageMagick-6.6.6-10//magick/property.c --- ImageMagick-6.6.6-10-dos//magick/property.c 2012-04-13 22:26:16.518542462 -0400 +++ ImageMagick-6.6.6-10//magick/property.c 2012-04-13 22:26:31.298191223 -0400 
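Review bot: The conversion `offset=(size_t) ((int) ReadProfileLong(endian,exif+4));` relies on a non-obvious property that deserves a comment: on an LP64 build a 32-bit value with its top bit set becomes a negative int, which then converts to a size_t far larger than any profile length, so the following `>= length` test rejects it. A line such as `/* top-bit-set offsets go negative as int and convert past length, so the bounds check rejects them */` would keep the next maintainer from "simplifying" the double cast away; the same idiom is used in the later hunk at `q+8`. The `NewSplayTree()` result is stored without a null check; if it can return NULL on allocation failure rather than aborting like other ImageMagick allocators, the later `GetValueFromSplayTree`/`AddValueToSplayTree` calls would dereference it, which is worth confirming against splay-tree.c.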
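Review bot: The cycle guard discards the result of `(void) AddValueToSplayTree(exif_resources,q,q);`, so if the insert fails the entry address is never recorded and a later revisit of that entry would not be caught by the `GetValueFromSplayTree(exif_resources,q) == q` test. Treating a failed insert the same as a detected cycle, `if (AddValueToSplayTree(exif_resources,q,q) == MagickFalse) break;`, keeps the guard closed in that case. The `break` leaves only the innermost loop; whether that is the do/while or an entry loop that begins outside this hunk is not visible here, so the remaining directory stack may still be walked afterwards, which is fine because the tree is kept until the end of the function.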
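Review bot: `exif_resources` is destroyed only on the normal `return(MagickTrue)` path; the tree is allocated after the only early `return(MagickFalse)` visible in the diff, so any `return` inside the loop body, which lies outside this hunk, now leaks it. If such exits exist, add `exif_resources=DestroySplayTree(exif_resources);` before each of them rather than relying on `break`, since a `break` from a nested entry loop would not reach the destroy call placed after the do/while.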
@@ -1313,6 +1313,8 @@ The directory entry contains an offset. */ offset=(ssize_t) ((int) ReadPropertyLong(endian,q+8)); + if ((offset+number_bytes) < offset) + continue; /* prevent overflow */ if ((size_t) (offset+number_bytes) > length) continue; p=(unsigned char *) (exif+offset);
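Review bot: In property.c `offset` is signed (context line `offset=(ssize_t) ((int) ReadPropertyLong(endian,q+8));`), so it is negative whenever the stored 32-bit value has its top bit set, and the new `(offset+number_bytes) < offset` test only rejects that when `number_bytes` is unsigned and the sum wraps. If `number_bytes` is signed here (its declaration is outside the hunk), the addition is signed arithmetic whose overflow is undefined behaviour that the optimizer may assume away, and a small negative offset plus a slightly larger `number_bytes` gives a small non-negative sum that also passes the `> length` check, leaving `p=(unsigned char *) (exif+offset)` pointing before the buffer. An explicit sign check before the addition, `if (offset < 0) continue;`, rejects negative offsets regardless of the other operand's type and is the counterpart of the size_t conversion the profile.c hunks use. The enclosing loop and the `number_bytes` declaration both lie outside this hunk.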