--- ImageMagick-6.2.4/coders/sgi.c.cve-2006-5868 2006-12-01 12:22:07.000000000 -0700
+++ ImageMagick-6.2.4/coders/sgi.c 2006-12-01 12:24:04.000000000 -0700
@@ -171,13 +171,13 @@ static void SGIDecode(const unsigned lon
 q=pixels;
 if (bytes_per_pixel == 2)
 {
- for (i=0; i < (long) width; )
+ for ( i=0 ; ; )
 {
 pixel=(unsigned long) (*p++) << 8;
 pixel|=(*p++);
 count=(ssize_t) (pixel & 0x7f);
 i+=count;
- if (count == 0)
+ if (count == 0 || i > (long) width)
 break;
 if ((pixel & 0x80) != 0)
 for ( ; count != 0; count--)
@@ -200,13 +200,13 @@ static void SGIDecode(const unsigned lon
 }
 return;
 }
- for (i=0; i < (long) width; )
+ for ( i=0 ; ; )
 {
 pixel=(unsigned long) (*p++);
 count=(ssize_t) (pixel & 0x7f);
- if (count == 0)
- break;
 i+=count;
+ if (count == 0 || i > (long) width)
+ break;
 if ((pixel & 0x80) != 0)
 for ( ; count != 0; count--)
 {
@@ -304,6 +304,8 @@ static Image *ReadSGIImage(const ImageIn
 image->columns=iris_info.columns;
 image->rows=iris_info.rows;
 image->depth=(unsigned long) (iris_info.depth <= 8 ? 8 : QuantumDepth);
+ if (iris_info.depth > 4 || iris_info.depth == 0)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
 if (iris_info.depth < 3)
 {
 image->storage_class=PseudoClass;
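Review bot: The added `i > (long) width` test in the two-byte loop bounds only the destination row; the source pointer is still advanced by `*p++` with no end-of-buffer check visible in this hunk, so a truncated or malformed packet stream can be read past the packet buffer before either `break` fires. The one-byte loop in the next hunk has the same gap. Passing the number of packet bytes available into SGIDecode and stopping when it is exhausted would close it. Because the function returns `void`, the caller also cannot tell a clean zero-count terminator from an early stop on corrupt data; returning a status would let ReadSGIImage reject the file instead of keeping a partly decoded row. SGIDecode starts and ends outside the hunk, so how the packet buffer is sized at the call site should be confirmed.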
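Review bot: With the condition removed from the `for` header, the one-byte loop's termination now rests entirely on the `break` inside the body, which is easy to miss when the function is next edited. A comment above the loop, e.g. `/* Ends on a zero-count packet, or when the run would pass the end of the row. */`, would record that, and the two-byte loop in the previous hunk deserves the same line. Writing the header as `for (i=0; ; )` would also match the spacing of the surrounding loops.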
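Review bot: The depth check sits after `image->columns`, `image->rows` and `image->depth` have already been filled from the header, so an image rejected here has first been populated with unvalidated values; moving the two added lines above those assignments keeps validation ahead of any use. Once depth is limited to 1..4, the `iris_info.depth <= 8` test on the preceding line is always true and `image->depth` is always 8, which looks unintended for two-byte samples and is worth confirming. Only `depth` is range-checked in this hunk; whether `iris_info.columns`, `iris_info.rows` and the header's bytes-per-pixel value are validated before buffers are sized from them is not visible here. ReadSGIImage continues outside the hunk.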