# HG changeset patch
# User Bob Friesenhahn <bfriesen@GraphicsMagick.org>
# Date 1648301533 18000
# Node ID 94f4bcf448ad29d6d8470e444038402d34fbba12
# Parent  07c1e6eeffb8cb2abb9ede843a45ba7e5435b3b0
ReadMIFFImage(): Validate claimed bzip2-compressed row length prior to reading data into fixed size buffer.

--- graphicsmagick-1.4+really1.3.36+hg16481.orig/coders/miff.c
+++ graphicsmagick-1.4+really1.3.36+hg16481/coders/miff.c
@@ -1862,9 +1862,20 @@ static Image *ReadMIFFImage(const ImageI
                       else
                         {
                           length=ReadBlobMSBLong(image);
+                          if (image->logging)
+                            (void) LogMagickEvent(CoderEvent,GetMagickModule(),
+                                                  "length = %"MAGICK_SIZE_T_F"u",
+                                                  (MAGICK_SIZE_T) length);
+                          if ((length == 0) || (length > compressed_length))
+                            {
+                              (void) BZ2_bzDecompressEnd(&bzip_info);
+                              ThrowMIFFReaderException(CorruptImageError,UnableToUncompressImage,
+                                                       image);
+                            }
                           bzip_info.avail_in=(unsigned int) ReadBlob(image,length,bzip_info.next_in);
                           if ((size_t) bzip_info.avail_in != length)
                             {
+                              (void) BZ2_bzDecompressEnd(&bzip_info);
                               ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile,
                                                    image);
                             }
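Review bot: The new bound `length > compressed_length` at the top of the added block protects the ReadBlob() call below it only if compressed_length is the allocated size of the buffer bzip_info.next_in points to, and next_in has been reset to the start of that buffer. Neither is visible in this hunk, so both should be confirmed and recorded next to the check. A comment such as `/* length is read from the file: it must fit the compressed_length-byte buffer at next_in */` would make the invariant explicit for the next maintainer. The other arm of this `else` and the rest of ReadMIFFImage lie outside the hunk, so the length handling there should presumably be checked for the same bound and for the same BZ2_bzDecompressEnd() cleanup before throwing.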
