From a404f04f6114057b9b64eab8436a0668f6aa16f7 Mon Sep 17 00:00:00 2001
From: maminjie
Date: Sat, 19 Sep 2020 15:35:05 +0800
Subject: [PATCH] ReadMIFFImage(): Detect end of file while reading RLE packets. (CVE-2019-11006) refers to http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/f7610c1281c1
---
 coders/miff.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/coders/miff.c b/coders/miff.c
index 307b10e..60ad6f7 100644
--- a/coders/miff.c
+++ b/coders/miff.c
@@ -1706,7 +1706,13 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
 p=pixels;
 for (length=0; length < image->columns; )
 {
- p+=ReadBlob(image,packet_size,p);
+ size_t
+ bytes_read;
+
+ if ((bytes_read=ReadBlob(image,packet_size,p)) != packet_size)
+ ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile,
+ image);
+ p+=bytes_read;
 length+=*(p-1)+1;
 }
 
@@ -1731,7 +1737,10 @@ static Image *ReadMIFFImage(const ImageInfo *image_info,
 if (q == (PixelPacket *) NULL)
 break;
 pixels_p=pixels;
- (void) ReadBlobZC(image,packet_size*image->columns,&pixels_p);
+ if (ReadBlobZC(image,packet_size*image->columns,&pixels_p)
+ != (size_t) packet_size*image->columns)
+ ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile,
+ image);
 (void) ImportImagePixelArea(image,quantum_type,quantum_size,(const unsigned char*) pixels_p,0,0);
 if (!SyncImagePixels(image))
 break;
-- 
2.23.0
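Review bot: The new end-of-file check in the RLE loop uses an unbraced `if` whose body is the macro `ThrowMIFFReaderException(...)`; if that macro expands to more than one statement without a `do { ... } while (0)` wrapper (its definition is outside this hunk), only its first statement would be conditional. Bracing the body, `{ ThrowMIFFReaderException(CorruptImageError,UnexpectedEndOfFile,image); }`, removes that dependency, and the same applies to the identical construct in the second hunk. The loop also still advances `p` with no explicit bound against the end of `pixels`; it appears to rely on each packet adding at least one to `length`, so a comment such as `/* at most image->columns packets of packet_size bytes are written to pixels */` would record the invariant. The allocation of `pixels` and the rest of ReadMIFFImage are outside the hunk.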
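Review bot: The byte count in the second hunk is computed twice in different forms: the length passed to `ReadBlobZC` is `packet_size*image->columns`, while the comparison uses `(size_t) packet_size*image->columns`, so where the operand types are narrower than `size_t` (their declarations are outside this hunk) the requested length and the expected length can differ. Computing it once, `row_bytes=(size_t) packet_size*image->columns;` followed by `if (ReadBlobZC(image,row_bytes,&pixels_p) != row_bytes)`, with `row_bytes` declared as `size_t` at the top of the enclosing block, keeps the request and the check in agreement. The result of `ImportImagePixelArea` on the following line is still discarded with `(void)`; either check it or add a comment saying why a failure there can be ignored.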