File ImageMagick-CVE-2016-10050.patch of Package ImageMagick.8212

From 73fb0aac5b958521e1511e179ecc0ad49f70ebaf Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sun, 5 Jun 2016 14:19:46 -0400
Subject: [PATCH] RLE check for pixel offset less than 0 (heap overflow report
 from Craig Young).

---
 ChangeLog    |  2 ++
 coders/rle.c | 10 ++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/coders/rle.c b/coders/rle.c
index c885b1f..09b99f6 100644
--- a/coders/rle.c
+++ b/coders/rle.c
@@ -178,11 +178,11 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
     number_planes,
     number_planes_filled,
     one,
-    offset,
     pixel_info_length;
 
   ssize_t
     count,
+    offset,
     y;
 
   unsigned char
@@ -395,7 +395,8 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
           offset=((image->rows-y-1)*image->columns*number_planes)+x*
             number_planes+plane;
           operand++;
-          if (offset+((size_t) operand*number_planes) > pixel_info_length)
+          if ((offset < 0) ||
+              (offset+((size_t) operand*number_planes) > pixel_info_length))
             {
               if (number_colormaps != 0)
                 colormap=(unsigned char *) RelinquishMagickMemory(colormap);
@@ -426,14 +427,15 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
           operand++;
           offset=((image->rows-y-1)*image->columns*number_planes)+x*
             number_planes+plane;
-          p=pixels+offset;
-          if (offset+((size_t) operand*number_planes) > pixel_info_length)
+          if ((offset < 0) ||
+              (offset+((size_t) operand*number_planes) > pixel_info_length))
             {
               if (number_colormaps != 0)
                 colormap=(unsigned char *) RelinquishMagickMemory(colormap);
               pixel_info=RelinquishVirtualMemory(pixel_info);
               ThrowReaderException(CorruptImageError,"UnableToReadImageData");
             }
+          p=pixels+offset;
           for (i=0; i < (ssize_t) operand; i++)
           {
             if ((y < (ssize_t) image->rows) &&