File GraphicsMagick-CVE-2016-10050.patch of Package GraphicsMagick.6323
From 73fb0aac5b958521e1511e179ecc0ad49f70ebaf Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sun, 5 Jun 2016 14:19:46 -0400
Subject: [PATCH] RLE check for pixel offset less than 0 (heap overflow report
from Craig Young).
---
ChangeLog | 2 ++
coders/rle.c | 10 ++++++----
2 files changed, 8 insertions(+), 4 deletions(-)
Index: GraphicsMagick-1.3.21/coders/rle.c
===================================================================
--- GraphicsMagick-1.3.21.orig/coders/rle.c 2017-01-17 15:18:15.278257915 +0100
+++ GraphicsMagick-1.3.21/coders/rle.c 2017-01-17 15:18:15.286258045 +0100
@@ -163,6 +163,7 @@ static Image *ReadRLEImage(const ImageIn
index;
long
+ offset,
y;
register IndexPacket
@@ -203,7 +204,6 @@ static Image *ReadRLEImage(const ImageIn
number_pixels,
number_planes,
number_planes_filled,
- offset,
rle_pixels_length;
magick_off_t
@@ -428,7 +428,7 @@ static Image *ReadRLEImage(const ImageIn
offset=((image->rows-y-1)*image->columns*number_planes)+
x*number_planes+plane;
operand++;
- if (offset+((size_t) operand*number_planes) > rle_pixels_length)
+ if (offset < 0 || offset+((size_t) operand*number_planes) > rle_pixels_length)
{
if (number_colormaps != 0)
MagickFreeMemory(colormap);
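Review bot: The added `offset < 0` test only fires if an out-of-range product happens to convert to a negative `long`. The operands of the `offset=` expression look unsigned (`number_planes` sits in the declaration group that `offset` was removed from), so the check relies on that conversion rather than on the inputs being valid. Rejecting a bad row index before the multiplication would be more direct, for example `if (y < 0 || (unsigned long) y >= image->rows)` taking the same error path, with the cast adjusted to the declared type of `image->rows`, which this hunk does not show. A short comment such as `/* offset is signed so a wrapped row index shows up as negative */` would also explain why the first hunk moves the declaration to `long`. The same condition is repeated in the fourth hunk, and the body of ReadRLEImage extends beyond both.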
@@ -460,7 +460,7 @@ static Image *ReadRLEImage(const ImageIn
offset=((image->rows-y-1)*image->columns*number_planes)+
x*number_planes+plane;
p=rle_pixels+offset;
- if (offset+((size_t) operand*number_planes) > rle_pixels_length)
+ if (offset < 0 || offset+((size_t) operand*number_planes) > rle_pixels_length)
{
if (number_colormaps != 0)
MagickFreeMemory(colormap);
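Review bot: `p=rle_pixels+offset;` still runs before the bounds check that follows it, so for a rejected run the pointer is formed from an offset that is negative or past `rle_pixels_length`. Computing a pointer outside the buffer is undefined behaviour in C, even though the visible part of the error path does not dereference it. Moving `p=rle_pixels+offset;` to just after the closing brace of the `if` block keeps the pointer arithmetic on validated offsets only. The condition is now duplicated between this branch and the one in the previous hunk, so a small `static` helper taking `offset`, `operand`, `number_planes` and `rle_pixels_length` would keep the two checks from drifting apart. The `if` block and the rest of ReadRLEImage continue outside this hunk.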