From bca606e7527f18f95f65023a2f04e6db7d1a2a5f Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@git.imagemagick.org>
Date: Mon, 21 Nov 2016 20:53:03 +0100
Subject: [PATCH] Lowered max map_length to prevent an overflow (#271).

Prevent CVE-2016-8862

bug: https://github.com/ImageMagick/ImageMagick/issues/271
bug-debian: https://bugs.debian.org/845634
origin: upstream, https://github.com/ImageMagick/ImageMagick/commit/ab2c9d6a8dd6d71b161ec9cc57a588b116b52322
---
 coders/rle.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/coders/rle.c b/coders/rle.c
index d4b11dc07..46e30bad4 100644
--- a/coders/rle.c
+++ b/coders/rle.c
@@ -235,7 +235,7 @@ static Image *ReadRLEImage(const ImageInfo *image_info,ExceptionInfo *exception)
     bits_per_pixel=1UL*ReadBlobByte(image);
     number_colormaps=1UL*ReadBlobByte(image);
     map_length=(unsigned char) ReadBlobByte(image);
-    if (map_length >= 32)
+    if (map_length >= 22)
       ThrowReaderException(CorruptImageError,"ImproperImageHeader");
     one=1;
     map_length=one << map_length;