Commit 6dc0130db for imagemagick.org
commit 6dc0130dbbde34b13126bc4fe25789f894b9e0c1
Author: Cristy <urban-warrior@imagemagick.org>
Date: Mon May 11 14:22:13 2026 -0400
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-g5mf-wqq5-vwg6
diff --git a/coders/png.c b/coders/png.c
index b8abe9c8c..027e7b73d 100644
--- a/coders/png.c
+++ b/coders/png.c
@@ -5053,6 +5053,7 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info,
final_image_delay,
frame_delay,
insert_layers,
+ number_loops=0,
mng_iterations=1,
simplicity=0,
subframe_height=0,
@@ -5854,8 +5855,9 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info,
else
{
- if ((MagickSizeType) loop_iters > GetMagickResourceLimit(ListLengthResource))
- loop_iters=(ssize_t) GetMagickResourceLimit(ListLengthResource);
+ if ((MagickSizeType) number_loops+loop_iters > GetMagickResourceLimit(ListLengthResource))
+ ThrowReaderException(ResourceLimitError,
+ "ListLengthExceedsLimit");
if (loop_iters >= 2147483647L)
loop_iters=2147483647L;
if (image_info->number_scenes != 0)
@@ -5863,6 +5865,7 @@ static Image *ReadOneMNGImage(MngReadInfo* mng_info,
loop_iters=(ssize_t) image_info->number_scenes;
mng_info->loop_jump[loop_level]=TellBlob(image);
mng_info->loop_count[loop_level]=loop_iters;
+ number_loops+=loop_iters;
}
mng_info->loop_iteration[loop_level]=0;