# HG changeset patch
# User Bob Friesenhahn
# Date 1475336055 18000
# Sat Oct 01 10:34:15 2016 -0500
# Node ID 5c7b6d6094a25e99c57f8b18343914ebfd8213ef
# Parent 623b741873230aaf0aaa767f14f4241f9d56a0f6
Fix unsigned underflow leading to heap overflow when parsing 8BIM chunk.
diff --git a/coders/meta.c b/coders/meta.c
--- a/coders/meta.c
+++ b/coders/meta.c
@@ -396,10 +396,17 @@
 { if (brkused && next > 0) { + size_t + codes_len; + char *s = &token[next-1]; - len -= convertHTMLcodes(s, strlen(s)); + codes_len = convertHTMLcodes(s, strlen(s)); + if (codes_len > len) + len = 0; + else + len -= codes_len; } }
@@ -450,7 +457,7 @@
 next=0; outputlen += len; while (len--) - (void) WriteBlobByte(ofile,token[next++]); /* boom */ + (void) WriteBlobByte(ofile,token[next++]); if (outputlen & 1) {
@@ -682,10 +689,17 @@
 { if (brkused && next > 0) { + size_t + codes_len; + char *s = &token[next-1]; - len -= convertHTMLcodes(s, strlen(s)); + codes_len = convertHTMLcodes(s, strlen(s)); + if (codes_len > len) + len = 0; + else + len -= codes_len; } }
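Review bot: In the hunk at -396 the `codes_len > len` branch clamps `len` to 0 and carries on, so a token whose reported shrinkage exceeds its recorded length is still written out as an empty record, with nothing to show that the input was inconsistent. If the enclosing function (it starts and ends outside the hunk) has an error path, failing there would be safer than continuing silently; at minimum a comment such as `/* inconsistent length from convertHTMLcodes(): treat token as empty rather than wrap len */` would record why the clamp exists. The identical block is added again in the hunk at -682, so the same applies there, and a small static helper would keep the two copies from drifting. The return type of `convertHTMLcodes` is not visible in this diff; if it is signed, a negative return would also convert to a large `size_t` and land in the clamp, which is worth stating in that comment.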