$OpenBSD: patch-coders_bmp_c,v 1.1 2004/09/21 18:39:15 brad Exp $
--- coders/bmp.c.orig	Fri Apr  9 19:13:24 2004
+++ coders/bmp.c	Tue Sep 21 04:05:37 2004
@@ -178,6 +178,7 @@ static unsigned int DecodeImage(Image *i
     x;
 
   register unsigned char
+    *p,
     *q;
 
   unsigned char
@@ -191,9 +192,12 @@ static unsigned int DecodeImage(Image *i
   (void) ResetMagickMemory(pixels,0,(size_t) image->columns*image->rows);
   byte=0;
   x=0;
-  q=pixels;
+  p=pixels;
+  q=pixels+(size_t) image->columns*image->rows;
   for (y=0; y < (long) image->rows; )
   {
+    if ((p < pixels) || (p >= q))
+      break;
     count=ReadBlobByte(image);
     if (count == EOF)
       break;
@@ -202,16 +206,17 @@ static unsigned int DecodeImage(Image *i
         /*
           Encoded mode.
         */
+        count=Min(count,q-p);
         byte=(unsigned char) ReadBlobByte(image);
         if (compression == BI_RLE8)
           {
             for (i=count; i != 0; i--)
-              *q++=(unsigned char) byte;
+              *p++=(unsigned char) byte;
           }
         else
           {
             for (i=0; i < count; i++)
-              *q++=(unsigned char)
+              *p++=(unsigned char)
                 ((i & 0x01) != 0 ? (byte & 0x0f) : ((byte >> 4) & 0x0f));
           }
         x+=count;
@@ -233,7 +238,7 @@ static unsigned int DecodeImage(Image *i
             */
             x=0;
             y++;
-            q=pixels+y*image->columns;
+            p=pixels+y*image->columns;
             break;
           }
           case 0x02:
@@ -243,7 +248,7 @@ static unsigned int DecodeImage(Image *i
             */
             x+=ReadBlobByte(image);
             y+=ReadBlobByte(image);
-            q=pixels+y*image->columns+x;
+            p=pixels+y*image->columns+x;
             break;
           }
           default:
@@ -251,15 +256,16 @@ static unsigned int DecodeImage(Image *i
             /*
               Absolute mode.
             */
+            count=Min(count,q-p);
             if (compression == BI_RLE8)
               for (i=(long) count; i != 0; --i)
-                *q++=(unsigned char) ReadBlobByte(image);
+                *p++=(unsigned char) ReadBlobByte(image);
             else
               for (i=0; i < count; i++)
               {
                 if ((i & 0x01) == 0)
                   byte=(unsigned char) ReadBlobByte(image);
-                *q++=(unsigned char)
+                *p++=(unsigned char)
                   ((i & 0x01) != 0 ? (byte & 0x0f) : ((byte >> 4) & 0x0f));
               }
             x+=count;
