From fcb0502d2b1eb73d08eede3e9e1708a42dc879c7 Mon Sep 17 00:00:00 2001
From: Thomas Bernard
Date: Wed, 7 Feb 2018 12:18:00 +0100
Subject: [PATCH] Load_IFF() fix overflow in ColorCycling parsing CRNG
---
 src/fileformats.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/fileformats.c b/src/fileformats.c
index 1e983f9e..ed11b94e 100644
--- a/src/fileformats.c
+++ b/src/fileformats.c
@@ -932,12 +932,19 @@ void Load_IFF(T_IO_Context * context)
 if (max_colCycle_range[context->Color_cycles].Start=min_col;
- context->Cycle_range[context->Color_cycles].End=max_col;
- context->Cycle_range[context->Color_cycles].Inverse=(flags&2)?1:0;
- context->Cycle_range[context->Color_cycles].Speed=(flags&1) ? rate/78 : 0;
+ if (context->Color_cycles >= 16)
+ {
+ Warning("Maximum CRNG number is 16");
+ }
+ else
+ {
+ context->Cycle_range[context->Color_cycles].Start=min_col;
+ context->Cycle_range[context->Color_cycles].End=max_col;
+ context->Cycle_range[context->Color_cycles].Inverse=(flags&2)?1:0;
+ context->Cycle_range[context->Color_cycles].Speed=(flags&1) ? rate/78 : 0;
- context->Color_cycles++;
+ context->Color_cycles++;
+ }
 }
 }
 else
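Review bot: The bound in `if (context->Color_cycles >= 16)` is a bare literal, repeated in the warning string, so the guard is only correct while it matches the declared size of `Cycle_range`, which is not visible in this hunk. Because the number of CRNG chunks is controlled by the file being loaded, I would derive the limit from the array itself, e.g. `if (context->Color_cycles >= sizeof(context->Cycle_range)/sizeof(context->Cycle_range[0]))` (assuming `Cycle_range` is an array member rather than a pointer), or from a named constant shared with the declaration. A one-line comment such as `/* Cycle_range is fixed-size: extra CRNG chunks from the file are ignored */` would record why the chunk is dropped. Load_IFF starts and ends outside the hunk.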