
Commit 82c9a82

committed
gifload: ensure total height of all pages is sanitised
1 parent e8660a7 commit 82c9a82


2 files changed

+7
-1
lines changed

Binary file not shown.

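--- a/libvips/foreign/gifload.c
+++ b/libvips/foreign/gifload.c
@@ -700,8 +700,14 @@ vips_foreign_load_gif_scan_extension( VipsForeignLoadGif *gif )
 static int
 vips_foreign_load_gif_set_header( VipsForeignLoadGif *gif, VipsImage *image )
 {
+const gint64 total_height = (gint64) gif->file->SHeight * gif->n;
+if ( total_height <= 0 || total_height > VIPS_MAX_COORD ) {
+vips_error( "gifload", "%s",
+_( "image size out of bounds" ) );
+return( -1 );
+}
 vips_image_init_fields( image,
-gif->file->SWidth, gif->file->SHeight * gif->n,
+gif->file->SWidth, (int) total_height,
 (gif->has_colour ? 3 : 1) + (gif->has_transparency ? 1 : 0),
 VIPS_FORMAT_UCHAR, VIPS_CODING_NONE,
 gif->has_colour ?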
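Review bot: The new bounds check covers only the stacked height; `gif->file->SWidth` is still passed to `vips_image_init_fields()` without any range test in this hunk. If the width is not already validated where the screen descriptor is read (not visible here), the same guard should cover it, e.g. `if ( gif->file->SWidth <= 0 || gif->file->SWidth > VIPS_MAX_COORD || total_height <= 0 || total_height > VIPS_MAX_COORD ) {`. A short comment above `total_height`, such as `/* Multiply in 64 bits: SHeight * n from a malformed file can exceed the int range. */`, would keep a later cleanup from dropping the `(gint64)` cast that the check depends on. The body of vips_foreign_load_gif_set_header continues past the end of the hunk, so any later use of `SHeight * gif->n` there should be checked as well.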
