Skip to content

Commit a7697b4

Browse files
jcupittjcupitt
committed
use size_t for GIF n_pels
fixes an overflow, thanks Kleis
1 parent ebfef68 commit a7697b4

File tree

1 file changed

+14
-21
lines changed

1 file changed

+14
-21
lines changed

libvips/foreign/cgifsave.c

Lines changed: 14 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -99,10 +99,6 @@ typedef struct _VipsForeignSaveCgif {
9999
int *palette;
100100
int n_colours;
101101

102-
/* The palette as RGB (not RGBA).
103-
*/
104-
VipsPel palette_rgb[256 * 3];
105-
106102
/* The current frame coming from libvips, and the y position
107103
* in the input image.
108104
*/
@@ -192,11 +188,11 @@ vips__cgif_write( void *client, const uint8_t *buffer, const size_t length )
192188
*/
193189
static void
194190
vips_foreign_save_cgif_set_transparent( VipsForeignSaveCgif *cgif,
195-
VipsPel *old, VipsPel *new, VipsPel *index, int n_pels, int trans )
191+
VipsPel *old, VipsPel *new, VipsPel *index, size_t n_pels, int trans )
196192
{
197193
int sq_maxerror = cgif->interframe_maxerror * cgif->interframe_maxerror;
198194

199-
int i;
195+
size_t i;
200196

201197
for( i = 0; i < n_pels; i++ ) {
202198
/* Alpha must match
@@ -325,8 +321,6 @@ vips_foreign_save_cgif_pick_quantiser( VipsForeignSaveCgif *cgif,
325321
#endif/*DEBUG_VERBOSE*/
326322

327323
cgif->quantisation_result = this_result;
328-
vips_foreign_save_cgif_get_rgb_palette( cgif,
329-
this_result, cgif->palette_rgb );
330324
cgif->n_palettes_generated += 1;
331325

332326
*result = this_result;
@@ -423,18 +417,19 @@ vips_foreign_save_cgif_write_frame( VipsForeignSaveCgif *cgif )
423417
*/
424418
VipsPel *frame_bytes =
425419
VIPS_REGION_ADDR( cgif->frame, 0, frame_rect->top );
426-
int n_pels = frame_rect->height * frame_rect->width;
420+
size_t n_pels = (size_t) frame_rect->height * frame_rect->width;
427421

428422
gboolean has_transparency;
429423
gboolean has_alpha_constraint;
430424
VipsPel * restrict p;
431-
int i;
425+
size_t i;
432426
VipsQuantiseImage *image;
433427
gboolean use_local;
434428
VipsQuantiseResult *quantisation_result;
435429
const VipsQuantisePalette *lp;
436430
CGIF_FrameConfig frame_config = { 0 };
437431
int n_colours;
432+
VipsPel palette_rgb[256 * 3];
438433

439434
#ifdef DEBUG_VERBOSE
440435
printf( "vips_foreign_save_cgif_write_frame: %d\n", page_index );
@@ -493,11 +488,13 @@ vips_foreign_save_cgif_write_frame( VipsForeignSaveCgif *cgif )
493488
return( -1 );
494489
}
495490

491+
lp = vips__quantise_get_palette( quantisation_result );
496492
/* If there's a transparent pixel, it's always first.
497493
*/
498-
lp = vips__quantise_get_palette( quantisation_result );
499494
has_transparency = lp->entries[0].a == 0;
500495
n_colours = lp->count;
496+
vips_foreign_save_cgif_get_rgb_palette( cgif,
497+
quantisation_result, palette_rgb );
501498

502499
/* Dither frame into @index.
503500
*/
@@ -527,7 +524,7 @@ vips_foreign_save_cgif_write_frame( VipsForeignSaveCgif *cgif )
527524

528525
cgif->cgif_config.width = frame_rect->width;
529526
cgif->cgif_config.height = frame_rect->height;
530-
cgif->cgif_config.pGlobalPalette = cgif->palette_rgb;
527+
cgif->cgif_config.pGlobalPalette = palette_rgb;
531528
cgif->cgif_config.numGlobalPaletteEntries = n_colours;
532529
cgif->cgif_config.pWriteFn = vips__cgif_write;
533530
cgif->cgif_config.pContext = (void *) cgif->target;
@@ -576,10 +573,8 @@ vips_foreign_save_cgif_write_frame( VipsForeignSaveCgif *cgif )
576573
/* Attach a local palette, if we need one.
577574
*/
578575
if( use_local ) {
579-
vips_foreign_save_cgif_get_rgb_palette( cgif,
580-
quantisation_result, cgif->palette_rgb );
581576
frame_config.attrFlags |= CGIF_FRAME_ATTR_USE_LOCAL_TABLE;
582-
frame_config.pLocalPalette = cgif->palette_rgb;
577+
frame_config.pLocalPalette = palette_rgb;
583578
frame_config.numLocalPaletteEntries = n_colours;
584579
}
585580

@@ -719,12 +714,13 @@ vips_foreign_save_cgif_build( VipsObject *object )
719714

720715
/* The previous RGBA frame (for spotting pixels which haven't changed).
721716
*/
722-
cgif->previous_frame =
723-
g_malloc0( 4 * frame_rect.width * frame_rect.height );
717+
cgif->previous_frame = g_malloc0( (size_t) 4 *
718+
frame_rect.width * frame_rect.height );
724719

725720
/* The frame index buffer.
726721
*/
727-
cgif->index = g_malloc0( frame_rect.width * frame_rect.height );
722+
cgif->index = g_malloc0( (size_t) frame_rect.width *
723+
frame_rect.height );
728724

729725
/* Set up libimagequant.
730726
*/
@@ -781,9 +777,6 @@ vips_foreign_save_cgif_build( VipsObject *object )
781777
}
782778

783779
VIPS_FREEF( vips__quantise_image_destroy, image );
784-
785-
vips_foreign_save_cgif_get_rgb_palette( cgif,
786-
cgif->quantisation_result, cgif->palette_rgb );
787780
}
788781

789782
if( vips_sink_disc( cgif->in,

0 commit comments

Comments
 (0)