File tree Expand file tree Collapse file tree 1 file changed +5
-3
lines changed Expand file tree Collapse file tree 1 file changed +5
-3
lines changed Original file line number Diff line number Diff line change @@ -693,9 +693,11 @@ vips_foreign_save_cgif_build( VipsObject *object )
693693 frame_rect .width = cgif -> in -> Xsize ;
694694 frame_rect .height = page_height ;
695695
696- /* GIF has a limit of 64k per axis -- double-check this.
696+ /* Reject images that exceed the pixel limit of libimagequant,
697+ * or that exceed the GIF limit of 64k per axis.
697698 */
698- if ( frame_rect .width > 65535 ||
699+ if ( (guint64 ) frame_rect .width * frame_rect .height > INT_MAX / 4 ||
700+ frame_rect .width > 65535 ||
699701 frame_rect .height > 65535 ) {
700702 vips_error ( class -> nickname , "%s" , _ ( "frame too large" ) );
701703 return ( -1 );
@@ -720,7 +722,7 @@ vips_foreign_save_cgif_build( VipsObject *object )
720722 /* The frame index buffer.
721723 */
722724 cgif -> index = g_malloc0 ( (size_t ) frame_rect .width *
723- frame_rect .height );
725+ frame_rect .height );
724726
725727 /* Set up libimagequant.
726728 */
You can’t perform that action at this time.
0 commit comments