diff --git a/fuzz/common_fuzzer_corpus/sharpen_fuzzer-5806172036399104 b/fuzz/common_fuzzer_corpus/sharpen_fuzzer-5806172036399104
new file mode 100644
index 00000000..d019aac1
Binary files /dev/null and b/fuzz/common_fuzzer_corpus/sharpen_fuzzer-5806172036399104 differ
diff --git a/libvips/foreign/gifload.c b/libvips/foreign/gifload.c
index 0eec998c..d7cc4975 100644
--- a/libvips/foreign/gifload.c
+++ b/libvips/foreign/gifload.c
@@ -700,8 +700,14 @@ vips_foreign_load_gif_scan_extension( VipsForeignLoadGif *gif )
 static int
 vips_foreign_load_gif_set_header( VipsForeignLoadGif *gif, VipsImage *image )
 {
+ const gint64 total_height = (gint64) gif->file->SHeight * gif->n;
+ if ( total_height <= 0 || total_height > VIPS_MAX_COORD ) {
+ vips_error( "gifload", "%s",
+ _( "image size out of bounds" ) );
+ return( -1 );
+ }
 vips_image_init_fields( image,
- gif->file->SWidth, gif->file->SHeight * gif->n,
+ gif->file->SWidth, (int) total_height,
 (gif->has_colour ? 3 : 1) + (gif->has_transparency ? 1 : 0),
 VIPS_FORMAT_UCHAR, VIPS_CODING_NONE,
 gif->has_colour ?
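Review bot: The bound added at the top of vips_foreign_load_gif_set_header() covers only the stacked height, while `gif->file->SWidth` still goes into `vips_image_init_fields()` in the next statement with no range check. Whether a zero or otherwise invalid width is already rejected earlier in the loader is not visible from this hunk, so this may be redundant, but checking both dimensions here would make the guard self-contained: `if( gif->file->SWidth <= 0 || total_height <= 0 || total_height > VIPS_MAX_COORD ) {`. A one-line comment above the declaration, such as `/* Multiply in 64 bits: SHeight * n can overflow int for a crafted file. */`, would record why the cast is there so it is not simplified away later. The function body continues past the end of the hunk, so any other use of `SHeight * gif->n` further down is worth checking for the same widening.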