sergiotarxz/libvips
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #1892 from lovell/gifload-sanitise-total-height

Browse Source 
gifload: ensure total height of all pages is sanitised
This commit is contained in:
John Cupitt 2020-11-21 14:21:43 +00:00 committed by GitHub
commit 0e38b7b342
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
fuzz/common_fuzzer_corpus/sharpen_fuzzer-5806172036399104 Normal file
View File

Binary file not shown.

8
libvips/foreign/gifload.c
View File

@ -700,8 +700,14 @@ vips_foreign_load_gif_scan_extension( VipsForeignLoadGif *gif )
static int static int
vips_foreign_load_gif_set_header( VipsForeignLoadGif *gif, VipsImage *image ) vips_foreign_load_gif_set_header( VipsForeignLoadGif *gif, VipsImage *image )
{ {
const gint64 total_height = (gint64) gif->file->SHeight * gif->n;
if ( total_height <= 0 || total_height > VIPS_MAX_COORD ) {
vips_error( "gifload", "%s",
_( "image size out of bounds" ) );
return( -1 );
}
vips_image_init_fields( image, vips_image_init_fields( image,
gif->file->SWidth, gif->file->SHeight * gif->n, gif->file->SWidth, (int) total_height,
(gif->has_colour ? 3 : 1) + (gif->has_transparency ? 1 : 0), (gif->has_colour ? 3 : 1) + (gif->has_transparency ? 1 : 0),
VIPS_FORMAT_UCHAR, VIPS_CODING_NONE, VIPS_FORMAT_UCHAR, VIPS_CODING_NONE,
gif->has_colour ? gif->has_colour ?