From 8d028420d50a983071dfaaf21523459dd3059c28 Mon Sep 17 00:00:00 2001
From: Lovell Fuller <github@lovell.info>
Date: Mon, 19 Aug 2019 19:32:59 +0100
Subject: [PATCH] WebP loader: verify upper limit on dimensions in header

---
 libvips/foreign/webp2vips.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libvips/foreign/webp2vips.c b/libvips/foreign/webp2vips.c
index c12cdc46..90bf3a04 100644
--- a/libvips/foreign/webp2vips.c
+++ b/libvips/foreign/webp2vips.c
@@ -547,7 +547,9 @@ read_header( Read *read, VipsImage *out )
 	}
 
 	if( read->width <= 0 ||
-		read->height <= 0 ) {
+		read->height <= 0 ||
+		read->width > 0x3FFF ||
+		read->height > 0x3FFF ) {
 		vips_error( "webp", "%s", _( "bad image dimensions" ) ); 
 		return( -1 ); 
 	}