check image bounds for GIF load

It seems giflib does no checking of image dimensions at all, not even height == 0.
2019-08-27 13:04:28 +01:00 · 2019-08-27 13:04:28 +01:00 · 5cce83a294
commit 5cce83a294
parent ce684dd008
2 changed files with 14 additions and 0 deletions
--- a/1
+++ b/1
@ -12,6 +12,7 @@
 - make GIF parsing less strict
 - better feof() handling in GIF load
 - clip coding and interpretation on vips image read
+- check image bounds for GIF load

 24/5/19 started 8.8.1
 - improve realpath() use on older libc
--- a/libvips/foreign/gifload.c
+++ b/libvips/foreign/gifload.c
@ -1043,6 +1043,8 @@ vips_foreign_load_gif_load( VipsForeignLoad *load )
 static int
 vips_foreign_load_gif_open( VipsForeignLoadGif *gif )
 {
+	VipsObjectClass *class = VIPS_OBJECT_GET_CLASS( gif );
+
 #ifdef HAVE_GIFLIB_5
 {
 	int error;
@ -1062,6 +1064,17 @@ vips_foreign_load_gif_open( VipsForeignLoadGif *gif )
 	gif->eof = FALSE;
 	gif->current_page = 0;

+	/* giflib does no checking of image dimensions, not even for 0.
+	 */
+	if( gif->file->SWidth <= 0 ||
+		gif->file->SWidth > VIPS_MAX_COORD ||
+		gif->file->SHeight <= 0 ||
+		gif->file->SHeight > VIPS_MAX_COORD ) {
+		vips_error( class->nickname, 
+			"%s", _( "image size out of bounds" ) );
+		return( -1 );
+	}
+
 	/* Allocate a line buffer now that we have the GIF width.
 	 */
 	VIPS_FREE( gif->line )