check image bounds for GIF load
It seems giflib does no checking of image dimensions at all, not even height == 0.
This commit is contained in:
John Cupitt
parent
ce684dd008
commit
5cce83a294
@ -12,6 +12,7 @@
|
|||||||
- make GIF parsing less strict
|
- make GIF parsing less strict
|
||||||
- better feof() handling in GIF load
|
- better feof() handling in GIF load
|
||||||
- clip coding and interpretation on vips image read
|
- clip coding and interpretation on vips image read
|
||||||
|
- check image bounds for GIF load
|
||||||
|
|
||||||
24/5/19 started 8.8.1
|
24/5/19 started 8.8.1
|
||||||
- improve realpath() use on older libc
|
- improve realpath() use on older libc
|
||||||
|
|||||||
@ -1043,6 +1043,8 @@ vips_foreign_load_gif_load( VipsForeignLoad *load )
|
|||||||
static int
|
static int
|
||||||
vips_foreign_load_gif_open( VipsForeignLoadGif *gif )
|
vips_foreign_load_gif_open( VipsForeignLoadGif *gif )
|
||||||
{
|
{
|
||||||
|
VipsObjectClass *class = VIPS_OBJECT_GET_CLASS( gif );
|
||||||
|
|
||||||
#ifdef HAVE_GIFLIB_5
|
#ifdef HAVE_GIFLIB_5
|
||||||
{
|
{
|
||||||
int error;
|
int error;
|
||||||
@ -1062,6 +1064,17 @@ vips_foreign_load_gif_open( VipsForeignLoadGif *gif )
|
|||||||
gif->eof = FALSE;
|
gif->eof = FALSE;
|
||||||
gif->current_page = 0;
|
gif->current_page = 0;
|
||||||
|
|
||||||
|
/* giflib does no checking of image dimensions, not even for 0.
|
||||||
|
*/
|
||||||
|
if( gif->file->SWidth <= 0 ||
|
||||||
|
gif->file->SWidth > VIPS_MAX_COORD ||
|
||||||
|
gif->file->SHeight <= 0 ||
|
||||||
|
gif->file->SHeight > VIPS_MAX_COORD ) {
|
||||||
|
vips_error( class->nickname,
|
||||||
|
"%s", _( "image size out of bounds" ) );
|
||||||
|
return( -1 );
|
||||||
|
}
|
||||||
|
|
||||||
/* Allocate a line buffer now that we have the GIF width.
|
/* Allocate a line buffer now that we have the GIF width.
|
||||||
*/
|
*/
|
||||||
VIPS_FREE( gif->line )
|
VIPS_FREE( gif->line )
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user