From 744e42edd18ae409a81b35096cd189909a131b17 Mon Sep 17 00:00:00 2001
From: Lovell Fuller
Date: Sun, 28 Mar 2021 19:23:06 +0100
Subject: [PATCH] nsgifload: check dimensions before memory allocation

GIF dimensions are 16-bit unsigned Initialise memory to zero as image may be truncated
---
 libvips/foreign/nsgifload.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/libvips/foreign/nsgifload.c b/libvips/foreign/nsgifload.c
index 26840d52..4b449e80 100644
--- a/libvips/foreign/nsgifload.c
+++ b/libvips/foreign/nsgifload.c
@@ -534,10 +534,17 @@ vips_foreign_load_nsgif_class_init( VipsForeignLoadNsgifClass *class )
 static void *
 vips_foreign_load_nsgif_bitmap_create( int width, int height )
 {
- /* ensure a stupidly large bitmap is not created
+ /* Check GIF dimensions fit within 16-bit unsigned.
 */
-
- return calloc( width * height, 4 );
+ if( width <= 0 ||
+ width > 65535 ||
+ height <= 0 ||
+ height > 65535 ) {
+ vips_error( "gifload",
+ "%s", _( "dimensions out of range ") );
+ return( NULL );
+ }
+ return g_malloc0( width * height * 4 );
 }
 
 static void
@@ -569,7 +576,7 @@ static void
 vips_foreign_load_nsgif_bitmap_destroy( void *bitmap )
 {
 g_assert( bitmap );
- free( bitmap );
+ g_free( bitmap );
 }
 
 static void
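Review bot: In the first hunk, the size in `return g_malloc0( width * height * 4 );` is still computed in `int`, so the new 65535 bounds do not keep it in range: 65535 * 65535 alone exceeds INT_MAX, which is signed overflow (undefined behaviour) and can yield a buffer smaller than the frame the decoder expects to fill. The removed `calloc( width * height, 4 )` at least had calloc's own check on the final multiply, and the new form loses it. I would widen before multiplying and let GLib check the product, e.g. `return g_try_malloc0_n( (gsize) width * height, 4 );`, which also returns NULL for an oversized request instead of aborting the process as `g_malloc0` does; this assumes the caller treats NULL as failure, which the new range check already relies on. Minor: the message literal `"dimensions out of range "` carries a trailing space.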