From 9c2accf831b4343bceed38b2cf55fe7cbfb97877 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20L=C3=B6bl?=
Date: Fri, 14 Oct 2022 16:35:07 +0200
Subject: [PATCH] webpsave: switch to g_try_malloc() and limit WebP output dimensions (#3094)

* webpsave: switch to g_try_malloc()
* webpsave: add dimensions limit check
* output the amount of memory requested on malloc error
---
 libvips/foreign/webpsave.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/libvips/foreign/webpsave.c b/libvips/foreign/webpsave.c
index 5a8e778b..f39c9a19 100644
--- a/libvips/foreign/webpsave.c
+++ b/libvips/foreign/webpsave.c
@@ -647,6 +647,13 @@ vips_foreign_save_webp_build( VipsObject *object )
 build( object ) )
 return( -1 );

+ page_height = vips_image_get_page_height( save->ready );
+ if( save->ready->Xsize > 16383 || page_height > 16383 ) {
+ vips_error( "webpsave", _( "image too large" ) );
+ vips_foreign_save_webp_unset( webp );
+ return( -1 );
+ }
+
 /* We need a copy of the input image in case we change the metadata
 * eg. in vips__exif_update().
 */
@@ -655,12 +662,15 @@ vips_foreign_save_webp_build( VipsObject *object )
 return( -1 );
 }

- page_height = vips_image_get_page_height( webp->image );
-
 /* RGB(A) frame as a contiguous buffer.
 */
- webp->frame_bytes = g_malloc( (size_t) webp->image->Bands *
- webp->image->Xsize * page_height );
+ size_t frame_size = (size_t) webp->image->Bands * webp->image->Xsize * page_height;
+ webp->frame_bytes = g_try_malloc( frame_size );
+ if( webp->frame_bytes == NULL ) {
+ vips_error( "webpsave", _( "failed to allocate %zu bytes" ), frame_size );
+ vips_foreign_save_webp_unset( webp );
+ return( -1 );
+ }

 /* Init generic WebP config
 */
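Review bot: The new size check in the first hunk writes the limit as the bare literal 16383 twice, so a reader cannot tell that it is the WebP format's hard maximum rather than a tunable threshold. libwebp exposes this value as `WEBP_MAX_DIMENSION` in `webp/encode.h`; if that header is already included in this file (not visible here), the test could read `if( save->ready->Xsize > WEBP_MAX_DIMENSION || page_height > WEBP_MAX_DIMENSION ) {`. The error text `image too large` would also be easier to act on if it named the limit. vips_foreign_save_webp_build starts and ends outside this hunk.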
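Review bot: Nothing at the `frame_size` computation in the second hunk records that the product stays within `size_t` only because Xsize and page_height were capped at 16383 earlier in the function. With a 32-bit `size_t` that holds only while Bands is small, which the hunk does not show, so I would add a comment above the declaration such as `/* Cannot wrap size_t: Xsize and page_height are capped at 16383 above. */` and confirm the band count is bounded before this point. As a style point, `size_t frame_size` is declared mid-block; `page_height` is assigned here without a declaration, which suggests the function declares its locals at the top, so the new variable should probably move there too. The function continues outside the hunk.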