From 82c9a820d7f9ddc3365fbef80dedabe309b11c9c Mon Sep 17 00:00:00 2001
From: Lovell Fuller <github@lovell.info>
Date: Fri, 20 Nov 2020 21:18:18 +0000
Subject: [PATCH 1/4] gifload: ensure total height of all pages is sanitised

---
 .../sharpen_fuzzer-5806172036399104            | Bin 0 -> 954923 bytes
 libvips/foreign/gifload.c                      |   8 +++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 fuzz/common_fuzzer_corpus/sharpen_fuzzer-5806172036399104

diff --git a/fuzz/common_fuzzer_corpus/sharpen_fuzzer-5806172036399104 b/fuzz/common_fuzzer_corpus/sharpen_fuzzer-5806172036399104
new file mode 100644
index 0000000000000000000000000000000000000000..d019aac1db610bb932ef3b86c0fcecf30c7c9a7a
GIT binary patch
literal 954923
zcmeI*v5wownucNOPL%4vlWerv2ovmL(=*u#IyIaczJR`gxu*qAJfVS!_ZlYmR*@>I
z)Gar=)GCrCKE}be*5hur$olJjzrTvqfB(;a{pWxD-|0`+b)ULl!vEbJ{&nT`bNc%q
z!#}(Juk!C6za#$C<L>Zu`l-Kv`}*bO5&9qgdEf2Bi*)$(b^2Fwfc(7YuU!M9=%TC@
z+I!}re|F{~)AdE+L^g)m6uA1cf-AUkQ69MR9<KZgSHytVIm>KnHZ_~}esvxQM;(K=
z+Aw+^UGE%b(@-+fs<e6mkW*SUo4%eN@@a#3okxh-G~iZ@6=ScjY?&%d6&Hv#RhTMF
z6_6>2=SH2shD^wOA2NUGu5AhuV&mB}hTb=Z;%LcdpZxW<W+HW?Zob&4(oY*Dm9K8p
zjk*~+=IX|Z(uH@K9Pd6kI;D3%rJAxEXv(S^b;Hwmn%fE&+_MokON2lFKDQ^2kG^3O
zcW?)Ha0ho5<PP4%N%-n|sqnjj@arN^USyue(|8(B<7qrC_9)^m-I{mE;SJv44c_1l
z-r&t?<KekaV^GX7D5_gd`v>4@JdLOEG@b^@b08US@CI-225*+&%^%DC+1|vzy?5Mx
z9QF<-cM?=TMe2qkQbdYK5tmTJ?ajX1d&kug?f}bcRP}41Zg?6`<7qsNr&&6(#pl}N
zDyvI~15BDGPg}jG9bP_}FkZ7^lYY5hD2d6EaEc~Rky&H)vxe|hJ~<lJhPAp;H<}i`
z0}TU#Y3{?>ND`jDUI_TDrwDKG25;~NZzgyXX4}5$arDH*ODOl}t>&W|9AL5;;uI}^
zikK9WVp2?sN%b_klmwIG-6uz<^zNsWMlG*V)vv*Z>*jknxv6`YzTTyaSpA|o!19&3
z;lfcj@#5P+H%^+*{e<+smY}*JY8nF?0~!PQq?x@gnN0g{v)b_12i@Wg-rx=1;7!Ju
zTlYud&1B;NZ}0|h@CI-2Cafk@CnnzD4c_1l-rx=1c&>+K$wPWP!>T&zJdLOEG@i!O
zcp6XRX*`XmMI)MAP^#WRbO6^Ne!%?TX16X4%Qy0kd?VigntUVQ$T#xMs8ssUZ*9;P
zKg5rZ$B*ixNWPJ8<Qw@$zL9U_8~H}Qk#DTu1RBD@95|3~#1HYKJbo0^&C3<gf^R+d
zFILs-^A0x9TGN<924pBFgSx3%H;CBk!$s9a&ARZ!*++eHrn*r#JdB4~Ane-?!$8Qp
z!&)Qbib;N2^4BG&2ygHPZ}0|h@Mew`NW8%tyulm1!5h4>0n!G@G0vC7_Ud~wcp6XR
zX*`Xm@id;s(|8(Bi$=78t+3VI+5wgyMe>b&Bj3n3fF|F_H}Z{qBj3n3frfA}2M(%7
zK>0?#k#FQ1`3BJD02<!l4c_1l-rUTaKhNo_dOT?V0DuEHfCD&yb2D)8CO>t@-Qled
zn7|vn!5h56n|#vDUa#u*mHzkoyzlnm#i7a7ZM?x7yulm1$rzLGPQaT4w!3WFz#F{5
z8@$0Ays=@R$;jA#==BaJ?~LPVJdLOEG@i!Ocp6W0<J#B;TUAGpr|~qN#?yEjPvdDk
zji>RnXhf3@K0Q#U==`~-tKIP+-^e%ejeG-W@{N2W-^e%ejeHYm2nTcEpn6J{Z{!>K
zM!u160BsJS;SJv44c_1l-r$XXntqyontqyo+OQR%db_Lo0puI`M!u16<Qw@$zL9U_
z8~H}Qk#FRiR-aH>Ju*7L2JVE=7tj~b7tj~b7tj~b7tj~b7tj~b7tj~b7tj|7PfLJ<
zb>g6UZ$@80UqD|#UqD|#UqD|#Uw{a%Qv`V$PvdDkji>Q6p2pL78c(x+WBtbZjrAMr
zH~G`xR`u~T)^EgivAsODs~dHrZq$u-mv+}2?Jm5*8@$0Ayulm1vAkk=Wu40_JdLOE
zG@i!Ocp6XRX*`XmMI+k46MU+xuLEpg6uFN;fD)j}1C+W^H|j>+FinkzIT{amgEx4y
zUEYMY&gXr%50h<p)t`p+HT-|WO&@*RBYVBj#`jhIGM;30<AA^$yuq98@+O<bkGsRu
zfE<qnJfD_@==!KY!yCN88@$m^%Y;2oc6f8wz>7C{gEx4CH+W<HX5}sAM-9Dw={3^U
zU+5a}G@i!Ocp6XRX*`Xmxxr^_gRQC~$kTWlPvdDkji>Q6p2pL7S~Q{!+(N61yMc==
z-^e%ejeG-W@{N2W-^e%ejeHYm2nTcEpnArXZ{!>KM!u160BsJS;SJv44c_1l-r$XX
zntqyontqyo+VFs#>g}%T2as>%8~H}Qk#FQ1`9{8xZ{!>KM!u16*8c?ag&uWMJ(D`X
z@;55z3+M~z3+M~z3+M~z3+M~z3+M~z3+M~z3+M}krzOC_I&o0Fb)qkzFQ6}=FQ6}=
zFQ6}=FF*v>DS|wWr|~qN#?yEjPvdDkji*_^d5ra&AM^e>f0lgy5Uo{xs)x3>v?J}5
zryX^pZq$vs(IwC&n4?R8H+X|Lc!M{1gEzX;y3*_HO7k?H#?yEjPvdDkji>Rnje1&j
z5xjPQFyoxpoYOk<Z{Z4j-go;e|EW9f4&Bp0>-<~O>tEx?`-cBz-}<xH&-uRzKQ{c-
zXoB7Ee}8@DL!Wm2&;08&JzPGsrS#u_d;RnKU*+_c)9_1QfBI&A`UW2I0CqXcDX;2M
z-CRyZS1MoKs2g=tp6}I-x=}akMqez?N!jad#gFQyi8pwIH+WOPo9|&#I_OyISf@eI
zl`t7_00(dYrvNy36DLi)!JCMV$<}-I%;*3cxCT6pr|~qNhBrO#hJny!uS-HNVonkh
zZ}0|h@CI)(#^B99oQ;(G)7QIfO~o6$!5h568@vfXsh-gA25;~NZ}0|h@W%Er%lTuR
zUsWfar|~qN#?yEjPvdDkji>RnXhf467^-&=9l$j>Keg!ArD6F-zL9U_8$gq9<Qw@$
zzL9U_n?OT2m;(pZL#%uw-^e%ejeG-Wa{vu*@Mhb*Ic4b4psOpM16T;L5K^vq@2Z=4
zVtpjU_^BKoZ9j)Zy=!Fli}3xwtTgl;planaWv0AsQ$9;e$(DC@qi)nqIrG(xx=}ak
z#!5gIn(}4t5($yeCVOspgEx4CH+X|Lb2Lry25&yjn?IKOv%LYly>~1(Oy&lsXz~=P
z8>ss@>b5tEw)c)rrjwJYQ#5&s)D7O?jaHskUJr|5AXqxuhqH00amzT~;0@m34c_35
zrK1{zZ7%dC&lqp3i;h6Sswr4=17v<*V5uy1{!v%GFb!+N`T>Wvx-qN`>++t0x=}ak
zM&0Pe^)umuYd@jg(KkJgyTe=0<ETDiS3iIR0y&UVjvRHPZq$vsp=wL38c*{%3WxL{
z(C2(K9v@xatEYqZ53pfR`yQ@dDvb2?Vj16(z9s#>&2bGN8!jAm6EFU?LD4=Bs=otu
zqcNZ{pfR8^&`-6eb(HM2h;~;Q#~ZxC8@$1rj4?VJ)jAt^gEx4CH+X|LVKt#Y2{k{o
z3vciSZ}0|h@CI)@pTM%@*gjrWC!MG9G@i!Ocp6XRX*`Xm@w8|}lMlSE-a&K#*Wmo|
z*S9VW%Qy0kd?VigntUVQ$T#whd?Vik8p6RGIH(?C<s11%zL9U_8$g=_Xn2D+c!M{1
zgEx4ipQfKyyPtL%V`ImrdP~6pEWBHIFIPNuqi)pAy6fhAeO7fBhN)w6>d<)7c+z+(
zpIz0Bx=}akM#Hw3tYIMJyI+Xl*ulzAOa8j#6yXit;0@m34c=HFv_NQqaMY_3jjG-e
z<Y_#Or|~qN#?yEjPvdDkEgI3}LTq(2bpY4kyiY?PdfWhd^ufr%RQfq8bGB8b>h|X@
zeF1#|eF1#|BA7AeRtaez2i4yJ-rx=1;0@m3jXtzKv_7;xv_5p8Asozs1Nlb$5I@S}
zhq_TW>PFp&?d$clKhG9feY$S{02<MVhG^wPQ#a~H-KZNTxLy-{BoV|Lyulm1!5h4p
zV}%HB@CI-225;~NZ){MrLG6(4NL<yecRY=!@id;s(|8(B<7qsNr$r<3FqMx#Or<Bv
z=Y6*iFVd(=U&CDM0H>2s^AyQ9@{N2W-vAok$T#whd@~xTKJ-(V5uzX(6zd!m0@P#-
zmv7`7`9{8xZ{!>KM!uo4>r`2u#?yEjPvdDkji>Q6p2pMq-g9^K`820Ce7+@SRf`k)
z(E8Biy<Fbajk-}c>So~kD115R^VcQJ*H6<=GqsdYE$T+ys2g>o53LWa53LWa4?V_`
zlK4@*v%%AN8c*YCJdLOEG@i!Oc$)nJfrfA}2M**L@k9J5k00tr-KZONBewH2o+h@7
z?dy!~JdLOEG@i!Ocp6XRX*`XmSzfWcGCY&LdOB$T0QRQ|Py$qWfKoT=M%}0zjR%c~
zIT{amgEw#Tru``59ZWuD#3^!$eB4~%Z9EAzKW@$e6k5xLcKx$(NF<4TQzFBx+DH2I
z^)%BCF+aa$V^#N9SD&oajk-}cnthsm{ZzYk9N-Ncz(F|<)Q!4PH|mB)(Wp7rOz{S9
z+Tl&Ci16p%hf@!30}Xh6H3iyEfv%@8)s4DQH|0S}-KZONqi!@HG$3Nus=bR0Z}0|h
z@CI-225;;w^mLN3hqkH>q&$tM@id;s(|8(B<7qsNr$r;$z!r?^Jx~W&eiX?!^3BKd
z%^%DC+1>!&-a7`0<w4Q@HBdKD_i@y1Zxn6s9k)N%c?ZiAQ{CVV-dH-)E9_}B4211I
zDXKb>@dj`325;~NZ){btRUvFuIE)VrP!e;LM0Lk&{{SqNr9Pmg8rFvO0}kuzyiqsm
zM%`#yXj({Ub0jpp*%)uapo-VLJMIoor`L~p4~LPxv5~!vVJ(3e)&fF#Ku|a8M%}2J
zEvRqxxy}KW4^SJ<H{ZkfJJ`_hn7O_B+_K@qQ8)48tD7`=b|uf2Q#TTn1XZ4()Q!4P
zH|j>`p;!B1Ah_>sUrWaE25;~NZ}0|hY$4Mo*6zBg-PKPXpZ6V4i#io1lK2r|<UO2(
znuDVHsB8ZK@{N2W-^e%e4J6Aq@{N2miurRsBODjL!-uEwG@i!Ocv?OyXRlW^Tlc?L
z)13{x!5h568@$OFleg{hW(-RCX~|!goFcrz8@$0AyullNXnkmX=uxjqG^%>zfv52_
zp2pL78c*YCJdLOEv}i=jKf<TF`Z~Y{F0y<h-)uYIyu2^Pw6}q2ul<W`;x=(_d*VLd
zQdrV4RyQ^4=C*6n{%qX-J5U!j>%tRfAN9$Z>PFr0Fbjk_!o33x1L4+PvF&SA^>=_b
zc!M{1gEx3%Ly8S4Hl!TV3SLPYn5WSw8da`Q>PFqD8+9Xoh#zyr54^z}yulm1!5h5M
z?$YjBXS<81@id;s(|8(B<7qsNr}4CCMD8U#-x6b2<UYVL)kXRmXyFvCP#mi#ItMU0
ze!TMSht_z|cqr$Gx=}akM%_qgH^+}Z!?`<sGnbuoS-=4tzyTb<xfwWklb^cd+aFPj
zH+X|Lc!M|jq?x^b&R%yDlWG4?oBn{;>hAz=@CI-225)k%WUuk&ke*bK+J=!C`RkHX
zgg1DDH+X|L8DnmpOsl7Z_78wJc!M{1gEx3H#~nU+gEx4CH+X|Lc;k*zca)Cp<B~RU
z^~M8F<7qsNr|~qN#?yEjPvdFPh$e3cs&1wZ;2L<qK)IQ!8+D^@)J?GY!12*$^1U_r
z>s585+Mm1h(~LU(wDQ?k-KZONqi!@FdIuT?0#DnAvyl`weGOtO-;~c3?Yp&iuzY8O
zr|~qNRzCZx8+D^@)Qx;|2YDxglOl*Wc!M{1gEx3%U#ESY_H~Z!<5lf=;AuRKr|~qN
z#?yEjPvdDkEgI2egHI3CDf;*}nChcQzL9U_8~Fy%<Qw@$zL9U_8~G;C5Dw<RfqWx=
zh#%$gL*1wwb)#;?cAm!5#CEZLow1##@id;s(|8(B<7qsNr|~q)E0$M=onh6}LHh@=
zKTUuVpvnW3x=}akM%`#UXgti(c)%OH!5h568@$0Ajc$$ZbvC+r8c*YCJdLOEG@i!O
zcp6WOM&w~F4Lq!+{pI}X??AqhZ{!>K2GHai`9{8xZ{(Yr`6is*&-<?0$DrQPm*tzl
zgLo1exn93?*XAzyM!u16<Qw@$zL9U_n`@5HzU8$44tN?*<7qsNr|~qN#?yFO=)9HV
zpt=b1G@i!O$_rE7s2g>oZsZ&JM!u16<Qw@W8j<@5?6V0xu+Jvc!Z;)NFtG^8_6LP`
zFgd;J3+M~z3+M|FL4AQan2$GjgEx4CH+X|L`q28&W7p|9pAn9`!&9h_s7s5SBA&+6
zcp6XRY5A<2y<XL9-Tz+hlTJHUt>0L`>D8%QTBE8LCQsvOJdLOEw9L(N{`0i4!H}Pp
z{B_AG!W+E78@$0Ays>^`{brHHiR!7k{R8kcp2pL78c*YCJdLOEw6P6V((bA*f;^3<
z@id;s(|8(B<7qsNr$r;0ym7m_nL2=L@bPD($T#whd?VigntUVQ$T#whd?Vik8p6RG
zIH(?C<s11%zL9U_8$g=_Xn2D+c!M{1gEx4ipSH$++K+kve0-6zdY7R30casDq=mGQ
z7ScjmNDJ4fg*>gCPu0cI0qpW@pfKed`9{7e=ZCscH|j>+=nLoz=nLoz=nEW9gP`*m
zkVQXWNaI1{p@GK3wP6}Sdj8GRH1b=RSWch7@^XfWpF+`vVvAuc|JL;S*ZB9>|I^EF
zNk{AdKK$6Rg#Z5fO7lPM`k(n%`gJZo45Rele|!D&ubrB4c1`c?-EZI_4-nt|PcPX+
zzGH*Jw0@o(^I4#z4%Cgd)hnKvS|+C!b)#<7jdpJk|2!Np&6I&kBm{3JM-krO4c_2Q
z0dKyCX*G3;($}k9F>{N#<<;C`P#6@i1_e<gY6eBQg{T{Kqi)nq(C^??htwm<7j5#_
zCA|}#cK1_iww|1=+doC>M%_SiIg-_lx=}akrl1iWWFaYU`l=7zpNaN0s`@*?8@$0A
zyuq7(svQQxt<9q9vvvCiz#F{58@$0Aya_3_I?(V2Z}0|h@CI-2=Cm`SZ;nPX=0P`q
z{hSY$V|I7G8*tL*5~t{{qll;RG@i!Ocv_C$>^0utO+>_nvl$e39Ta`Jot}M_esKDF
zao)Sl7A8;QX<t$XN@bvKCU<nJ8+D^@<Qw@WQ>VlaljGedN2m1er<CPPT2A|?NZqI#
zp2pL78c!?RFQ6$B$>AyS_kI3Eb)$04t_n|l^t+XS@l!dj?E5irt`3}dTJ$ycVcrTA
z)O%$5dU0B|dy3SJx{)v?ObJuMEK8W@k0W}{Pu=nD{n>bfH+X|Lc#}_>+3S+YwEs4J
z0eyiy<{K0nSQxH;k$D<V<7qsNr)6$7TbuZg<^F7M;@{pou5J$wumJ~EHx!W~QbdZl
zgd%Ql_TAn)rcoQvsOlG4-S9M?#?yEjPqW3xHsIf{Y@e?#Ar3I9vOI0|o_2V7TV1?n
zv#kmlAgdoB^Lw^IVNlFJ>Z;@1ur{n8a9FDw!`iSe@5QMbb)#<7jUIMC6AlAmk;X%4
zcl1q<<J<RnR-dq|A3y?u9LOn0j=E7d>PFpAwWU>!r&;Pgq!mlg6&O!No}2R5+d4%X
z_O$O|W=^9aeZ5%5-|ncW9;@3wz=jJ)-NcK}D#l5(1exkaW8h2D(L~txaZvpos2g>o
zZZy<1)cUFRwEmdAE|HMxvvvCiz#F{58@$1rj4>&%m>lmuIXb0xKc($Uh<D(AQ4&%v
zA?ilms2g=NY|}oxY_~_(x>aR)8c#E|lus?{M%}0zb)%oApBCh+dP2h+yulm1!5h56
zn^OnmuAPwT2zP+VE^hm$h^O&1p2pL78c*YCJk4!oqol8DM>kL7X*`Xm@id;s(|8(B
z<7v@|HqfGMzsc$yOb%1|M!wm0zInMz+N3c#X*fm8pCS{tiF?}<_wJ@7qHb!|&285N
zPw>QCR^DV+H|j>+sGG1b5wvF1q5K}-{I!Mkr{PR_h%ZlT^&#-`OM7!2PvdDkji>Rn
zekL3S!fMUbY`y$!-TpP;X*><{%bBlk)Q!4PH+EQZWgG5oxVPbcT-ULFWBn$|VVD-J
z-&ntSF%S%jeJG1GS*EWSwc-@Ddy4c0^ab<<^ab<<GWi3vYCyvqyulm1!5h5Mht`MI
zhaOuh&-sjS+#MF}%JMXx#?yEjPs?ZJ?DeW<>;Cupyzi>T_UZ?~8@xI3=Fjs=Z1rK+
z{s9z@!Xauzji~i=`7jW=>@`svI}G`0$zPY8BD}#Hyulm1$ry9%WZHiGsQwP{25;~N
zZ}0|hY#6X%z=nY_&X>e?o<^f+RJlf}8+D^@)Q$Kde#{X+@CI-225;~NZ}3LDOS@~G
z?Jl0i(|8(B<7qsNr|~qN#?zt^`HYA2Gc@gr+y^+Ox=3FGEu5kiievRe=Kv<hk5|6^
z&>9aK59Rz&H|j>+s2d4Q{FtL*hc|eGH+X|Lc!M_<h%69|4RH6ZE&6C*eQ14XeduyC
zRX6HJ-Kd*j^P#yj+KlD=DEHMTNBuOTPCu=D_Ek6PM%}0zeQ14Xo~9424?QL~eQ15?
zD2J!?TJ8wdL$3o&wjAXf`9{7epS#qJx=}akMqfZ*Kwm&#Kwm&#U<kv<g+F>;=$#C`
zPSNBkl5gZ2`9{8xZ{!>KM!u16<Qw_sa;-Dpy1c5zaQQ~QA@Ak#u5Q$gx=}YF@Pz)?
zD115R^VcQJ*H63qDK%S9&erXpB6Xu~Ah{gL>PFqD8+Bv-rgxxWAlxeN?Q2x^cYrr|
zgEx4CH+W;efc*mY3ykgKk~T3<qfs=fT%**Dx=}akM*I*z=7=A7gEx4CH+X|Lc%$8=
z-L=kk7f<79JdLOEG@i!OR^(|x7e4R1eHfKV9MactnLhq8L3iZ-s(zVYI;J@el#+#2
z`_qWvm(%<=&M<eJB_6df)s4DQH{}6J-KZONqi!@F)|KXX+K^|d?*?w3cabMAGEd`a
zJdLOEG@drc0ukQe4c_1l-rx=1tY||*w#<L@2|i(HMpMbRVw9}5x8Hc+X*`Xm@id;s
z(|8(Bv+eSbcF(O!1bG@y<7qsNr|~qN#?yEjPa9g7y0}T$x7)?lhn5bcgYtBsZq$vs
zQ8!YxR6R$k#v8oB8@$0Ayuq7(=iTw`O^DV#5fd@XiK%YXjk-}cOp|HOVVZb@H+X|L
zc!M{1V}F|cX@|5e$$bP*VMd68Xi%(kQ1r-Z<T3RNjUxF*zL9U_8~H}Qk#FQ1D!WdV
z<!L;Pr|~qN#?yEjPvdDkt?xZ|$G10{>VZyvhJ;hJ{3()e<Qw@$zL9U_8~H}Qk#FQ1
z`6kd14(7l?^#~~6$Ty|==EuB$vQJRSCY@F7@>Hg(sI-a<>yt#(+z1PA3R7Wf-)Y}v
z>Xc`<ZD|xwg9A7y$AP+0H|j>+&?p+E?QIp*D(K-f2)b<rDE%}dNCeA8P~E5-byHq9
z)f*4j4sfx#CGq{YK>X86)l2lpTOGRa%$-=|d2cnn{x$yn_5bwpThh_`zYjlle3H-K
zUtbNMPrLqS{*`{6i#sk#|NXbuKmXdP2`Ay_?{j;T-1gqFL9zTjDeYeabwh_<@vQw}
zUHu)X8+D^@%43AOQ8(&F-Gsn=%tE!$o8tUW`wmXgEvIP1y!jp^ICY8A*Q;Hz4WA>Y
zC|>+)i^v8AQ6p+Zji~j#q}OXLMD4Cpfj4-AH+X|LcoR};e-hk}oLU~k`5+-dIcg4y
z>Z7jx1MoDS#?yEjPvdDk?c`^7?S!=N2;RZ+tJ^${r|~qN#?yEjPvdFV_IU6#p2iW%
z9YNiw8+D^@f>(u@-B$BQU!c8fhBtVFH+X|LdO36Sa_|Ok@CI-225;~tCg#V#SzTX1
zUjXyVnXhitjk-}cTW|z@f#pRIZ}0|h@CI-6X3BaqFYhHr^W|yo8cbdT!b5ln58+vt
z@azr=r=9~go{A=(Qi3OVf+u*gE}nQ&^YzCNw;z!325;~NZ}3LLwya@$TgJp2yulm1
z!5h568xMZ*;FqyKy{c9{PvdDkji>Q6p2pL78c*YC(TFBD#I?U9<{fO{BFi`OjeH~D
z0GfOw-^e%ejeH~D1RBD@95|?+G36WiM!u16<QqVn188`IH+X|Lc!M{1qo1aqrk|#t
zrk^(4C04!NRs8_+jeH~D$T#whd?Vk;H}Z{qBj3n3^3Be}!5;PDVAWG~`v=e$&==4b
z&==4b&==4b&==4b&==4b&==4b&=&|#OMruQ;-Grt;c@x`|2RqA1|AAgeN;HW<S2Ta
z!cjMa2x|;z3}_56!F8G--dMn~fMWs20uE2(X*`Xm@iYrK7H}-!SirG>lRpk_Ri95&
zy_2plpf8{=pf8{=pf8{=pf8{=pf8{=pf8{=pf8{=pf6x|*FZz*V2*T9z1>y)0QzbA
zY5HmUY5Hl1IR`QEX5h_nm~wJq&tGqAQLnn?w0{6~!_#;gPvdDkji*`nwC-u$bLjLQ
zcZa7iBSb+oDAqYB+K(UA-+_E1-^e%ejeH~D$T#v0m0hRG@-&{t(|8(B<7qsNr|~qN
zrVkxx2nTcEKp$HC5I@S}hq_TW>PFp&?L3XAiS1(hI%7Le<7qsNr|~qN#?yEjPvdEp
zS1hkQ%Hz%C8~H}Qk#FQ1`9{8xZ{!>KM!u16<eNalcyCR2eEW8O_umLm0#tc`Qa9>G
z-Kd*s!d7olI>4mmw10~525;~NZ}6s{%TM7pd+iC=W9RQ4_YUF>-rx=1;7!Jud}75L
zyorbiefD9oVIXEWDWCV<KKxxeJ?ZPkKfL^=^ADJ6*Z0S|&jGT7Uc7_s?~iY<9o+Gk
z@vPw+uK`cvX<ttJKE@eFVNP}g)s4DQHxHX{UW*y6NjpL^(^!FqE@Xb@|C;mvx!9ib
z(RP$4t`y;_PLaB(Sr@Bs3M@1mw;x#4jk=L19yU*0!S;6Dx&7I?{da&jc!M{1V|~7#
z%ZGsg$@_3N4mEBA#v8oB8@$0Aya{2rdVs<kyulm1!5h56n;MC(I>P5YK$X-x?^~#G
zm3b78;!!+`NAV~gRfDkYJA!vGdAmsUQ^eDF8c*YCJdLOEG@j-`=Bc6AJ?AsRap7Bt
zcp6XRX*`Xm<+F13dR4P^|9jo%aXAa!8HYD`gEx4CHyLAw?T6)qqJ11xe+PJjH+WM%
zwWu3)qi)m<PvdFUZ{ELtbMU<6VbaVqP5xRxEew(Sog$vb(|8(B<7qsNr@i0P&QElm
z@gpi0T63%3WOaba4c9!4r|~qN#?yEjPvdF!Lyv8+Rdob;8c*YCJdLOEG@i!Ocp6WO
zMl{*r(*t#ivPFfAp7PDpX~Tobbe)r_xodLn(ihMd&==4bAcC3M*w?uaXCpB^eGRhn
zaS_BDyulm1!J9iwru~m-`mq_+-vQp>4c_1l-r$XOPwSpq^<$j3eq;S+SOU(_u&O~(
zJsq@v0Qp9~k#FQ1`6h!{zEA;ZqwwXYC4XIVitq++@CI-225<D!^wadyM!hQ0sOpUe
zp2pL78c*YCJdLOEG@i!OhQ+?)!k^4oU40#3@~*G;Pmz2h-^e%ejeOJ3<-<U@by2T<
z98`Y?c!M{1gEx4CH~MM%Y5HmUY5Hk_hHx+k4&)p0L;NU@AL>Tks2g=7w(~TeCbo<1
z>x}I@ji>Q6p2pL78c*YCoAk6F^Zxnx!<?&ITlE9j*26n_XSsK(8+D^@)Q!9*ug#Iy
z@CI-225;~NZ}3KcaFhMP1{!ueji>Q6p2pL78c*YCJne8A1l_704_bX;_1Xc#gm6~a
zbUJ<uC+PGMmM_m#cibJi@EJW(D)VnmuYZkyfBiqb{FZdI{_n$&9Y6W!@2{_P<<qYJ
znSZ5UC;l2Y|NC#Re|~=wd}`--O0S$EF+z-ZRhQ~!^0{v6M%}0z@jD1iE-hCGYch3;
z&N7~ix|AQK|K6xG>OMZ|+8;&ghNtl~o>t&#-@~kT&`{P;PJ^JRp$s^H12}+F035uD
zlP2EaO+<&>F1Mc+p=&PP@-&{t(|8)*^iAGjAl$k-(SDz}`a8fIyulm1!5h4>U*GbI
zcGpeqE}llCXjHjIsT*~pZq$wVA%4seKkx=`@CI-225<02yGy%ko$W53#?yEjPvdDk
zji>Q6p2pLn5!r=r7k=PDJP9>-;kSPP`#J?E0jfMesT*~pZqyCa)OeVq@qjmYgEx4C
zH+WOVn^RNx)D6)T(HzWglg?j1=cRSbKFeT<#{v@`!b5ln&$@)?ysEOQ$+DlgEp+&#
zm`Kfpbc4bw@Oi#UqoUNSO8>o4XViUs)U`i~)Q$WizsN7^$}c_{;8CB{j5m0LH+X|L
zeRdcI!mXjV{rFM+9pDY#;0@m34c?S(NI7>0OV-fv25;~NZ}0|h@W!3~?({#ToxLR*
zr7u9EXjHjIsT*~pZq$wVA%1)`euVFj-K?}Y1uf75Ezklj(DG5V^jtZ*b#rFIR!6u4
zY~Zd6OPoZI2$qYWx=}akM%@Td0@NG<3UBZRZ}0|h@CI*eMY9#{U@O`xI`7)V8)y?(
zzsT~9d?Vk;H}Z{qBj3n3@{N2Gjfh*HZ(UEDce!$VuI!q%cg?DYUI&<*-qnq|(HGDc
zAcFb=`U3g_`U3g_`T~K5a4-iBswXu0M!u16<Qw@0(B=Rd-rx=1;0@m34c_Rd>8I(Z
z>8I(Z4ZDo0x4WtzK)#W0<Qw@$zL9U_8~H}Qk#FQ1`9{9k9nwsYz6L(Jx#V;bKJUAI
zI2-BIq_0j<e<rHO_UZ?Cl)gZ?9E}WBQ_CYvEss(+*=Rg2{HXfsbDaZB-d0xq6sa41
z=r5=C%P5i6M_u~|Xryl9ubHQ(=l;wOZTId7FyZ8E`xG@Yj;~y&7KZiN<`iCAtqOI)
zi+GXsdF%7JF=np;?XEz>8@$0Ayuq7{F)c*AMwepo25;~NZ}0|hLUXl02{kut;0@m3
z4c_1l-r$Y<UEJ?7wvSiUN#|)iji>Q6p2pL78c*YCJS`g0@^>m!Z&5nH1}?IEBj3n3
z@(rNLH}Z{qBj3n3@=c&29L#}(>KRkMk#FQ1`9{70v^ju=H+X|Lc!M{1gE#tV`f2)U
z`f2)U!;`P7x4WtzK)#W0<Qw@$zL9U_8~H}Qk#FQ1`9{9+Aw=P>2sl_L4)g`YcCo!Y
zwyPU;qi)oVc9(Y79PKW=c{gwVacaJ8;3nPbqrw3uN0EikcUPvujHfE#;{0(}`Ri3Z
z->iD&s~dGAL6s*cb)#<7jk?i!piy&l9`FWl@CI-225<1j#!fqV4ylj1s)ij;<7qsN
zr|~qN#?yEjPvdFPh$c5MRA1?J0N3E-J09d4`9{8xZvaick#FQ1`9{8xZvqYBU=AEq
z53%yikZ+EI;u_Ww@zqCN`v*`r`U3g_`U3g_L~ssb;tk&54c_1l-r$Wsv_7;xv_7;x
zv<KaK(5(mE=571uTo8}D!&A_un4TY#nEC?x0{Q~_0{Q~^w4c4+77qG1{(0Z+!;2J<
z($~|v?ocbY5)*Im25;~NZ!*T*I+<3Vt=m5U-rx=1;0@m3jdf4!o{!nZ<!LO3<&;~F
zx=}akM%_pU(!m_*0B`UHZ}0|h@CI+<+DvzRdxxF%8^lD+a$>3*b)#<7%`{=#&!pbL
zq()UgMR<cZc!M{1(@(X-K(MdVeFPB;ce!(-I>H@bd5x-m4R{()<7qsNr}4BoR-o_(
zZ}0|h@CI-2#{D<$zd4)+LHC@`2*<a#!Sw&sb2-wf%Nwit>*p?<-I}NAj@RMipDlUE
zU*=ICZ&v*j$v5(id?Vk;H~my=-LtZQ;0@m34c_1l-sq?4r|G8!;VQ?0z5tD)QR;?9
z(Wp5z3UBZRZ}0|h@CI+hcCme(v7M*!G@i!Ocp6XRX*`Xm@w8|}8@MyPy81f621b$n
zX#$i0RUV+!jk-}c>V|1*Jj~H}z#F{58@$0AyulldZjJ7BHoAElPvdDkji>Q6p2pL7
z8c&Nxw1K5$`vo>|k>wltM!u1608PG;Z{!>KM!u160uA9{4jfd^nDUK$Bj3n3@(rNP
z0W`e98@$0Ayulm1(NEJ)(@)b+(@z^dZLWH|tNH=t8~H}Qk#FQ1`9{8xZ{!>KM!u16
z<eS|g%>?Od;G+*2Kb?d|J`~>PuxCT|IeXn5cZa8NEo1(_#(aGNeF1#|eF1%eeA3Kb
zmrSPpxBZ-$Kj!_zVam&T;tD#Yv~Uym5Ys|hNDIsPp>EWTx=}acR2HG~cIqAD6d5nC
zGx=r%&xUc4CoeKj<7qstoFD2&-KZONBj3n3VJV=xY2ppu;7vJisu$+91DxiA%is35
z!@s)IlK5%Yb(eZTac@!=HYdd*&wE7a^{?^oum7i)-;#c0|M%g?j$5Ao{`zY8eA@Lt
w^RM*lTx^kg&%fVy`~K};zR_2Q{&wZi!`nF@IzNr4-{*gy)BDfgWIPxD4_rnBUH||9

literal 0
HcmV?d00001

diff --git a/libvips/foreign/gifload.c b/libvips/foreign/gifload.c
index 0eec998c..d7cc4975 100644
--- a/libvips/foreign/gifload.c
+++ b/libvips/foreign/gifload.c
@@ -700,8 +700,14 @@ vips_foreign_load_gif_scan_extension( VipsForeignLoadGif *gif )
 static int
 vips_foreign_load_gif_set_header( VipsForeignLoadGif *gif, VipsImage *image )
 {
+	const gint64 total_height = (gint64) gif->file->SHeight * gif->n;
+	if ( total_height <= 0 || total_height > VIPS_MAX_COORD ) {
+		vips_error( "gifload", "%s",
+			_( "image size out of bounds" ) );
+		return( -1 );
+	}
 	vips_image_init_fields( image,
-		gif->file->SWidth, gif->file->SHeight * gif->n,
+		gif->file->SWidth, (int) total_height,
 		(gif->has_colour ? 3 : 1) + (gif->has_transparency ? 1 : 0),
 		VIPS_FORMAT_UCHAR, VIPS_CODING_NONE,
 		gif->has_colour ?

From 414b849aefeb338ceef2dc88dfb8a8f460a22f3b Mon Sep 17 00:00:00 2001
From: John Cupitt <jcupitt@gmail.com>
Date: Sat, 21 Nov 2020 14:23:58 +0000
Subject: [PATCH 2/4] reformat

---
 libvips/foreign/gifload.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libvips/foreign/gifload.c b/libvips/foreign/gifload.c
index d7cc4975..73210a4c 100644
--- a/libvips/foreign/gifload.c
+++ b/libvips/foreign/gifload.c
@@ -701,13 +701,15 @@ static int
 vips_foreign_load_gif_set_header( VipsForeignLoadGif *gif, VipsImage *image )
 {
 	const gint64 total_height = (gint64) gif->file->SHeight * gif->n;
-	if ( total_height <= 0 || total_height > VIPS_MAX_COORD ) {
-		vips_error( "gifload", "%s",
-			_( "image size out of bounds" ) );
+
+	if( total_height <= 0 || 
+		total_height > VIPS_MAX_COORD ) {
+		vips_error( "gifload", "%s", _( "image size out of bounds" ) );
 		return( -1 );
 	}
+
 	vips_image_init_fields( image,
-		gif->file->SWidth, (int) total_height,
+		gif->file->SWidth, total_height,
 		(gif->has_colour ? 3 : 1) + (gif->has_transparency ? 1 : 0),
 		VIPS_FORMAT_UCHAR, VIPS_CODING_NONE,
 		gif->has_colour ?

From c17e69624378e5798dd6fb641ffd25c28c1e9908 Mon Sep 17 00:00:00 2001
From: John Cupitt <jcupitt@gmail.com>
Date: Sat, 21 Nov 2020 14:25:09 +0000
Subject: [PATCH 3/4] backport gifheight check

ensure gifheight can't oevrflow

see https://github.com/libvips/libvips/pull/1892
---
 ChangeLog                 |  1 +
 libvips/foreign/gifload.c | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index e4af77e7..119d13f1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -10,6 +10,7 @@
 - better GraphicsMagick image write [bfriesen]
 - add missing read loops to spng, heif, giflib and ppm load [kleisauke]
 - block zero width or height images from imagemagick load [Koen1999]
+- check for overflow in gifload height [lovell]
 
 6/9/20 started 8.10.2
 - update magicksave/load profile handling [kelilevi]
diff --git a/libvips/foreign/gifload.c b/libvips/foreign/gifload.c
index 0eec998c..73210a4c 100644
--- a/libvips/foreign/gifload.c
+++ b/libvips/foreign/gifload.c
@@ -700,8 +700,16 @@ vips_foreign_load_gif_scan_extension( VipsForeignLoadGif *gif )
 static int
 vips_foreign_load_gif_set_header( VipsForeignLoadGif *gif, VipsImage *image )
 {
+	const gint64 total_height = (gint64) gif->file->SHeight * gif->n;
+
+	if( total_height <= 0 || 
+		total_height > VIPS_MAX_COORD ) {
+		vips_error( "gifload", "%s", _( "image size out of bounds" ) );
+		return( -1 );
+	}
+
 	vips_image_init_fields( image,
-		gif->file->SWidth, gif->file->SHeight * gif->n,
+		gif->file->SWidth, total_height,
 		(gif->has_colour ? 3 : 1) + (gif->has_transparency ? 1 : 0),
 		VIPS_FORMAT_UCHAR, VIPS_CODING_NONE,
 		gif->has_colour ?

From a446f2d6d9410813a3119cb63877d0a86cea45fc Mon Sep 17 00:00:00 2001
From: John Cupitt <jcupitt@gmail.com>
Date: Fri, 20 Nov 2020 13:14:57 +0000
Subject: [PATCH 4/4] oops typo in magick7 load

---
 libvips/foreign/magick7load.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libvips/foreign/magick7load.c b/libvips/foreign/magick7load.c
index ed394888..6362db48 100644
--- a/libvips/foreign/magick7load.c
+++ b/libvips/foreign/magick7load.c
@@ -454,7 +454,7 @@ vips_foreign_load_magick7_parse( VipsForeignLoadMagick7 *magick7,
 		out->Bands <= 0 ||
 		out->Xsize >= VIPS_MAX_COORD ||
 		out->Ysize >= VIPS_MAX_COORD ||
-		out->Bands >= VIPS_MAX_COORD ) ||
+		out->Bands >= VIPS_MAX_COORD ) {
 		vips_error( class->nickname, 
 			_( "bad image dimensions %d x %d pixels, %d bands" ),
 			out->Xsize, out->Ysize, out->Bands );