From c17e69624378e5798dd6fb641ffd25c28c1e9908 Mon Sep 17 00:00:00 2001 From: John Cupitt Date: Sat, 21 Nov 2020 14:25:09 +0000 Subject: [PATCH 1/2] backport gifheight check ensure gifheight can't oevrflow see https://github.com/libvips/libvips/pull/1892 --- ChangeLog | 1 + libvips/foreign/gifload.c | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index e4af77e7..119d13f1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,7 @@ - better GraphicsMagick image write [bfriesen] - add missing read loops to spng, heif, giflib and ppm load [kleisauke] - block zero width or height images from imagemagick load [Koen1999] +- check for overflow in gifload height [lovell] 6/9/20 started 8.10.2 - update magicksave/load profile handling [kelilevi] diff --git a/libvips/foreign/gifload.c b/libvips/foreign/gifload.c index 0eec998c..73210a4c 100644 --- a/libvips/foreign/gifload.c +++ b/libvips/foreign/gifload.c @@ -700,8 +700,16 @@ vips_foreign_load_gif_scan_extension( VipsForeignLoadGif *gif ) static int vips_foreign_load_gif_set_header( VipsForeignLoadGif *gif, VipsImage *image ) { + const gint64 total_height = (gint64) gif->file->SHeight * gif->n; + + if( total_height <= 0 || + total_height > VIPS_MAX_COORD ) { + vips_error( "gifload", "%s", _( "image size out of bounds" ) ); + return( -1 ); + } + vips_image_init_fields( image, - gif->file->SWidth, gif->file->SHeight * gif->n, + gif->file->SWidth, total_height, (gif->has_colour ? 3 : 1) + (gif->has_transparency ? 1 : 0), VIPS_FORMAT_UCHAR, VIPS_CODING_NONE, gif->has_colour ? From a446f2d6d9410813a3119cb63877d0a86cea45fc Mon Sep 17 00:00:00 2001 From: John Cupitt Date: Fri, 20 Nov 2020 13:14:57 +0000 Subject: [PATCH 2/2] oops typo in magick7 load --- libvips/foreign/magick7load.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libvips/foreign/magick7load.c b/libvips/foreign/magick7load.c index ed394888..6362db48 100644 --- a/libvips/foreign/magick7load.c +++ b/libvips/foreign/magick7load.c @@ -454,7 +454,7 @@ vips_foreign_load_magick7_parse( VipsForeignLoadMagick7 *magick7, out->Bands <= 0 || out->Xsize >= VIPS_MAX_COORD || out->Ysize >= VIPS_MAX_COORD || - out->Bands >= VIPS_MAX_COORD ) || + out->Bands >= VIPS_MAX_COORD ) { vips_error( class->nickname, _( "bad image dimensions %d x %d pixels, %d bands" ), out->Xsize, out->Ysize, out->Bands );