From 8c7576a5fe26b3e6a24b4191ff62958900ee0b27 Mon Sep 17 00:00:00 2001
From: Kleis Auke Wolthuizen
Date: Tue, 14 Jun 2022 11:23:11 +0200
Subject: [PATCH] cgifsave: reject images that exceed the pixel limit of libimagequant (#2865)
---
 libvips/foreign/cgifsave.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/libvips/foreign/cgifsave.c b/libvips/foreign/cgifsave.c
index 326da470..f0930219 100644
--- a/libvips/foreign/cgifsave.c
+++ b/libvips/foreign/cgifsave.c
@@ -693,9 +693,11 @@ vips_foreign_save_cgif_build( VipsObject *object )
 frame_rect.width = cgif->in->Xsize;
 frame_rect.height = page_height;
- /* GIF has a limit of 64k per axis -- double-check this.
+ /* Reject images that exceed the pixel limit of libimagequant,
+ * or that exceed the GIF limit of 64k per axis.
 */
- if( frame_rect.width > 65535 ||
+ if( (guint64) frame_rect.width * frame_rect.height > INT_MAX / 4 ||
+ frame_rect.width > 65535 ||
 frame_rect.height > 65535 ) {
 vips_error( class->nickname, "%s", _( "frame too large" ) );
 return( -1 );
@@ -720,7 +722,7 @@ vips_foreign_save_cgif_build( VipsObject *object )
 /* The frame index buffer.
 */
 cgif->index = g_malloc0( (size_t) frame_rect.width *
- frame_rect.height );
+ frame_rect.height );
 /* Set up libimagequant.
 */
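Review bot: The `INT_MAX / 4` bound added to the size check in the first hunk is a bare magic number: the comment says it mirrors libimagequant's pixel limit but not where the 4 comes from (presumably the bytes per RGBA pixel), so a reader cannot tell whether the guard still matches the library. I would extend the comment with something like `libimagequant needs width * height * 4 (RGBA bytes) to fit in an int`, once that is confirmed against the library source. The comment could also record that the `(guint64)` cast keeps the product from overflowing before the comparison, and that the same bound keeps the `g_malloc0( (size_t) frame_rect.width * frame_rect.height )` size in the second hunk from truncating where `size_t` is 32 bits. Both limits report the same "frame too large" message, so a caller cannot tell which one was hit. vips_foreign_save_cgif_build starts and ends outside the hunk.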