authorSebastian Rasmussen <sebras@gmail.com>2016-09-27 13:12:54 +0800
committerSebastian Rasmussen <sebras@gmail.com>2016-09-27 20:04:04 +0800
commitcf2272c69587196d2274e2f760265f05569e1d4f (patch)
treeed0f6f4d14c8a11eaa789b621d46dd163573ab0a /source/fitz/load-gif.c
parent1bebb9feb7ffd62d8945790b2426d6cf09027d60 (diff)
Bug 697163: gif: Fix integer overflow in image dimensions.
Diffstat (limited to 'source/fitz/load-gif.c')
-rw-r--r--source/fitz/load-gif.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/source/fitz/load-gif.c b/source/fitz/load-gif.c
index 6f7a468d..4e71973b 100644
--- a/source/fitz/load-gif.c
+++ b/source/fitz/load-gif.c
@@ -142,6 +142,13 @@ gif_read_lsd(fz_context *ctx, struct info *info, unsigned char *p, unsigned char
info->width = p[1] << 8 | p[0];
info->height = p[3] << 8 | p[2];
+ if (info->width <= 0)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image width must be > 0");
+ if (info->height <= 0)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image height must be > 0");
+ if (info->height > UINT_MAX / info->width / 3 /* components */)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions might overflow");
+
info->has_gct = (p[4] >> 7) & 0x1;
if (info->has_gct)
{
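Review bot: The guard on the `info->height > UINT_MAX / info->width / 3` line bounds the product by `UINT_MAX`, which is only sufficient if every later computation of width*height*3 is done in `unsigned int` or wider. If any consumer outside this hunk keeps the product or a row stride in a signed `int`, values between `INT_MAX` and `UINT_MAX` can still wrap, and `if (info->height > INT_MAX / info->width / 3)` would be the safer bound. The check also still admits a sample buffer approaching 4 GiB from a handful of header bytes, so a documented upper limit on the dimensions may be worth adding against memory exhaustion. Both fields are assembled from two bytes and cannot be negative, so `== 0` would state the intent of the two `<= 0` tests more directly. The body of gif_read_lsd starts and ends outside the hunk, so the length check on `p` before these reads is not visible here.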