diff options
author | Sebastian Rasmussen <sebras@gmail.com> | 2016-09-27 13:12:54 +0800 |
---|---|---|
committer | Sebastian Rasmussen <sebras@gmail.com> | 2016-09-27 20:04:04 +0800 |
commit | cf2272c69587196d2274e2f760265f05569e1d4f (patch) | |
tree | ed0f6f4d14c8a11eaa789b621d46dd163573ab0a /source/fitz/load-gif.c | |
parent | 1bebb9feb7ffd62d8945790b2426d6cf09027d60 (diff) | |
download | mupdf-cf2272c69587196d2274e2f760265f05569e1d4f.tar.xz |
Bug 697163: gif: Fix integer overflow in image dimensions.
Diffstat (limited to 'source/fitz/load-gif.c')
-rw-r--r-- | source/fitz/load-gif.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/source/fitz/load-gif.c b/source/fitz/load-gif.c index 6f7a468d..4e71973b 100644 --- a/source/fitz/load-gif.c +++ b/source/fitz/load-gif.c @@ -142,6 +142,13 @@ gif_read_lsd(fz_context *ctx, struct info *info, unsigned char *p, unsigned char info->width = p[1] << 8 | p[0]; info->height = p[3] << 8 | p[2]; + if (info->width <= 0) + fz_throw(ctx, FZ_ERROR_GENERIC, "image width must be > 0"); + if (info->height <= 0) + fz_throw(ctx, FZ_ERROR_GENERIC, "image height must be > 0"); + if (info->height > UINT_MAX / info->width / 3 /* components */) + fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions might overflow"); + info->has_gct = (p[4] >> 7) & 0x1; if (info->has_gct) { |