authorSebastian Rasmussen <sebras@gmail.com>2016-09-27 13:12:54 +0800
committerSebastian Rasmussen <sebras@gmail.com>2016-09-27 20:04:04 +0800
commitcf2272c69587196d2274e2f760265f05569e1d4f (patch)
treeed0f6f4d14c8a11eaa789b621d46dd163573ab0a /source
parent1bebb9feb7ffd62d8945790b2426d6cf09027d60 (diff)
Bug 697163: gif: Fix integer overflow in image dimensions.
Diffstat (limited to 'source')
-rw-r--r--source/fitz/load-gif.c7
-rw-r--r--source/fitz/load-tiff.c2
2 files changed, 8 insertions, 1 deletions
diff --git a/source/fitz/load-gif.c b/source/fitz/load-gif.c
index 6f7a468d..4e71973b 100644
--- a/source/fitz/load-gif.c
+++ b/source/fitz/load-gif.c
@@ -142,6 +142,13 @@ gif_read_lsd(fz_context *ctx, struct info *info, unsigned char *p, unsigned char
info->width = p[1] << 8 | p[0];
info->height = p[3] << 8 | p[2];
+ if (info->width <= 0)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image width must be > 0");
+ if (info->height <= 0)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image height must be > 0");
+ if (info->height > UINT_MAX / info->width / 3 /* components */)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions might overflow");
+
info->has_gct = (p[4] >> 7) & 0x1;
if (info->has_gct)
{
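Review bot: The added guard `info->height > UINT_MAX / info->width / 3` bounds the pixel-buffer size by UINT_MAX, which only protects arithmetic carried out in unsigned int. The field types and the later allocation are not visible in this hunk, but if any size, stride or index downstream is computed in `int`, a product between INT_MAX and UINT_MAX still wraps, so `if (info->height > INT_MAX / info->width / 3 /* components */)` would be the safer bound. The message "image dimensions might overflow" is also the exact wording this same commit replaces in load-tiff.c, so `"image too large"` here would keep the two loaders consistent. These checks cover only the logical screen descriptor; whether per-frame image dimensions read elsewhere are bounded against it cannot be told from this hunk, and gif_read_lsd itself starts and ends outside it.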
diff --git a/source/fitz/load-tiff.c b/source/fitz/load-tiff.c
index fa366a8e..e36914f1 100644
--- a/source/fitz/load-tiff.c
+++ b/source/fitz/load-tiff.c
@@ -336,7 +336,7 @@ fz_expand_tiff_colormap(fz_context *ctx, struct tiff *tiff)
fz_throw(ctx, FZ_ERROR_GENERIC, "insufficient colormap data");
if (tiff->imagelength > UINT_MAX / tiff->imagewidth / (tiff->samplesperpixel + 2))
- fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions might overflow");
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image too large");
stride = tiff->imagewidth * (tiff->samplesperpixel + 2);