From cf2272c69587196d2274e2f760265f05569e1d4f Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen
Date: Tue, 27 Sep 2016 13:12:54 +0800
Subject: Bug 697163: gif: Fix integer overflow in image dimensions.

---
 source/fitz/load-gif.c | 7 +++++++
 source/fitz/load-tiff.c | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

(limited to 'source')

diff --git a/source/fitz/load-gif.c b/source/fitz/load-gif.c
index 6f7a468d..4e71973b 100644
--- a/source/fitz/load-gif.c
+++ b/source/fitz/load-gif.c
@@ -142,6 +142,13 @@ gif_read_lsd(fz_context *ctx, struct info *info, unsigned char *p, unsigned char
 info->width = p[1] << 8 | p[0];
 info->height = p[3] << 8 | p[2];
 
+ if (info->width <= 0)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image width must be > 0");
+ if (info->height <= 0)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image height must be > 0");
+ if (info->height > UINT_MAX / info->width / 3 /* components */)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions might overflow");
+
 info->has_gct = (p[4] >> 7) & 0x1;
 if (info->has_gct)
 {
diff --git a/source/fitz/load-tiff.c b/source/fitz/load-tiff.c
index fa366a8e..e36914f1 100644
--- a/source/fitz/load-tiff.c
+++ b/source/fitz/load-tiff.c
@@ -336,7 +336,7 @@ fz_expand_tiff_colormap(fz_context *ctx, struct tiff *tiff)
 fz_throw(ctx, FZ_ERROR_GENERIC, "insufficient colormap data");
 
 if (tiff->imagelength > UINT_MAX / tiff->imagewidth / (tiff->samplesperpixel + 2))
- fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions might overflow");
+ fz_throw(ctx, FZ_ERROR_GENERIC, "image too large");
 
 stride = tiff->imagewidth * (tiff->samplesperpixel + 2);
-- 
cgit v1.2.3
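Review bot: The new overflow guard in gif_read_lsd hard-codes `3 /* components */` as the multiplier, so it only bounds an allocation of exactly width * height * 3 bytes; if the pixmap is later created with a different component count (an alpha channel, say) or with a per-row stride, this check no longer covers that product — I would derive the divisor from the same expression the allocation uses, or at least name it (`enum { GIF_COMPONENTS = 3 };`) so the two cannot drift apart silently. The error text `"image dimensions might overflow"` is also the exact wording this same commit retires in load-tiff.c in favour of `"image too large"`; using the latter here keeps the two loaders consistent. Since width and height are each assembled from two bytes (`p[1] << 8 | p[0]`) they can never be negative, so the `<= 0` tests are effectively `== 0` — correct, but a short comment such as `/* two-byte fields: only zero is rejected here */` would stop a reader from looking for a signedness bug. gif_read_lsd continues outside the hunk, so I cannot see whether the per-frame image descriptor width/height/left/top (which GIF carries separately) are bounded against these logical-screen values; if they are not, an overflow of the same shape remains reachable there.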
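Review bot: The overflow guard on the context line above the changed message divides by `tiff->imagewidth`, so a zero width reaches a division by zero before the new "image too large" error can ever be thrown, unless fz_expand_tiff_colormap or its caller already rejects it — the function starts outside the hunk, so I cannot confirm that from here. The GIF hunk in this same commit adds explicit `width <= 0` / `height <= 0` checks ahead of its division; mirroring that here with `if (tiff->imagewidth == 0 || tiff->imagelength == 0) fz_throw(ctx, FZ_ERROR_GENERIC, "image dimensions must be > 0");` placed before the overflow test would close the gap at low cost. The second divisor, `tiff->samplesperpixel + 2`, can itself wrap to a small value (including 0) if samplesperpixel is attacker-controlled and near UINT_MAX; whether it is range-checked earlier is likewise not visible in this hunk and is worth verifying.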