From 0012e066ba37439d402ce46afbc1311530a4ec61 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 23 Aug 2017 18:02:41 +0200
Subject: io-gif: Fail quickly when image dimensions are too big

Fail quickly when the dimensions would create an image that's bigger than MAXINT bytes long.
See https://bugzilla.gnome.org/show_bug.cgi?id=765094 https://bugzilla.gnome.org/show_bug.cgi?id=785973
---
 gdk-pixbuf/io-gif.c | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index 057960c..ef10017 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -851,13 +851,29 @@ gif_get_lzw (GifContext *context)
 pixels[2] = 0;
 pixels[3] = 0;
 }
- } else
- context->frame->pixbuf =
- gdk_pixbuf_new (GDK_COLORSPACE_RGB,
- TRUE,
- 8,
- context->frame_len,
- context->frame_height);
+ } else {
+ int rowstride;
+ guint64 len;
+
+ rowstride = gdk_pixbuf_calculate_rowstride (GDK_COLORSPACE_RGB,
+ TRUE,
+ 8,
+ context->frame_len,
+ context->frame_height);
+ if (rowstride > 0 &&
+ g_uint64_checked_mul (&len, rowstride, context->frame_height) &&
+ len <= G_MAXINT) {
+ context->frame->pixbuf =
+ gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+ TRUE,
+ 8,
+ context->frame_len,
+ context->frame_height);
+ } else {
+ context->frame->pixbuf = NULL;
+ }
+ }
+
 if (!context->frame->pixbuf) {
 g_free (context->frame);
 g_set_error_literal (context->error,
--
cgit v0.12
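Review bot: The new guard in the `else` branch encodes a non-obvious bound (`len <= G_MAXINT` on rowstride × frame_height via `g_uint64_checked_mul`) whose rationale lives only in the commit message; a comment above the `if (rowstride > 0 &&` line would save the next reader a trip to the bug tracker, e.g. `/* Reject frames whose buffer would exceed G_MAXINT bytes before gdk_pixbuf_new tries to allocate it (bgo#765094, bgo#785973). */`. The check covers only this branch, and the sibling `if` branch that fills `pixels[...]` starts before the hunk, so confirm the same frame_len/frame_height bound is enforced on that path too, since both values come from the GIF file. `rowstride` is an `int` and `context->frame_height` is passed unconverted to a `guint64` parameter; if frame_height is a signed type a negative value becomes a huge multiplier and is rejected by the overflow check, which fails safe but is worth stating in that comment. The error set right after the hunk via `g_set_error_literal` is shared with a genuine allocation failure, so if its text says out-of-memory it will be misleading for an oversized image. gif_get_lzw begins and ends outside the hunk.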