From 0012e066ba37439d402ce46afbc1311530a4ec61 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 23 Aug 2017 18:02:41 +0200
Subject: [PATCH] io-gif: Fail quickly when image dimensions are too big
Fail quickly when the dimensions would create an image that's bigger
than MAXINT bytes long.
See https://bugzilla.gnome.org/show_bug.cgi?id=765094
https://bugzilla.gnome.org/show_bug.cgi?id=785973
---
gdk-pixbuf/io-gif.c | 30 +++++++++++++++++++++++-------
1 file changed, 23 insertions(+), 7 deletions(-)
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index 057960c42..ef1001779 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -851,13 +851,29 @@ gif_get_lzw (GifContext *context)
pixels[2] = 0;
pixels[3] = 0;
}
- } else
- context->frame->pixbuf =
- gdk_pixbuf_new (GDK_COLORSPACE_RGB,
- TRUE,
- 8,
- context->frame_len,
- context->frame_height);
+ } else {
+ int rowstride;
+ guint64 len;
+
+ rowstride = gdk_pixbuf_calculate_rowstride (GDK_COLORSPACE_RGB,
+ TRUE,
+ 8,
+ context->frame_len,
+ context->frame_height);
+ if (rowstride > 0 &&
+ g_uint64_checked_mul (&len, rowstride, context->frame_height) &&
+ len <= G_MAXINT) {
+ context->frame->pixbuf =
+ gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+ TRUE,
+ 8,
+ context->frame_len,
+ context->frame_height);
+ } else {
+ context->frame->pixbuf = NULL;
+ }
+ }
+
if (!context->frame->pixbuf) {
g_free (context->frame);
g_set_error_literal (context->error,
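Review bot: The new else branch sets `context->frame->pixbuf = NULL` to route oversized frames into the existing `if (!context->frame->pixbuf)` error path, so a deliberately huge frame is reported with whatever error that path already sets (its message is outside the hunk; if it is an allocation-failure message, the diagnostic is misleading for a rejected-dimensions case), and the guard itself carries no comment tying the bound to the bug it fixes. I would add above the `if (rowstride > 0 &&` line: `/* Refuse frames whose buffer (rowstride * height) would exceed G_MAXINT bytes; see bgo#765094 and bgo#785973. */`. Note also that `rowstride` is an `int` and `context->frame_height` (type not visible here) is passed to `g_uint64_checked_mul`, which takes `guint64`; a negative height would be converted to a very large value and rejected by the overflow or `len <= G_MAXINT` check, so this is safe, but an explicit `context->frame_height > 0` alongside `rowstride > 0` would make that intent readable rather than incidental. `g_uint64_checked_mul` presumably raises the minimum GLib version this loader builds against; confirm the package's build dependency matches. The enclosing function `gif_get_lzw` starts and ends outside the hunk.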
--
2.15.1