file-gif-load: limit len and height (CVE-2012-3481)

Ensure values of len and height can't overflow g_malloc() argument type.
2012-08-14 12:18:22 +02:00 · 2012-08-14 12:18:22 +02:00 · d95c2f0bcb
commit d95c2f0bcb
parent 86f4cd39bd
1 changed files with 7 additions and 0 deletions
--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@ -1057,6 +1057,13 @@ ReadImage (FILE        *fd,
  cur_progress = 0;
  max_progress = height;

+  if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
+  {
+    g_message ("'%s' has a larger image size than GIMP can handle.",
+               gimp_filename_to_utf8 (filename));
+    return -1;
+  }
+
  if (alpha_frame)
    dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
  else