From 14d45771a9820dd14cb1533505098225624d7250 Mon Sep 17 00:00:00 2001
From: Jonathan Behrens
Date: Sat, 13 Jan 2024 20:33:24 -0500
Subject: [PATCH] Avoid overflow in gif::Decoder::buffer_size (#2103)
---
 src/codecs/gif.rs | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/codecs/gif.rs b/src/codecs/gif.rs
index 6f3f87d09c..8b6f5ee26f 100644
--- a/src/codecs/gif.rs
+++ b/src/codecs/gif.rs
@@ -37,6 +37,8 @@ use gif::{DisposalMethod, Frame};
 use crate::animation::{self, Ratio};
 use crate::color::{ColorType, Rgba};
+use crate::error::LimitError;
+use crate::error::LimitErrorKind;
 use crate::error::{
 DecodingError, EncodingError, ImageError, ImageResult, ParameterError, ParameterErrorKind, UnsupportedError, UnsupportedErrorKind,
@@ -177,12 +179,15 @@ impl<'a, R: 'a + Read> ImageDecoder<'a> for GifDecoder {
 } else {
 // If the frame does not match the logical screen, read into an extra buffer
 // and 'insert' the frame from left/top to logical screen width/height.
- let buffer_size = self.reader.buffer_size();
+ let buffer_size = (frame.width as usize)
+ .checked_mul(frame.height as usize)
+ .and_then(|s| s.checked_mul(4))
+ .ok_or(ImageError::Limits(LimitError::from_kind(
+ LimitErrorKind::InsufficientMemory,
+ )))?;
 self.limits.reserve_usize(buffer_size)?;
- let mut frame_buffer = vec![0; buffer_size];
- self.limits.free_usize(buffer_size);
 self.reader
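Review bot: The two added imports `use crate::error::LimitError;` and `use crate::error::LimitErrorKind;` in the `@@ -37,6 +37,8 @@` hunk sit directly above the braced `use crate::error::{…}` list and repeat its path. Adding `LimitError, LimitErrorKind` to that existing list would keep a single import statement for `crate::error`.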
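Review bot: The new size computation in the `else` branch hard-codes `.checked_mul(4)` without saying what the 4 stands for; a comment such as `// 4 bytes per pixel (presumably RGBA8 output, confirm against the decoder's color setting)` would tie the buffer size to the pixel format the frame is decoded into. If `frame.width` and `frame.height` are the `u16` fields of `gif::Frame`, `usize::from(frame.width)` states the lossless widening more clearly than `as usize`. In that case the product can only exceed `usize` on targets narrower than 64 bits, which is worth noting next to the check so it is not later removed as dead code. `.ok_or_else(|| ImageError::Limits(LimitError::from_kind(LimitErrorKind::InsufficientMemory)))` would also avoid building the error value on the success path. The enclosing function starts and ends outside this hunk, and the trailing `self.reader` statement continues past it.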