From 14d45771a9820dd14cb1533505098225624d7250 Mon Sep 17 00:00:00 2001
From: Jonathan Behrens <fintelia@gmail.com>
Date: Sat, 13 Jan 2024 20:33:24 -0500
Subject: [PATCH] Avoid overflow in gif::Decoder::buffer_size (#2103)
---
src/codecs/gif.rs | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/codecs/gif.rs b/src/codecs/gif.rs
index 6f3f87d09c..8b6f5ee26f 100644
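--- a/src/codecs/gif.rs
+++ b/src/codecs/gif.rs
@@ -37,6 +37,8 @@ use gif::{DisposalMethod, Frame};
 
 use crate::animation::{self, Ratio};
 use crate::color::{ColorType, Rgba};
+use crate::error::LimitError;
+use crate::error::LimitErrorKind;
 use crate::error::{
 DecodingError, EncodingError, ImageError, ImageResult, ParameterError, ParameterErrorKind,
 UnsupportedError, UnsupportedErrorKind,
@@ -177,12 +179,15 @@ impl<'a, R: 'a + Read> ImageDecoder<'a> for GifDecoder<R> {
 } else {
 // If the frame does not match the logical screen, read into an extra buffer
 // and 'insert' the frame from left/top to logical screen width/height.
- let buffer_size = self.reader.buffer_size();
+ let buffer_size = (frame.width as usize)
+ .checked_mul(frame.height as usize)
+ .and_then(|s| s.checked_mul(4))
+ .ok_or(ImageError::Limits(LimitError::from_kind(
+ LimitErrorKind::InsufficientMemory,
+ )))?;
 
 self.limits.reserve_usize(buffer_size)?;
-
 let mut frame_buffer = vec![0; buffer_size];
-
 self.limits.free_usize(buffer_size);
 
 self.reader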
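Review bot: The `4` in `.and_then(|s| s.checked_mul(4))` is an unexplained bytes-per-pixel constant, and nothing beside the new `buffer_size` computation says that `frame.width` and `frame.height` come from the file being decoded, which is the reason the multiplication has to be checked. I would put a comment above the `let`, for example `// frame dimensions are untrusted; 4 = bytes per pixel (presumably RGBA8), checked so the product cannot wrap usize on narrow targets`. The diffstat lists only src/codecs/gif.rs, so no regression test with an oversized frame accompanies the fix; one that expects `LimitErrorKind::InsufficientMemory` would pin the behaviour. Unchanged by this commit but visible here, `self.limits.free_usize(buffer_size)` runs while `frame_buffer` is still alive and before `self.reader` uses it, so the buffer appears not to be counted against the limits during the read; if that is deliberate (to avoid leaking the reservation on an early `?` return), a one-line comment saying so would help. The enclosing `else` branch starts before the hunk and continues past `self.reader`, so the rest of the buffer's use is not visible.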