From: Paul Eggert Date: Sun, 12 May 2013 19:17:04 +0000 (-0700) Subject: * image.c (gif_load): Check that subimages fit. X-Git-Tag: emacs-24.3.90~173^2^2~42^2~45^2~387^2~2026^2~229^2~106 X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=44aa9ee6d2c451df9bffa7ff302c624b88d701b4;p=emacs.git * image.c (gif_load): Check that subimages fit. Fixes: debbugs:14345 --- diff --git a/src/ChangeLog b/src/ChangeLog index f6685824933..836f6d4b7b8 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,7 @@ +2013-05-12 Paul Eggert + + * image.c (gif_load): Check that subimages fit (Bug#14345). + 2013-05-09 Stefan Monnier * lread.c (skip_dyn_eof): New function. diff --git a/src/image.c b/src/image.c index 2dae63a294f..f9f6ce70040 100644 --- a/src/image.c +++ b/src/image.c @@ -7263,6 +7263,25 @@ gif_load (struct frame *f, struct image *img) return 0; } + /* Check that the selected subimages fit. It's not clear whether + the GIF spec requires this, but Emacs can crash if they don't fit. */ + for (j = 0; j <= idx; ++j) + { + struct SavedImage *subimage = gif->SavedImages + j; + int subimg_width = subimage->ImageDesc.Width; + int subimg_height = subimage->ImageDesc.Height; + int subimg_top = subimage->ImageDesc.Top; + int subimg_left = subimage->ImageDesc.Left; + if (! (0 <= subimg_width && 0 <= subimg_height + && 0 <= subimg_top && subimg_top <= height - subimg_height + && 0 <= subimg_left && subimg_left <= width - subimg_width)) + { + image_error ("Subimage does not fit in image", Qnil, Qnil); + fn_DGifCloseFile (gif); + return 0; + } + } + /* Create the X image and pixmap. */ if (!x_create_x_image_and_pixmap (f, width, height, 0, &ximg, &img->pixmap)) {