[MPlayer-cvslog] r37857 - trunk/libmpdemux/demux_gif.c

rtogni subversion at mplayerhq.hu
Thu Apr 28 23:32:40 CEST 2016


Author: rtogni
Date: Thu Apr 28 23:32:40 2016
New Revision: 37857

Log:
Validate image size in demux_gif

Fixes crash with -vo null and overflow.gif
Reported by Gustavo Grieco

Closes trac #2295

Modified:
   trunk/libmpdemux/demux_gif.c

Modified: trunk/libmpdemux/demux_gif.c
==============================================================================
--- trunk/libmpdemux/demux_gif.c	Sat Apr 16 11:43:19 2016	(r37856)
+++ trunk/libmpdemux/demux_gif.c	Thu Apr 28 23:32:40 2016	(r37857)
@@ -304,6 +304,17 @@ static demuxer_t* demux_open_gif(demuxer
     return NULL;
   }
 
+  // Validate image size, most code in this demuxer assumes w*h <= INT_MAX
+  if ((int64_t)gif->SWidth * gif->SHeight > INT_MAX) {
+    mp_msg(MSGT_DEMUX, MSGL_ERR,
+           "[demux_gif] Unsupported picture size %dx%d.\n", gif->SWidth,
+           gif->SHeight);
+    if (DGifCloseFile(gif) == GIF_ERROR)
+      print_gif_error(NULL);
+    free(priv);
+    return NULL;
+  }
+
   // create a new video stream header
   sh_video = new_sh_video(demuxer, 0);
 
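Review bot: The new `if` on `(int64_t)gif->SWidth * gif->SHeight > INT_MAX` enforces only the upper bound on the product, so a zero width or height still passes, as would a negative one if these fields can ever hold it. If the rest of the demuxer also assumes a non-empty picture, extend the condition with `gif->SWidth <= 0 || gif->SHeight <= 0 ||` so those cases take the same error path. The comment says "most code in this demuxer assumes w*h <= INT_MAX"; any later size computation that multiplies w*h by a bytes-per-pixel factor would need a tighter limit than INT_MAX, which is worth checking before relying on this bound alone. The hunk uses `int64_t` and `INT_MAX` without adding includes, so please confirm `<stdint.h>` and `<limits.h>` are already pulled in by this file. The cleanup here (`DGifCloseFile`, `print_gif_error`, `free(priv)`) is written out inline; if the earlier `return NULL` path does the same work, a shared exit label would keep the two from drifting apart.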

