X-Git-Url: https://git.saurik.com/wxWidgets.git/blobdiff_plain/8907154c1a8a6882c6797d1f16393ddfb23e7f3a..4e1ed07b52acd24f667354df5e9dc00cfde2a132:/src/common/gifdecod.cpp?ds=inline

diff --git a/src/common/gifdecod.cpp b/src/common/gifdecod.cpp
index 5d9b295a6e..db8ac994df 100644
--- a/src/common/gifdecod.cpp
+++ b/src/common/gifdecod.cpp
@@ -675,6 +675,11 @@ int wxGIFDecoder::ReadGIF()
     m_screenw = buf[0] + 256 * buf[1];
     m_screenh = buf[2] + 256 * buf[3];
 
+    if ((m_screenw == 0) || (m_screenh == 0))
+    {
+        return wxGIF_INVFORMAT;
+    }
+
     /* load global color map if available */
     if ((buf[4] & 0x80) == 0x80)
     {
@@ -701,7 +706,7 @@ int wxGIFDecoder::ReadGIF()
 
     bool done = false;
 
-    while(!done)
+    while (!done)
     {
         type = (unsigned char)m_f->GetC();
 
@@ -797,7 +802,7 @@ int wxGIFDecoder::ReadGIF()
             pimg->w = buf[4] + 256 * buf[5];
             pimg->h = buf[6] + 256 * buf[7];
 
-            if (pimg->w == 0 || pimg->h == 0)
+            if ((pimg->w == 0) || (pimg->w > m_screenw) || (pimg->h == 0) || (pimg->h > m_screenh))
             {
                 Destroy();
                 return wxGIF_INVFORMAT;
@@ -843,6 +848,11 @@ int wxGIFDecoder::ReadGIF()
 
             /* get initial code size from first byte in raster data */
             bits = (unsigned char)m_f->GetC();
+            if (bits == 0)
+            {
+                Destroy();
+                return wxGIF_INVFORMAT;
+            }
 
             /* decode image */
             int result = dgif(pimg, interl, bits);
@@ -859,7 +869,7 @@ int wxGIFDecoder::ReadGIF()
         }
     }
 
-    if (m_nimages == 0)
+    if (m_nimages <= 0)
     {
         Destroy();
         return wxGIF_INVFORMAT;