From 44aa9ee6d2c451df9bffa7ff302c624b88d701b4 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Sun, 12 May 2013 12:17:04 -0700
Subject: [PATCH] * image.c (gif_load): Check that subimages fit.
Fixes: debbugs:14345
---
 src/ChangeLog | 4 ++++
 src/image.c | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+)
diff --git a/src/ChangeLog b/src/ChangeLog
index f668582493..836f6d4b7b 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,7 @@
+2013-05-12 Paul Eggert
+
+ * image.c (gif_load): Check that subimages fit (Bug#14345).
+
 2013-05-09 Stefan Monnier
 
 * lread.c (skip_dyn_eof): New function.
diff --git a/src/image.c b/src/image.c
index 2dae63a294..f9f6ce7004 100644
--- a/src/image.c
+++ b/src/image.c
@@ -7263,6 +7263,25 @@ gif_load (struct frame *f, struct image *img)
 return 0;
 }
 
+ /* Check that the selected subimages fit. It's not clear whether
+ the GIF spec requires this, but Emacs can crash if they don't fit. */
+ for (j = 0; j <= idx; ++j)
+ {
+ struct SavedImage *subimage = gif->SavedImages + j;
+ int subimg_width = subimage->ImageDesc.Width;
+ int subimg_height = subimage->ImageDesc.Height;
+ int subimg_top = subimage->ImageDesc.Top;
+ int subimg_left = subimage->ImageDesc.Left;
+ if (! (0 <= subimg_width && 0 <= subimg_height
+ && 0 <= subimg_top && subimg_top <= height - subimg_height
+ && 0 <= subimg_left && subimg_left <= width - subimg_width))
+ {
+ image_error ("Subimage does not fit in image", Qnil, Qnil);
+ fn_DGifCloseFile (gif);
+ return 0;
+ }
+ }
+
 /* Create the X image and pixmap. */
 if (!x_create_x_image_and_pixmap (f, width, height, 0, &ximg, &img->pixmap))
 {
-- 
2.20.1
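Review bot: The comment above the new loop in gif_load does not explain why the bounds test is written as `subimg_top <= height - subimg_height` (and the same for the left edge) rather than as a sum compared against the canvas size. The subtraction form is what keeps file-supplied descriptor values from overflowing a signed int, and a later cleanup could easily "simplify" it away; I would add `/* Subtract instead of adding top and height: the descriptor fields come from the file and their sum could overflow. */`. That reasoning holds only if `width` and `height` are already known to be non-negative, and they are assigned outside this hunk, so that is worth confirming. Separately, `image_error` is called with `Qnil, Qnil`, so the message does not identify which image was rejected; if `img->spec` is usable at this point, passing it would make a malformed file easier to trace. gif_load's body starts and ends outside the hunk.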