$NetBSD: patch-CVE-2013-4243,v 1.1 2013/09/21 18:47:05 dholland Exp $

Upstream candidate patch for CVE-2013-4243,
taken from http://bugzilla.maptools.org/attachment.cgi?id=518
(via http://bugzilla.maptools.org/show_bug.cgi?id=2451)

Despite looking suspect with respect to integer overflows, this
appears to be ok, as long as you aren't on a 16-bit platform, because
the largest image size the input can encode is apparently 65535*65535.

--- tools/gif2tiff.c.orig	2013-09-21 18:45:13.000000000 +0000
+++ tools/gif2tiff.c
@@ -280,6 +280,10 @@ readgifimage(char* mode)
         fprintf(stderr, "no colormap present for image\n");
         return (0);
     }
+    if (width == 0 || height == 0) {
+        fprintf(stderr, "Invalid value of width or height\n");
+        return(0);
+    }
     if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
         fprintf(stderr, "not enough memory for image\n");
         return (0);
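Review bot: The allocation size `width*height+EXTRAFUDGE` on the `_TIFFmalloc` line is still computed without a stated bound. The patch description says it is safe only because a GIF cannot encode dimensions above 65535, and nothing in the code records that. The declarations of `width` and `height` are outside the hunk; if they are signed `int`, the product can exceed `INT_MAX` for dimensions the format allows, so I would do the multiplication in a size type, e.g. `(size_t)width * height + EXTRAFUDGE`. Failing that, add a comment above the allocation such as `/* width and height are 16-bit GIF fields; the product fits in 32 bits unsigned */`. The body of readgifimage continues outside the hunk.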
@@ -406,6 +410,10 @@ process(register int code, unsigned char
 	    fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
 	    return 0;
 	}
+	if (*fill >= raster + width*height) {
+	    fprintf(stderr, "raster full before eoi code\n");
+	    return 0;
+	}
 	*(*fill)++ = suffix[code];
 	firstchar = oldcode = code;
 	return 1;
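Review bot: The limit `raster + width*height` is rebuilt from the dimensions at each write site, here and inside the `do` loop in the next hunk, instead of being derived once from the allocation. If the size passed to `_TIFFmalloc` is ever changed, the two checks can silently drift from the real buffer size, and the loop in the next hunk recomputes the product for every byte. I would set an end pointer once after the allocation succeeds, `raster_end = raster + width*height;`, and test `if (*fill >= raster_end)` at both sites. Both checks print the same "raster full before eoi code" message, so a report cannot tell which path rejected the input; a distinct suffix on one of them would help triage. process() begins and ends outside both hunks, so how the caller treats the 0 return is not visible here.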
@@ -436,6 +444,10 @@ process(register int code, unsigned char
     }
     oldcode = incode;
     do {
+        if (*fill >= raster + width*height) {
+            fprintf(stderr, "raster full before eoi code\n");
+            return 0;
+        }
 	*(*fill)++ = *--stackp;
     } while (stackp > stack);
     return 1;
