From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Wed, 31 Mar 2021 20:18:00 -0400
Subject: Fix crash bug with bad GIFs (Issue #423)

CVE-2021-20308

Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/6a8322a718b2ba5c440bd33e6f26d9e281c39654
Bug: https://github.com/michaelrsweet/htmldoc/issues/423
Bug-Debian: https://bugs.debian.org/#984765
---
 htmldoc/image.cxx | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
index 68d6b92..8f53050 100644
--- a/htmldoc/image.cxx
+++ b/htmldoc/image.cxx
@@ -1245,6 +1245,9 @@ image_load_gif(image_t *img,	/* I - Image pointer */
   img->height = (buf[9] << 8) | buf[8];
   ncolors     = 2 << (buf[10] & 0x07);
 
+  if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
+    return (-1);
+
   // If we are writing an encrypted PDF file, bump the use count so we create
   // an image object (Acrobat 6 bug workaround)
   if (Encryption)