From 755efe08da01ccccfe6dd73570141371125e229d Mon Sep 17 00:00:00 2001
From: Michael R Sweet <msweet@msweet.org>
Date: Sat, 12 Apr 2025 14:33:13 -0400
Subject: [PATCH] Range check dictionary values in pdfioImageGetBytesPerLine
 (Issue #121)

---
 CHANGES.md      |  1 +
 pdfio-content.c | 22 ++++++++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 52f8511..92b025f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -11,6 +11,7 @@ v1.5.2 - YYYY-MM-DD
 - Fixed form detection in `pdfioinfo` example code (Issue #114)
 - Fixed parsing of certain date/time values (Issue #115)
 - Fixed support for empty name values (Issue #116)
+- Fixed range checking in `pdfioImageGetBytesPerLine` (Issue #121)
 
 
 v1.5.1 - 2025-03-28
diff --git a/pdfio-content.c b/pdfio-content.c
index 8149cc1..29566f9 100644
--- a/pdfio-content.c
+++ b/pdfio-content.c
@@ -2233,7 +2233,7 @@ pdfioFileCreateImageObjFromFile(
 // 'pdfioImageGetBytesPerLine()' - Get the number of bytes to read for each line.
 //
 
-size_t					// O - Number of bytes per line
+size_t					// O - Number of bytes per line or `0` on error
 pdfioImageGetBytesPerLine(
     pdfio_obj_t *obj)			// I - Image object
 {
@@ -2279,7 +2279,25 @@ pdfioImageGetBytesPerLine(
       colors = 1;
   }
 
-  return ((size_t)((width * colors * bpc + 7) / 8));
+  if (width < 0)
+  {
+    _pdfioFileError(obj->pdf, "Invalid image width %d.", width);
+    return (0);
+  }
+  else if (bpc != 1 && bpc != 2 && bpc != 4 && bpc != 8 && bpc != 16)
+  {
+    _pdfioFileError(obj->pdf, "Invalid image bits per component %d.", bpc);
+    return (0);
+  }
+  else if (colors < 1 || colors > 4)
+  {
+    _pdfioFileError(obj->pdf, "Invalid image number of colors %d.", colors);
+    return (0);
+  }
+  else
+  {
+    return ((size_t)((width * colors * bpc + 7) / 8));
+  }
 }