Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
gd.11952
gd-CVE-2016-6161.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gd-CVE-2016-6161.patch of Package gd.11952
From 82b80dcb70a7ca8986125ff412bceddafc896842 Mon Sep 17 00:00:00 2001 From: Mike Frysinger <vapier@gentoo.org> Date: Sat, 14 May 2016 02:13:15 -0400 Subject: [PATCH] gif: avoid out-of-bound reads of masks array #209 When given invalid inputs, we might be fed the EOF marker before it is actually the EOF. The gif logic assumes once it sees the EOF marker, there won't be any more data, so it leaves the cur_bits index possibly negative. So when we get more data, we underflow the masks array. Flag it so we don't try to output anything more. The image is invalid, so we shouldn't be truncating any valid inputs. This fixes #209. --- src/gd_gif_out.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c index 51ceb75..3099d49 100644 --- a/src/gd_gif_out.c +++ b/src/gd_gif_out.c @@ -1442,15 +1442,23 @@ static void compress(int init_bits, gdIOCtxPtr outfile, gdImagePtr im, GifCtx *c * code in turn. When the buffer fills up empty it and start over. */ -static unsigned long masks[] = { +static const unsigned long masks[] = { 0x0000, 0x0001, 0x0003, 0x0007, 0x000F, 0x001F, 0x003F, 0x007F, 0x00FF, 0x01FF, 0x03FF, 0x07FF, 0x0FFF, 0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF }; +/* Arbitrary value to mark output is done. When we see EOFCode, then we don't + * expect to see any more data. If we do (e.g. corrupt image inputs), cur_bits + * might be negative, so flag it to return early. + */ +#define CUR_BITS_FINISHED -1000 + static void output(code_int code, GifCtx *ctx) { + if (ctx->cur_bits == CUR_BITS_FINISHED) + return; ctx->cur_accum &= masks[ctx->cur_bits]; if(ctx->cur_bits > 0) { @@ -1492,6 +1500,8 @@ static void output(code_int code, GifCtx *ctx) ctx->cur_accum >>= 8; ctx->cur_bits -= 8; } + /* Flag that it's done to prevent re-entry. */ + ctx->cur_bits = CUR_BITS_FINISHED; flush_char(ctx); }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor