From ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88 Mon Sep 17 00:00:00 2001 From: "Eric S. Raymond" Date: Sat, 2 Apr 2016 13:03:47 -0400 Subject: [PATCH] Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb). --- NEWS | 8 ++++++++ lib/dgif_lib.c | 5 +++++ util/gif2rgb.c | 10 ++++++++-- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 7209705..ce44959 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,13 @@ GIFLIB NEWS +Repository head +=============== + +Code Fixes +---------- + +* Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb). + Version 5.1.4 ============= diff --git a/lib/dgif_lib.c b/lib/dgif_lib.c index 66a1d6a..3b650b8 100644 --- a/lib/dgif_lib.c +++ b/lib/dgif_lib.c @@ -289,6 +289,11 @@ DGifGetScreenDesc(GifFileType *GifFile) GifFile->SColorMap = NULL; } + /* + * No check here for whether the background color is in range for the + * screen color map. Possibly there should be. + */ + return GIF_OK; } diff --git a/util/gif2rgb.c b/util/gif2rgb.c index e39f37b..da791a2 100644 --- a/util/gif2rgb.c +++ b/util/gif2rgb.c @@ -15,7 +15,7 @@ Toshio Kuratomi had written this in a comment about the rgb2gif code: I (ESR) took this off the main to-do list in 2012 because I don't think the GIFLIB project actually needs to be in the converters-and-tools business. -Plenty of hackers do that; our jub is to supply stable library capability +Plenty of hackers do that; our job is to supply stable library capability with our utilities mainly interesting as test tools. ***************************************************************************/ @@ -461,7 +461,7 @@ static void GIF2RGB(int NumFiles, char *FileName, break; } } while (RecordType != TERMINATE_RECORD_TYPE); - + /* Lets dump it - set the global variables required and do it: */ ColorMap = (GifFile->Image.ColorMap ? GifFile->Image.ColorMap 
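Review bot: In lib/dgif_lib.c, `DGifGetScreenDesc` still returns `SBackGroundColor` unvalidated, so every library caller other than gif2rgb remains responsible for range-checking it before using it as a color-map index. The added comment notes the gap but states no contract for callers. I would make the comment explicit, e.g. `/* SBackGroundColor is NOT validated against SColorMap->ColorCount, and SColorMap may be NULL; callers must range-check it before indexing a color map (SF bug #87). */`, or do the comparison here whenever `GifFile->SColorMap` is non-NULL. The function body starts outside the hunk, so whether an earlier check exists cannot be confirmed from these lines.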
@@ -471,6 +471,12 @@ static void GIF2RGB(int NumFiles, char *FileName, exit(EXIT_FAILURE); } + /* check that the background color isn't garbage (SF bug #87) */ + if (GifFile->SBackGroundColor < 0 || GifFile->SBackGroundColor >= ColorMap->ColorCount) { + fprintf(stderr, "Background color out of range for colormap\n"); + exit(EXIT_FAILURE); + } + DumpScreen2RGB(OutFileName, OneFileFlag, ColorMap, ScreenBuffer, -- 1.9.1
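Review bot: The added guard in GIF2RGB bounds only `GifFile->SBackGroundColor`; the pixel indices that image records wrote into `ScreenBuffer` reach `DumpScreen2RGB` with no visible check against `ColorMap->ColorCount`. If DumpScreen2RGB looks up the color map per pixel (its body is outside this hunk, so this is inferred), an index at or above the count would still read past the map. The risk is higher because `ColorMap` appears to be the last image's local map when one is present, not necessarily the map the earlier frames were decoded against. Consider rejecting any index `>= ColorMap->ColorCount` in the dump path too, and then widening the comment to `/* background index must be valid for ColorMap; pixel indices are checked in DumpScreen2RGB (SF bug #87) */`. GIF2RGB's body starts and ends outside the hunk.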