path: root/main/giflib/CVE-2016-3977.patch
From ea8dbc5786862a3e16a5acfa3d24e2c2f608cd88 Mon Sep 17 00:00:00 2001
From: "Eric S. Raymond" <esr@thyrsus.com>
Date: Sat, 2 Apr 2016 13:03:47 -0400
Subject: [PATCH] Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb).

---
 NEWS           |  8 ++++++++
 lib/dgif_lib.c |  5 +++++
 util/gif2rgb.c | 10 ++++++++--
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 7209705..ce44959 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,13 @@
 			GIFLIB NEWS
 
+Repository head
+===============
+
+Code Fixes
+----------
+
+* Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb).
+
 
 Version 5.1.4
 =============
diff --git a/lib/dgif_lib.c b/lib/dgif_lib.c
index 66a1d6a..3b650b8 100644
--- a/lib/dgif_lib.c
+++ b/lib/dgif_lib.c
@@ -289,6 +289,11 @@ DGifGetScreenDesc(GifFileType *GifFile)
         GifFile->SColorMap = NULL;
     }
 
+    /*
+     * No check here for whether the background color is in range for the
+     * screen color map.  Possibly there should be.
+     */
+    
     return GIF_OK;
 }
 
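Review bot: The comment added to DGifGetScreenDesc records that the background color is not range-checked, but it is worded as a musing rather than a caller contract, so any other program that uses SBackGroundColor as a color-map index gets no warning about the out-of-bounds read that gif2rgb is patched for in this same commit. I would state it as an obligation, e.g. `/* SBackGroundColor is NOT range-checked here; callers must verify 0 <= SBackGroundColor < ColorCount of the map they index before using it. */`. Doing the check in the library instead would need care, because the context lines show SColorMap can be NULL at this point and the index then has nothing to be compared against. The added line after the comment carries trailing whitespace, and the function starts outside the hunk.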
diff --git a/util/gif2rgb.c b/util/gif2rgb.c
index e39f37b..da791a2 100644
--- a/util/gif2rgb.c
+++ b/util/gif2rgb.c
@@ -15,7 +15,7 @@ Toshio Kuratomi had written this in a comment about the rgb2gif code:
 
 I (ESR) took this off the main to-do list in 2012 because I don't think
 the GIFLIB project actually needs to be in the converters-and-tools business.
-Plenty of hackers do that; our jub is to supply stable library capability
+Plenty of hackers do that; our job is to supply stable library capability
 with our utilities mainly interesting as test tools.
 
 ***************************************************************************/
@@ -461,7 +461,7 @@ static void GIF2RGB(int NumFiles, char *FileName,
 		break;
 	}
     } while (RecordType != TERMINATE_RECORD_TYPE);
-
+    
     /* Lets dump it - set the global variables required and do it: */
     ColorMap = (GifFile->Image.ColorMap
 		? GifFile->Image.ColorMap
@@ -471,6 +471,12 @@ static void GIF2RGB(int NumFiles, char *FileName,
         exit(EXIT_FAILURE);
     }
 
+    /* check that the background color isn't garbage (SF bug #87) */
+    if (GifFile->SBackGroundColor < 0 || GifFile->SBackGroundColor >= ColorMap->ColorCount) {
+        fprintf(stderr, "Background color out of range for colormap\n");
+        exit(EXIT_FAILURE);
+    }
+
     DumpScreen2RGB(OutFileName, OneFileFlag,
 		   ColorMap,
 		   ScreenBuffer, 
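Review bot: The new guard bounds only SBackGroundColor against the selected ColorMap; every other index held in ScreenBuffer is still handed to DumpScreen2RGB unchecked. The hunk does not show how ScreenBuffer is filled or read, but if decoded pixel values index the same map, a file whose pixel codes exceed ColorCount would presumably reach the same heap over-read, so the bound is safer at the point of lookup in DumpScreen2RGB than on this one field. At minimum I would widen the comment to say so: `/* bounds only the background index (SF bug #87); pixel indices in ScreenBuffer are not validated here */`. GIF2RGB begins and ends outside the hunk, so the code that selects ColorMap and fills ScreenBuffer should be checked against this.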
-- 
1.9.1