From 631856a2021d60d29e96d07872c06246eff25a96 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Fri, 12 Aug 2011 14:44:52 +0200
Subject: [PATCH] patch: gif-load
Squashed commit of the following:
commit 366d6b546e8fb91909550a61abeafc11672667c4
Author: Nils Philippsen <nils@redhat.com>
Date: Thu Aug 4 12:51:42 2011 +0200
file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
(cherry picked from commit 376ad788c1a1c31d40f18494889c383f6909ebfc)
commit 3c5864851ea5fe8f89d273ee8ac4df0c1101b315
Author: Nils Philippsen <nils@redhat.com>
Date: Thu Aug 4 12:47:44 2011 +0200
file-gif-load: ensure return value of LZWReadByte() is <= 255
(cherry picked from commit b1a3de761362db982c0ddfaff60ab4a3c4267f32)
---
plug-ins/common/file-gif-load.c | 25 ++++++++++++++-----------
1 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
index 9a0720b..8460ec0 100644
--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@@ -697,7 +697,8 @@ LZWReadByte (FILE *fd,
static gint firstcode, oldcode;
static gint clear_code, end_code;
static gint table[2][(1 << MAX_LZW_BITS)];
- static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
+#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
+ static gint stack[STACK_SIZE], *sp;
gint i;
if (just_reset_LZW)
@@ -743,11 +744,11 @@ LZWReadByte (FILE *fd,
}
while (firstcode == clear_code);
- return firstcode;
+ return firstcode & 255;
}
if (sp > stack)
- return *--sp;
+ return (*--sp) & 255;
while ((code = GetCode (fd, code_size, FALSE)) >= 0)
{
@@ -770,9 +771,9 @@ LZWReadByte (FILE *fd,
sp = stack;
firstcode = oldcode = GetCode (fd, code_size, FALSE);
- return firstcode;
+ return firstcode & 255;
}
- else if (code == end_code)
+ else if (code == end_code || code > max_code)
{
gint count;
guchar buf[260];
@@ -791,13 +792,14 @@ LZWReadByte (FILE *fd,
incode = code;
- if (code >= max_code)
+ if (code == max_code)
{
- *sp++ = firstcode;
+ if (sp < &(stack[STACK_SIZE]))
+ *sp++ = firstcode;
code = oldcode;
}
- while (code >= clear_code)
+ while (code >= clear_code && sp < &(stack[STACK_SIZE]))
{
*sp++ = table[1][code];
if (code == table[0][code])
@@ -808,7 +810,8 @@ LZWReadByte (FILE *fd,
code = table[0][code];
}
- *sp++ = firstcode = table[1][code];
+ if (sp < &(stack[STACK_SIZE]))
+ *sp++ = firstcode = table[1][code];
if ((code = max_code) < (1 << MAX_LZW_BITS))
{
@@ -826,10 +829,10 @@ LZWReadByte (FILE *fd,
oldcode = incode;
if (sp > stack)
- return *--sp;
+ return (*--sp) & 255;
}
- return code;
+ return code & 255;
}
static gint32
--
1.7.6