From 62718f821b7c79a6860b8b25f0a21a91daa6e22d Mon Sep 17 00:00:00 2001 From: Nils Philippsen Date: Thu, 4 Aug 2011 12:51:42 +0200 Subject: [PATCH 2/2] file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896) (cherry picked from commit 376ad788c1a1c31d40f18494889c383f6909ebfc) --- plug-ins/common/file-gif-load.c | 15 +++++++++------ 1 files changed, 9 insertions(+), 6 deletions(-) diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c index a4d98fc..8460ec0 100644 --- a/plug-ins/common/file-gif-load.c +++ b/plug-ins/common/file-gif-load.c @@ -697,7 +697,8 @@ LZWReadByte (FILE *fd, static gint firstcode, oldcode; static gint clear_code, end_code; static gint table[2][(1 << MAX_LZW_BITS)]; - static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp; +#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2) + static gint stack[STACK_SIZE], *sp; gint i; if (just_reset_LZW) @@ -772,7 +773,7 @@ LZWReadByte (FILE *fd, return firstcode & 255; } - else if (code == end_code) + else if (code == end_code || code > max_code) { gint count; guchar buf[260]; @@ -791,13 +792,14 @@ LZWReadByte (FILE *fd, incode = code; - if (code >= max_code) + if (code == max_code) { - *sp++ = firstcode; + if (sp < &(stack[STACK_SIZE])) + *sp++ = firstcode; code = oldcode; } - while (code >= clear_code) + while (code >= clear_code && sp < &(stack[STACK_SIZE])) { *sp++ = table[1][code]; if (code == table[0][code]) @@ -808,7 +810,8 @@ LZWReadByte (FILE *fd, code = table[0][code]; } - *sp++ = firstcode = table[1][code]; + if (sp < &(stack[STACK_SIZE])) + *sp++ = firstcode = table[1][code]; if ((code = max_code) < (1 << MAX_LZW_BITS)) { -- 1.7.6.3