From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Tue, 25 Jan 2022 18:11:34 -0500
Subject: CVE-2022-24191
Fix a potential stack overflow bug with GIF images (Issue #470)
---
htmldoc/image.cxx | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
index 91074a6..a85f1f9 100644
--- a/htmldoc/image.cxx
+++ b/htmldoc/image.cxx
@@ -453,7 +453,6 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
{
uchar buf[260];
-
if (!gif_eof)
while (gif_get_block(fp, buf) > 0);
@@ -470,17 +469,23 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
while (code >= clear_code)
{
+ if (sp >= (stack + sizeof(stack)))
+ return (255);
+
*sp++ = table[1][code];
+
if (code == table[0][code])
return (255);
code = table[0][code];
}
+ if (sp >= (stack + sizeof(stack)))
+ return (255);
+
*sp++ = firstcode = table[1][code];
- code = max_code;
- if (code < 4096)
+ if ((code = max_code) < 4096)
{
table[0][code] = oldcode;
table[1][code] = firstcode;
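Review bot: Both added guards compare `sp` against `stack + sizeof(stack)`, which advances by the array's size in bytes rather than its element count, so the limit is only the true end of the array if `stack` has one-byte elements. The declaration of `stack` is outside this hunk, so that cannot be confirmed here; if its element type is wider (for example `short`), the limit lies beyond the array and `*sp++` can still write out of bounds on a malformed GIF. An element-count bound is correct for any element type: `if (sp >= stack + sizeof(stack) / sizeof(stack[0]))`, applied to the check inside the `while (code >= clear_code)` loop and the one after it. The body of gif_read_lzw starts and ends outside the hunk, so it is also worth confirming that every other `*sp++` write is guarded.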