1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Tue, 25 Jan 2022 18:11:34 -0500
Subject: CVE-2022-24191
Fix a potential stack overflow bug with GIF images (Issue #470)
---
htmldoc/image.cxx | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
index 91074a6..a85f1f9 100644
--- a/htmldoc/image.cxx
+++ b/htmldoc/image.cxx
@@ -453,7 +453,6 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
{
uchar buf[260];
-
if (!gif_eof)
while (gif_get_block(fp, buf) > 0);
@@ -470,17 +469,23 @@ gif_read_lzw(FILE *fp, /* I - File to read from */
while (code >= clear_code)
{
+ if (sp >= (stack + sizeof(stack)))
+ return (255);
+
*sp++ = table[1][code];
+
if (code == table[0][code])
return (255);
code = table[0][code];
}
+ if (sp >= (stack + sizeof(stack)))
+ return (255);
+
*sp++ = firstcode = table[1][code];
- code = max_code;
- if (code < 4096)
+ if ((code = max_code) < 4096)
{
table[0][code] = oldcode;
table[1][code] = firstcode;
|
