Package: libgd2 / 2.1.0-5+deb8u11

0013-gif-avoid-out-of-bound-reads-of-masks-array-209.patch
From: Mike Frysinger <vapier@gentoo.org>
Date: Sat, 14 May 2016 02:13:15 -0400
Subject: gif: avoid out-of-bound reads of masks array #209

When given invalid inputs, we might be fed the EOF marker before it is
actually the EOF.  The gif logic assumes once it sees the EOF marker,
there won't be any more data, so it leaves the cur_bits index possibly
negative.  So when we get more data, we underflow the masks array.

Flag it so we don't try to output anything more.  The image is invalid,
so we shouldn't be truncating any valid inputs.

This fixes #209.
---
 src/gd_gif_out.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/gd_gif_out.c b/src/gd_gif_out.c
index c863172..6a75094 100644
--- a/src/gd_gif_out.c
+++ b/src/gd_gif_out.c
@@ -1000,15 +1000,23 @@ nomatch:
  * code in turn.  When the buffer fills up empty it and start over.
  */
 
-static unsigned long masks[] = {
+static const unsigned long masks[] = {
 	0x0000, 0x0001, 0x0003, 0x0007, 0x000F,
 	0x001F, 0x003F, 0x007F, 0x00FF,
 	0x01FF, 0x03FF, 0x07FF, 0x0FFF,
 	0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF
 };
 
+/* Arbitrary value to mark output is done.  When we see EOFCode, then we don't
+ * expect to see any more data.  If we do (e.g. corrupt image inputs), cur_bits
+ * might be negative, so flag it to return early.
+ */
+#define CUR_BITS_FINISHED -1000
+
 static void output(code_int code, GifCtx *ctx)
 {
+	if (ctx->cur_bits == CUR_BITS_FINISHED)
+		return;
 	ctx->cur_accum &= masks[ctx->cur_bits];
 
 	if(ctx->cur_bits > 0) {
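Review bot: the early return added at the top of output() only catches the exact sentinel value, so a cur_bits that is negative for any reason other than the EOF path, or one beyond the 17 entries of masks[] (indices 0..16), would still be used as an index into masks[] one line later. Since the commit message already treats this as an invalid-input case where dropping output is acceptable, a range check is a cheaper and more complete guard, e.g. `if (ctx->cur_bits < 0 || ctx->cur_bits >= (int)(sizeof(masks) / sizeof(masks[0]))) return;`, which would subsume the sentinel comparison. Note also that `#define CUR_BITS_FINISHED -1000` relies on cur_bits being a signed type; its declaration in GifCtx is not in this hunk, so that should be confirmed (and the macro value parenthesised, `(-1000)`, for safe use in expressions). Making masks[] `const` is a good tightening.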
@@ -1050,6 +1058,8 @@ static void output(code_int code, GifCtx *ctx)
 			ctx->cur_accum >>= 8;
 			ctx->cur_bits -= 8;
 		}
+		/* Flag that it's done to prevent re-entry. */
+		ctx->cur_bits = CUR_BITS_FINISHED;
 
 		flush_char(ctx);
 	}
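Review bot: once `ctx->cur_bits = CUR_BITS_FINISHED` is set here, every later call to output() silently returns and the caller has no way to tell that data was discarded because the input was corrupt; the encoder will still finish and hand back a file that looks complete. Consider recording the condition as well (an error flag in GifCtx that the GIF writer can check, or a warning through the library's error reporting) so corrupt input is reported rather than only suppressed. The assignment itself is correctly placed after the loop that drains cur_accum, so the final bits are still emitted before the context is marked finished.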