authorJiyong Min <jiyong.min@samsung.com>2016-09-20 17:37:27 +0900
committerJiyong Min <jiyong.min@samsung.com>2016-09-20 17:39:47 +0900
commit8236083c901e4740d31e916bccfecf37522f82f2 (patch)
tree83fe5ac4eadedb74a9603271e7d1c7e3cadc32ac
parent1491cb513376d428780c3dcfa03383f532e06d8a (diff)
- Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb). Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1.2 allows remote attackers to cause a denial of service (application crash) via the background color index in a GIF file. Change-Id: I8fcf54bb71c5fb55e79a4c4150d348098984977b Signed-off-by: Jiyong Min <jiyong.min@samsung.com>
-rw-r--r--NEWS8
-rw-r--r--lib/dgif_lib.c5
-rw-r--r--util/gif2rgb.c8
3 files changed, 20 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 89d6f24..df795e0 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,13 @@
GIFLIB NEWS
+Repository head
+===============
+
+Code Fixes
+----------
+
+* Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb).
+
Version 5.1.2
=============
diff --git a/lib/dgif_lib.c b/lib/dgif_lib.c
index e22925e..09dccc2 100644
--- a/lib/dgif_lib.c
+++ b/lib/dgif_lib.c
@@ -289,6 +289,11 @@ DGifGetScreenDesc(GifFileType *GifFile)
GifFile->SColorMap = NULL;
}
+ /*
+ * No check here for whether the background color is in range for the
+ * screen color map. Possibly there should be.
+ */
+
return GIF_OK;
}
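Review bot: The comment added at the end of DGifGetScreenDesc notes that SBackGroundColor is not range-checked, but it does not tell callers that the check is now their responsibility. The only validation in this commit is in util/gif2rgb.c, so any other program that indexes the colour map with the background colour still receives the unvalidated value from the file. I would word the comment as a contract, e.g. `/* SBackGroundColor is NOT validated here: callers must check SColorMap != NULL and 0 <= SBackGroundColor < SColorMap->ColorCount before indexing. */`. If a library-side check is preferred instead, it has to handle the branch just above that sets `GifFile->SColorMap = NULL`, where there is no range to compare against. The function body starts outside this hunk, so how the field is read is not visible here.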
diff --git a/util/gif2rgb.c b/util/gif2rgb.c
index c71d4fa..051c5a2 100644
--- a/util/gif2rgb.c
+++ b/util/gif2rgb.c
@@ -15,7 +15,7 @@ Toshio Kuratomi had written this in a comment about the rgb2gif code:
I (ESR) took this off the main to-do list in 2012 because I don't think
the GIFLIB project actually needs to be in the converters-and-tools business.
-Plenty of hackers do that; our jub is to supply stable library capability
+Plenty of hackers do that; our job is to supply stable library capability
with our utilities mainly interesting as test tools.
***************************************************************************/
@@ -478,6 +478,12 @@ static void GIF2RGB(int NumFiles, char *FileName,
exit(EXIT_FAILURE);
}
+ /* check that the background color isn't garbage (SF bug #87) */
+ if (GifFile->SBackGroundColor < 0 || GifFile->SBackGroundColor >= ColorMap->ColorCount) {
+ fprintf(stderr, "Background color out of range for colormap\n");
+ exit(EXIT_FAILURE);
+ }
+
DumpScreen2RGB(OutFileName, OneFileFlag,
ColorMap,
ScreenBuffer,