diff options
| author | Tobias Mueller <muelli@cryptobitch.de> | 2017-11-10 18:51:21 +0100 |
|---|---|---|
| committer | Bastien Nocera <hadess@hadess.net> | 2017-12-04 17:27:30 +0100 |
| commit | c1fd9f5d6592c0183c54efc806b3ca6871e1f496 (patch) | |
| tree | 0eafea4f99403caea9e5de13a257ecb817c04082 | |
| parent | ced897e6c5d642341f49cf45f55e7524e04fa122 (diff) | |
| download | gdk-pixbuf-c1fd9f5d6592c0183c54efc806b3ca6871e1f496.tar.gz | |
gif: Initialise code_last_byte to not cause undefined behaviour
Currently, code_last_byte is set only after it has been used, i.e.
context->block_buf[0] = context->block_buf[context->code_last_byte - 2];
comes before anything has touched context->code_last_byte yet.
Except for the initialisation.
context->code_last_byte is set a few lines later, though.
And nowhere else, except for the initialisation which sets it
to 0. That will inevitably lead to context->block_buf[-2] which is
undefined behaviour.
We hence set the code_last_byte to 2 in order to not make that
array index invalid.
https://bugzilla.gnome.org/show_bug.cgi?id=778584
| -rw-r--r-- | gdk-pixbuf/io-gif.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c index acbd1f3be..61821bdf9 100644 --- a/gdk-pixbuf/io-gif.c +++ b/gdk-pixbuf/io-gif.c @@ -1165,7 +1165,12 @@ gif_prepare_lzw (GifContext *context) context->lzw_fresh = TRUE; context->code_curbit = 0; context->code_lastbit = 0; - context->code_last_byte = 0; + /* During initialistion (in gif_lzw_fill_buffer) we substract 2 from + * this value to peek into a buffer. + * In order to not get a negative array index later, we set the value + * to that magic 2 now. + */ + context->code_last_byte = 2; context->code_done = FALSE; g_assert (context->lzw_clear_code <= |