authorTobias Mueller <muelli@cryptobitch.de>2016-12-14 08:03:16 +0100
committerBastien Nocera <hadess@hadess.net>2017-12-04 17:27:30 +0100
commit23e2a7c4b7794220ecd77389b3976c0767fc839d (patch)
tree2e32650c14324d7d5c7f2774a8b7e47b14bd9b8d /gdk-pixbuf/io-gif.c
parenta6303ad765882555cf1b278a09be5f9e4cf3a39d (diff)
downloadgdk-pixbuf-23e2a7c4b7794220ecd77389b3976c0767fc839d.tar.gz
gif: Prevent access to negative array indexes
It seems that a pathological gif file can cause a negative array index to be read. UBSAN reported this: io-gif.c:509:44: runtime error: index -2 out of bounds for type 'guchar [280]' io-gif.c:510:44: runtime error: index -1 out of bounds for type 'guchar [280]' https://bugzilla.gnome.org/show_bug.cgi?id=778584
Diffstat (limited to 'gdk-pixbuf/io-gif.c')
-rw-r--r--gdk-pixbuf/io-gif.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index ef1001779..acbd1f3be 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -508,6 +508,14 @@ gif_lzw_fill_buffer (GifContext *context)
return -2;
}
+ if (context->code_last_byte < 2) {
+ g_set_error_literal (context->error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Bad code encountered"));
+ return -2;
+ }
+
context->block_buf[0] = context->block_buf[context->code_last_byte - 2];
context->block_buf[1] = context->block_buf[context->code_last_byte - 1];
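Review bot: The new guard on `context->code_last_byte` checks only the lower bound, so the two `block_buf` reads that follow are protected against a negative index but not against one past the end of the 280-byte array named in the UBSAN report. Whether `code_last_byte` can exceed that size is not visible in this hunk and may already be ruled out where the field is assigned; if it is not, the condition could become `if (context->code_last_byte < 2 || context->code_last_byte > G_N_ELEMENTS (context->block_buf)) {`. A short comment above the check would also explain the constant, for example `/* the last two bytes of the previous block are carried over below; fewer than two would index before block_buf */`. The body of gif_lzw_fill_buffer starts and ends outside the hunk.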