author | Tobias Mueller <muelli@cryptobitch.de> | 2016-12-14 08:03:16 +0100 |
---|---|---|
committer | Bastien Nocera <hadess@hadess.net> | 2017-12-04 17:27:30 +0100 |
commit | 23e2a7c4b7794220ecd77389b3976c0767fc839d (patch) | |
tree | 2e32650c14324d7d5c7f2774a8b7e47b14bd9b8d /gdk-pixbuf/io-gif.c | |
parent | a6303ad765882555cf1b278a09be5f9e4cf3a39d (diff) | |
download | gdk-pixbuf-23e2a7c4b7794220ecd77389b3976c0767fc839d.tar.gz |
gif: Prevent access to negative array indexes
It seems that a pathological gif file can cause a negative array index
to be read. UBSAN reported this:
io-gif.c:509:44: runtime error: index -2 out of bounds for type 'guchar [280]'
io-gif.c:510:44: runtime error: index -1 out of bounds for type 'guchar [280]'
https://bugzilla.gnome.org/show_bug.cgi?id=778584
Diffstat (limited to 'gdk-pixbuf/io-gif.c')
-rw-r--r-- | gdk-pixbuf/io-gif.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index ef1001779..acbd1f3be 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -508,6 +508,14 @@ gif_lzw_fill_buffer (GifContext *context)
 return -2;
 }
+ if (context->code_last_byte < 2) {
+ g_set_error_literal (context->error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Bad code encountered"));
+ return -2;
+ }
+
 context->block_buf[0] = context->block_buf[context->code_last_byte - 2];
 context->block_buf[1] = context->block_buf[context->code_last_byte - 1];
|
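Review bot: The new guard in gif_lzw_fill_buffer bounds `context->code_last_byte` only from below, so the two `block_buf[...]` reads after it are still not checked against the top of the 280-byte array named in the UBSAN report. If nothing outside this hunk already caps the value, the condition could cover both ends, e.g. `if (context->code_last_byte < 2 || context->code_last_byte > (int) G_N_ELEMENTS (context->block_buf)) {`. A one-line comment above the check would also explain the constant 2, for example `/* the two copies below read block_buf[code_last_byte - 2] and [code_last_byte - 1] */`. The function starts before and continues after the hunk, so whether an upper limit is enforced elsewhere cannot be confirmed from here.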