diff options
| author | Robert Ancell <robert.ancell@canonical.com> | 2020-11-30 12:26:12 +1300 |
|---|---|---|
| committer | Robert Ancell <robert.ancell@canonical.com> | 2020-12-08 11:22:01 +1300 |
| commit | bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81 (patch) | |
| tree | 4fb0bf828c10019e2e489d28d8895b17eb187bb4 /gdk-pixbuf/lzw.c | |
| parent | 3c6779c37482d8c322446629a5407d7bd912b23d (diff) | |
| download | gdk-pixbuf-bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81.tar.gz | |
gif: Fix LZW decoder accepting invalid LZW code.
The code value after a reset wasn't being validated, which means we would
accept invalid codes. This could cause an infinite loop in the decoder.
Fixes CVE-2020-29385
Fixes https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
Diffstat (limited to 'gdk-pixbuf/lzw.c')
| -rw-r--r-- | gdk-pixbuf/lzw.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c index 9e052a6f7..105daf2b1 100644 --- a/gdk-pixbuf/lzw.c +++ b/gdk-pixbuf/lzw.c @@ -195,19 +195,20 @@ lzw_decoder_feed (LZWDecoder *self, if (self->last_code != self->clear_code && self->code_table_size < MAX_CODES) { if (self->code < self->code_table_size) add_code (self, self->code); - else if (self->code == self->code_table_size) + else add_code (self, self->last_code); - else { - /* Invalid code received - just stop here */ - self->last_code = self->eoi_code; - return output_length; - } /* When table is full increase code size */ if (self->code_table_size == (1 << self->code_size) && self->code_size < LZW_CODE_MAX) self->code_size++; } + /* Invalid code received - just stop here */ + if (self->code >= self->code_table_size) { + self->last_code = self->eoi_code; + return output_length; + } + /* Convert codeword into indexes */ n_written += write_indexes (self, output + n_written, output_length - n_written); } |