authorMatthias Clasen <matthiasc@src.gnome.org>2002-10-22 22:41:58 +0000
committerMatthias Clasen <matthiasc@src.gnome.org>2002-10-22 22:41:58 +0000
commitfbccc0848ded858cf6681050cc8c880fe9c91c00 (patch)
treedda665132d89342cb9478a545212ef139b477d9a /gdk-pixbuf
parentf900039c8f0562119aa7e66105155449a07ab721 (diff)
downloadgdk-pixbuf-fbccc0848ded858cf6681050cc8c880fe9c91c00.tar.gz
Check for stack overflow throughout. (#91808, Elliot Lee)
* io-gif.c (lzw_read_byte): Check for stack overflow throughout. (#91808, Elliot Lee)
Diffstat (limited to 'gdk-pixbuf')
-rw-r--r--gdk-pixbuf/ChangeLog5
-rw-r--r--gdk-pixbuf/io-gif.c14
2 files changed, 17 insertions, 2 deletions
diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog
index 4cdb33ab4..1bb1938c6 100644
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
@@ -1,3 +1,8 @@
+2002-10-23 Matthias Clasen <maclas@gmx.de>
+
+ * io-gif.c (lzw_read_byte): Check for stack overflow throughout.
+ (#91808, Elliot Lee)
+
2002-10-21 Matthias Clasen <maclas@gmx.de>
Support the Netscape application extension for gif animations
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index 7342c3ef9..6eb364ec1 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -565,6 +565,14 @@ gif_lzw_clear_code (GifContext *context)
return 0;
}
+#define CHECK_LZW_SP() if(((guchar *)context->lzw_sp) >= (((guchar *)context->lzw_stack) + sizeof(context->lzw_stack))) { \
+ g_set_error (context->error, \
+ GDK_PIXBUF_ERROR, \
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE, \
+ _("Stack overflow")); \
+ return -2; \
+}
+
static int
lzw_read_byte (GifContext *context)
{
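Review bot: CHECK_LZW_SP expands to a bare `if (...) { ... }`, so every `CHECK_LZW_SP ();` call leaves a stray empty statement and would bind wrongly if one were ever placed directly before an `else`; wrapping the expansion as `do { if (...) { ...; return -2; } } while (0)` avoids both. The macro also hides a `return -2` and an implicit use of the caller's `context`, so it deserves a comment above it such as `/* Returns -2 from the calling function, with a CORRUPT_IMAGE error set, once lzw_sp has reached the end of lzw_stack. */`. The bound uses `sizeof(context->lzw_stack)`, which is the stack's size in bytes only if `lzw_stack` is declared as an array member of GifContext; the declaration is outside this hunk, so that should be confirmed. The macro is used in the two later hunks of lzw_read_byte, whose body continues past the end of this hunk.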
@@ -639,19 +647,20 @@ lzw_read_byte (GifContext *context)
incode = code;
if (code >= context->lzw_max_code) {
+ CHECK_LZW_SP ();
*(context->lzw_sp)++ = context->lzw_firstcode;
code = context->lzw_oldcode;
}
while (code >= context->lzw_clear_code) {
- if ((code >= (1 << MAX_LZW_BITS))
- || (context->lzw_sp >= context->lzw_stack + ((1 << (MAX_LZW_BITS)) * 2 + 1))) {
+ if (code >= (1 << MAX_LZW_BITS)) {
g_set_error (context->error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
_("Bad code encountered"));
return -2;
}
+ CHECK_LZW_SP ();
*(context->lzw_sp)++ = context->lzw_table[1][code];
if (code == context->lzw_table[0][code]) {
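Review bot: The `if (code >= context->lzw_max_code)` branch treats every out-of-table code as the one not-yet-defined code that a well-formed LZW stream may reference, so a code strictly greater than `lzw_max_code` is silently replaced by `lzw_oldcode` rather than reported as corrupt. If `lzw_max_code` is the next free table slot, as its use in the last hunk suggests, a guard such as `if (code > context->lzw_max_code)` that sets the CORRUPT_IMAGE error and returns -2 before this branch would reject such input early. The added CHECK_LZW_SP calls do bound the two stack writes in this hunk, so this concerns input validation rather than the overflow itself. lzw_read_byte starts and ends outside the hunk, so whether `lzw_oldcode` is always a valid table index at this point cannot be confirmed from here.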
@@ -664,6 +673,7 @@ lzw_read_byte (GifContext *context)
code = context->lzw_table[0][code];
}
+ CHECK_LZW_SP ();
*(context->lzw_sp)++ = context->lzw_firstcode = context->lzw_table[1][code];
if ((code = context->lzw_max_code) < (1 << MAX_LZW_BITS)) {