authorMike Frysinger <vapier@gentoo.org>2018-01-26 01:57:52 -0500
committerMike Frysinger <vapier@gentoo.org>2018-01-26 01:57:52 -0500
commit9fa3abd2e61da18ed2b889704e4e252f0f5a95fe (patch)
tree9e9e292dfa21cc1c496ef804ae47d06aa150b6b9
parenta8f1d5cab0cad2bca2ed88a49c3f3de8585ff19b (diff)
downloadlibgd-9fa3abd2e61da18ed2b889704e4e252f0f5a95fe.tar.gz
gif: fix out-of-bounds read w/corrupted lzw data
oss-fuzz pointed out: gd_gif_in.c:605:16: runtime error: index 5595 out of bounds for type 'int [4096]' Add some bounds checking on each code that we read from the file.
-rw-r--r--src/gd_gif_in.c8
-rw-r--r--tests/gif/.gitignore1
-rw-r--r--tests/gif/CMakeLists.txt3
-rw-r--r--tests/gif/Makemodule.am2
-rw-r--r--tests/gif/ossfuzz5700.c13
-rw-r--r--tests/gif/ossfuzz5700.gifbin0 -> 30 bytes
6 files changed, 26 insertions, 1 deletions
diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
index afc08bf..daf26e7 100644
--- a/src/gd_gif_in.c
+++ b/src/gd_gif_in.c
@@ -601,6 +601,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i
/* Bad compressed data stream */
return -1;
}
+ if(code >= (1 << MAX_LWZ_BITS)) {
+ /* Corrupted code */
+ return -1;
+ }
*sd->sp++ = sd->table[1][code];
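Review bot: The new guards on the `code` index (here at +601 and again in the second hunk at +614) reject only values at or above `1 << MAX_LWZ_BITS`; a negative `code` would still index before `sd->table[1]`. Whether `code` can be negative at either site is not visible in the hunk — at +614 it is whatever `sd->table[0][code]` last yielded in the loop above, and the earlier assignment paths lie outside the hunk — so unless that is ruled out elsewhere, `if(code < 0 || code >= (1 << MAX_LWZ_BITS)) {` closes the lower bound at both sites. Since the same four lines appear twice, a `static inline` predicate (say `lwz_code_in_range(code)`) would keep the bound in one place, and a comment such as `/* sd->table[][] has 1 << MAX_LWZ_BITS entries; reject codes that would index past it */` states why this particular limit is the right one. LWZReadByte_ starts and ends outside both hunks.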
@@ -610,6 +614,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i
code = sd->table[0][code];
}
+ if(code >= (1 << MAX_LWZ_BITS)) {
+ /* Corrupted code */
+ return -1;
+ }
*sd->sp++ = sd->firstcode = sd->table[1][code];
diff --git a/tests/gif/.gitignore b/tests/gif/.gitignore
index d22658d..4e80a4b 100644
--- a/tests/gif/.gitignore
+++ b/tests/gif/.gitignore
@@ -7,4 +7,5 @@
/bug00227
/gif_im2im
/gif_null
+/ossfuzz5700
/uninitialized_memory_read
diff --git a/tests/gif/CMakeLists.txt b/tests/gif/CMakeLists.txt
index 7d40cdd..2b73749 100644
--- a/tests/gif/CMakeLists.txt
+++ b/tests/gif/CMakeLists.txt
@@ -3,6 +3,8 @@ LIST(APPEND TESTS_FILES
bug00181
bug00227
gif_null
+ ossfuzz5700
+ uninitialized_memory_read
)
IF(PNG_FOUND)
@@ -12,7 +14,6 @@ LIST(APPEND TESTS_FILES
bug00060
bug00066
gif_im2im
- uninitialized_memory_read
)
ENDIF(PNG_FOUND)
diff --git a/tests/gif/Makemodule.am b/tests/gif/Makemodule.am
index 0bdeab7..3199438 100644
--- a/tests/gif/Makemodule.am
+++ b/tests/gif/Makemodule.am
@@ -3,6 +3,7 @@ libgd_test_programs += \
gif/bug00181 \
gif/bug00227 \
gif/gif_null \
+ gif/ossfuzz5700 \
gif/uninitialized_memory_read
if HAVE_LIBPNG
@@ -24,4 +25,5 @@ EXTRA_DIST += \
gif/bug00060.gif \
gif/bug00066.gif \
gif/bug00066_exp.png \
+ gif/ossfuzz5700.gif \
gif/unitialized_memory_read.gif
diff --git a/tests/gif/ossfuzz5700.c b/tests/gif/ossfuzz5700.c
new file mode 100644
index 0000000..8fc9f88
--- /dev/null
+++ b/tests/gif/ossfuzz5700.c
@@ -0,0 +1,13 @@
+#include <stdio.h>
+#include "gd.h"
+#include "gdtest.h"
+
+int main()
+{
+ gdImagePtr im;
+ FILE *fp = gdTestFileOpen("gif/ossfuzz5700.gif");
+ im = gdImageCreateFromGif(fp);
+ fclose(fp);
+ gdImageDestroy(im);
+ return 0;
+}
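Review bot: The new test in tests/gif/ossfuzz5700.c never checks the result of `gdImageCreateFromGif`, so it can only fail by crashing; for this corrupted input the fixed decoder presumably returns NULL, and the test would pin that with `gdTestAssert(im == NULL);` before the destroy call and `return gdNumFailures();` in place of `return 0;`. If `gdImageDestroy` does not accept a NULL image (not visible here), the call should be guarded with `if (im) gdImageDestroy(im);` so the regression test does not itself become the crash. The result of `gdTestFileOpen` is also passed straight to the decoder; if that helper can return NULL on a missing fixture, a `gdTestAssert(fp != NULL);` would make that failure readable. `int main()` should be `int main(void)` for a prototype-style definition.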
diff --git a/tests/gif/ossfuzz5700.gif b/tests/gif/ossfuzz5700.gif
new file mode 100644
index 0000000..315c5a8
--- /dev/null
+++ b/tests/gif/ossfuzz5700.gif
Binary files differ