Fix possible buffer read overflow

detected by -fsanitize=address, thanks to Jan Bee
author: Remi Collet <fedora@famillecollet.com> 2014-12-13 08:48:18 +0100
committer: Remi Collet <fedora@famillecollet.com> 2014-12-13 08:48:18 +0100
commit: 47eb44b2e90ca88a08dca9f9a1aa9041e9587f43 (patch)
tree: ec3eebd8fd9989fd3241ef53aa676d5ca39830cb /src/gd_gif_in.c
parent: 6db34b72f7222fb2172ca577d38573f17d7b2d49 (diff)
download: libgd-47eb44b2e90ca88a08dca9f9a1aa9041e9587f43.tar.gz
1 files changed, 9 insertions, 2 deletions
diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c
index b3b4ca3..13a663c 100644
--- a/src/gd_gif_in.c
+++ b/src/gd_gif_in.c
@@ -75,8 +75,10 @@ static struct {
 
 #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
 
+#define CSD_BUF_SIZE 280
+
 typedef struct {
-	unsigned char buf[280];
+	unsigned char buf[CSD_BUF_SIZE];
 	int curbit;
 	int lastbit;
 	int done;
@@ -468,7 +470,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
 
 	ret = 0;
 	for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
-		ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+		if (i < CSD_BUF_SIZE * 8) {
+			ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+		} else {
+			ret = -1;
+			break;
+		}
 	}
 
 	scd->curbit += code_size;
author	Remi Collet <fedora@famillecollet.com>	2014-12-13 08:48:18 +0100
committer	Remi Collet <fedora@famillecollet.com>	2014-12-13 08:48:18 +0100
commit	47eb44b2e90ca88a08dca9f9a1aa9041e9587f43 (patch)
tree	ec3eebd8fd9989fd3241ef53aa676d5ca39830cb /src/gd_gif_in.c
parent	6db34b72f7222fb2172ca577d38573f17d7b2d49 (diff)
download	libgd-47eb44b2e90ca88a08dca9f9a1aa9041e9587f43.tar.gz