diff options
author | Remi Collet <fedora@famillecollet.com> | 2014-12-13 08:48:18 +0100 |
---|---|---|
committer | Remi Collet <fedora@famillecollet.com> | 2014-12-13 08:48:18 +0100 |
commit | 47eb44b2e90ca88a08dca9f9a1aa9041e9587f43 (patch) | |
tree | ec3eebd8fd9989fd3241ef53aa676d5ca39830cb /src/gd_gif_in.c | |
parent | 6db34b72f7222fb2172ca577d38573f17d7b2d49 (diff) | |
download | libgd-47eb44b2e90ca88a08dca9f9a1aa9041e9587f43.tar.gz |
Fix possible buffer read overflow
detected by -fsanitize=address, thanks to Jan Bee
Diffstat (limited to 'src/gd_gif_in.c')
-rw-r--r-- | src/gd_gif_in.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/gd_gif_in.c b/src/gd_gif_in.c index b3b4ca3..13a663c 100644 --- a/src/gd_gif_in.c +++ b/src/gd_gif_in.c @@ -75,8 +75,10 @@ static struct { #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2) +#define CSD_BUF_SIZE 280 + typedef struct { - unsigned char buf[280]; + unsigned char buf[CSD_BUF_SIZE]; int curbit; int lastbit; int done; @@ -468,7 +470,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD ret = 0; for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) { - ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; + if (i < CSD_BUF_SIZE * 8) { + ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; + } else { + ret = -1; + break; + } } scd->curbit += code_size; |