From 3c94bf44fed260b404dbcd2c6615e2abd8f39281 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Thu, 12 Jul 2012 12:52:01 +0200
Subject: [PATCH] patch: CVE-2011-2896

Squashed commit of the following:
commit 4713e4998f20c7b08b6bbe95599400a4ff77eb14
Author: Nils Philippsen <nils@redhat.com>
Date: Thu Jul 12 12:40:33 2012 +0200
gifload: fix heap corruption and buffer overflow (CVE-2011-2896)
(backported from commit 376ad788c1a1c31d40f18494889c383f6909ebfc)
commit 25f2fd1a69bc4e122558575cfdc6dcfa1cc5ad08
Author: Nils Philippsen <nils@redhat.com>
Date: Thu Jul 12 12:33:27 2012 +0200
gifload: ensure return value of LZWReadByte() is <= 255
(backported from commit b1a3de761362db982c0ddfaff60ab4a3c4267f32)
---
 plug-ins/common/gifload.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/plug-ins/common/gifload.c b/plug-ins/common/gifload.c
index 2d182a6..9744fbb 100644
--- a/plug-ins/common/gifload.c
+++ b/plug-ins/common/gifload.c
@@ -658,7 +658,8 @@ LZWReadByte (FILE *fd,
 static int firstcode, oldcode;
 static int clear_code, end_code;
 static int table[2][(1 << MAX_LZW_BITS)];
- static int stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
+#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
+ static int stack[STACK_SIZE], *sp;
 register int i;
 if (just_reset_LZW)
@@ -704,11 +705,11 @@ LZWReadByte (FILE *fd,
 GetCode (fd, code_size, FALSE);
 } while (firstcode == clear_code);
- return firstcode;
+ return firstcode & 255;
 }
 if (sp > stack)
- return *--sp;
+ return (*--sp) & 255;
 while ((code = GetCode (fd, code_size, FALSE)) >= 0)
 {
@@ -730,9 +731,9 @@ LZWReadByte (FILE *fd,
 sp = stack;
 firstcode = oldcode = GetCode (fd, code_size, FALSE);
- return firstcode;
+ return firstcode & 255;
 }
- else if (code == end_code)
+ else if (code == end_code || code > max_code)
 {
 int count;
 unsigned char buf[260];
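Review bot: `#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)` in the @@ -658 hunk is introduced in the middle of LZWReadByte's declaration list and never `#undef`'d, so a very generic macro name stays visible to the rest of the translation unit while restating the bound the array declaration already carries. The three bound checks added later in this patch only need the one-past-the-end address of the array, so a scoped `enum { STACK_SIZE = (1 << (MAX_LZW_BITS)) * 2 };` next to the declaration (or at file scope beside MAX_LZW_BITS) would give a debugger-visible constant without macro leakage, and `stack + sizeof stack / sizeof stack[0]` would avoid repeating the size at all. The rest of the declaration list and the function body lie outside this hunk.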
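Review bot: `return firstcode & 255;` in the @@ -704 hunk masks a value that was assigned straight from GetCode() without a sign check, and the loop condition `while ((code = GetCode (fd, code_size, FALSE)) >= 0)` in the same hunk shows GetCode() can yield a negative result; on a two's-complement target `-1 & 255` is 255, so a truncated or malformed stream would be reported as a valid pixel index rather than as an error. The same applies to `return firstcode & 255;` in the @@ -730 hunk and to `return code & 255;` at the end of the @@ -785 hunk, where the loop has exited precisely because code went negative. If callers of LZWReadByte() rely on a negative return to detect end-of-data or failure (the callers are not part of this patch), the masks should preserve the sign, e.g. `return firstcode < 0 ? firstcode : (firstcode & 255);`, and likewise for the other two returns. The enclosing do/while that produces firstcode starts before this hunk.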
@@ -750,13 +751,14 @@ LZWReadByte (FILE *fd,
 incode = code;
- if (code >= max_code)
+ if (code == max_code)
 {
- *sp++ = firstcode;
+ if (sp < &(stack[STACK_SIZE]))
+ *sp++ = firstcode;
 code = oldcode;
 }
- while (code >= clear_code)
+ while (code >= clear_code && sp < &(stack[STACK_SIZE]))
 {
 *sp++ = table[1][code];
 if (code == table[0][code])
@@ -767,7 +769,8 @@ LZWReadByte (FILE *fd,
 code = table[0][code];
 }
- *sp++ = firstcode = table[1][code];
+ if (sp < &(stack[STACK_SIZE]))
+ *sp++ = firstcode = table[1][code];
 if ((code = max_code) < (1 << MAX_LZW_BITS))
 {
@@ -785,9 +788,9 @@ LZWReadByte (FILE *fd,
 oldcode = incode;
 if (sp > stack)
- return *--sp;
+ return (*--sp) & 255;
 }
- return code;
+ return code & 255;
 }
 static gint32
-- 
1.7.10.4
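Review bot: The `sp < &(stack[STACK_SIZE])` guards in the @@ -750 hunk (and the one in the @@ -767 hunk) stop the out-of-bounds writes but then let decoding carry on as if nothing happened: a dropped push silently shortens the emitted pixel run, and since the stack is sized at twice the code table (see the @@ -658 hunk) a chain long enough to fill it would indicate a corrupt or cyclic code table, at which point the stream is not recoverable anyway. It would be safer to detect exhaustion once after the `while (code >= clear_code && ...)` loop — `if (sp == &(stack[STACK_SIZE]))` — and return the same error value the `end_code || code > max_code` branch uses (that branch's return is outside the hunk), rather than handing truncated data to the caller. The remainder of LZWReadByte's body continues beyond this hunk.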
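Review bot: Guarding the whole statement `*sp++ = firstcode = table[1][code];` in the @@ -767 hunk also suppresses the update of firstcode when the stack is full, so firstcode keeps the value left over from the previous code; if, as the following `if ((code = max_code) < (1 << MAX_LZW_BITS))` line suggests, the lines after the hunk record firstcode into the dictionary, that entry is then built from stale state. Splitting the assignment keeps the dictionary bookkeeping independent of whether the push happened: `firstcode = table[1][code];` followed by `if (sp < &(stack[STACK_SIZE])) *sp++ = firstcode;`. The table update and the rest of the function lie outside this hunk.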