Package: libgd2-xpm
Version: 2.0.33-2
Severity: normal
Tags: patch

Given a truncated GIF *buffer*, gd-2.0.33's gdImageCreateFromGifPtr
function gets stuck in an infinite loop.
Note that gdImageCreateFromGif does not have this problem.

Here's a simple program to illustrate the bug:
-----------------
#include <stdio.h>
#include <stdlib.h>
#include <gd.h>

int
main (void)
{
  char buf[40000];
  /* Slurp a (truncated) GIF from stdin into an in-memory buffer. */
  int len = fread (buf, 1, sizeof buf, stdin);
  /* Decode from the buffer, not from a FILE*: with gd-2.0.33 this
     call never returns when the data is truncated. */
  gdImagePtr im = gdImageCreateFromGifPtr (len, buf);
  if (im)
    gdImageDestroy (im);
  exit (0);
}
-----------------

Any .gif file will do as input.
Just remove a few bytes from the end (removing 2 is often enough).
For example, create a 1x1 GIF and output all but the last two bytes:

  perl -MGD -e 'print substr(new GD::Image(1,1)->gif,0,-2)' > gd-infloop.gif

Then compile and run the C program:

  # Compile it:
  $ gcc -O -W -Wall k.c -lgd

  # Demonstrate that it hangs;  interrupt after a few seconds:
  $ time ./a.out < gd-infloop.gif
  Command terminated by signal 2
  4.96user 0.00system 0:05.05elapsed 98%CPU (0avgtext+0avgdata 0maxresident)k
  0inputs+0outputs (0major+288minor)pagefaults 0swaps

  # Using the fixed library, it terminates right away:
  $ time env LD_LIBRARY_PATH=/var/tmp/gd/lib ./a.out < gd-infloop.gif
  0.00user 0.00system 0:00.01elapsed 90%CPU (0avgtext+0avgdata 0maxresident)k
  0inputs+0outputs (0major+383minor)pagefaults 0swaps

===================
You can demonstrate the infinite loop with a perl/GD one-liner, too.
This hangs:

  perl -MGD -e 'my $d = `cat gd-infloop.gif`; GD::Image->new($d) or die'

But with the patched library, it works fine:

  LD_LIBRARY_PATH=/var/tmp/gd/lib \
    perl -MGD -e 'my $d = `cat gd-infloop.gif`; GD::Image->new($d) or die'


================================
Here's the patch I'm using:
[don't treat a negative return value from gdGetBuf as `ok']

--- gd_gif_in.c.~1~     2005-04-24 01:04:05.624546171 +0200
+++ gd_gif_in.c 2005-04-20 18:55:47.975056540 +0200
@@ -43,7 +43,7 @@ static int set_verbose(void)
 #define LOCALCOLORMAP  0x80
 #define BitSet(byte, bit)      (((byte) & (bit)) == (bit))
 
-#define        ReadOK(file,buffer,len) (gdGetBuf(buffer, len, file) != 0)
+#define        ReadOK(file,buffer,len) (gdGetBuf(buffer, len, file) >= 0)
 
 #define LM_to_uint(a,b)                        (((b)<<8)|(a))
 
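Review bot: the new `>= 0` test turns a zero return from gdGetBuf into a successful read, which the old `!= 0` test rejected, and both definitions still accept a short read of fewer than `len` bytes; either case leaves `buffer` holding stale bytes that the caller then parses. The report above says gdImageCreateFromGif (the file-backed path) does not hang, so a reader that reports end of input as 0 rather than a negative value evidently depends on zero counting as failure. Suggest requiring a full read instead, `#define ReadOK(file,buffer,len) (gdGetBuf(buffer, len, file) == (len))`, which rejects negative, zero and partial returns alike.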


-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11.8
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages libgd2-xpm depends on:
ii  libc6                2.3.2.ds1-22        GNU C Library: Shared libraries an
ii  libfontconfig1       2.3.2-1             generic font configuration library
ii  libfreetype6         2.1.7-2.4           FreeType 2 font engine, shared lib
ii  libjpeg62            6b-10               The Independent JPEG Group's JPEG
ii  libpng12-0           1.2.8rel-1          PNG library - runtime
ii  libx11-6             4.3.0.dfsg.1-12.0.1 X Window System protocol client li
ii  libxpm4              4.3.0.dfsg.1-12.0.1 X pixmap library
ii  xlibs                4.3.0.dfsg.1-12     X Keyboard Extension (XKB) configu
ii  zlib1g               1:1.2.2-4           compression library - runtime

-- no debconf information
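To make the mechanism behind the hang and the ReadOK change concrete, here is an added example in C that is not gd's code and not part of the report above. It models a GIF data sub-block loop driven by a gdGetBuf-style reader and runs it under three candidate definitions of ReadOK: the original `!= 0`, the patch's `>= 0`, and a strict `== len`. The reader, its end-of-input return codes (a negative value for the in-memory context as described in the patch comment, 0 for an fread-style file context) and the block loop are assumptions made for this example; the input byte strings are constructed inline.

```c
/* Added example, not code from gd or from the bug report: a cut-down
   model of a GIF sub-block loop over a gdGetBuf-style reader, showing
   how ReadOK's return-value check decides whether a truncated input
   makes the decoder stop or spin.  Reader, policies and loop are
   assumptions made for this example. */
#include <stdio.h>
#include <string.h>

/* Stand-in for a gd I/O context (hypothetical).  eof_rc is what the
   reader returns once no bytes remain: -1 models the in-memory buffer
   context, 0 models an fread()-backed file context. */
struct ctx {
  const unsigned char *data;
  int size;
  int pos;
  int eof_rc;
};

/* Model of gdGetBuf: copies up to len bytes and returns the count, or
   eof_rc when the context is exhausted (buf is then left untouched). */
static int ctx_getbuf (struct ctx *c, void *buf, int len)
{
  int remain = c->size - c->pos;
  if (remain <= 0)
    return c->eof_rc;
  if (len > remain)
    len = remain;
  memcpy (buf, c->data + c->pos, len);
  c->pos += len;
  return len;
}

/* The three candidate definitions of ReadOK. */
enum policy {
  OK_IF_NONZERO,      /* gd-2.0.33:  gdGetBuf(...) != 0  */
  OK_IF_NONNEGATIVE,  /* the patch:  gdGetBuf(...) >= 0  */
  OK_IF_FULL          /* stricter:   gdGetBuf(...) == len */
};

static int read_ok (enum policy p, int got, int want)
{
  switch (p) {
    case OK_IF_NONZERO:     return got != 0;
    case OK_IF_NONNEGATIVE: return got >= 0;
    default:                return got == want;
  }
}

#define SKIP_HUNG  (-1)   /* loop never reached a terminator */
#define SKIP_ERROR (-2)   /* ReadOK reported failure; decoder bails out */

/* Walk GIF data sub-blocks (a count byte, then count bytes, ended by a
   zero count).  Returns the number of sub-blocks consumed, SKIP_ERROR
   if a read fails, or SKIP_HUNG if max_iters iterations pass without
   a terminator: the infinite loop in miniature.  When ReadOK accepts
   a read that stored nothing, count keeps its stale value forever. */
static int skip_sub_blocks (struct ctx *c, enum policy p, int max_iters)
{
  unsigned char count = 0, data[255];
  int blocks = 0, i;
  for (i = 0; i < max_iters; i++) {
    if (!read_ok (p, ctx_getbuf (c, &count, 1), 1))
      return SKIP_ERROR;
    if (count == 0)
      return blocks;
    if (!read_ok (p, ctx_getbuf (c, data, count), count))
      return SKIP_ERROR;
    blocks++;
  }
  return SKIP_HUNG;
}

/* Constructed inputs: a complete sub-block chain, and the same chain
   cut off inside its second block (no terminator ever arrives). */
static const unsigned char GOOD[]  = { 3, 'a', 'b', 'c', 0 };
static const unsigned char TRUNC[] = { 3, 'a', 'b', 'c', 2, 'x' };

/* Run one ReadOK policy over one byte string with one EOF convention. */
static int run (const unsigned char *bytes, int size, int eof_rc, enum policy p)
{
  struct ctx c = { bytes, size, 0, eof_rc };
  return skip_sub_blocks (&c, p, 1000);
}

int main (void)
{
  const char *names[] = { "!= 0", ">= 0", "== len" };
  int p;
  for (p = 0; p < 3; p++)
    printf ("ReadOK %-6s  good:%2d  trunc(buffer, EOF=-1):%2d  trunc(file, EOF=0):%2d\n",
            names[p],
            run (GOOD, (int) sizeof GOOD, -1, (enum policy) p),
            run (TRUNC, (int) sizeof TRUNC, -1, (enum policy) p),
            run (TRUNC, (int) sizeof TRUNC, 0, (enum policy) p));
  return 0;
}
```

Under the original `!= 0`, the in-memory reader's negative return is accepted, `count` is never rewritten, and the loop spins (SKIP_HUNG), while the 0 returned by the file-style reader is rejected, which is the asymmetry between gdImageCreateFromGifPtr and gdImageCreateFromGif reported above. The patch's `>= 0` fixes the in-memory case but would itself spin on a reader that signals end of input with 0; only the full-read check `== len` fails cleanly for every truncation, including a partial last block.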

