Re: [E-devel] [PATCH] gif: fix oob reads w/bad colormaps

Tue, 05 Apr 2016 18:27:58 -0700 


On 04/06/2016 10:44 AM, Kim Woelders wrote:
> On 04/02/2016 08:26 PM, Yuriy M. Kaminskiy wrote:
>> Mike Frysinger <[email protected]> writes:
>>
>> This does not cover out-of-bound SBackGroundColor (giflib does not
>> verify if it is less than ColorCount).
>> I've just sent *better* patch that fixes this problem:
>> http://permalink.gmane.org/gmane.comp.window-managers.enlightenment.devel/64001
>> (with wrong bug link)
>>
>>> From: Bernhard Übelacker <[email protected]>
>>>
>>> Verify the color map is inbounds before indexing with it.
>>>
>>> https://bugs.debian.org/785369
>>> ---
>>>   src/modules/loaders/loader_gif.c | 13 ++++++++++---
>>>   1 file changed, 10 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/src/modules/loaders/loader_gif.c 
>>> b/src/modules/loaders/loader_gif.c
>>> index 638df59..7bdf29c 100644
>>> --- a/src/modules/loaders/loader_gif.c
>>> +++ b/src/modules/loaders/loader_gif.c
>>> @@ -170,9 +170,16 @@ load(ImlibImage * im, ImlibProgressFunction progress, 
>>> char progress_granularity,
>>>                       }
>>>                     else
>>>                       {
>>> -                       r = cmap->Colors[rows[i][j]].Red;
>>> -                       g = cmap->Colors[rows[i][j]].Green;
>>> -                       b = cmap->Colors[rows[i][j]].Blue;
>>> +                       if (rows[i][j] < cmap->ColorCount)
>>> +                         {
>>> +                            r = cmap->Colors[rows[i][j]].Red;
>>> +                            g = cmap->Colors[rows[i][j]].Green;
>>> +                            b = cmap->Colors[rows[i][j]].Blue;
>>> +                         }
>>> +                       else
>>> +                         {
>>> +                            r = g = b = 0;
>>> +                         }
>>>                          *ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
>>>                       }
>>>                     per += per_inc;
>>
>>
> 
> Right, I was going to push Yuriys patches as they look a bit more 
> correct and efficient to me (although I haven't tested it), but I see 
> Mike has pushed this one.
> 
> Any comments?
> 
> /Kim

I also took Yuriy's patches for SUSE / openSUSE, with the exception of
the div by 0 where I wrote my own.

Cheers,

-- 

Simon Lees (Simotek)                            http://simotek.net

Emergency Update Team                           keybase.io/simotek
SUSE Linux                            Adeliade Australia, UTC+9:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------

_______________________________________________
enlightenment-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel

Reply via email to