[CVE patch] CVE-2016-3977 in giflib version 5.1.2
author Jiyong Min <jiyong.min@samsung.com>
Tue, 20 Sep 2016 08:37:27 +0000 (17:37 +0900)
committer Jiyong Min <jiyong.min@samsung.com>
Tue, 20 Sep 2016 08:39:47 +0000 (17:39 +0900)
 - Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb).
Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1.2 allows remote attackers to cause a denial of service (application crash) via the background color index in a GIF file.

Change-Id: I8fcf54bb71c5fb55e79a4c4150d348098984977b
Signed-off-by: Jiyong Min <jiyong.min@samsung.com>
NEWS
lib/dgif_lib.c
util/gif2rgb.c

diff --git a/NEWS b/NEWS
index 89d6f24..df795e0 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,13 @@
                        GIFLIB NEWS
 
+Repository head
+===============
+
+Code Fixes
+----------
+
+* Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb).
+
 Version 5.1.2
 =============
 
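Review bot: the new NEWS entry names only SF bug #87, while the commit subject identifies the issue as CVE-2016-3977. Add the CVE identifier to the entry so that downstream packagers scanning NEWS can match this fix to the advisory.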
index e22925e..09dccc2 100644 (file)
@@ -289,6 +289,11 @@ DGifGetScreenDesc(GifFileType *GifFile)
         GifFile->SColorMap = NULL;
     }
 
+    /*
+     * No check here for whether the background color is in range for the
+     * screen color map.  Possibly there should be.
+     */
+
     return GIF_OK;
 }
 
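Review bot: DGifGetScreenDesc still returns GIF_OK with an unvalidated background color index; the added comment only records the gap, so every other caller that uses SBackGroundColor to index a color map has to carry its own range check. Consider rejecting the descriptor here when GifFile->SColorMap is non-NULL and the index is negative or not below SColorMap->ColorCount, or at least state the caller's obligation in the API documentation. The context above sets SColorMap to NULL in one branch, so a check added here must handle that case before dereferencing.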
index c71d4fa..051c5a2 100644 (file)
@@ -15,7 +15,7 @@ Toshio Kuratomi had written this in a comment about the rgb2gif code:
 
 I (ESR) took this off the main to-do list in 2012 because I don't think
 the GIFLIB project actually needs to be in the converters-and-tools business.
-Plenty of hackers do that; our jub is to supply stable library capability
+Plenty of hackers do that; our job is to supply stable library capability
 with our utilities mainly interesting as test tools.
 
 ***************************************************************************/
@@ -478,6 +478,12 @@ static void GIF2RGB(int NumFiles, char *FileName,
         exit(EXIT_FAILURE);
     }
 
+    /* check that the background color isn't garbage (SF bug #87) */
+    if (GifFile->SBackGroundColor < 0 || GifFile->SBackGroundColor >= ColorMap->ColorCount) {
+        fprintf(stderr, "Background color out of range for colormap\n");
+        exit(EXIT_FAILURE);
+    }
+
     DumpScreen2RGB(OutFileName, OneFileFlag,
                   ColorMap,
                   ScreenBuffer,
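Review bot: the error path of the new check in GIF2RGB prints a fixed string, which makes a rejected file hard to triage; include the offending SBackGroundColor value and ColorMap->ColorCount in the message. The condition also dereferences ColorMap, so it has to stay below the point where ColorMap is known to be non-NULL; the context shows only the tail of an earlier exit(EXIT_FAILURE) block, so confirm that block is the NULL test. The condition line also runs well past 80 columns and could be wrapped.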