From 8236083c901e4740d31e916bccfecf37522f82f2 Mon Sep 17 00:00:00 2001
From: Jiyong Min
Date: Tue, 20 Sep 2016 17:37:27 +0900
Subject: [PATCH] [CVE patch] CVE-2016-3977 in giflib version 5.1.2 - Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb). Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1.2 allows remote attackers to cause a denial of service (application crash) via the background color index in a GIF file.
Change-Id: I8fcf54bb71c5fb55e79a4c4150d348098984977b
Signed-off-by: Jiyong Min
---
 NEWS | 8 ++++++++
 lib/dgif_lib.c | 5 +++++
 util/gif2rgb.c | 8 +++++++-
 3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 89d6f24..df795e0 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,13 @@
 GIFLIB NEWS
+Repository head
+===============
+
+Code Fixes
+----------
+
+* Fix SF bug #87 Heap buffer overflow in 5.1.2 (gif2rgb).
+
 Version 5.1.2
 =============
diff --git a/lib/dgif_lib.c b/lib/dgif_lib.c
index e22925e..09dccc2 100644
--- a/lib/dgif_lib.c
+++ b/lib/dgif_lib.c
@@ -289,6 +289,11 @@ DGifGetScreenDesc(GifFileType *GifFile)
 GifFile->SColorMap = NULL;
 }
+ /*
+ * No check here for whether the background color is in range for the
+ * screen color map. Possibly there should be.
+ */
+
 return GIF_OK;
 }
diff --git a/util/gif2rgb.c b/util/gif2rgb.c
index c71d4fa..051c5a2 100644
--- a/util/gif2rgb.c
+++ b/util/gif2rgb.c
@@ -15,7 +15,7 @@ Toshio Kuratomi had written this in a comment about the rgb2gif code:
 I (ESR) took this off the main to-do list in 2012 because I don't think the GIFLIB project actually needs to be in the converters-and-tools business.
-Plenty of hackers do that; our jub is to supply stable library capability
+Plenty of hackers do that; our job is to supply stable library capability
 with our utilities mainly interesting as test tools.
 ***************************************************************************/
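Review bot: SBackGroundColor still leaves DGifGetScreenDesc in lib/dgif_lib.c unvalidated, so every library caller other than gif2rgb can still use it as an out-of-range index into the screen color map; the added comment only acknowledges the gap. The context line above the comment also shows SColorMap being set to NULL on one path, so a caller needs both a NULL test and a range test before indexing. Rejecting the file here might break decoding of images that are otherwise usable, so at minimum I would turn the note into a caller contract, e.g. `/* Callers must verify SColorMap != NULL and 0 <= SBackGroundColor < SColorMap->ColorCount before using it as an index. */`. The function body starts outside the hunk.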
@@ -478,6 +478,12 @@ static void GIF2RGB(int NumFiles, char *FileName,
 exit(EXIT_FAILURE);
 }
+ /* check that the background color isn't garbage (SF bug #87) */
+ if (GifFile->SBackGroundColor < 0 || GifFile->SBackGroundColor >= ColorMap->ColorCount) {
+ fprintf(stderr, "Background color out of range for colormap\n");
+ exit(EXIT_FAILURE);
+ }
+
 DumpScreen2RGB(OutFileName, OneFileFlag, ColorMap, ScreenBuffer,
-- 
2.7.4
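Review bot: Pixel values held in ScreenBuffer are not bounded by this guard, which tests only SBackGroundColor against ColorMap->ColorCount before both are passed to DumpScreen2RGB. DumpScreen2RGB is not visible here, but if it looks up each ScreenBuffer entry in ColorMap->Colors, a decoded pixel value at or above ColorCount would presumably reach the same out-of-range access, so the per-pixel lookup wants the same `>= ColorMap->ColorCount` test. The comment could also say which map is meant, e.g. `/* background index must fit the map DumpScreen2RGB will index (SF bug #87) */`, since ColorMap is assigned outside the hunk. GIF2RGB starts and ends outside the hunk.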