blob: ed297579e226881a97f5a825cd780e4fe0133964 (
plain)
1 From 16de244bd03d2f75da6508feb1ad9cb4e668e9dc Mon Sep 17 00:00:00 2001
2 From: =?UTF-8?q?Bernhard=20=C3=9Cbelacker?= <bernhardu@vr-web.de>
3 Date: Sat, 2 Apr 2016 13:05:21 -0400
4 Subject: [PATCH] gif: fix oob reads w/bad colormaps
5
6 Verify the color map is inbounds before indexing with it.
7
8 https://bugs.debian.org/785369
9 ---
10 src/modules/loaders/loader_gif.c | 13 ++++++++++---
11 1 file changed, 10 insertions(+), 3 deletions(-)
12
13 diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
14 index 638df59..7bdf29c 100644
15 --- a/src/modules/loaders/loader_gif.c
16 +++ b/src/modules/loaders/loader_gif.c
17 @@ -170,9 +170,16 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
18 }
19 else
20 {
21 - r = cmap->Colors[rows[i][j]].Red;
22 - g = cmap->Colors[rows[i][j]].Green;
23 - b = cmap->Colors[rows[i][j]].Blue;
24 + if (rows[i][j] < cmap->ColorCount)
25 + {
26 + r = cmap->Colors[rows[i][j]].Red;
27 + g = cmap->Colors[rows[i][j]].Green;
28 + b = cmap->Colors[rows[i][j]].Blue;
29 + }
30 + else
31 + {
32 + r = g = b = 0;
33 + }
34 *ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
35 }
36 per += per_inc;
37 --
38 2.7.4
|
