pool/gdk-pixbuf
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7fcb12fb15
gdk-pixbuf/gdk-pixbuf-gif-uninitialized-variable.patch
Dominique Leuenberger 7d230a8bba Accepting request 562058 from home:mgorse:branches:GNOME:Factory 
- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential
  integer overflow (boo#1027026 CVE-2017-6312).
- Add gdk-pixbuf-gif-negative-array-indexes.patch and
  gdk-pixbuf-gif-uninitialized-variable.patch: protect against
  access to negative array indexes (BGO#778584).
- Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size
  computation (bgo#779020).
- Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against
  short block length when reading icns (boo#1027024
  CVE-2017-6313).

OBS-URL: https://build.opensuse.org/request/show/562058
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=144
2018-01-08 12:31:19 +00:00

47 lines
1.5 KiB
Diff
Raw Blame History

From c1fd9f5d6592c0183c54efc806b3ca6871e1f496 Mon Sep 17 00:00:00 2001
From: Tobias Mueller <muelli@cryptobitch.de>
Date: Fri, 10 Nov 2017 18:51:21 +0100
Subject: [PATCH] gif: Initialise code_last_byte to not cause undefined
behaviour
Currently, code_last_byte is set only after it has been used, i.e.
context->block_buf[0] = context->block_buf[context->code_last_byte - 2];
comes before anything has touched context->code_last_byte yet.
Except for the initialisation.
context->code_last_byte is set a few lines later, though.
And nowhere else, except for the initialisation which sets it
to 0. That will inevitably lead to context->block_buf[-2] which is
undefined behaviour.
We hence set the code_last_byte to 2 in order to not make that
array index invalid.
https://bugzilla.gnome.org/show_bug.cgi?id=778584
---
gdk-pixbuf/io-gif.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index acbd1f3be..61821bdf9 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -1165,7 +1165,12 @@ gif_prepare_lzw (GifContext *context)
context->lzw_fresh = TRUE;
context->code_curbit = 0;
context->code_lastbit = 0;
- context->code_last_byte = 0;
+ /* During initialistion (in gif_lzw_fill_buffer) we substract 2 from
+ * this value to peek into a buffer.
+ * In order to not get a negative array index later, we set the value
+ * to that magic 2 now.
+ */
+ context->code_last_byte = 2;
context->code_done = FALSE;
g_assert (context->lzw_clear_code <=
--
2.15.1
Reference in New Issue View Git Blame Copy Permalink