From 797226335ec47573f80e84d0fbdf1536292868d0 Mon Sep 17 00:00:00 2001

From: Jan Wielemaker <J.Wielemaker@cs.vu.nl>

Date: Wed, 24 Aug 2011 14:08:17 +0200

Subject: [PATCH 1/2] SECURITY: Bug#9: Loading incomplete GIF files causes an

 invalid read. Petr Pisar.

An incomplete image file causes part of the pixels to be uninitialised.

As the pixels are entries in a colormap, this causes invalid reads.

---

 src/img/gifread.c |   19 ++++++++++++-------

 1 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/img/gifread.c b/src/img/gifread.c

index 0e24e27..9c35f63 100644

--- a/src/img/gifread.c

+++ b/src/img/gifread.c

@@ -553,7 +553,9 @@ ReadImage(IOSTREAM *fd,

   UCHAR c;

   int color;

   int xpos = 0, ypos = 0, pass = 0;

+  int lines = 0;

   long curidx;

+  int last;

   if ( !ReadOK(fd, &c, 1) || c > MAX_LZW_BITS )

   { return GIF_INVALID;

@@ -606,20 +608,23 @@ ReadImage(IOSTREAM *fd,

 	  }

 	}

       } else

-      {

-	++ypos;

+      { ++ypos;

       }

+      ++lines;

     }

     if (ypos >= height)

-      break;

+      goto fini;

   }

+  return GIF_INVALID;			/* short file */

 fini:

+  if ( lines != height )

+    return GIF_INVALID;

-  if (LZWReadByte(fd, FALSE, c) >= 0)

-  {

+  if ( (last=LZWReadByte(fd, FALSE, c)) >= 0 )

+  { return GIF_OK;			/* end is 0x3B, but we only read the */

+  }					/* first image of animated GIFs */

-  }

-  return GIF_OK;

+  return GIF_INVALID;

 }

-- 

1.7.6