From 797226335ec47573f80e84d0fbdf1536292868d0 Mon Sep 17 00:00:00 2001
From: Jan Wielemaker <j.wielemaker@cs.vu.nl>
Date: Wed, 24 Aug 2011 14:08:17 +0200
Subject: [PATCH 1/2] SECURITY: Bug#9: Loading incomplete GIF files causes an
 invalid read. Petr Pisar.
An incomplete image file causes part of the pixels to be uninitialised.
As the pixels are entries in a colormap, this causes invalid reads.
---
 src/img/gifread.c |   19 ++++++++++++-------
 1 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/img/gifread.c b/src/img/gifread.c
4922a6
index 0e24e27..9c35f63 100644
4922a6
--- a/src/img/gifread.c
4922a6
+++ b/src/img/gifread.c
4922a6
@@ -553,7 +553,9 @@ ReadImage(IOSTREAM *fd,
4922a6
   UCHAR c;
4922a6
   int color;
4922a6
   int xpos = 0, ypos = 0, pass = 0;
4922a6
+  int lines = 0;
4922a6
   long curidx;
4922a6
+  int last;
4922a6
 
4922a6
   if ( !ReadOK(fd, &c, 1) || c > MAX_LZW_BITS )
4922a6
   { return GIF_INVALID;
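Review bot: `int last;` is declared here and assigned once at `fini:` in the second hunk, `(last=LZWReadByte(fd, FALSE, c)) >= 0`, but no visible line ever reads it, so it is a set-but-unused variable. Either drop the declaration and test the call result directly, `if ( LZWReadByte(fd, FALSE, c) >= 0 )`, or actually use the value. The new counter would also benefit from a comment stating the invariant the fix relies on, for example `int lines = 0; /* completed rows; must equal height at fini */`. ReadImage's body continues outside this hunk.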
4922a6
@@ -606,20 +608,23 @@ ReadImage(IOSTREAM *fd,
4922a6
 	  }
4922a6
 	}
4922a6
       } else
4922a6
-      {
4922a6
-	++ypos;
4922a6
+      { ++ypos;
4922a6
       }
4922a6
+      ++lines;
4922a6
     }
4922a6
     if (ypos >= height)
4922a6
-      break;
4922a6
+      goto fini;
4922a6
   }
4922a6
+  return GIF_INVALID;			/* short file */
4922a6
 
4922a6
 fini:
4922a6
+  if ( lines != height )
4922a6
+    return GIF_INVALID;
4922a6
 
4922a6
-  if (LZWReadByte(fd, FALSE, c) >= 0)
4922a6
-  {
4922a6
+  if ( (last=LZWReadByte(fd, FALSE, c)) >= 0 )
4922a6
+  { return GIF_OK;			/* end is 0x3B, but we only read the */
4922a6
+  }					/* first image of animated GIFs */
4922a6
 
4922a6
-  }
4922a6
-  return GIF_OK;
4922a6
+  return GIF_INVALID;
4922a6
 }
4922a6
 
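Review bot: After the `lines != height` check at `fini:`, the new tail returns GIF_OK only when `LZWReadByte(fd, FALSE, c)` yields a value `>= 0` and GIF_INVALID otherwise, whereas the old code returned GIF_OK in both cases. LZWReadByte is not shown here, but if it returns a negative value when the LZW stream ends cleanly after the last pixel, a complete, well-formed image would now be rejected. Since the row count already proves every pixel was written, consider returning GIF_OK unconditionally after that check, or document which return values are expected at this point, e.g. `/* >= 0: trailing codes remain; < 0: <meaning per LZWReadByte> */`. As defence in depth, zero-filling the pixel buffer where it is allocated (outside this hunk) would keep any remaining early exit from leaving colormap indices uninitialised. ReadImage begins before this hunk.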
-- 
1.7.6