From: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
Date: Thu, 18 Aug 2011 09:46:53 +0000 (+0200)
Subject: SECURITY: Bug#7 Gif-reader bufferoverflow.  Petr Pisar.
X-Git-Url: http://www.swi-prolog.org/packages/xpce.git/commitdiff_plain/bb328029beb148691edc031d9db9cf0a503c8247

SECURITY: Bug#7 Gif-reader bufferoverflow.  Petr Pisar.

See http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7
See https://bugzilla.redhat.com/show_bug.cgi?id=727800

This patch follows a corresponding patch in CUPS:

CUPS was fixed recently (in 1.4.7) and now performs a code > max_code check
http://cups.org/str.php?L3867
svn diff -c 9840 http://svn.easysw.com/public/cups/
---

diff --git a/src/img/gifread.c b/src/img/gifread.c
index bb66705..a12a2d8 100644
--- a/src/img/gifread.c
+++ b/src/img/gifread.c
@@ -169,7 +169,7 @@ GIFReadFD(IOSTREAM *fd,
   /* read colormaps */
   if ( BitSet((UCHAR) buf[4], LOCALCOLORMAP) )
   { if ( (rval=ReadColorMap(fd, GifScreen.BitPixel, at, ac, closure))
-	 							!= GIF_OK )
+								!= GIF_OK )
     { setGifError("Error reading GIF colormap");
       return rval;
     }
@@ -487,11 +487,11 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
       max_code = clear_code + 2;
       sp = stack;
       firstcode = oldcode = GetCode(fd, code_size, FALSE);
-      return firstcode;
-    } else if (code == end_code)
+      return (firstcode&255);
+    } else if (code == end_code || code > max_code)
     {
       int count;
-      UCHAR buf[260];
+      UCHAR buf[260];			/* Block buffer */
 
       if (ZeroDataBlock)
 	return -2;
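Review bot: The value read right after a clear code, `firstcode = oldcode = GetCode(fd, code_size, FALSE);`, is still stored without a range check. The new `&255` only masks the returned value, so `firstcode` and `oldcode` keep whatever GetCode produced, possibly a negative error value or a code at or above `clear_code`. Both are used again in the next hunk (`*sp++ = firstcode; code = oldcode;`), and the `code > max_code` guard added here does not cover them. Consider validating before the return, e.g. `if (firstcode < 0 || firstcode >= clear_code) return -2;`, with the error value chosen to match what callers expect. LZWReadByte starts and ends outside this hunk, so a check elsewhere in the function may already cover this.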
@@ -504,7 +504,7 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
     }
     incode = code;
 
-    if (code >= max_code)
+    if (code == max_code)
     {
       *sp++ = firstcode;
       code = oldcode;
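Review bot: The narrowed test `if (code == max_code)` is only safe because the earlier branch now rejects `code > max_code`, and nothing at this line says so. A later edit that reorders or relaxes that guard would silently bring back the out-of-range case. I would add a comment above the test such as `/* code > max_code was rejected above; only the not-yet-defined code (== max_code) remains */`. The rest of the decode loop is outside this hunk.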
@@ -537,9 +537,9 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
     oldcode = incode;
 
     if (sp > stack)
-      return *--sp;
+      return ((*--sp) & 255);
   }
-  return code;
+  return (code&255);
 }
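Review bot: Masking the final `return (code&255);` can turn a failure into pixel data. If the decode loop ends because GetCode returned a negative value (the loop header is outside this hunk, but the original `return code;` suggests it), then `-1 & 255` is 255 and the caller no longer sees an error. The same applies to `return (firstcode&255);` in the earlier hunk. Keep the negative sentinel and mask only valid codes, e.g. `return code < 0 ? code : (code & 255);`.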