1639bb364d
- Fix CVE-2018-11490: The DGifDecompressLine function in dgif_lib.c in
GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p
0.49.4, has a heap-based buffer overflow because a certain
"Private->RunningCode - 2" array index is not checked. This will lead
to a denial of service or possibly unspecified other impact.
- Fix CVE-2019-15133: In GIFLIB before 2019-02-16, a malformed GIF file
triggers a divide-by-zero exception in the decoder function DGifSlurp
in dgif_lib.c if the height field of the ImageSize data structure is
equal to zero.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d7926d7cb5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
29 lines
1.0 KiB
Diff
29 lines
1.0 KiB
Diff
From 799eb6a3af8a3dd81e2429bf11a72a57e541f908 Mon Sep 17 00:00:00 2001
|
|
From: "Eric S. Raymond" <esr@thyrsus.com>
|
|
Date: Sun, 17 Mar 2019 12:37:21 -0400
|
|
Subject: [PATCH] Address SF bug #119: MemorySanitizer: FPE on unknown address
|
|
|
|
[Retrieved (and backported) from:
|
|
https://sourceforge.net/p/giflib/code/ci/08438a5098f3bb1de23a29334af55eba663f75bd]
|
|
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
|
---
|
|
dgif_lib.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/lib/dgif_lib.c b/lib/dgif_lib.c
|
|
index 3a52467..179bd84 100644
|
|
--- a/lib/dgif_lib.c
|
|
+++ b/lib/dgif_lib.c
|
|
@@ -1143,7 +1143,7 @@ DGifSlurp(GifFileType *GifFile)
|
|
|
|
sp = &GifFile->SavedImages[GifFile->ImageCount - 1];
|
|
/* Allocate memory for the image */
|
|
- if (sp->ImageDesc.Width < 0 && sp->ImageDesc.Height < 0 &&
|
|
+ if (sp->ImageDesc.Width <= 0 || sp->ImageDesc.Height <= 0 ||
|
|
sp->ImageDesc.Width > (INT_MAX / sp->ImageDesc.Height)) {
|
|
return GIF_ERROR;
|
|
}
|
|
--
|
|
2.20.1
|
|
|