Hi,
On Mon, Dec 21, 2015 at 10:51:28PM +0100, Salvatore Bonaccorso wrote:
> Source: giflib
> Version: 5.1.1-0.2
> Severity: important
> Tags: security upstream
>
> Hi,
>
> the following vulnerability was published for giflib.
>
> CVE-2015-7555[0]:
> Heap-based buffer overflow in giffix utility
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Does the attached patch make sense? If so I'd prepare debdiffs for
squeeze/jessie/wheezy.
Cheers,
 -- Guido

>From 04b4bb123834e9a5374290d3b1f3fc1880c03195 Mon Sep 17 00:00:00 2001 Message-Id: <04b4bb123834e9a5374290d3b1f3fc1880c03195.1451570523.git....@sigxcpu.org> From: =?UTF-8?q?Guido=20G=C3=BCnther?= <[email protected]> Date: Thu, 31 Dec 2015 14:15:40 +0100 Subject: [PATCH] CVE-2015-7555: base width on image width instead of canvas width Based on docs at http://giflib.sourceforge.net/whatsinagif/bits_and_bytes.html --- util/giffix.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/util/giffix.c b/util/giffix.c index 6fba84a..d1ff72b 100644 --- a/util/giffix.c +++ b/util/giffix.c @@ -91,9 +91,6 @@ int main(int argc, char **argv) GifFileIn->SColorMap) == GIF_ERROR) QuitGifError(GifFileIn, GifFileOut); - if ((LineBuffer = (GifRowType) malloc(GifFileIn->SWidth)) == NULL) - GIF_EXIT("Failed to allocate memory required, aborted."); - /* Scan the content of the GIF file and load the image(s) in: */ do { if (DGifGetRecordType(GifFileIn, &RecordType) == GIF_ERROR) @@ -113,6 +110,9 @@ int main(int argc, char **argv) GifQprintf("\n%s: Image %d at (%d, %d) [%dx%d]: ", PROGRAM_NAME, ++ImageNum, Col, Row, Width, Height); + if ((LineBuffer = (GifRowType) malloc(Width)) == NULL) + GIF_EXIT("Failed to allocate memory required, aborted."); + /* Put the image descriptor to out file: */ if (EGifPutImageDesc(GifFileOut, Col, Row, Width, Height, false, GifFileIn->Image.ColorMap) == GIF_ERROR) -- 2.6.4
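
Review bot: in the first hunk of util/giffix.c (@@ -91,9 +91,6), dropping the up-front malloc leaves LineBuffer without a value until the first image descriptor record is processed. The declaration is not visible in this diff; if it is not initialised to NULL, any later use or free of LineBuffer on a path that never reaches the new allocation (for example a file with no image record) would touch an indeterminate pointer. Suggest initialising LineBuffer to NULL where it is declared, and leaving a one-line comment at this spot saying the row buffer is now sized per image rather than from GifFileIn->SWidth, so the reason for the move stays in the code and not only in the commit message.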
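
Review bot: in the second hunk (@@ -113,6 +110,9), the new malloc(Width) runs once per image descriptor inside the do loop, and nothing in the visible lines releases the buffer allocated for the previous image, so a file with many images leaks one row buffer per image. Suggest calling free(LineBuffer) at the end of the image branch, or keeping a single buffer and growing it with realloc only when Width exceeds the current size. Width is also taken from the file: a zero width makes the result of malloc(0) implementation-defined, and a NULL return there would end in the "Failed to allocate memory required" exit with a misleading message, so rejecting Width <= 0 before allocating would be cleaner.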

