Source: giflib
Version: 5.2.2-1
Severity: normal
Tags: patch upstream
X-Debbugs-Cc: nathan.teodo...@canonical.com

In Ubuntu, giflib failed to build from source due to detection of a buffer
overflow in sprintf. This didn't cause build problems in Debian because
it uses FORTIFY_SOURCE=2.

Here is the debdiff containing the upstream patch for it.

Cheers,
Nathan Teodosio
diff -Nru giflib-5.2.2/debian/changelog giflib-5.2.2/debian/changelog
--- giflib-5.2.2/debian/changelog       2024-02-25 18:44:51.000000000 +0100
+++ giflib-5.2.2/debian/changelog       2024-04-05 10:31:09.000000000 +0200
@@ -1,3 +1,10 @@
+giflib (5.2.2-2) unstable; urgency=medium
+
+  [Adam Sampson]
+  * d/p/snprintf.patch: Fix incorrect length arg to snprintf.
+
+ -- Nathan Pratta Teodosio <nathan.teodo...@canonical.com>  Fri, 05 Apr 2024 
10:31:09 +0200
+
 giflib (5.2.2-1) unstable; urgency=medium
 
   [ Debian Janitor]
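Review bot: the changelog entry gives no reason or reference for the change; someone reading `apt changelog` sees only "incorrect length arg" with no hint that it fixes a build failure or which bug it is. Suggest extending the bullet, e.g. `* d/p/snprintf.patch: Fix incorrect length arg to snprintf in giftext` followed by `(FTBFS with fortified snprintf; https://sourceforge.net/p/giflib/bugs/170/)`, and adding a `Closes:` for this report once it has a number. The bracket style also differs from the existing entry (`[Adam Sampson]` vs `[ Debian Janitor]`); pick one.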
diff -Nru giflib-5.2.2/debian/patches/series giflib-5.2.2/debian/patches/series
--- giflib-5.2.2/debian/patches/series  2024-02-25 18:29:30.000000000 +0100
+++ giflib-5.2.2/debian/patches/series  2024-04-05 10:20:12.000000000 +0200
@@ -5,3 +5,4 @@
 dont-spoil-tests-with-stderr.patch
 giflib_quantize-header.patch
 Clean-up-memory-better-at-end-of-run-CVE-2021-40633.patch
+snprintf.patch
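Review bot: `snprintf.patch` says nothing about which file or bug it concerns, while the neighbouring entries name the affected area or CVE (`giflib_quantize-header.patch`, `Clean-up-memory-better-at-end-of-run-CVE-2021-40633.patch`). Name it after the file and issue, e.g. `giftext-snprintf-length.patch`, and keep the entry last in series as it is here so it applies on top of the existing patches.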
diff -Nru giflib-5.2.2/debian/patches/snprintf.patch 
giflib-5.2.2/debian/patches/snprintf.patch
--- giflib-5.2.2/debian/patches/snprintf.patch  1970-01-01 01:00:00.000000000 
+0100
+++ giflib-5.2.2/debian/patches/snprintf.patch  2024-04-05 10:30:28.000000000 
+0200
@@ -0,0 +1,24 @@
+Description: Fix incorrect length args to snprintf
+Author: Adam Sampson
+Bug: https://sourceforge.net/p/giflib/bugs/170/
+
+--- giflib-5.2.2/giftext.c     2024-02-19 03:01:28.000000000 +0000
++++ giflib-5.2.2/giftext.c     2024-04-04 19:20:51.474029582 +0100
+@@ -442,7 +442,7 @@
+               for (i = 1; i <= Len; i++) {
+                       (void)snprintf(&HexForm[CrntPlace * 3], 3, " %02x",
+                                      Extension[i]);
+-                      (void)snprintf(&AsciiForm[CrntPlace], 3, "%c",
++                      (void)snprintf(&AsciiForm[CrntPlace], 2, "%c",
+                                      MAKE_PRINTABLE(Extension[i]));
+                       if (++CrntPlace == 16) {
+                               HexForm[CrntPlace * 3] = 0;
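Review bot: the HexForm call two lines above the changed line still passes 3, but `" %02x"` expands to three characters and snprintf keeps the last byte of the size for the terminator, so only the space and the first hex digit survive and the NUL written at `HexForm[CrntPlace * 3 + 2]` is never overwritten by the next call at offset `CrntPlace * 3 + 3`, cutting the hex column after the first byte. That call needs 4: `(void)snprintf(&HexForm[CrntPlace * 3], 4, " %02x",`. The AsciiForm change itself is right: `"%c"` writes one character plus NUL, so 2 is exact, and the `== 16` column check below implies AsciiForm holds 16 + 1 bytes, leaving only 2 at `CrntPlace == 15`, which the old size of 3 overstated. Note the Description says "length args" (plural) while only the AsciiForm call changes here.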
+@@ -488,7 +488,7 @@
+       for (i = 0; i < Len; i++) {
+               (void)snprintf(&HexForm[CrntPlace * 3], 3, " %02x",
+                              PixelBlock[i]);
+-              (void)snprintf(&AsciiForm[CrntPlace], 3, "%c",
++              (void)snprintf(&AsciiForm[CrntPlace], 2, "%c",
+                              MAKE_PRINTABLE(PixelBlock[i]));
+               if (++CrntPlace == 16) {
+                       HexForm[CrntPlace * 3] = 0;
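Review bot: same HexForm size problem in this hunk: `(void)snprintf(&HexForm[CrntPlace * 3], 3, " %02x",` truncates the three-character output to the space and one digit and leaves a terminator at offset 2 that the next call (offset 3) never overwrites, so the pixel hex dump ends after the first byte; use 4 here as well. The DEP-3 header above carries Description, Author and Bug but no `Forwarded:` or `Applied-Upstream:` line, although the cover mail calls this an upstream patch; record the upstream commit so the patch can be dropped at the next upstream release. Both hunks are the same hex/ASCII formatting loop, so a shared helper would keep the sizes from drifting apart again.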

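To make the size arithmetic behind the patch concrete, here is an added example that is not giflib's code and not part of the report: it reproduces the giftext formatting loop over a constructed 16-byte row with caller-chosen snprintf sizes, so the old values (3 and 3) can be compared with sizes that match the format strings. The array sizes (16 * 3 + 1 for HexForm, 16 + 1 for AsciiForm) are assumptions derived from the `== 16` column check in the hunk, `make_printable` is a stand-in for giftext's MAKE_PRINTABLE whose exact definition is not on the page, and `bytes_remaining` models what a fortified snprintf compares the size argument against.

```c
/* Added example, not giflib's code: what the size argument of snprintf
 * means for the two calls in giftext's hex/ASCII dump loop.  Array sizes
 * are assumed from the "== 16" column check in the patch hunk. */
#include <stdio.h>
#include <string.h>

#define COLS 16
#define HEX_LEN (COLS * 3 + 1)   /* " %02x" per byte, plus the terminator */
#define ASCII_LEN (COLS + 1)     /* one char per byte, plus the terminator */

/* Constructed 16-byte input: a GIF signature followed by arbitrary bytes. */
static const unsigned char SAMPLE[COLS] = {
    'G', 'I', 'F', '8', '9', 'a',
    0x01, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00, 0xff, 0xff, 0xff};

/* Stand-in for giftext's MAKE_PRINTABLE (assumed: non-printables become '.'). */
static char make_printable(unsigned char c) {
    return (c >= 32 && c < 127) ? (char)c : '.';
}

/* Format one row the way giftext does, with caller-chosen snprintf sizes so
 * the old and new values can be compared.  snprintf(dst, n, ...) writes at
 * most n - 1 characters followed by a NUL, so " %02x" needs n = 4 to keep all
 * three characters and "%c" needs exactly n = 2. */
static void format_row(size_t hex_size, size_t ascii_size,
                       char hex[HEX_LEN], char ascii[ASCII_LEN]) {
    memset(hex, 0, HEX_LEN);
    memset(ascii, 0, ASCII_LEN);
    for (size_t i = 0; i < COLS; i++) {
        (void)snprintf(&hex[i * 3], hex_size, " %02x", SAMPLE[i]);
        (void)snprintf(&ascii[i], ascii_size, "%c", make_printable(SAMPLE[i]));
    }
    hex[COLS * 3] = 0;
    ascii[COLS] = 0;
}

/* Length of the hex string a given size argument produces.  With 3, the NUL
 * written at offset 2 by the first call is never overwritten (the next call
 * starts at offset 3), so the row is cut to two characters; with 4 the NUL
 * lands at offset 3 and is overwritten each iteration, giving the full 48. */
size_t hex_row_length(size_t hex_size) {
    char hex[HEX_LEN], ascii[ASCII_LEN];
    format_row(hex_size, 2, hex, ascii);
    return strlen(hex);
}

/* 1 if the ASCII column comes out complete for the given size argument. */
int ascii_row_ok(size_t ascii_size) {
    char hex[HEX_LEN], ascii[ASCII_LEN];
    format_row(4, ascii_size, hex, ascii);
    return strcmp(ascii, "GIF89a..........") == 0;
}

/* What a fortified snprintf (FORTIFY_SOURCE with object-size tracking)
 * considers available at &buf[off] inside an object of `total` bytes.  It
 * aborts when the size argument claims more than this, which is why 3 fails
 * at &AsciiForm[15] (2 bytes left) even though "%c" only ever writes 2. */
size_t bytes_remaining(size_t total, size_t off) {
    return off < total ? total - off : 0;
}

int main(void) {
    char hex[HEX_LEN], ascii[ASCII_LEN];
    printf("size 3 at &AsciiForm[15] vs %zu bytes actually left\n",
           bytes_remaining(ASCII_LEN, 15));
    format_row(4, 2, hex, ascii);   /* sizes that match the format strings */
    printf("new: [%s] [%s]\n", hex, ascii);
    /* Sizes as in giflib 5.2.2.  Under a fortified build that can see the
     * remaining size, this call aborts with "buffer overflow detected"
     * instead of printing, which is the build failure in the report. */
    format_row(3, 3, hex, ascii);
    printf("old: [%s] [%s]\n", hex, ascii);
    return 0;
}
```

Compile with `gcc -O2 -Wall` and run it once plainly and once with `-D_FORTIFY_SOURCE=3` to see the two behaviours; the AsciiForm call never writes past the array in either case, so the failure is the size argument overstating the space, not an actual out-of-bounds write, while the HexForm truncation is a genuine output bug regardless of fortification.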