As reported on http://bugs.debian.org/734425, when ColorCount is less
than 256, it is possible that image loading will trigger an out-of-bounds
read.
Security implications: DoS (application crash), potentially host memory
exposure.
The attached patch(es) gracefully handle out-of-range image data, out-of-range
background and transparent colors, and make the code a bit simpler and
faster.
Description: Fixes out-of-bound reads from colormap
Bug-Debian: http://bugs.debian.org/734425
Note: removes all special-casing from the inner loop, optimize for common case.
Author: Yuriy M. Kaminskiy <[email protected]>
Reported-By: Jakub Wilk <[email protected]>
Thanks to Bernhard U:belacker <[email protected]> for analysis.
Index: imlib2-1.4.7/src/modules/loaders/loader_gif.c
===================================================================
--- imlib2-1.4.7.orig/src/modules/loaders/loader_gif.c
+++ imlib2-1.4.7/src/modules/loaders/loader_gif.c
@@ -141,8 +141,24 @@ load(ImlibImage * im, ImlibProgressFunct
if (im->loader || immediate_load || progress)
{
+ DATA32 colormap[256];
+
bg = gif->SBackGroundColor;
cmap = (gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap);
+ memset (colormap, 0, sizeof(colormap));
+ if (cmap != NULL)
+ {
+ for (i = cmap->ColorCount > 256 ? 256 : cmap->ColorCount; i-- > 0;)
+ {
+ r = cmap->Colors[i].Red;
+ g = cmap->Colors[i].Green;
+ b = cmap->Colors[i].Blue;
+ colormap[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
+ }
+ /* if bg > cmap->ColorCount, it is transparent black already */
+ if (transp >= 0 && transp < 256)
+ colormap[transp] = bg >= 0 && bg < 256 ? colormap[bg] & 0x00ffffff : 0x00000000;
+ }
im->data = (DATA32 *) malloc(sizeof(DATA32) * w * h);
if (!im->data)
goto quit;
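Review bot: In the table-building loop, `(0xff << 24)` shifts a signed int constant into its sign bit, which is undefined behaviour in C even though it was carried over from the old inner loop; `colormap[i] = 0xff000000u | (r << 16) | (g << 8) | b;` avoids it. The comment above the transparency override is also slightly off, since entries stay zero for `bg >= cmap->ColorCount` and not only for `bg >`; `/* if bg >= cmap->ColorCount, colormap[bg] is still zero (transparent black) */` would be accurate. A comment at the `colormap[256]` declaration would help too, saying that the table is zero-filled and covers every 8-bit index so that out-of-range pixel values map to transparent black instead of reading past `cmap->Colors`. The body of load() starts and ends outside this hunk.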
@@ -161,20 +177,7 @@ load(ImlibImage * im, ImlibProgressFunct
{
for (j = 0; j < w; j++)
{
- if (rows[i][j] == transp)
- {
- r = cmap->Colors[bg].Red;
- g = cmap->Colors[bg].Green;
- b = cmap->Colors[bg].Blue;
- *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
- }
- else
- {
- r = cmap->Colors[rows[i][j]].Red;
- g = cmap->Colors[rows[i][j]].Green;
- b = cmap->Colors[rows[i][j]].Blue;
- *ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
- }
+ *ptr++ = colormap[rows[i][j]];
per += per_inc;
if (progress && (((int)per) != last_per)
&& (((int)per) % progress_granularity == 0))
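Review bot: The new lookup `colormap[rows[i][j]]` is in bounds only while each element of `rows` is an unsigned 8-bit value, and nothing on the line records that. The declaration of `rows` is outside this hunk, so this should be confirmed; a plain `char` element could be negative on some platforms. A short comment such as `/* rows[][] holds 8-bit indices; colormap[] has 256 entries, so no bounds check is needed */` above the assignment, or an explicit `(unsigned char)` cast on the index, would keep the invariant visible to whoever next touches the loop. The enclosing loops continue past the end of the hunk.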
Description: cleanup: remove check redundant by fix-bug-785369.patch
Index: imlib2-1.4.7/src/modules/loaders/loader_gif.c
===================================================================
--- imlib2-1.4.7.orig/src/modules/loaders/loader_gif.c
+++ imlib2-1.4.7/src/modules/loaders/loader_gif.c
@@ -163,14 +163,6 @@ load(ImlibImage * im, ImlibProgressFunct
if (!im->data)
goto quit;
- if (!cmap)
- {
- /* No colormap? Now what?? Let's clear the image (and not segv) */
- memset(im->data, 0, sizeof(DATA32) * w * h);
- rc = 1;
- goto finish;
- }
-
ptr = im->data;
per_inc = 100.0 / (((float)w) * h);
for (i = 0; i < h; i++)
Description: reduce progress checks from per-pixel to per-row
Index: imlib2-1.4.7/src/modules/loaders/loader_gif.c
===================================================================
--- imlib2-1.4.7.orig/src/modules/loaders/loader_gif.c
+++ imlib2-1.4.7/src/modules/loaders/loader_gif.c
@@ -164,12 +164,13 @@ load(ImlibImage * im, ImlibProgressFunct
goto quit;
ptr = im->data;
- per_inc = 100.0 / (((float)w) * h);
+ per_inc = 100.0 / (float)h;
for (i = 0; i < h; i++)
{
for (j = 0; j < w; j++)
{
*ptr++ = colormap[rows[i][j]];
+ }
per += per_inc;
if (progress && (((int)per) != last_per)
&& (((int)per) % progress_granularity == 0))
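Review bot: With `per` now advancing by `100.0 / h` once per row, the unchanged test `((int)per) % progress_granularity == 0` can skip callbacks for images with fewer than 100 rows, because the integer part jumps by more than one per step and may never land on a multiple of the granularity. Float accumulation can also leave the final value just under 100. A threshold comparison such as `((int)per) - last_per >= progress_granularity` would be more robust, assuming `last_per` is set to the last reported value in the lines below the hunk. Since `h` is now the only divisor, a zero height has to be rejected before this point; whether it is cannot be seen from the hunk.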
@@ -182,7 +183,6 @@ load(ImlibImage * im, ImlibProgressFunct
}
last_y = i;
}
- }
}
finish: