Re: [E-devel] [PATCH] gif: fix oob reads w/bad colormaps

Thu, 07 Apr 2016 11:27:48 -0700 

On 04/06/2016 03:25 AM, Simon Lees wrote:
>
>
> On 04/06/2016 10:44 AM, Kim Woelders wrote:
>> On 04/02/2016 08:26 PM, Yuriy M. Kaminskiy wrote:
>>> Mike Frysinger <vap...@gentoo.org> writes:
>>>
>>> This does not cover out-of-bound SBackGroundColor (giflib does not
>>> verify if it is less than ColorCount).
>>> I've just sent *better* patch that fixes this problem:
>>> http://permalink.gmane.org/gmane.comp.window-managers.enlightenment.devel/64001
>>> (with wrong bug link)
>>>
>>>> From: Bernhard Übelacker <bernha...@vr-web.de>
>>>>
>>>> Verify the color map is inbounds before indexing with it.
>>>>
>>>> https://bugs.debian.org/785369
>>>> ---
>>>>    src/modules/loaders/loader_gif.c | 13 ++++++++++---
>>>>    1 file changed, 10 insertions(+), 3 deletions(-)
>>>>
>>>> diff --git a/src/modules/loaders/loader_gif.c 
>>>> b/src/modules/loaders/loader_gif.c
>>>> index 638df59..7bdf29c 100644
>>>> --- a/src/modules/loaders/loader_gif.c
>>>> +++ b/src/modules/loaders/loader_gif.c
>>>> @@ -170,9 +170,16 @@ load(ImlibImage * im, ImlibProgressFunction progress, 
>>>> char progress_granularity,
>>>>                        }
>>>>                      else
>>>>                        {
>>>> -                       r = cmap->Colors[rows[i][j]].Red;
>>>> -                       g = cmap->Colors[rows[i][j]].Green;
>>>> -                       b = cmap->Colors[rows[i][j]].Blue;
>>>> +                       if (rows[i][j] < cmap->ColorCount)
>>>> +                         {
>>>> +                            r = cmap->Colors[rows[i][j]].Red;
>>>> +                            g = cmap->Colors[rows[i][j]].Green;
>>>> +                            b = cmap->Colors[rows[i][j]].Blue;
>>>> +                         }
>>>> +                       else
>>>> +                         {
>>>> +                            r = g = b = 0;
>>>> +                         }
>>>>                           *ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
>>>>                        }
>>>>                      per += per_inc;
>>>
>>>
>>
>> Right, I was going to push Yuriys patches as they look a bit more
>> correct and efficient to me (although I haven't tested it), but I see
>> Mike has pushed this one.
>>
>> Any comments?
>>
>> /Kim
>
> I also took Yuriy's patches for SUSE / openSUSE, with the exception of
> the div by 0 where I wrote my own.
>
> Cheers,
>
Ok, I have reverted this one and pushed Yuriy's.

/Kim


------------------------------------------------------------------------------
_______________________________________________
enlightenment-devel mailing list
enlightenment-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel

Reply via email to