vapier pushed a commit to branch master.
http://git.enlightenment.org/legacy/imlib2.git/commit/?id=16de244bd03d2f75da6508feb1ad9cb4e668e9dc
commit 16de244bd03d2f75da6508feb1ad9cb4e668e9dc
Author: Bernhard Übelacker <bernha...@vr-web.de>
Date: Sat Apr 2 13:05:21 2016 -0400
gif: fix oob reads w/bad colormaps
Verify the color map is inbounds before indexing with it.
https://bugs.debian.org/785369
---
src/modules/loaders/loader_gif.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
index 638df59..7bdf29c 100644
--- a/src/modules/loaders/loader_gif.c
+++ b/src/modules/loaders/loader_gif.c
@@ -170,9 +170,16 @@ load(ImlibImage * im, ImlibProgressFunction progress, char
progress_granularity,
}
else
{
- r = cmap->Colors[rows[i][j]].Red;
- g = cmap->Colors[rows[i][j]].Green;
- b = cmap->Colors[rows[i][j]].Blue;
+ if (rows[i][j] < cmap->ColorCount)
+ {
+ r = cmap->Colors[rows[i][j]].Red;
+ g = cmap->Colors[rows[i][j]].Green;
+ b = cmap->Colors[rows[i][j]].Blue;
+ }
+ else
+ {
+ r = g = b = 0;
+ }
*ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
}
per += per_inc;
--
