gif: fix out-of-bounds read w/corrupted lzw data
oss-fuzz pointed out: gd_gif_in.c:605:16: runtime error: index 5595 out of bounds for type 'int [4096]' Add some bounds checking on each code that we read from the file.master
parent
a8f1d5cab0
commit
9fa3abd2e6
|
@ -601,6 +601,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i
|
|||
/* Bad compressed data stream */
|
||||
return -1;
|
||||
}
|
||||
if(code >= (1 << MAX_LWZ_BITS)) {
|
||||
/* Corrupted code */
|
||||
return -1;
|
||||
}
|
||||
|
||||
*sd->sp++ = sd->table[1][code];
|
||||
|
||||
|
@ -610,6 +614,10 @@ LWZReadByte_(gdIOCtx *fd, LZW_STATIC_DATA *sd, char flag, int input_code_size, i
|
|||
|
||||
code = sd->table[0][code];
|
||||
}
|
||||
if(code >= (1 << MAX_LWZ_BITS)) {
|
||||
/* Corrupted code */
|
||||
return -1;
|
||||
}
|
||||
|
||||
*sd->sp++ = sd->firstcode = sd->table[1][code];
|
||||
|
||||
|
|
|
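Review bot: The guard added in both hunks rejects only codes at or above `1 << MAX_LWZ_BITS`; if `code` is a signed int and can come out of the preceding read or the `code = sd->table[0][code]` walk in the second hunk as a negative value, `sd->table[1][code]` still indexes before the start of the array. A symmetric check, `if(code < 0 || code >= (1 << MAX_LWZ_BITS)) {`, in both places would close that side as well at the cost of one comparison. The bound also matches the `int [4096]` table named in the fuzz report only if MAX_LWZ_BITS is 12, which is not visible here; if `table` is a real array rather than a pointer, deriving the limit from `sizeof sd->table[1] / sizeof sd->table[1][0]` would keep the check and the storage from drifting apart. LWZReadByte_ begins before the first hunk and continues past the second.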
@ -7,4 +7,5 @@
|
|||
/bug00227
|
||||
/gif_im2im
|
||||
/gif_null
|
||||
/ossfuzz5700
|
||||
/uninitialized_memory_read
|
||||
|
|
|
@ -3,6 +3,8 @@ LIST(APPEND TESTS_FILES
|
|||
bug00181
|
||||
bug00227
|
||||
gif_null
|
||||
ossfuzz5700
|
||||
uninitialized_memory_read
|
||||
)
|
||||
|
||||
IF(PNG_FOUND)
|
||||
|
@ -12,7 +14,6 @@ LIST(APPEND TESTS_FILES
|
|||
bug00060
|
||||
bug00066
|
||||
gif_im2im
|
||||
uninitialized_memory_read
|
||||
)
|
||||
ENDIF(PNG_FOUND)
|
||||
|
||||
|
|
|
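Review bot: The second hunk moves `uninitialized_memory_read` out of the `IF(PNG_FOUND)` list into the unconditional one, which is unrelated to the ossfuzz5700 bounds fix described in the commit message. It appears to bring CMakeLists.txt in line with Makemodule.am, where that test is already listed before `if HAVE_LIBPNG`, but that intent should be stated in the description or the move split into its own commit so it is not mistaken for part of the decoder fix.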
@ -3,6 +3,7 @@ libgd_test_programs += \
|
|||
gif/bug00181 \
|
||||
gif/bug00227 \
|
||||
gif/gif_null \
|
||||
gif/ossfuzz5700 \
|
||||
gif/uninitialized_memory_read
|
||||
|
||||
if HAVE_LIBPNG
|
||||
|
@ -24,4 +25,5 @@ EXTRA_DIST += \
|
|||
gif/bug00060.gif \
|
||||
gif/bug00066.gif \
|
||||
gif/bug00066_exp.png \
|
||||
gif/ossfuzz5700.gif \
|
||||
gif/unitialized_memory_read.gif
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
#include <stdio.h>
|
||||
#include "gd.h"
|
||||
#include "gdtest.h"
|
||||
|
||||
int main()
|
||||
{
|
||||
gdImagePtr im;
|
||||
FILE *fp = gdTestFileOpen("gif/ossfuzz5700.gif");
|
||||
im = gdImageCreateFromGif(fp);
|
||||
fclose(fp);
|
||||
gdImageDestroy(im);
|
||||
return 0;
|
||||
}
|
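Review bot: The new test asserts nothing and ignores failures: `gdTestFileOpen` can return NULL and that `fp` goes straight into `gdImageCreateFromGif` and `fclose`, and `main` always returns 0, so a regression would only be noticed when a sanitizer aborts the process. Guard the open with `if (fp == NULL) return 1;` and end with `return gdNumFailures();` after asserting the outcome the fix is meant to produce for this input (presumably `gdTestAssert(im == NULL);` if the corrupted stream is expected to be rejected — confirm against the decoder). `gdImageDestroy(im)` on a NULL image likewise relies on that function tolerating NULL; if it does not, make the destroy conditional on `im`.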
Binary file not shown.