From afbf725e7380dfb3ff43a993e43abd9759a66c2b Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Sat, 13 Dec 2014 09:03:44 +0100 Subject: [PATCH] Fix bug #68601 buffer read overflow in gd_gif_in.c --- NEWS | 3 +++ ext/gd/libgd/gd_gif_in.c | 11 +++++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c index ee88a2f..491e942 100644 --- a/ext/gd/libgd/gd_gif_in.c +++ b/ext/gd/libgd/gd_gif_in.c @@ -72,8 +72,10 @@ static struct { #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2) +#define CSD_BUF_SIZE 280 + typedef struct { - unsigned char buf[280]; + unsigned char buf[CSD_BUF_SIZE]; int curbit, lastbit, done, last_byte; } CODE_STATIC_DATA; @@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD ret = 0; for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) - ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j; + if (i < CSD_BUF_SIZE * 8) { + ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; + } else { + ret = -1; + break; + } scd->curbit += code_size; return ret; -- 2.1.4 From bd31cb756399101234258c5491443531099957c3 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 17 Dec 2014 10:59:36 +0100 Subject: [PATCH] Better fix for #68601 for perf https://bitbucket.org/libgd/gd-libgd/commits/81e9a993f2893d651d225646378e3fd1b7465467 --- ext/gd/libgd/gd_gif_in.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c index 491e942..f41ec84 100644 --- a/ext/gd/libgd/gd_gif_in.c +++ b/ext/gd/libgd/gd_gif_in.c @@ -400,14 +400,14 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD scd->lastbit = (2+count)*8 ; } - ret = 0; - for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) - if (i < CSD_BUF_SIZE * 8) { + if ((scd->curbit + code_size - 1) >= (CSD_BUF_SIZE * 8)) { + ret = -1; + } else { + ret = 0; + for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) { ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; - } else { - ret = -1; - break; } + } scd->curbit += code_size; return ret; -- 2.1.4