callisto-debian/gtk2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Check for stack overflow throughout. (#91808, Elliot Lee)

Browse Source 
* io-gif.c (lzw_read_byte): Check for stack overflow throughout.
	(#91808, Elliot Lee)
This commit is contained in:
Matthias Clasen
2002-10-22 22:41:58 +00:00
parent f900039c8f
commit fbccc0848d
2 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
gdk-pixbuf/ChangeLog
View File

@ -1,3 +1,8 @@
2002-10-23 Matthias Clasen <maclas@gmx.de>
* io-gif.c (lzw_read_byte): Check for stack overflow throughout.
(#91808, Elliot Lee)
2002-10-21 Matthias Clasen <maclas@gmx.de> 2002-10-21 Matthias Clasen <maclas@gmx.de>
Support the Netscape application extension for gif animations Support the Netscape application extension for gif animations

14
gdk-pixbuf/io-gif.c
View File

@ -565,6 +565,14 @@ gif_lzw_clear_code (GifContext *context)
return 0; return 0;
} }
#define CHECK_LZW_SP() if(((guchar *)context->lzw_sp) >= (((guchar *)context->lzw_stack) + sizeof(context->lzw_stack))) { \
g_set_error (context->error, \
GDK_PIXBUF_ERROR, \
GDK_PIXBUF_ERROR_CORRUPT_IMAGE, \
_("Stack overflow")); \
return -2; \
}
static int static int
lzw_read_byte (GifContext *context) lzw_read_byte (GifContext *context)
{ {
@ -639,19 +647,20 @@ lzw_read_byte (GifContext *context)
incode = code; incode = code;
if (code >= context->lzw_max_code) { if (code >= context->lzw_max_code) {
CHECK_LZW_SP ();
*(context->lzw_sp)++ = context->lzw_firstcode; *(context->lzw_sp)++ = context->lzw_firstcode;
code = context->lzw_oldcode; code = context->lzw_oldcode;
} }
while (code >= context->lzw_clear_code) { while (code >= context->lzw_clear_code) {
if ((code >= (1 << MAX_LZW_BITS)) if (code >= (1 << MAX_LZW_BITS)) {
|| (context->lzw_sp >= context->lzw_stack + ((1 << (MAX_LZW_BITS)) * 2 + 1))) {
g_set_error (context->error, g_set_error (context->error,
GDK_PIXBUF_ERROR, GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE, GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
_("Bad code encountered")); _("Bad code encountered"));
return -2; return -2;
} }
CHECK_LZW_SP ();
*(context->lzw_sp)++ = context->lzw_table[1][code]; *(context->lzw_sp)++ = context->lzw_table[1][code];
if (code == context->lzw_table[0][code]) { if (code == context->lzw_table[0][code]) {
@ -664,6 +673,7 @@ lzw_read_byte (GifContext *context)
code = context->lzw_table[0][code]; code = context->lzw_table[0][code];
} }
CHECK_LZW_SP ();
*(context->lzw_sp)++ = context->lzw_firstcode = context->lzw_table[1][code]; *(context->lzw_sp)++ = context->lzw_firstcode = context->lzw_table[1][code];
if ((code = context->lzw_max_code) < (1 << MAX_LZW_BITS)) { if ((code = context->lzw_max_code) < (1 << MAX_LZW_BITS)) {