List:       oss-security
Subject:    [oss-security] Re:[oss-security] Re: a bug in gif2rgb.c in giflib-5.1.2
From:       xiaoqixue_1  <xiaoqixue_1 () 163 ! com>
Date:       2016-01-28 23:03:16
Message-ID: 4e14191f.1337.1528a79fc07.Coremail.xiaoqixue_1 () 163 ! com

It has been fixed now.

GifFile->SHeight and GifFile->SWidth could both actually result in a zero-size memory allocation.
The patch is as follows:
http://sourceforge.net/p/giflib/code/ci/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6/#diff-2

--- a/util/gif2rgb.c+++ b/util/gif2rgb.c@@ -378,8 +378,8 @@
 	}
     }
 
-    if (GifFile->SHeight == 0) {-	fprintf(stderr, "Image of height 0\n");+    if \
(GifFile->SHeight == 0 || GifFile->SWidth == 0) {+	fprintf(stderr, "Image of width or height \
0\n");  exit(EXIT_FAILURE);
     }
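
Review bot: the new message "Image of width or height 0" in the added fprintf does not say which of the two fields failed the check, which makes a rejected file harder to triage; consider printing the actual GifFile->SWidth and GifFile->SHeight values in the message. The failure path here also uses fprintf(stderr, ...) followed by exit(EXIT_FAILURE), while the allocation failure quoted in this thread at gif2rgb.c:388 goes through GIF_EXIT(...); using one error path for both would keep the utility consistent. A short comment above the condition noting that both dimensions feed later allocations would document why SWidth is now tested alongside SHeight.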







At 2016-01-27 13:40:08, cve-assign@mitre.org wrote:
> > We find a memory allocation whose size could be zero in gif2rgb.c,
> > and it will result in several out-of-bounds memory reads and writes. The bug is in gif2rgb.c:386:
> > 386 if ((ScreenBuffer = (GifRowType *) 
> > 387 malloc(GifFile->SHeight * sizeof(GifRowType))) == NULL) 
> > 388 GIF_EXIT("Failed to allocate memory required, aborted.");
> > 
> > 
> > Please see "http://sourceforge.net/p/giflib/bugs/82/" for more details.
> 
> Can you provide more information about the relationship between
> http://sourceforge.net/p/giflib/bugs/82/ and the above instance of
> GifFile->SHeight in the malloc call? The
> http://sourceforge.net/p/giflib/code/ci/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6/
> patch for http://sourceforge.net/p/giflib/bugs/82/ adds a check for
> "GifFile->SWidth == 0" but does not add new validation of the
> GifFile->SHeight value.
> 
> -- 
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
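
The check discussed in this thread, written out as an added example (not code from giflib or from either message): in C, `malloc(0)` may return a non-NULL pointer, so the `== NULL` test at gif2rgb.c:386-388 does not catch a zero height, and both dimensions have to be validated before any buffer is sized from them. `alloc_screen`, `free_screen`, `RowType` and `PixelType` are hypothetical stand-ins for the utility's screen buffer and giflib's row and pixel types.

```c
#include <stdio.h>
#include <stdlib.h>

typedef unsigned char PixelType;   /* hypothetical stand-in for a GIF pixel */
typedef PixelType *RowType;        /* hypothetical stand-in for a row pointer */

/* Allocate height rows of width zeroed pixels. Returns NULL, allocating
 * nothing, when either dimension is zero or negative. calloc() itself
 * rejects a count * size product that would overflow. */
RowType *alloc_screen(int width, int height)
{
    if (width <= 0 || height <= 0)
        return NULL;                      /* would be a zero-size allocation */

    RowType *rows = calloc((size_t)height, sizeof(RowType));
    if (rows == NULL)
        return NULL;
    for (int i = 0; i < height; i++) {
        rows[i] = calloc((size_t)width, sizeof(PixelType));
        if (rows[i] == NULL) {            /* undo the partial allocation */
            while (i-- > 0)
                free(rows[i]);
            free(rows);
            return NULL;
        }
    }
    return rows;
}

void free_screen(RowType *rows, int height)
{
    if (rows == NULL)
        return;
    for (int i = 0; i < height; i++)
        free(rows[i]);
    free(rows);
}

int main(void)
{
    /* Constructed dimensions: the two zero cases from the thread, one valid. */
    int dims[][2] = { {0, 4}, {4, 0}, {4, 4} };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        RowType *s = alloc_screen(dims[i][0], dims[i][1]);
        printf("%dx%d -> %s\n", dims[i][0], dims[i][1],
               s ? "allocated" : "rejected");
        free_screen(s, dims[i][1]);
    }
    return 0;
}
```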


