goulash-lover
/
legacy-imlib2
forked from old/legacy-imlib2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GIF loader: Fix out-of-bound reads from colormap. 

Bug-Debian: http://bugs.debian.org/785369
Note: removes all special-casing from the inner loop, optimize for common case.
Author: Yuriy M. Kaminskiy <yumkam+debian@gmail.com>
Reported-By: Jakub Wilk <jwilk@debian.org>

Thanks to Bernhard U:belacker <bernhardu@vr-web.de> for analysis.
This commit is contained in:
Kim Woelders 2016-04-03 19:40:25 +02:00
parent 5b5544ab77
commit 37a9680166
1 changed files with 17 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
src/modules/loaders/loader_gif.c
View File

@ -141,8 +141,24 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
if (im->loader || immediate_load || progress)
{
DATA32 colormap[256];
bg = gif->SBackGroundColor;
cmap = (gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap);
memset (colormap, 0, sizeof(colormap));
if (cmap != NULL)
{
for (i = cmap->ColorCount > 256 ? 256 : cmap->ColorCount; i-- > 0;)
{
r = cmap->Colors[i].Red;
g = cmap->Colors[i].Green;
b = cmap->Colors[i].Blue;
colormap[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
}
/* if bg > cmap->ColorCount, it is transparent black already */
if (transp >= 0 && transp < 256)
colormap[transp] = bg >= 0 && bg < 256 ? colormap[bg] & 0x00ffffff : 0x00000000;
}
im->data = (DATA32 *) malloc(sizeof(DATA32) * w * h);
if (!im->data)
goto quit;
@ -161,20 +177,7 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
{
for (j = 0; j < w; j++)
{
if (rows[i][j] == transp)
{
r = cmap->Colors[bg].Red;
g = cmap->Colors[bg].Green;
b = cmap->Colors[bg].Blue;
*ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
}
else
{
r = cmap->Colors[rows[i][j]].Red;
g = cmap->Colors[rows[i][j]].Green;
b = cmap->Colors[rows[i][j]].Blue;
*ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
}
*ptr++ = colormap[rows[i][j]];
per += per_inc;
if (progress && (((int)per) != last_per)
&& (((int)per) % progress_granularity == 0))