Group :: Sistema/Bibliotecas
RPM: libgif
Main Changelog Spec Patches Sources Download Gear Bugs e FR Repocop
Patch: libgif-4.1.6-deb-cve.patch
Download
Download
Author: Michael Fedrowitz <michaelf@debian.org>
Description: Fix CVE-2005-2974 and CVE-2005-3350 (Closes: #337972).
--- giflib-4.1.6/lib/dgif_lib.c
+++ giflib-4.1.6/lib/dgif_lib.c
@@ -249,6 +249,8 @@ DGifGetScreenDesc(GifFileType * GifFile)
if (READ(GifFile, Buf, 3) != 3) {
_GifError = D_GIF_ERR_READ_FAILED;
+ FreeMapObject(GifFile->SColorMap);
+ GifFile->SColorMap = NULL;
return GIF_ERROR;
}
GifFile->SColorResolution = (((Buf[0] & 0x70) + 1) >> 4) + 1;
@@ -346,6 +348,8 @@ DGifGetImageDesc(GifFileType * GifFile)
return GIF_ERROR;
if (READ(GifFile, Buf, 1) != 1) {
_GifError = D_GIF_ERR_READ_FAILED;
+ FreeMapObject(GifFile->Image.ColorMap);
+ GifFile->Image.ColorMap = NULL;
return GIF_ERROR;
}
BitsPerPixel = (Buf[0] & 0x07) + 1;
@@ -994,6 +998,14 @@ DGifBufferedInput(GifFileType * GifFile,
_GifError = D_GIF_ERR_IMAGE_DEFECT;
return GIF_ERROR;
}
+ /* There shouldn't be any empty data blocks here as the LZW spec
+ * says the LZW termination code should come first. Therefore we
+ * shouldn't be inside this routine at that point.
+ */
+ if (Buf[0] == 0) {
+ _GifError = D_GIF_ERR_IMAGE_DEFECT;
+ return GIF_ERROR;
+ }
if (READ(GifFile, &Buf[1], Buf[0]) != Buf[0]) {
_GifError = D_GIF_ERR_READ_FAILED;
return GIF_ERROR;