oss-sec mailing list archives
Re:[oss-security] Re: a bug in gif2rgb.c in giflib-5.1.2
From: xiaoqixue_1 <xiaoqixue_1 () 163 com>
Date: Fri, 29 Jan 2016 07:03:16 +0800 (CST)
It has been fixed now. GifFile->SHeight and GifFile->SWidth both could result to zero memory allocation actually. the patch as follows: http://sourceforge.net/p/giflib/code/ci/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6/#diff-2 --- a/util/gif2rgb.c+++ b/util/gif2rgb.c@@ -378,8 +378,8 @@ } } - if (GifFile->SHeight == 0) {- fprintf(stderr, "Image of height 0\n");+ if (GifFile->SHeight == 0 || GifFile->SWidth == 0) {+ fprintf(stderr, "Image of width or height 0\n"); exit(EXIT_FAILURE); } At 2016-01-27 13:40:08, cve-assign () mitre org wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256We find a memory allocation whose size could be zero in gif2rgb.c. and It will result to several memory out of bound read and write. the bug in gif2rgb.c:386 : 386 if ((ScreenBuffer = (GifRowType *) 387 malloc(GifFile->SHeight * sizeof(GifRowType))) == NULL) 388 GIF_EXIT("Failed to allocate memory required, aborted."); Please see "http://sourceforge.net/p/giflib/bugs/82/" for more details.Can you provide more information about the relationship between http://sourceforge.net/p/giflib/bugs/82/ and the above instance of GifFile->SHeight in the malloc call? The http://sourceforge.net/p/giflib/code/ci/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6/ patch for http://sourceforge.net/p/giflib/bugs/82/ adds a check for "GifFile->SWidth == 0" but does not add new validation of the GifFile->SHeight value. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJWqFekAAoJEL54rhJi8gl5AtQP/imjqKTZMrt2KiqYaIAiEbvK KBvoKNDaBesh4kJQ2XHIlT+kG5y2Qr0KiXYR3+O0nrbebXzM9pUlcAI6H3jAhiOX h2mRNBXKGOof7wbsoAFsKrYEKAdASvLxy+KSl74Bxb00Z68PSezgBo1SoHi/xW3z C5yFxRnOjYLlVz/X76+gYYqbLgwnLHUPWN4mIxu2unDZ67Mc43i8br4pr1eXH4an 1GgExNhoMsIk2vwPLatOL7DDEqBJKLygVh5QYtXs1uXjBx/RA4opzJRsb3mgmX2D K4q5mjgrUfx85meR/9zBVs22HLSWcJPQoqQnaRHcKKN0R8J0P+31X2NYBqbMj9d3 HVZaaX9zB4Uq3Mpj9ZTgGnvyJuI/YVi7VviYTWhn17NGrvH3ivCr/vvhs7nudBti PfQj6if3vhy6cH7WYUN9ybzG3NXFdPpL9ZU5WN5GAyICXfYo3m63X03OZWPuTm3h skzp2a4dAfh+6KTF53ebUzoi0V+vX3tq5+jnMbDam/UfZBOdq+cK0CYU2VrOmNCj F0LcBDjzGBxepVLQS54Bvh/B5ymrIWjcub4zJ6gIIh0Sg5sUBBW2eg80my5wrD46 7mvpMgl2D2FWy8dHkdyf4abotfnZj62d43XD+tqjfERuTRnJCDNh/O8q4MyMVw73 69PiDuGJuPAhFns58FDN =bNmf -----END PGP SIGNATURE-----
Current thread:
- Buffer Overflow in lha compression utility Paris Zoumpouloglou (Jan 18)
- Re: Buffer Overflow in lha compression utility cve-assign (Jan 18)
- Re:[oss-security] Re: Buffer Overflow in lha compression utility xiaoqixue_1 (Jan 19)
- Re: an out of bound read is found in libdwarf -20151114 cve-assign (Jan 28)
- a bug in gif2rgb.c in giflib-5.1.2 xiaoqixue_1 (Jan 26)
- Re: a bug in gif2rgb.c in giflib-5.1.2 cve-assign (Jan 26)
- Re:[oss-security] Re: a bug in gif2rgb.c in giflib-5.1.2 xiaoqixue_1 (Jan 28)
- Re:[oss-security] Re: Buffer Overflow in lha compression utility xiaoqixue_1 (Jan 19)
- Re: Buffer Overflow in lha compression utility cve-assign (Jan 18)