MantisBT - LibNSGIF | |||||
View Issue Details | |||||
ID | Project | Category | View Status | Date Submitted | Last Update |
0002515 | LibNSGIF | [All Projects] General | public | 2017-01-22 13:05 | 2020-05-27 09:24 |
Reporter | npnth | ||||
---|---|---|---|---|---|
Assigned To | Vincent Sanders | ||||
Priority | normal | Severity | crash | Reproducibility | always |
Status | closed | Resolution | open | ||
Platform | x86_64 | OS | Gentoo Linux | OS Version | Rolling |
Fixed in CI build # | 0211 | ||||
Reported in CI build # | |||||
Summary | 0002515: Malformed gifs can cause bad array indexing in gif_decode_frame() | ||||
Description | Since last_undisposed_frame is decremented after being tested for -1, but before being used as an index, the loop `while ((last_undisposed_frame != -1) && (gif->frames[--last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE)) ;` can sometimes evaluate `gif->frames[-1]` if the gif is sufficiently malformed. (Found while I was playing around with AFL.) | ||||
Steps To Reproduce | Run test_decode_gif on attached file, which should consistently produce a segfault. | ||||
Additional Information | I locally replaced the loop with the naive `--last_undisposed_frame; while ((last_undisposed_frame >= 0) && (gif->frames[last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE)) --last_undisposed_frame;` This fixed the issue for me and doesn't seem to break anything. | ||||
Tags | No tags attached. | ||||
Relationships | |||||
Attached Files | bad_restore.gif (15,754) 2017-01-22 13:05 https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=477&type=bug |
Notes | |||||
Issue History | |||||
Date Modified | Username | Field | Change | ||
---|---|---|---|---|---|
2017-01-22 13:05 | npnth | New Issue | |||
2017-01-22 13:05 | npnth | File Added: bad_restore.gif | |||
2017-01-22 15:01 | Vincent Sanders | Project | NetSurf => LibNSGIF | ||
2017-01-25 00:58 | Vincent Sanders | Fixed in CI build # | => 0211 | ||
2017-01-25 00:58 | Vincent Sanders | Note Added: 0001510 | |||
2017-01-25 00:58 | Vincent Sanders | Assigned To | => Vincent Sanders | ||
2017-01-25 00:58 | Vincent Sanders | Severity | tweak => crash | ||
2017-01-25 00:58 | Vincent Sanders | Status | new => resolved | ||
2020-05-27 09:24 | Vincent Sanders | Status | resolved => closed | ||
2020-05-27 09:24 | Vincent Sanders | Note Added: 0002264 |
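
The two loop shapes from the report, side by side, as an added example that is not LibNSGIF's own code. The `struct frame` model, the checked accessor `disposal_at`, the `OOB_READ` marker, the `start` parameter and the sample arrays are assumptions constructed here so the bad index is recorded rather than dereferenced.

```c
#include <stdio.h>

/* Constructed model: names follow the report, values are assumptions. */
#define GIF_FRAME_RESTORE 3 /* GIF89a disposal method 3, restore to previous */
#define OOB_READ (-2)       /* hypothetical marker: scan indexed outside frames[] */

struct frame { int disposal_method; };

/* Constructed inputs: every frame is RESTORE / frame 0 is not RESTORE. */
static const struct frame all_restore[3] = { {3}, {3}, {3} };
static const struct frame first_plain[3] = { {1}, {3}, {3} };
static int oob_hit;

/* Checked accessor: records a bad index instead of reading out of bounds. */
static int disposal_at(const struct frame *f, int n, int i)
{
    if (i < 0 || i >= n) { oob_hit = 1; return -1; }
    return f[i].disposal_method;
}

/* Loop shape quoted in the report: test for -1, decrement, then index. */
int scan_reported(const struct frame *f, int n, int start)
{
    int last_undisposed_frame = start;
    oob_hit = 0;
    while ((last_undisposed_frame != -1) &&
           (disposal_at(f, n, --last_undisposed_frame) == GIF_FRAME_RESTORE))
        ;
    return oob_hit ? OOB_READ : last_undisposed_frame;
}

/* Reporter's replacement: decrement first, bounds-test, then index. */
int scan_replacement(const struct frame *f, int n, int start)
{
    int last_undisposed_frame = start;
    oob_hit = 0;
    --last_undisposed_frame;
    while ((last_undisposed_frame >= 0) &&
           (disposal_at(f, n, last_undisposed_frame) == GIF_FRAME_RESTORE))
        --last_undisposed_frame;
    return oob_hit ? OOB_READ : last_undisposed_frame;
}

int main(void)
{
    printf("all_restore: reported=%d replacement=%d\n",
           scan_reported(all_restore, 3, 2), scan_replacement(all_restore, 3, 2));
    printf("first_plain: reported=%d replacement=%d\n",
           scan_reported(first_plain, 3, 2), scan_replacement(first_plain, 3, 2));
    return 0;
}
```

When a non-RESTORE frame exists before the starting index, both forms stop on it and return the same value; they differ only when the scan runs off the front of the array.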