2017-08-22 04:23 BST

ID: 0002515
Project: LibNSGIF
Category: [All Projects] General
View Status: public
Last Update: 2017-01-25 00:58
Reporter: npnth
Assigned To: Vincent Sanders
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: open
Platform: x86_64
OS: Gentoo Linux
OS Version: Rolling
Summary: 0002515: Malformed gifs can cause bad array indexing in gif_decode_frame()
Description: Since last_undisposed_frame is decremented after being tested for -1, but before being used as an index, the loop

    while ((last_undisposed_frame != -1) && (gif->frames[--last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE))
        ;

can sometimes evaluate gif->frames[-1] if the gif is sufficiently malformed.

(Found while I was playing around with AFL.)
Steps To Reproduce: Run test_decode_gif on attached file, which should consistently produce a segfault.
Additional Information: I locally replaced the loop with the naive

    --last_undisposed_frame;
    while ((last_undisposed_frame >= 0) && (gif->frames[last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE))
        --last_undisposed_frame;

This fixed the issue for me and doesn't seem to break anything.
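As an added illustration (not code from the report or from libnsgif itself), here are both loops modelled over a constructed disposal-method array. The original loop is reproduced with a guard so that the index it would have used is reported instead of dereferenced; the enum values and function names are assumptions for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed disposal-method values; names follow the report, the
 * numeric values are an assumption for this example only. */
enum { GIF_FRAME_CLEAR = 0, GIF_FRAME_RESTORE = 1 };

/* Model of the original loop. The index is decremented before the
 * array access, so when frame 0 is reached the next iteration computes
 * frames[-1]. Here the access is bounds-checked and flagged via *oob
 * rather than performed. Returns the final index. */
static int find_undisposed_original(const int *disposal, int nframes,
                                    int last_undisposed_frame, bool *oob)
{
    *oob = false;
    while (last_undisposed_frame != -1) {
        --last_undisposed_frame;                    /* decrement first */
        if (last_undisposed_frame < 0 || last_undisposed_frame >= nframes) {
            *oob = true;                            /* original reads here */
            break;
        }
        if (disposal[last_undisposed_frame] != GIF_FRAME_RESTORE)
            break;
    }
    return last_undisposed_frame;
}

/* The reporter's replacement: the index is tested against 0 before
 * every access, so the search stops at -1 without reading frames[-1]. */
static int find_undisposed_fixed(const int *disposal, int last_undisposed_frame)
{
    --last_undisposed_frame;
    while ((last_undisposed_frame >= 0) &&
           (disposal[last_undisposed_frame] == GIF_FRAME_RESTORE))
        --last_undisposed_frame;
    return last_undisposed_frame;
}

int main(void)
{
    /* Constructed worst case: every frame uses RESTORE. */
    const int all_restore[3] = { GIF_FRAME_RESTORE, GIF_FRAME_RESTORE,
                                 GIF_FRAME_RESTORE };
    bool oob;
    int idx = find_undisposed_original(all_restore, 3, 2, &oob);
    printf("original: index %d, out-of-bounds access: %s\n", idx,
           oob ? "yes" : "no");
    printf("fixed:    index %d\n", find_undisposed_fixed(all_restore, 2));
    return 0;
}
```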
Tags: No tags attached.
Fixed in CI build #: 0211
Reported in CI build #:
Attached Files


Notes

~0001510 Vincent Sanders (administrator)

Thanks for the report, this was fixed in commit

http://source.netsurf-browser.org/libnsgif.git/commit/?id=abc6a95ad6a8fd14cce943b4f9643b0a2ad175b4

Issue History
Date Modified | Username | Field | Change
2017-01-22 13:05 | npnth | New Issue |
2017-01-22 13:05 | npnth | File Added | bad_restore.gif
2017-01-22 15:01 | Vincent Sanders | Project | NetSurf => LibNSGIF
2017-01-25 00:58 | Vincent Sanders | Fixed in CI build # | => 0211
2017-01-25 00:58 | Vincent Sanders | Note Added | 0001510
2017-01-25 00:58 | Vincent Sanders | Assigned To | => Vincent Sanders
2017-01-25 00:58 | Vincent Sanders | Severity | tweak => crash
2017-01-25 00:58 | Vincent Sanders | Status | new => resolved