MantisBT - LibNSGIF
View Issue Details
ID: 0002515
Project: LibNSGIF
Category: [All Projects] General
View Status: public
Date Submitted: 2017-01-22 13:05
Last Update: 2017-01-25 00:58
Assigned To: Vincent Sanders
Platform: x86_64
OS: Gentoo Linux
OS Version: Rolling
Fixed in CI build #: 0211
Reported in CI build #:
Summary: 0002515: Malformed gifs can cause bad array indexing in gif_decode_frame()
Description: Since last_undisposed_frame is decremented after being tested for -1, but before being used as an index, the loop

    while ((last_undisposed_frame != -1) && (gif->frames[--last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE))

can sometimes evaluate gif->frames[-1] if the gif is sufficiently malformed.

(Found while I was playing around with AFL.)
Steps To Reproduce: Run test_decode_gif on attached file, which should consistently produce a segfault.
Additional Information: I locally replaced the loop with the naive

    while ((last_undisposed_frame >= 0) && (gif->frames[last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE))

This fixed the issue for me and doesn't seem to break anything.
Tags: No tags attached.
Attached Files: bad_restore.gif (15,754) 2017-01-22 13:05
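The indexing mismatch described in this report, as an added example that is not libnsgif's own code and not the fix the project applied: a small C program that contrasts the original loop condition with the reporter's replacement condition. The frame structure, the disposal-method values, the loop body used with the replacement condition and the sample frame tables are all constructed for the demo, and the original condition is traced one step at a time so the program itself never reads out of bounds.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for libnsgif's disposal methods; the real values
 * live in libnsgif's headers and are not copied here. */
enum demo_disposal { DEMO_DISPOSAL_NONE = 0, DEMO_DISPOSAL_RESTORE = 3 };

struct demo_frame { enum demo_disposal disposal_method; };

/* Trace the original condition
 *   while ((l != -1) && (frames[--l].disposal_method == GIF_FRAME_RESTORE)) ;
 * step by step. Returns true if the real loop would read frames[-1].
 * The test for -1 happens before the decrement, so reaching index 0 with
 * the loop still running always produces a read of frames[-1]. Reads are
 * only performed here when the index is in bounds. */
bool original_reads_frames_minus_one(const struct demo_frame *frames,
                                     int nframes, int l)
{
    while (l != -1) {
        --l;                                /* decrement is part of the condition */
        if (l < 0 || l >= nframes)
            return true;                    /* real loop would index out of bounds */
        if (frames[l].disposal_method != DEMO_DISPOSAL_RESTORE)
            break;                          /* condition false: loop ends normally */
    }
    return false;
}

/* The reporter's replacement condition with an explicit decrement in the
 * body (the body is an assumption of this demo, not quoted from the report).
 * The index is compared against zero before it is used, so frames[-1] is
 * never evaluated. Precondition: 0 <= l < nframes or l == -1. */
int fixed_find_undisposed(const struct demo_frame *frames, int nframes, int l)
{
    (void)nframes;
    while ((l >= 0) && (frames[l].disposal_method == DEMO_DISPOSAL_RESTORE))
        --l;
    return l;                               /* -1 when every frame was a restore frame */
}

/* Constructed sample tables (not derived from the attached bad_restore.gif). */
const struct demo_frame demo_all_restore[2] = {
    { DEMO_DISPOSAL_RESTORE }, { DEMO_DISPOSAL_RESTORE }
};
const struct demo_frame demo_mixed[2] = {
    { DEMO_DISPOSAL_NONE }, { DEMO_DISPOSAL_RESTORE }
};

int main(void)
{
    printf("all-restore table, start 1: original reads frames[-1]? %s, fixed stops at %d\n",
           original_reads_frames_minus_one(demo_all_restore, 2, 1) ? "yes" : "no",
           fixed_find_undisposed(demo_all_restore, 2, 1));
    printf("mixed table, start 1: original reads frames[-1]? %s, fixed stops at %d\n",
           original_reads_frames_minus_one(demo_mixed, 2, 1) ? "yes" : "no",
           fixed_find_undisposed(demo_mixed, 2, 1));
    return 0;
}
```

With a table whose frames all use the restore disposal method, the original condition walks down to index 0, passes the `!= -1` test, decrements to -1 and reads `frames[-1]`; the replacement condition reaches -1 and stops without reading. A fuzzer-generated file that makes every preceding frame a restore frame is enough to reach that path.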

Vincent Sanders (2017-01-25 00:58)
Thanks for the report, this was fixed in commit

Issue History
2017-01-22 13:05  npnth            New Issue
2017-01-22 13:05  npnth            File Added: bad_restore.gif
2017-01-22 15:01  Vincent Sanders  Project: NetSurf => LibNSGIF
2017-01-25 00:58  Vincent Sanders  Fixed in CI build #: => 0211
2017-01-25 00:58  Vincent Sanders  Note Added: 0001510
2017-01-25 00:58  Vincent Sanders  Assigned To: => Vincent Sanders
2017-01-25 00:58  Vincent Sanders  Severity: tweak => crash
2017-01-25 00:58  Vincent Sanders  Status: new => resolved