MantisBT - LibNSGIF
View Issue Details
ID: 0002515
Project: LibNSGIF
Category: [All Projects] General
View Status: public
Date Submitted: 2017-01-22 13:05
Last Update: 2020-05-27 09:24
Reporter: npnth
Assigned To: Vincent Sanders
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: open
Platform: x86_64
OS: Gentoo Linux
OS Version: Rolling
Fixed in CI build #: 0211
Reported in CI build #:
Summary: 0002515: Malformed gifs can cause bad array indexing in gif_decode_frame()
Description: Since last_undisposed_frame is decremented after being tested for -1, but before being used as an index, the loop

    while ((last_undisposed_frame != -1) && (gif->frames[--last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE))
        ;

can sometimes evaluate gif->frames[-1] if the gif is sufficiently malformed.

(Found while I was playing around with AFL.)
Steps To Reproduce: Run test_decode_gif on attached file, which should consistently produce a segfault.
Additional Information: I locally replaced the loop with the naive

    --last_undisposed_frame;
    while ((last_undisposed_frame >= 0) && (gif->frames[last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE))
        --last_undisposed_frame;

This fixed the issue for me and doesn't seem to break anything.
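To make the off-by-one in the report concrete, here is an added C demo (not libnsgif code) that walks a constructed frame table with both loops; the original loop has its array access routed through a range check that counts the frames[-1] read instead of performing it. The `start` argument (where the backwards search begins) and the numeric disposal constants are assumptions of the demo.

```c
#include <stdio.h>

/* Constructed demo, not libnsgif code; only GIF_FRAME_RESTORE matters here. */
enum { GIF_FRAME_CLEAR = 2, GIF_FRAME_RESTORE = 3 };
struct gif_frame { int disposal_method; };

static int oob_reads = 0;   /* frames[-1] reads the instrumented loop would make */

/* Original loop from the report, instrumented: the decrement runs before the
 * index is used, so once the walk reaches index 0 the next test would read
 * frames[-1]; the range check records that instead of performing the read. */
static int original_loop(const struct gif_frame *frames, int start)
{
    int last_undisposed_frame = start;
    while (last_undisposed_frame != -1) {
        --last_undisposed_frame;           /* frames[--last_undisposed_frame] */
        if (last_undisposed_frame < 0) {   /* this would be frames[-1] */
            oob_reads++;
            break;
        }
        if (frames[last_undisposed_frame].disposal_method != GIF_FRAME_RESTORE)
            break;
    }
    return last_undisposed_frame;
}

/* The reporter's replacement: decrement first, then check the index is
 * non-negative before using it. */
static int fixed_loop(const struct gif_frame *frames, int start)
{
    int last_undisposed_frame = start;
    --last_undisposed_frame;
    while ((last_undisposed_frame >= 0) &&
           (frames[last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE))
        --last_undisposed_frame;
    return last_undisposed_frame;
}

/* Constructed frame table: indexes 0 and 1 use RESTORE, index 2 does not. */
static const struct gif_frame demo_frames[] = {
    { GIF_FRAME_RESTORE }, { GIF_FRAME_RESTORE }, { GIF_FRAME_CLEAR }
};

int main(void)
{
    int r = original_loop(demo_frames, 1);
    printf("original from 1: index %d, frames[-1] reads: %d\n", r, oob_reads);
    printf("fixed from 1:    index %d\n", fixed_loop(demo_frames, 1));
    return 0;
}
```

Starting the search at index 1 with frame 0 marked RESTORE is enough for the original loop to reach frames[-1], while the fixed loop stops at -1 without touching memory before the array.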
Tags: No tags attached.
Attached Files: bad_restore.gif (15,754 bytes) 2017-01-22 13:05
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=477&type=bug

Notes
(0001510) Vincent Sanders, 2017-01-25 00:58
Thanks for the report, this was fixed in commit

http://source.netsurf-browser.org/libnsgif.git/commit/?id=abc6a95ad6a8fd14cce943b4f9643b0a2ad175b4
(0002264) Vincent Sanders, 2020-05-27 09:24
Thank you for reporting this issue.
We believe this is fixed in the 3.10 release.
If this is not the case please feel free to reopen the issue with additional details.

Issue History
2017-01-22 13:05 | npnth | New Issue
2017-01-22 13:05 | npnth | File Added: bad_restore.gif
2017-01-22 15:01 | Vincent Sanders | Project: NetSurf => LibNSGIF
2017-01-25 00:58 | Vincent Sanders | Fixed in CI build #: => 0211
2017-01-25 00:58 | Vincent Sanders | Note Added: 0001510
2017-01-25 00:58 | Vincent Sanders | Assigned To: => Vincent Sanders
2017-01-25 00:58 | Vincent Sanders | Severity: tweak => crash
2017-01-25 00:58 | Vincent Sanders | Status: new => resolved
2020-05-27 09:24 | Vincent Sanders | Status: resolved => closed
2020-05-27 09:24 | Vincent Sanders | Note Added: 0002264