MantisBT - LibNSGIF
View Issue Details
ID: 0002515
Project: LibNSGIF
Category: [All Projects] General
View Status: public
Date Submitted: 2017-01-22 13:05
Last Update: 2017-01-25 00:58
Reporter: npnth
Assigned To: Vincent Sanders
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: open
Platform: x86_64
OS: Gentoo Linux
OS Version: Rolling
Fixed in CI build #: 0211
Reported in CI build #:
Summary: 0002515: Malformed gifs can cause bad array indexing in gif_decode_frame()
Description:
Since last_undisposed_frame is decremented after being tested for -1, but before being used as an index, the loop

    while ((last_undisposed_frame != -1) && (gif->frames[--last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE))
        ;

can sometimes evaluate gif->frames[-1] if the gif is sufficiently malformed.

(Found while I was playing around with AFL.)
Steps To Reproduce:
Run test_decode_gif on the attached file, which should consistently produce a segfault.
Additional Information:
I locally replaced the loop with the naive

    --last_undisposed_frame;
    while ((last_undisposed_frame >= 0) && (gif->frames[last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE))
        --last_undisposed_frame;

This fixed the issue for me and doesn't seem to break anything.
Tags: No tags attached.
Attached Files: bad_restore.gif (15,754 bytes) 2017-01-22 13:05
https://bugs.netsurf-browser.org/mantis/file_download.php?file_id=477&type=bug
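
A worked illustration of the indexing error and of the replacement loop from the Additional Information field, as added example code that is not part of the report, of libnsgif, or of the attachment. It assumes a minimal stand-in for libnsgif's frame table (a `struct gif_frame` with only `disposal_method`, a `struct gif_animation` holding the array and its length, the `GIF_FRAME_RESTORE` constant from the report and a hypothetical `GIF_FRAME_CLEAR`), assumes the walk starts at the index of the frame being decoded, and uses constructed frame tables rather than the attached bad_restore.gif. The direct `gif->frames[idx]` read is routed through a bounds-checking accessor so that the read of index -1 is reported instead of segfaulting.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal stand-ins for libnsgif's frame bookkeeping (assumed, not the
 * library's real definitions): only the one field the loop reads. */
#define GIF_FRAME_CLEAR   0   /* hypothetical "no restore" disposal */
#define GIF_FRAME_RESTORE 1   /* the value the loop in the report tests */

struct gif_frame { int disposal_method; };
struct gif_animation { const struct gif_frame *frames; int frame_count; };

/* Bounds-checking replacement for the raw gif->frames[idx] read. An index
 * outside [0, frame_count) sets *oob and returns a non-RESTORE value so the
 * walk stops where the real code would read past the array. */
static int disposal_at(const struct gif_animation *gif, int idx, bool *oob)
{
    if (idx < 0 || idx >= gif->frame_count) {
        *oob = true;
        return GIF_FRAME_CLEAR;
    }
    return gif->frames[idx].disposal_method;
}

/* The loop as quoted in the report. The test against -1 runs before the
 * pre-decrement, so an index that is 0 when tested becomes -1 when used. */
static int last_undisposed_original(const struct gif_animation *gif, int frame, bool *oob)
{
    int last_undisposed_frame = frame;
    *oob = false;
    while ((last_undisposed_frame != -1) &&
           (disposal_at(gif, --last_undisposed_frame, oob) == GIF_FRAME_RESTORE))
        ;
    return last_undisposed_frame;
}

/* The replacement from the report's Additional Information: decrement
 * first, then require >= 0 before indexing, so -1 is never dereferenced and
 * a result of -1 simply means "no undisposed frame before this one". */
static int last_undisposed_fixed(const struct gif_animation *gif, int frame, bool *oob)
{
    int last_undisposed_frame = frame;
    *oob = false;
    --last_undisposed_frame;
    while ((last_undisposed_frame >= 0) &&
           (disposal_at(gif, last_undisposed_frame, oob) == GIF_FRAME_RESTORE))
        --last_undisposed_frame;
    return last_undisposed_frame;
}

typedef int (*walk_fn)(const struct gif_animation *, int, bool *);

/* Helpers exposing the two observable results of a walk: the index it
 * settles on, and whether it ever read outside the frame array. */
static int walk_index(walk_fn walk, const struct gif_animation *gif, int frame)
{
    bool oob;
    return walk(gif, frame, &oob);
}

static bool walk_reads_out_of_range(walk_fn walk, const struct gif_animation *gif, int frame)
{
    bool oob;
    (void)walk(gif, frame, &oob);
    return oob;
}

/* Constructed frame tables (not derived from the attached bad_restore.gif).
 * malformed: frame 0 is marked RESTORE and frame 1 is being decoded, so every
 * frame before the current one is RESTORE and the walk reaches index 0.
 * benign: a CLEAR frame sits below the RESTORE run, so both loops stop at 0. */
static const struct gif_frame malformed_frames[] = { { GIF_FRAME_RESTORE }, { GIF_FRAME_CLEAR } };
static const struct gif_animation malformed_gif = { malformed_frames, 2 };

static const struct gif_frame benign_frames[] = {
    { GIF_FRAME_CLEAR }, { GIF_FRAME_RESTORE }, { GIF_FRAME_RESTORE }, { GIF_FRAME_CLEAR }
};
static const struct gif_animation benign_gif = { benign_frames, 4 };

int main(void)
{
    printf("malformed, original loop: index %d, reads frames[-1]: %s\n",
           walk_index(last_undisposed_original, &malformed_gif, 1),
           walk_reads_out_of_range(last_undisposed_original, &malformed_gif, 1) ? "yes" : "no");
    printf("malformed, fixed loop:    index %d, reads frames[-1]: %s\n",
           walk_index(last_undisposed_fixed, &malformed_gif, 1),
           walk_reads_out_of_range(last_undisposed_fixed, &malformed_gif, 1) ? "yes" : "no");
    printf("benign, original loop:    index %d\n", walk_index(last_undisposed_original, &benign_gif, 3));
    printf("benign, fixed loop:       index %d\n", walk_index(last_undisposed_fixed, &benign_gif, 3));
    return 0;
}
```

The benign table shows the two loops agree whenever a non-RESTORE frame exists below the current one; they only diverge when the RESTORE run reaches frame 0, which is exactly the condition a malformed file can force.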

Notes
Note 0001510 - Vincent Sanders - 2017-01-25 00:58
Thanks for the report, this was fixed in commit

http://source.netsurf-browser.org/libnsgif.git/commit/?id=abc6a95ad6a8fd14cce943b4f9643b0a2ad175b4

Issue History
2017-01-22 13:05 | npnth | New Issue
2017-01-22 13:05 | npnth | File Added: bad_restore.gif
2017-01-22 15:01 | Vincent Sanders | Project: NetSurf => LibNSGIF
2017-01-25 00:58 | Vincent Sanders | Fixed in CI build #: => 0211
2017-01-25 00:58 | Vincent Sanders | Note Added: 0001510
2017-01-25 00:58 | Vincent Sanders | Assigned To: => Vincent Sanders
2017-01-25 00:58 | Vincent Sanders | Severity: tweak => crash
2017-01-25 00:58 | Vincent Sanders | Status: new => resolved