View Issue Details

| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
|---|---|---|---|---|---|---|---|---|---|
| 0002515 | LibNSGIF | [All Projects] General | public | 2017-01-22 13:05 | 2020-05-27 08:24 | ||||
| Reporter | npnth | ||||||||
| Assigned To | Vincent Sanders | ||||||||
| Priority | normal | Severity | crash | Reproducibility | always | ||||
| Status | closed | Resolution | open | ||||||
| Platform | x86_64 | OS | Gentoo Linux | OS Version | Rolling | ||||
| Summary | 0002515: Malformed gifs can cause bad array indexing in gif_decode_frame() | ||||||||
| Description | Since last_undisposed_frame is decremented after being tested for -1, but before being used as an index, the loop `while ((last_undisposed_frame != -1) && (gif->frames[--last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE)) ;` can sometimes evaluate `gif->frames[-1]` if the gif is sufficiently malformed. (Found while I was playing around with AFL.) | ||||||||
| Steps To Reproduce | Run test_decode_gif on attached file, which should consistently produce a segfault. | ||||||||
| Additional Information | I locally replaced the loop with the naive `--last_undisposed_frame; while ((last_undisposed_frame >= 0) && (gif->frames[last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE)) --last_undisposed_frame;` This fixed the issue for me and doesn't seem to break anything. | ||||||||
| Tags | No tags attached. | ||||||||
| Fixed in CI build # | 0211 | ||||||||
| Reported in CI build # | |||||||||
| Attached Files | |
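
The off-by-one in the quoted loop and the reporter's replacement, side by side, as an added C example that is not part of the bug report or of libnsgif itself; the frame struct, the disposal constants and the two frame sequences are simplified stand-ins constructed for the example, and the starting index is assumed to be the index of the frame being decoded:

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for libnsgif's frame record and disposal constants. These are
 * hypothetical simplifications for the example, not the library's own types. */
enum { GIF_FRAME_UNKNOWN = 0, GIF_FRAME_CLEAR, GIF_FRAME_RESTORE };
struct frame { int disposal_method; };

/* Mirrors the control flow of the loop quoted in the report, but checks the
 * index before using it, so the out-of-range read is reported rather than
 * performed. Returns true if the original loop would have read frames[-1]
 * when started with this value of last_undisposed_frame. */
static bool original_loop_reads_oob(const struct frame *frames, int last_undisposed_frame)
{
    while (last_undisposed_frame != -1) {
        --last_undisposed_frame;          /* original decrements inside the index expression */
        if (last_undisposed_frame < 0)
            return true;                  /* original would evaluate frames[-1] here */
        if (frames[last_undisposed_frame].disposal_method != GIF_FRAME_RESTORE)
            break;
    }
    return false;
}

/* The reporter's replacement: decrement first, then test the index against 0
 * before it is used to index frames[]. Returns the index of the nearest earlier
 * frame whose disposal method is not GIF_FRAME_RESTORE, or -1 if there is none,
 * which the caller must handle instead of indexing with it. */
static int find_last_undisposed(const struct frame *frames, int last_undisposed_frame)
{
    --last_undisposed_frame;
    while ((last_undisposed_frame >= 0) &&
           (frames[last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE))
        --last_undisposed_frame;
    return last_undisposed_frame;
}

/* Constructed frame sequences. In the malformed one every earlier frame asks
 * for a restore, so the backwards search runs off the front of the array. */
static const struct frame well_formed[] = {
    { GIF_FRAME_CLEAR }, { GIF_FRAME_RESTORE }, { GIF_FRAME_RESTORE } };
static const struct frame malformed[] = {
    { GIF_FRAME_RESTORE }, { GIF_FRAME_RESTORE } };

int main(void)
{
    /* Decoding frame 3 of the well-formed sequence: both variants stop at frame 0. */
    printf("well-formed: last undisposed = %d, original oob = %d\n",
           find_last_undisposed(well_formed, 3), original_loop_reads_oob(well_formed, 3));
    /* Decoding frame 2 of the malformed sequence: fixed loop returns -1, original reads frames[-1]. */
    printf("malformed:   last undisposed = %d, original oob = %d\n",
           find_last_undisposed(malformed, 2), original_loop_reads_oob(malformed, 2));
    return 0;
}
```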
Notes

Vincent Sanders (administrator) 2017-01-25 00:58

Thanks for the report, this was fixed in commit http://source.netsurf-browser.org/libnsgif.git/commit/?id=abc6a95ad6a8fd14cce943b4f9643b0a2ad175b4

Vincent Sanders (administrator) 2020-05-27 08:24

Thank you for reporting this issue. We believe this is fixed in the 3.10 release. If this is not the case please feel free to reopen the issue with additional details.

Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2017-01-22 13:05 | npnth | New Issue | |
| 2017-01-22 13:05 | npnth | File Added: bad_restore.gif | |
| 2017-01-22 15:01 | Vincent Sanders | Project | NetSurf => LibNSGIF |
| 2017-01-25 00:58 | Vincent Sanders | Fixed in CI build # | => 0211 |
| 2017-01-25 00:58 | Vincent Sanders | Note Added: 0001510 | |
| 2017-01-25 00:58 | Vincent Sanders | Assigned To | => Vincent Sanders |
| 2017-01-25 00:58 | Vincent Sanders | Severity | tweak => crash |
| 2017-01-25 00:58 | Vincent Sanders | Status | new => resolved |
| 2020-05-27 08:24 | Vincent Sanders | Status | resolved => closed |
| 2020-05-27 08:24 | Vincent Sanders | Note Added: 0002264 | |