2019-12-06 21:48 UTC

ID: 0002515
Project: LibNSGIF
Category: [All Projects] General
View Status: public
Last Update: 2017-01-25 00:58
Assigned To: Vincent Sanders
Platform: x86_64
OS: Gentoo Linux
OS Version: Rolling
Summary: 0002515: Malformed gifs can cause bad array indexing in gif_decode_frame()
Description: Since last_undisposed_frame is decremented after being tested for -1, but before being used as an index, the loop

    while ((last_undisposed_frame != -1) && (gif->frames[--last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE))

can sometimes evaluate gif->frames[-1] if the gif is sufficiently malformed.

(Found while I was playing around with AFL.)
Steps To Reproduce: Run test_decode_gif on the attached file, which should consistently produce a segfault.
Additional Information: I locally replaced the loop with the naive

    while ((last_undisposed_frame >= 0) && (gif->frames[last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE))

This fixed the issue for me and doesn't seem to break anything.
Tags: No tags attached.
Fixed in CI build #0211
Reported in CI build #
Attached Files: bad_restore.gif
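To make the index error in the report concrete, here is an added example (not libnsgif code) that runs the report's scan-back loop over a constructed frame table: the buggy shape is traced with the index checked before each read so the out-of-bounds access is reported rather than performed, and a bounded form in the spirit of the reporter's replacement is shown beside it. The enum values, struct layout and frame tables are constructed for the example.

```c
/* Added example, not libnsgif code: the report's scan-back loop run over a
 * constructed frame table. The buggy shape is traced with the index checked
 * before each read, so the out-of-bounds access is reported, not performed. */
#include <stdbool.h>
#include <stdio.h>
/* Constructed stand-in for libnsgif's disposal values. */
enum { GIF_FRAME_UNKNOWN = 0, GIF_FRAME_RESTORE = 3 };
struct frame { int disposal_method; };

/* The report's loop: `!= -1` is tested on the OLD value, then the index is
 * pre-decremented and dereferenced. Once it reaches 0 the test passes and the
 * read is frames[-1]. Returns true if the original would read frames[-1]. */
static bool buggy_loop_reads_negative(const struct frame *frames, int start)
{
    int last_undisposed_frame = start;
    while (last_undisposed_frame != -1) {
        --last_undisposed_frame;              /* the frames[--i] decrement */
        if (last_undisposed_frame < 0)
            return true;                      /* original reads frames[-1] here */
        if (frames[last_undisposed_frame].disposal_method != GIF_FRAME_RESTORE)
            return false;                     /* found an undisposed frame */
    }
    return false;                             /* only reachable if start == -1 */
}

/* Bounded form in the spirit of the reporter's replacement: test the index
 * that is about to be read. Returns the last frame before `start` not
 * RESTORE-disposed, or -1 when every earlier frame was. */
static int last_undisposed(const struct frame *frames, int start)
{
    int i = start - 1;
    while (i >= 0 && frames[i].disposal_method == GIF_FRAME_RESTORE)
        i--;
    return i;
}

/* Constructed tables: frame 0 undisposed vs. every frame RESTORE-disposed. */
static const struct frame well_formed[4] = {{GIF_FRAME_UNKNOWN},
    {GIF_FRAME_RESTORE}, {GIF_FRAME_RESTORE}, {GIF_FRAME_RESTORE}};
static const struct frame all_restore[3] = {{GIF_FRAME_RESTORE},
    {GIF_FRAME_RESTORE}, {GIF_FRAME_RESTORE}};

int main(void)
{
    printf("well-formed: buggy hits frames[-1]? %d, bounded -> %d\n",
           buggy_loop_reads_negative(well_formed, 4), last_undisposed(well_formed, 4));
    printf("all RESTORE: buggy hits frames[-1]? %d, bounded -> %d\n",
           buggy_loop_reads_negative(all_restore, 3), last_undisposed(all_restore, 3));
    return 0;
}
```

The malformed table is the case the report describes: every earlier frame carries RESTORE, so the original loop's `!= -1` check passes at index 0 and the next read lands at frames[-1].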

Vincent Sanders (administrator)

Thanks for the report, this was fixed in commit


Issue History
Date Modified Username Field Change
2017-01-22 13:05 npnth New Issue
2017-01-22 13:05 npnth File Added: bad_restore.gif
2017-01-22 15:01 Vincent Sanders Project NetSurf => LibNSGIF
2017-01-25 00:58 Vincent Sanders Fixed in CI build # => 0211
2017-01-25 00:58 Vincent Sanders Note Added: 0001510
2017-01-25 00:58 Vincent Sanders Assigned To => Vincent Sanders
2017-01-25 00:58 Vincent Sanders Severity tweak => crash
2017-01-25 00:58 Vincent Sanders Status new => resolved