2020-07-12 04:40 BST

View Issue Details
ID: 0002515
Project: LibNSGIF
Category: [All Projects] General
View Status: public
Last Update: 2020-05-27 09:24
Reporter: npnth
Assigned To: Vincent Sanders
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: open
Platform: x86_64
OS: Gentoo Linux
OS Version: Rolling
Summary: 0002515: Malformed gifs can cause bad array indexing in gif_decode_frame()
Description: Since last_undisposed_frame is decremented after being tested for -1, but before being used as an index, the loop

    /* when last_undisposed_frame is 0 the test passes and the pre-decrement yields index -1 */
    while ((last_undisposed_frame != -1) && (gif->frames[--last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE))
        ;

can sometimes evaluate gif->frames[-1] if the gif is sufficiently malformed.

(Found while I was playing around with AFL.)
Steps To Reproduce: Run test_decode_gif on the attached file, which should consistently produce a segfault.
Additional Information: I locally replaced the loop with the naive

    --last_undisposed_frame;
    while ((last_undisposed_frame >= 0) && (gif->frames[last_undisposed_frame].disposal_method == GIF_FRAME_RESTORE))
        --last_undisposed_frame;

This fixed the issue for me and doesn't seem to break anything.
Tags: No tags attached.
Fixed in CI build #: 0211
Reported in CI build #:
Attached Files:

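The following is an added example, not code from the report or from libnsgif: it puts the loop quoted in the description next to the reporter's replacement and runs both over a constructed frame array. The struct, the enum values and the function names are stand-ins chosen for the demonstration (assumed, not libnsgif's own types). A guard slot is placed immediately before the frame array so that the read of frames[-1] lands on memory the program owns and can be observed instead of segfaulting; each loop reports the lowest index it actually subscripted.

```c
/* Added example: the reported loop beside the reporter's fix, on constructed input.
 * Types and names are stand-ins for libnsgif's and are assumptions, not its API. */
#include <stdio.h>

/* Hypothetical stand-ins for libnsgif's disposal methods (values are arbitrary). */
enum disposal { GIF_FRAME_CLEAR = 2, GIF_FRAME_RESTORE = 3 };

struct frame {
    enum disposal disposal_method;
};

/* storage[0] is a guard slot that sits at frames[-1], so the out-of-bounds read
 * made by the broken loop hits memory we control rather than crashing. The guard is
 * deliberately NOT GIF_FRAME_RESTORE, so the broken loop stops at -1 instead of
 * running on to frames[-2], which would be a real out-of-bounds read. */
#define MAX_FRAMES 8
static struct frame storage[MAX_FRAMES + 1];
static struct frame *const frames = storage + 1;  /* frames[-1] == storage[0] */

/* All subscripting goes through here so the lowest index touched is recorded. */
static enum disposal read_disposal(int idx, int *lowest_idx)
{
    if (idx < *lowest_idx)
        *lowest_idx = idx;
    return frames[idx].disposal_method;
}

/* The loop as reported: the index is compared with -1 and then pre-decremented
 * inside the subscript, so when it is 0 the test passes and frames[-1] is read.
 * 'start' is one past the first frame to examine. */
int find_last_undisposed_buggy(int last_undisposed_frame, int *lowest_idx)
{
    while ((last_undisposed_frame != -1) &&
           (read_disposal(--last_undisposed_frame, lowest_idx) == GIF_FRAME_RESTORE))
        ;
    return last_undisposed_frame;
}

/* The reporter's replacement: decrement first, bounds-check before every subscript. */
int find_last_undisposed_fixed(int last_undisposed_frame, int *lowest_idx)
{
    --last_undisposed_frame;
    while ((last_undisposed_frame >= 0) &&
           (read_disposal(last_undisposed_frame, lowest_idx) == GIF_FRAME_RESTORE))
        --last_undisposed_frame;
    return last_undisposed_frame;
}

/* Constructed input: nframes frames that all use GIF_FRAME_RESTORE, i.e. the
 * malformed case in which no earlier frame was left undisposed. */
static void setup_all_restore(int nframes)
{
    storage[0].disposal_method = GIF_FRAME_CLEAR;  /* guard at frames[-1] */
    for (int i = 0; i < nframes; i++)
        frames[i].disposal_method = GIF_FRAME_RESTORE;
}

int main(void)
{
    int lowest;
    setup_all_restore(4);

    lowest = 4;
    int r_buggy = find_last_undisposed_buggy(4, &lowest);
    printf("buggy: returned %d, lowest index read %d\n", r_buggy, lowest);

    lowest = 4;
    int r_fixed = find_last_undisposed_fixed(4, &lowest);
    printf("fixed: returned %d, lowest index read %d\n", r_fixed, lowest);
    return 0;
}
```

With four RESTORE frames both loops return -1, but only the reported loop subscripts index -1 on the way there; with an undisposed frame somewhere in the array both loops stop at the same index and the bug is invisible, which is why it only shows up on malformed input. In the real decoder there is no guard slot, so the same read is an out-of-bounds access on the heap.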
Notes

~0001510 Vincent Sanders (administrator)

Thanks for the report, this was fixed in commit

http://source.netsurf-browser.org/libnsgif.git/commit/?id=abc6a95ad6a8fd14cce943b4f9643b0a2ad175b4

~0002264 Vincent Sanders (administrator)

Thank you for reporting this issue.
We believe this is fixed in the 3.10 release.
If this is not the case please feel free to reopen the issue with additional details.

Issue History
Date Modified Username Field Change
2017-01-22 13:05 npnth New Issue
2017-01-22 13:05 npnth File Added: bad_restore.gif
2017-01-22 15:01 Vincent Sanders Project NetSurf => LibNSGIF
2017-01-25 00:58 Vincent Sanders Fixed in CI build # => 0211
2017-01-25 00:58 Vincent Sanders Note Added: 0001510
2017-01-25 00:58 Vincent Sanders Assigned To => Vincent Sanders
2017-01-25 00:58 Vincent Sanders Severity tweak => crash
2017-01-25 00:58 Vincent Sanders Status new => resolved
2020-05-27 09:24 Vincent Sanders Status resolved => closed
2020-05-27 09:24 Vincent Sanders Note Added: 0002264