[cups.bugs] [MOD] STR #3869: cups: GIF reader gif_read_lzw() may not return byte

Tomas Hoger thoger at redhat.com
Mon Jun 20 09:47:34 PDT 2011



[STR New]

gif_read_lzw() is documented as:

/*
 * 'gif_read_lzw()' - Read a byte from the LZW stream...
 */

Its return value is int and it can actually return a value >= 256.  This can
happen at least during the second call to gif_read_lzw(), when fresh == 1.
The following code path is used in that case:

    do
      firstcode = oldcode = gif_get_code(fp, code_size, 0);
    while (firstcode == clear_code);

    return (firstcode);

An input GIF file can specify code_size up to 12 (see GIF_MAX_BITS check
in gif_read_image()), which allows returned firstcode of up to 2^12-1. 
gif_read_image() uses the returned value (stored in pixel) as an index to
cmap[256][4], hence this leads to buffer over-read.  In a quick test, I
managed to get pixel value set to ~4k, but it did not trigger crash.  I've
not tried creating a better reproducer to see if it's actually possible to
trigger a crash with this.

Link: http://www.cups.org/str.php?L3869
Version: 1.4.6
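Added example, not CUPS code and not part of the report: a minimal model of the index issue described above, showing the unchecked palette lookup next to a range-checked version. The names gif_cmap_t, gif_max_code and convert_row_checked are my own; only GIF_MAX_BITS and cmap[256][4] come from the report.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not CUPS code: models the report's cmap[256][4]
 * index issue, where an LZW code may be as large as (1 << GIF_MAX_BITS) - 1. */
#define GIF_MAX_BITS  12
#define CMAP_ENTRIES  256

typedef unsigned char gif_cmap_t[CMAP_ENTRIES][4];

/* Largest code an LZW stream of code_size bits can yield (0 if invalid). */
int gif_max_code(int code_size)
{
    if (code_size <= 0 || code_size > GIF_MAX_BITS)
        return 0;
    return (1 << code_size) - 1;
}

/* Vulnerable pattern from the report: the decoded code is used as a
 * palette index with no check against the table size (not called here). */
void copy_pixel_unchecked(gif_cmap_t cmap, int pixel, unsigned char rgb[3])
{
    memcpy(rgb, cmap[pixel], 3);      /* pixel >= 256 reads past cmap */
}

/* Hardened variant: reject any code that is not a valid palette index.
 * Returns the number of pixels converted, or -1 at the first bad code. */
int convert_row_checked(gif_cmap_t cmap, const int *codes, int n,
                        unsigned char *rgb_out)
{
    for (int i = 0; i < n; i++) {
        if (codes[i] < 0 || codes[i] >= CMAP_ENTRIES)
            return -1;                /* treat the image as corrupt */
        memcpy(rgb_out + 3 * i, cmap[codes[i]], 3);
    }
    return n;
}

int main(void)
{
    gif_cmap_t cmap = {{0}};
    /* Constructed sample row: three valid codes, then a 12-bit maximum. */
    int codes[] = {0, 17, 255, gif_max_code(GIF_MAX_BITS)};
    unsigned char rgb[12];
    printf("convert_row_checked -> %d\n", convert_row_checked(cmap, codes, 4, rgb));
    return 0;
}
```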

