mirror of https://github.com/RGBCube/serenity synced 2025-05-31 10:48:11 +00:00

LibGfx: Fix OOB access in GIF deinterlacing

It was possible to go outside the interlacing row stride/offset arrays.
Just fail the decode if this is about to happen. I've added a FIXME
about rejecting such images earlier, since it's a bit sad to only do
this once we realize the pass index is about to overflow.

Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28239
Andreas Kling 2020-12-22 09:31:33 +01:00
parent 69d7a34bc2
commit 531c3fe72e


@ -380,6 +380,9 @@ static bool decode_frame(GIFLoadingContext& context, size_t frame_index)
if (image.interlaced) {
if (row + INTERLACE_ROW_STRIDES[interlace_pass] >= image.height) {
++interlace_pass;
// FIXME: We could probably figure this out earlier and fail before doing a bunch of work.
if (interlace_pass >= 4)
return false;
row = INTERLACE_ROW_OFFSETS[interlace_pass];
} else {
row += INTERLACE_ROW_STRIDES[interlace_pass];
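Review bot: the new `if (interlace_pass >= 4)` guard hardcodes the length of INTERLACE_ROW_STRIDES / INTERLACE_ROW_OFFSETS as a magic number, so the check silently drifts if either table is ever resized; derive the bound from the array instead (e.g. `if (interlace_pass >= array_size(INTERLACE_ROW_STRIDES))` or a named constant shared with the table definitions) and consider a static_assert that both tables have the same length, since the same index is used for both. Also note that the hunk shows no check of the freshly assigned `row = INTERLACE_ROW_OFFSETS[interlace_pass]` against image.height, so for images shorter than an offset (the reset row is non-zero for passes after the first) the bounds of the subsequent pixel write depend on a check outside this hunk; worth verifying that path while the FIXME about rejecting such images up front is being considered.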