RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 19:37:35 +00:00
Code Issues Activity Actions

LibGfx: Fix read buffer overflow in interlaced GIF decode

Browse source 
Unfortunately 10420dee7e didn't quite fix it,
as the buffer overflow was actually happening here:
af22204488/Userland/Libraries/LibGfx/GIFLoader.cpp (L402)

Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30507
This commit is contained in:
Luke 2021-02-26 22:31:07 +00:00 committed by Andreas Kling
parent 9aa91e6c6f
commit ce5fe2a6e8
1 changed files with 7 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

13
Userland/Libraries/LibGfx/GIFLoader.cpp
View file

@ -399,13 +399,14 @@ static bool decode_frame(GIFLoadingContext& context, size_t frame_index)
++pixel_index;
if (pixel_index % image.width == 0) {
if (image.interlaced) {
if (row + INTERLACE_ROW_STRIDES[interlace_pass] >= image.height) {
++interlace_pass;
if (interlace_pass < 4)
row = INTERLACE_ROW_OFFSETS[interlace_pass];
} else {
if (interlace_pass < 4)
if (interlace_pass < 4) {
if (row + INTERLACE_ROW_STRIDES[interlace_pass] >= image.height) {
++interlace_pass;
if (interlace_pass < 4)
row = INTERLACE_ROW_OFFSETS[interlace_pass];
} else {
row += INTERLACE_ROW_STRIDES[interlace_pass];
}
}
} else {
++row;