LineageOS/android_packages_apps_Messaging
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

32764144 Security Vulnerability - heap buffer overflow in libgiftranscode.so

Browse Source 
in colorMap->Colors[colorIndex]

* No range checking was done on a color index. Add range
checking and bail if the color index is out of range.

Test: tested sending a large gif that would invoke the GifTranscoder library
to make the gif smaller.

Bug: 32764144
Change-Id: I44f36274ec333ae1960fa8fc96b2dbde35fbaa66
This commit is contained in:
Tom Taylor
2017-01-11 09:17:01 -08:00
parent 837474a376
commit 6f763fef7a
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
jni/GifTranscoder.cpp
View File

@@ -384,6 +384,11 @@ bool GifTranscoder::renderImage(GifFileType* gifIn,
for (int y = 0; y < gifIn->Image.Height; y++) { for (int y = 0; y < gifIn->Image.Height; y++) {
for (int x = 0; x < gifIn->Image.Width; x++) { for (int x = 0; x < gifIn->Image.Width; x++) {
GifByteType colorIndex = *getPixel(rasterBits, gifIn->Image.Width, x, y); GifByteType colorIndex = *getPixel(rasterBits, gifIn->Image.Width, x, y);
if (colorIndex >= colorMap->ColorCount) {
LOGE("Color Index %d is out of bounds (count=%d)", colorIndex,
colorMap->ColorCount);
return false;
}
// This image may be smaller than the GIF's "logical screen" // This image may be smaller than the GIF's "logical screen"
int renderX = x + gifIn->Image.Left; int renderX = x + gifIn->Image.Left;