author: Andreas Kling <kling@serenityos.org> 2020-12-22 09:31:33 +0100
committer: Andreas Kling <kling@serenityos.org> 2020-12-22 10:09:41 +0100
commit: 531c3fe72eb18615dba89bfe673b8a8336abfb89 (patch)
tree: 14bc8c47a05155bdd50afd0e1388e60e10b3a477 /Libraries
parent: 69d7a34bc2ae1c014c702f9a5b662b30bfcab34f (diff)
download: serenity-531c3fe72eb18615dba89bfe673b8a8336abfb89.zip
LibGfx: Fix OOB access in GIF deinterlacing
It was possible to go outside the interlacing row stride/offset arrays. Just fail the decode if this is about to happen. I've added a FIXME about rejecting such images earlier, since it's a bit sad to only do this once we realize the pass index is about to overflow. Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28239
Diffstat (limited to 'Libraries')
-rw-r--r-- Libraries/LibGfx/GIFLoader.cpp | 3
1 file changed, 3 insertions, 0 deletions
diff --git a/Libraries/LibGfx/GIFLoader.cpp b/Libraries/LibGfx/GIFLoader.cpp
index 1b36361cc8..b27aa05868 100644
--- a/Libraries/LibGfx/GIFLoader.cpp
+++ b/Libraries/LibGfx/GIFLoader.cpp
@@ -380,6 +380,9 @@ static bool decode_frame(GIFLoadingContext& context, size_t frame_index)
if (image.interlaced) {
if (row + INTERLACE_ROW_STRIDES[interlace_pass] >= image.height) {
++interlace_pass;
+ // FIXME: We could probably figure this out earlier and fail before doing a bunch of work.
+ if (interlace_pass >= 4)
+ return false;
row = INTERLACE_ROW_OFFSETS[interlace_pass];
} else {
row += INTERLACE_ROW_STRIDES[interlace_pass];
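Review bot: the new `if (interlace_pass >= 4)` guard hardcodes the length of `INTERLACE_ROW_STRIDES` / `INTERLACE_ROW_OFFSETS` as a literal, so the bound and the arrays can drift apart if the tables are ever changed; derive it from the array itself (for example `if (interlace_pass >= array_size(INTERLACE_ROW_OFFSETS)) return false;`, or a named constant shared with the array definitions) so the check stays tied to the data it protects. Placement is otherwise right: the check sits immediately after `++interlace_pass` and before the first use of the incremented index in `row = INTERLACE_ROW_OFFSETS[interlace_pass];`, and the `else` branch only indexes with the pre-increment value already validated on an earlier iteration. As the FIXME notes, a malformed interlaced image should ideally be rejected from its header before `decode_frame` does a full pass of work; returning `false` here is a correct stopgap, but it would help to also add a fuzz-derived regression image (the oss-fuzz reproducer) to the test suite so the early-reject refactor cannot reintroduce the out-of-bounds read.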