authorLuke <luke.wilde@live.co.uk>2021-02-26 22:31:07 +0000
committerAndreas Kling <kling@serenityos.org>2021-02-27 07:30:39 +0100
commitce5fe2a6e807b819866b4f429ca6f7a2d74445b7 (patch)
treec8bd738714ff3e21e440ada5f04980846dc3ecbf /Userland
parent9aa91e6c6f267c843b92cf57eeae289ccae82799 (diff)
downloadserenity-ce5fe2a6e807b819866b4f429ca6f7a2d74445b7.zip
LibGfx: Fix read buffer overflow in interlaced GIF decode
Unfortunately 10420dee7e48c818a7b1c5386b8fcebc587825f0 didn't quite fix it, as the buffer overflow was actually happening here: https://github.com/SerenityOS/serenity/blob/af2220448834fb0bff5132bf68104719819862ce/Userland/Libraries/LibGfx/GIFLoader.cpp#L402 Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30507
Diffstat (limited to 'Userland')
-rw-r--r--Userland/Libraries/LibGfx/GIFLoader.cpp13
1 files changed, 7 insertions, 6 deletions
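--- a/Userland/Libraries/LibGfx/GIFLoader.cpp
+++ b/Userland/Libraries/LibGfx/GIFLoader.cpp
@@ -399,13 +399,14 @@ static bool decode_frame(GIFLoadingContext& context, size_t frame_index)
  ++pixel_index;
  if (pixel_index % image.width == 0) {
  if (image.interlaced) {
- if (row + INTERLACE_ROW_STRIDES[interlace_pass] >= image.height) {
- ++interlace_pass;
- if (interlace_pass < 4)
- row = INTERLACE_ROW_OFFSETS[interlace_pass];
- } else {
- if (interlace_pass < 4)
+ if (interlace_pass < 4) {
+ if (row + INTERLACE_ROW_STRIDES[interlace_pass] >= image.height) {
+ ++interlace_pass;
+ if (interlace_pass < 4)
+ row = INTERLACE_ROW_OFFSETS[interlace_pass];
+ } else {
  row += INTERLACE_ROW_STRIDES[interlace_pass];
+ }
  }
  } else {
  ++row;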
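Review bot: Once the new outer guard sees `interlace_pass == 4` the decoder neither advances `row` nor stops, so any further pixels the LZW stream yields are routed to the last in-range row instead of being recognised as surplus data from a malformed or truncated-then-padded frame; this is safe with respect to the table lookup but silently accepts an inconsistent stream. A short comment above the guard would record the intent for the next reader, e.g. `// All four interlace passes are done; surplus pixels must not index past the stride/offset tables.`, and if the surrounding loop permits it, breaking out (or failing the frame) once the passes are exhausted would make the condition observable rather than hidden. The literal `4` now appears three times in this hunk; a single named constant such as `static constexpr int NUM_INTERLACE_PASSES = 4;` sized to `INTERLACE_ROW_STRIDES`/`INTERLACE_ROW_OFFSETS` would keep the bound and the tables from drifting apart. The enclosing `decode_frame` and the pixel write that consumes `row` lie outside the hunk, so the effect on surplus pixels is inferred from the visible control flow.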