diff options
Diffstat (limited to 'meta-oe/recipes-devtools/giflib/files/CVE-2022-28506.patch')
-rw-r--r-- | meta-oe/recipes-devtools/giflib/files/CVE-2022-28506.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/giflib/files/CVE-2022-28506.patch b/meta-oe/recipes-devtools/giflib/files/CVE-2022-28506.patch new file mode 100644 index 0000000000..221e10811a --- /dev/null +++ b/meta-oe/recipes-devtools/giflib/files/CVE-2022-28506.patch @@ -0,0 +1,40 @@ +From 368f28c0034ecfb6dd4b3412af4cc589a56e0611 Mon Sep 17 00:00:00 2001 +From: Matej Muzila <mmuzila@redhat.com> +Date: Mon, 30 May 2022 09:04:27 +0200 +Subject: [PATCH] Fix heap-buffer overflow (CVE-2022-28506) + +There is a heap buffer overflow in DumpScreen2RGB() in gif2rgb.c. This +occurs when a crafted gif file, where size of color table is < 256 but +image data contains pixels with color code highier than size of color +table. This causes oferflow of ColorMap->Colors array. + +Fix the issue by checking if value of each pixel is within bounds of +given color table. If the value is out of color table, print error +message and exit. + +Fixes: #159 + +Upstream-Status: Backport [https://sourceforge.net/p/giflib/code/ci/5b74cdd9c1285514eaa4675347ba3eea81d32c65/] +Signed-off-by: nikhil r <nikhil.r@kpit.com> +--- + gif2rgb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/gif2rgb.c b/gif2rgb.c +index 8d7c0ff..d9a469f 100644 +--- a/gif2rgb.c ++++ b/gif2rgb.c +@@ -294,6 +294,11 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag, + GifRow = ScreenBuffer[i]; + GifQprintf("\b\b\b\b%-4d", ScreenHeight - i); + for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) { ++ /* Check if color is within color palete */ ++ if (GifRow[j] >= ColorMap->ColorCount) ++ { ++ GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT)); ++ } + ColorMapEntry = &ColorMap->Colors[GifRow[j]]; + *BufferP++ = ColorMapEntry->Red; + *BufferP++ = ColorMapEntry->Green; +-- +2.25.1 |