1 files changed, 40 insertions, 0 deletions

diff --git a/meta-oe/recipes-devtools/giflib/files/CVE-2022-28506.patch b/meta-oe/recipes-devtools/giflib/files/CVE-2022-28506.patch
new file mode 100644
index 0000000000..221e10811a
--- /dev/null
+++ b/meta-oe/recipes-devtools/giflib/files/CVE-2022-28506.patch
@@ -0,0 +1,40 @@
+From 368f28c0034ecfb6dd4b3412af4cc589a56e0611 Mon Sep 17 00:00:00 2001
+From: Matej Muzila <mmuzila@redhat.com>
+Date: Mon, 30 May 2022 09:04:27 +0200
+Subject: [PATCH] Fix heap-buffer overflow (CVE-2022-28506)
+
+There is a heap buffer overflow in DumpScreen2RGB() in gif2rgb.c.  This
+occurs when a crafted gif file, where size of color table is < 256 but
+image data contains pixels with color code highier than size of color
+table. This causes oferflow of ColorMap->Colors array.
+
+Fix the issue by checking if value of each pixel is within bounds of
+given color table. If the value is out of color table, print error
+message and exit.
+
+Fixes: #159
+
+Upstream-Status: Backport [https://sourceforge.net/p/giflib/code/ci/5b74cdd9c1285514eaa4675347ba3eea81d32c65/]
+Signed-off-by: nikhil r <nikhil.r@kpit.com>
+---
+ gif2rgb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index 8d7c0ff..d9a469f 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -294,6 +294,11 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,
+             GifRow = ScreenBuffer[i];
+             GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
+             for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) {
++                /* Check if color is within color palete */
++                if (GifRow[j] >= ColorMap->ColorCount)
++                {
++                   GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT));
++                }
+                 ColorMapEntry = &ColorMap->Colors[GifRow[j]];
+                 *BufferP++ = ColorMapEntry->Red;
+                 *BufferP++ = ColorMapEntry->Green;
+-- 
+2.25.1