cups: GIF reader gif_read_lzw() may not return byte #3869
gif_read_lzw() is documented as:
Its return value is int, and it can actually return a value >= 256. This can happen at least during the second call to gif_read_lzw(), when fresh == 1. The following code path is used in that case:
An input GIF file can specify code_size up to 12 (see the GIF_MAX_BITS check in gif_read_image()), which allows a returned firstcode of up to 2^12-1. gif_read_image() uses the returned value (stored in pixel) as an index into cmap, hence this leads to a buffer over-read. In a quick test, I managed to get the pixel value set to ~4k, but it did not trigger a crash. I've not tried creating a better reproducer to see if it's actually possible to trigger a crash with this.
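The defensive pattern the report points at is to validate a decoder's output before using it as a colour-map index: a GIF colour table has at most 256 entries, while an LZW code can be up to 12 bits wide. The following C program is an added illustration of that check and is not CUPS code; `lookup_color`, `decode_row`, the `code_stream_t` stand-in for the LZW decoder, and the constructed code arrays are all hypothetical names and test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not CUPS code: a GIF colour map has at most 256 entries
 * (the largest colour-table size a GIF header can declare). */
#define CMAP_ENTRIES 256

typedef struct {
    uint8_t rgb[CMAP_ENTRIES][3];
} cmap_t;

/* Hypothetical stand-in for the LZW decoder's output: a fixed array of
 * codes (constructed test data). Real LZW codes are up to 12 bits wide,
 * so a decoder can hand back any value in 0..4095; -1 marks end/error. */
typedef struct {
    const int *codes;
    size_t count;
    size_t pos;
} code_stream_t;

static int next_code(code_stream_t *s) {
    if (s->pos >= s->count)
        return -1;                 /* end of stream, like an EOF marker */
    return s->codes[s->pos++];
}

/* Validated palette lookup: refuses any code that is not a valid
 * colour-map index instead of reading past the end of the table. */
int lookup_color(const cmap_t *cmap, int code, uint8_t out[3]) {
    if (code < 0 || code >= CMAP_ENTRIES)
        return -1;
    memcpy(out, cmap->rgb[code], 3);
    return 0;
}

/* Decode one row of `width` pixels into `row` (3 bytes per pixel).
 * Returns the number of pixels written, or -1 on an invalid code.
 * The bug described in the issue indexes the colour map with the raw
 * decoder value; here an out-of-range code aborts the row instead. */
int decode_row(code_stream_t *s, const cmap_t *cmap, uint8_t *row, int width) {
    for (int x = 0; x < width; x++) {
        int code = next_code(s);
        if (lookup_color(cmap, code, row + 3 * x) != 0)
            return -1;
    }
    return width;
}

/* Helper for the demo: a colour map where entry i is (i, i, i). */
void fill_gray_cmap(cmap_t *cmap) {
    for (int i = 0; i < CMAP_ENTRIES; i++)
        cmap->rgb[i][0] = cmap->rgb[i][1] = cmap->rgb[i][2] = (uint8_t)i;
}

int main(void) {
    cmap_t cmap;
    fill_gray_cmap(&cmap);

    /* Constructed code streams: the second contains 4095, the largest
     * 12-bit code, which is a legal LZW code but not a colour-map index. */
    const int good[] = {0, 17, 255, 128};
    const int bad[]  = {0, 17, 4095, 128};
    uint8_t row[4 * 3];

    code_stream_t s1 = {good, 4, 0};
    printf("good row: %d pixels\n", decode_row(&s1, &cmap, row, 4));

    code_stream_t s2 = {bad, 4, 0};
    printf("bad row: %d (rejected)\n", decode_row(&s2, &cmap, row, 4));
    return 0;
}
```

The check is deliberately placed at the point of use rather than inside the decoder, so it holds regardless of which code path (fresh or not) produced the value; if the actual colour table is smaller than 256 entries, the bound should be the declared table size rather than the constant used here.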