cups: GIF reader loop, STR #3867 like #3914

Closed
michaelrsweet opened this Issue Aug 5, 2011 · 2 comments

Collaborator

michaelrsweet commented Aug 5, 2011

Version: 1.4.8
CUPS.org User: thoger

Mike, I have found another way to trigger the condition that was described in STR #3867. The reason is a special handling of the first code in LZW streams, somewhat related to STR #3869. A few other implementations that do not have a stack overflow check in the while loop seem to handle this case by checking that the first code is < 256.

Test case attached.
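Added example (not part of the original thread and not CUPS code): the two checks the comment above mentions, a bound on the expansion stack and rejection of a first code that is not a root code, in one stand-alone C routine. The struct, the function names and the generalization of "< 256" to "< clear_code" are assumptions of this example; the code == max_code case handled in the patch is left out.

```c
#include <stddef.h>

#define LZW_MAX_CODES 4096   /* 12-bit GIF code space, as in "code < 4096" */

/* Hypothetical decoder state; field names are illustrative only. */
typedef struct {
  short         prefix[LZW_MAX_CODES]; /* earlier code this entry extends */
  unsigned char suffix[LZW_MAX_CODES]; /* last byte of this entry's string */
  int           clear_code;            /* 1 << code_size; roots lie below it */
  int           next_code;             /* first unused table slot */
} lzw_t;

static void lzw_reset(lzw_t *s, int code_size)
{
  s->clear_code = 1 << code_size;
  s->next_code  = s->clear_code + 2;   /* skip the clear and end codes */
  for (int i = 0; i < s->clear_code; i++) {
    s->prefix[i] = -1;
    s->suffix[i] = (unsigned char)i;
  }
}

/* Append the entry "string of prefix, then suffix"; returns its code or -1. */
static int lzw_add(lzw_t *s, int prefix, unsigned char suffix)
{
  if (s->next_code >= LZW_MAX_CODES || prefix < 0 || prefix >= s->next_code)
    return -1;
  s->prefix[s->next_code] = (short)prefix;
  s->suffix[s->next_code] = suffix;
  return s->next_code++;
}

/* Push the bytes of `code` (last byte first) onto stack[0..cap).
 * Returns the number of bytes pushed, or -1 for a corrupt stream. */
static int lzw_expand(const lzw_t *s, int code, int is_first,
                      unsigned char *stack, size_t cap)
{
  size_t n = 0;
  if (code < 0 || code >= s->next_code) return -1;   /* not in the table */
  if (is_first && code >= s->clear_code) return -1;  /* first must be a root */
  while (code >= s->clear_code) {
    if (code < s->clear_code + 2) return -1;         /* control code in chain */
    if (n >= cap) return -1;                         /* stack would overflow */
    stack[n++] = s->suffix[code];
    if (s->prefix[code] < 0 || s->prefix[code] >= code)
      return -1;                                     /* self or forward link */
    code = s->prefix[code];
  }
  if (n >= cap) return -1;
  stack[n++] = s->suffix[code];
  return (int)n;
}
```

Requiring every prefix link to point at a strictly smaller code makes the walk terminate on any table contents, so the stack bound is a second line of defense, not the only one.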

Collaborator

michaelrsweet commented Aug 6, 2011

CUPS.org User: mike

Fixed in Subversion repository.

Collaborator

michaelrsweet commented Aug 6, 2011

"str3914.patch":

Index: filter/image-gif.c

--- filter/image-gif.c (revision 9862)
+++ filter/image-gif.c (working copy)
@@ -648,11 +648,13 @@

 if (code == max_code)
 {
  •  *sp++ = firstcode;
    
  •  code  = oldcode;
    
  •  if (sp < (stack + 8192))
    
  • *sp++ = firstcode;
  •  code = oldcode;
    

    }

  • while (code >= clear_code)

  • while (code >= clear_code && sp < (stack + 8192))
    {
    *sp++ = table[1][code];
    if (code == table[0][code])
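Review bot: the limit in "sp < (stack + 8192)" is a bare literal that now appears in both the if and the while condition of this hunk, with the declaration of stack outside the visible lines. Deriving it from the array (stack + sizeof(stack) / sizeof(stack[0])) or from a named constant would keep the checks tied to the real size. Separately, when the while loop stops because the stack is full, code can still be >= clear_code and decoding simply continues; treating that as a corrupt stream and returning an error would be safer than carrying on with a truncated expansion.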
    @@ -661,9 +663,11 @@
    code = table[0][code];
    }

  • *sp++ = firstcode = table[1][code];

  • code = max_code;

  • if (sp < (stack + 8192))

  •  *sp++ = firstcode = table[1][code];
    
  • code = max_code;

if (code < 4096)
{
table[0][code] = oldcode;
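Review bot: in the guarded store "if (sp < (stack + 8192)) *sp++ = firstcode = table[1][code];" the assignment to firstcode is skipped together with the push when the stack is full, so firstcode keeps a stale value while "code = max_code" and the table update under "if (code < 4096)" still run. The decoder then continues with inconsistent state. Consider bailing out with an error on overflow here instead of skipping the store, and a short comment explaining why the bound is needed (STR #3867 / #3914) would help future readers.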

michaelrsweet added this to the Stable milestone Mar 17, 2016
