Heap Buffer Overflow-2 in function DGifDecompressLine() in cgif.c #38
Labels
more info needed to reproduce
This issue is blocked on more information from the reporter or from contributors.
Comments
|
@Xin-Jiang could you attach the reproducer file to this issue report, thanks. |
pts
added
the
more info needed to reproduce
|
Thank you for reporting this bug! Could you please attach the |
|
Closing this bug now. I'll reopen it as soon as more information is attached. |
pts
pushed a commit
that referenced
this issue
Aug 6, 2018
|
I'm still waiting for a .gif input file which breaks sam2p (at commit af05f34). If you have one, please attach one! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Here is the bug:
1295 if (LastCode != NO_SUCH_CODE) {
1296 Prefix[Private->RunningCode - 2] = LastCode;
the "Private->RunningCode - 2" should be checked if it is less than LZ_MAX_CODE.
The crash is as follows:
(gdb) run crash000005 1.pdf
Program received signal SIGSEGV, Segmentation fault.
0x00000000004120aa in DGifDecompressLine (Line=0x7ffff7f74010 "", LineLen=486109, GifFile=0x691740) at cgif.c:1296
1296 Prefix[Private->RunningCode - 2] = LastCode;
(gdb) bt
#0 0x00000000004120aa in DGifDecompressLine (Line=0x7ffff7f74010 "", LineLen=486109, GifFile=0x691740) at cgif.c:1296
#1 0x00000000004132eb in CGIF::DGifGetLine (GifFile=0x691740, Line=, LineLen=) at cgif.c:939
#2 0x00000000004136ba in CGIF::DGifSlurp (GifFile=GifFile@entry=0x691740) at cgif.c:1508
#3 0x000000000041391d in in_gif_reader (ufd=) at in_gif.cpp:48
#4 0x000000000042fca8 in Image::load (ufd0=0x66a010, loadHints=..., format=format@entry=0x0) at image.cpp:1428
#5 0x0000000000401eb0 in run_sam2p_engine (sout=..., serr=..., argv1=, helpp=helpp@entry=false) at sam2p_main.cpp:1055
#6 0x00000000004014d0 in main (argv=0x7fffffffe5c8) at sam2p_main.cpp:1148
(gdb) p Private->RunningCode
$1 = 32772
(gdb)
The text was updated successfully, but these errors were encountered: