From cac9a36a23fe538370a9f308d564c2eec39e487d Mon Sep 17 00:00:00 2001
From: James Zern
Date: Tue, 1 Nov 2016 21:30:13 -0700
Subject: [PATCH] gifdec,Remap: avoid out of bounds colormap read
make this function return success/failure. an empty map or out of bounds read is treated as an error.
BUG=webp:316
Change-Id: Ic8651836915ea4dd8e0dc81ca8d5d3f247be1ff8
---
 examples/gifdec.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/examples/gifdec.c b/examples/gifdec.c
index d04ed8d9..5442aa50 100644
--- a/examples/gifdec.c
+++ b/examples/gifdec.c
@@ -81,20 +81,27 @@ int GIFReadGraphicsExtension(const GifByteType* const buf, int* const duration,
 return 1;
 }
-static void Remap(const GifFileType* const gif, const uint8_t* const src,
- int len, int transparent_index, uint32_t* dst) {
+static int Remap(const GifFileType* const gif, const uint8_t* const src,
+ int len, int transparent_index, uint32_t* dst) {
 int i;
 const GifColorType* colors;
 const ColorMapObject* const cmap = gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap;
- if (cmap == NULL) return;
+ if (cmap == NULL) return 1;
+ if (cmap->Colors == NULL || cmap->ColorCount <= 0) return 0;
 colors = cmap->Colors;
 for (i = 0; i < len; ++i) {
- const GifColorType c = colors[src[i]];
- dst[i] = (src[i] == transparent_index) ? GIF_TRANSPARENT_COLOR
- : c.Blue | (c.Green << 8) | (c.Red << 16) | (0xffu << 24);
+ if (src[i] == transparent_index) {
+ dst[i] = GIF_TRANSPARENT_COLOR;
+ } else if (src[i] < cmap->ColorCount) {
+ const GifColorType c = colors[src[i]];
+ dst[i] = c.Blue | (c.Green << 8) | (c.Red << 16) | (0xffu << 24);
+ } else {
+ return 0;
+ }
 }
+ return 1;
 }
 int GIFReadFrame(GifFileType* const gif, int transparent_index,
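Review bot: The `if (cmap == NULL) return 1;` line in Remap reports success without writing anything to `dst`, while the very next check treats a map with no colors as a failure. The commit message says an empty map is an error, so the asymmetry looks unintended or at least needs explaining. If the caller's row buffer is not initialised beforehand (that code is outside this hunk), a frame with no colormap would be accepted with stale or uninitialised pixels. Either fail there as well, `if (cmap == NULL) return 0;`, or keep the behaviour and document it with the new return contract, e.g. `// Returns 1 on success, 0 if the colormap is empty or a pixel index is out of range. A missing colormap leaves dst untouched.`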
@@ -139,7 +146,7 @@ int GIFReadFrame(GifFileType* const gif, int transparent_index,
 const size_t jump = interlace_jumps[pass] * stride;
 for (; y < rect.height; y += interlace_jumps[pass], row += jump) {
 if (DGifGetLine(gif, tmp, rect.width) == GIF_ERROR) goto End;
- Remap(gif, tmp, rect.width, transparent_index, row);
+ if (!Remap(gif, tmp, rect.width, transparent_index, row)) goto End;
 }
 }
 } else { // Non-interlaced image.
@@ -147,7 +154,7 @@ int GIFReadFrame(GifFileType* const gif, int transparent_index,
 uint32_t* ptr = dst;
 for (y = 0; y < rect.height; ++y, ptr += sub_image.argb_stride) {
 if (DGifGetLine(gif, tmp, rect.width) == GIF_ERROR) goto End;
- Remap(gif, tmp, rect.width, transparent_index, ptr);
+ if (!Remap(gif, tmp, rect.width, transparent_index, ptr)) goto End;
 }
 }
 ok = 1;