authorJorge Arellano Cid <jcid@dillo.org>2013-07-28 09:51:11 -0400
committerJorge Arellano Cid <jcid@dillo.org>2013-07-28 09:51:11 -0400
commit0d0e61f454008dc27d49a3b6a5f1a97f9f81297a (patch)
tree952899cf9c342390edbd16874b9cb058c731c109
parente6fd6ea3c95343428570d4356734f66dc4908c40 (diff)
Fixed a bug in Gif processing that could overflow an unsigned amount
Problem details are in bof-read-0_Gif_data_blocks.gif.asan. There was an off-by-one safety check that failed when the amounts were equal.
-rw-r--r--src/gif.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/gif.c b/src/gif.c
index 69fcf5d3..7ce1e110 100644
--- a/src/gif.c
+++ b/src/gif.c
@@ -287,13 +287,15 @@ static inline size_t Gif_data_blocks(const uchar_t *Buf, size_t BSize)
*/
static inline size_t Gif_do_generic_ext(const uchar_t *Buf, size_t BSize)
{
- size_t Size = Buf[0] + 1, DSize;
+
+ size_t Size = Buf[0] + 1, /* (uchar_t + 1) can't overflow size_t */
+ DSize;
/* The Block size (the first byte) is supposed to be a specific size
* for each extension... we don't check.
*/
- if (Buf[0] > BSize)
+ if (Size > BSize)
return 0;
DSize = Gif_data_blocks(Buf + Size, BSize - Size);
if (!DSize)