From 0d0e61f454008dc27d49a3b6a5f1a97f9f81297a Mon Sep 17 00:00:00 2001
From: Jorge Arellano Cid
Date: Sun, 28 Jul 2013 09:51:11 -0400
Subject: Fixed a bug in Gif processing that could overflow an unsigned amount

Problem details in bof-read-0_Gif_data_blocks.gif.asan There was an off-by-one safety check that failed when the amounts were equal.
---
 src/gif.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'src/gif.c')

diff --git a/src/gif.c b/src/gif.c
index 69fcf5d3..7ce1e110 100644
--- a/src/gif.c
+++ b/src/gif.c
@@ -287,13 +287,15 @@ static inline size_t Gif_data_blocks(const uchar_t *Buf, size_t BSize)
 */
 static inline size_t Gif_do_generic_ext(const uchar_t *Buf, size_t BSize)
 {
- size_t Size = Buf[0] + 1, DSize;
+
+ size_t Size = Buf[0] + 1, /* (uchar_t + 1) can't overflow size_t */
+ DSize;
 /* The Block size (the first byte) is supposed to be a specific size
 * for each extension... we don't check. */
- if (Buf[0] > BSize)
+ if (Size > BSize)
 return 0;
 DSize = Gif_data_blocks(Buf + Size, BSize - Size);
 if (!DSize)
-- 
cgit v1.2.3