author | Tom Taylor <tomtaylor@google.com> | 2017-01-11 09:17:01 -0800 |
---|---|---|
committer | gitbuildkicker <android-build@google.com> | 2017-01-19 16:33:04 -0800 |
commit | 3f9821128abd66c4cd2f040d8243efb334bfad2d (patch) | |
tree | 7ce2676e717bffb7d4c3450e4c6f75ff85989c12 | |
parent | 8ba22b48ebff50311d7eaa8d512f9d507f0bdd0d (diff) | |
download | Messaging-3f9821128abd66c4cd2f040d8243efb334bfad2d.tar.gz |

Tags: android-7.1.1_r50, android-7.1.1_r48, android-7.1.1_r45, android-7.1.1_r42, android-7.1.1_r40, android-7.1.1_r38, android-7.1.1_r28

32764144 Security Vulnerability - heap buffer overflow in libgiftranscode.so
in colorMap->Colors[colorIndex]
* No range checking was done on a color index. Add range
checking and bail if the color index is out of range.
Test: tested sending a large gif that would invoke the GifTranscoder library
to make the gif smaller.
Bug: 32764144
Change-Id: I44f36274ec333ae1960fa8fc96b2dbde35fbaa66
(cherry picked from commit 6f763fef7ab16e28f6c43496e0f866e7803b4dc8)
-rw-r--r-- | jni/GifTranscoder.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/jni/GifTranscoder.cpp b/jni/GifTranscoder.cpp index 6245538..112feca 100644 --- a/jni/GifTranscoder.cpp +++ b/jni/GifTranscoder.cpp @@ -384,6 +384,11 @@ bool GifTranscoder::renderImage(GifFileType* gifIn, for (int y = 0; y < gifIn->Image.Height; y++) { for (int x = 0; x < gifIn->Image.Width; x++) { GifByteType colorIndex = *getPixel(rasterBits, gifIn->Image.Width, x, y); + if (colorIndex >= colorMap->ColorCount) { + LOGE("Color Index %d is out of bounds (count=%d)", colorIndex, + colorMap->ColorCount); + return false; + } // This image may be smaller than the GIF's "logical screen" int renderX = x + gifIn->Image.Left; |
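
Review bot: The added check at the top of the inner `x` loop reads `colorMap->ColorCount`, but nothing in the visible context shows that `colorMap` is non-null at this point. A GIF can carry no colour map at all, so unless that is already guaranteed before the `y` loop, add a null guard there; otherwise the bounds check itself becomes the faulting dereference. The comparison is right for a `GifByteType` index, since `>=` also rejects an index equal to `ColorCount`. Because the check returns on the first bad pixel, including `x` and `y` in the `LOGE` message would make a rejected file easier to diagnose. The Test: line describes only a manual send of a large GIF; a regression input with a pixel index at or above the colour table size would exercise the new `return false` path directly.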