Heap Buffer Overflow-2 in function DGifDecompressLine() in cgif.c

[Xin-Jiang]

Here is the bug: 1295 if (LastCode != NO_SUCH_CODE) { 1296 Prefix[Private->RunningCode - 2] = LastCode; the "Private->RunningCode - 2" should be checked if it is less than LZ_MAX_CODE.

The crash is as follows: (gdb) run crash000005 1.pdf Program received signal SIGSEGV, Segmentation fault. 0x00000000004120aa in DGifDecompressLine (Line=0x7ffff7f74010 "", LineLen=486109, GifFile=0x691740) at cgif.c:1296 1296 Prefix[Private->RunningCode - 2] = LastCode; (gdb) bt

0 0x00000000004120aa in DGifDecompressLine (Line=0x7ffff7f74010 "", LineLen=486109, GifFile=0x691740) at cgif.c:1296

1 0x00000000004132eb in CGIF::DGifGetLine (GifFile=0x691740, Line=, LineLen=) at cgif.c:939

2 0x00000000004136ba in CGIF::DGifSlurp (GifFile=GifFile@entry=0x691740) at cgif.c:1508

3 0x000000000041391d in in_gif_reader (ufd=) at in_gif.cpp:48

4 0x000000000042fca8 in Image::load (ufd0=0x66a010, loadHints=..., format=format@entry=0x0) at image.cpp:1428

5 0x0000000000401eb0 in run_sam2p_engine (sout=..., serr=..., argv1=, helpp=helpp@entry=false) at sam2p_main.cpp:1055

6 0x00000000004014d0 in main (argv=0x7fffffffe5c8) at sam2p_main.cpp:1148

(gdb) p Private->RunningCode $1 = 32772 (gdb)

[fgeek]

@Xin-Jiang could you attach the reproducer file to this issue report, thanks.

[pts]

Thank you for reporting this bug!

Could you please attach the crash000005 file to this issue, so that I can reprodue the crash and find the culprit?

[pts]

Closing this bug now. I'll reopen it as soon as more information is attached.

[pts]

I'm still waiting for a .gif input file which breaks sam2p (at commit af05f34db7c27fbd1931a4aa898e1226623072d5). If you have one, please attach one!