saitoha / libsixel

A SIXEL encoder/decoder implementation derived from kmiya's sixel (https://github.com/saitoha/sixel).
MIT License

buffer overflow issue - OOB write #88

Closed niugx closed 4 years ago

niugx commented 5 years ago

There is a buffer overflow issue in the gif_process_raster function, line 310 of fromgif.c:

```c
309     for (code = 0; code < clear; code++) {
310         g->codes[code].prefix = -1;
311         g->codes[code].first = (unsigned char) code;
312         g->codes[code].suffix = (unsigned char) code;
313     }
```

`g->codes[code]` will OOB write with a crafted GIF file.

```
root@ubuntu:/libsixel-master/converters# ./img2sixel crafted.gif
Segmentation fault (core dumped)
```

//////////debug information/////////////

```
root@ubuntu:/libsixel-master/converters# gdb -q .libs/img2sixel
Reading symbols from .libs/img2sixel...done.
(gdb) set args crafted.gif
(gdb) r
Starting program: /libsixel-master/converters/.libs/img2sixel crafted.gif

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bad7e6 in gif_process_raster (s=0x7fffffffdc40, g=0x7fffffff95d0) at fromgif.c:310
310         g->codes[code].prefix = -1;
(gdb) bt
#0  0x00007ffff7bad7e6 in gif_process_raster (s=0x7fffffffdc40, g=0x7fffffff95d0) at fromgif.c:310
#1  0x00007ffff7badead in gif_load_next (s=0x7fffffffdc40, g=0x7fffffff95d0, bgcolor=0x0) at fromgif.c:462
#2  0x00007ffff7bae39f in load_gif (buffer=0x7ffff6d53010 "GIF89a\376\001\037", <incomplete sequence \346>, size=1888416, bgcolor=0x0, reqcolors=256, fuse_palette=1, fstatic=0, loop_control=1195900927, fn_load=0x7ffff7bb1d9d , context=0x606040, allocator=0x606010) at fromgif.c:599
```

Guoxiang Niu, Xiaolong Zhao, Muxing Guan, EaglEye Team
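The loop in the report trusts `clear`, which a GIF decoder derives as `1 << lzw_cs` from the "LZW minimum code size" byte of the image data block, so a crafted file can push the loop past the end of the fixed-size code table. As an added illustration that is neither libsixel's code nor the change in 7808a06, here is a stand-alone version of that table initialisation with the range check a decoder needs; the 4096-entry table, the struct layout and the function name are assumptions for this example.

```c
#include <stdio.h>

/* GIF LZW codes are at most 12 bits wide, so a decoder's code table never
 * needs more than 4096 entries. The table size and field layout here are
 * assumptions for this example, modelled on the field names in the report. */
#define GIF_MAX_CODE_BITS   12
#define GIF_CODE_TABLE_SIZE (1 << GIF_MAX_CODE_BITS)

typedef struct {
    short         prefix;
    unsigned char first;
    unsigned char suffix;
} gif_lzw_code;

typedef struct {
    gif_lzw_code codes[GIF_CODE_TABLE_SIZE];
    int          clear;    /* clear code, 1 << lzw_cs; eoi is clear + 1 */
} gif_decoder;

/* Fill the literal entries 0..clear-1 of the LZW table. lzw_cs is the
 * "LZW minimum code size" byte read from an untrusted file. Without the
 * range check, lzw_cs >= 13 makes clear = 1 << lzw_cs exceed the table and
 * the loop writes past the end of codes[], which is the crash at
 * fromgif.c:310 in the report. Returns 0 on success, -1 when rejected. */
int gif_init_code_table(gif_decoder *g, unsigned char lzw_cs)
{
    if (g == NULL || lzw_cs > GIF_MAX_CODE_BITS)
        return -1;                      /* reject before touching the table */

    g->clear = 1 << lzw_cs;             /* now at most GIF_CODE_TABLE_SIZE */
    for (int code = 0; code < g->clear; code++) {   /* index < table size */
        g->codes[code].prefix = -1;
        g->codes[code].first  = (unsigned char) code;
        g->codes[code].suffix = (unsigned char) code;
    }
    return 0;
}

int main(void)
{
    static gif_decoder g;               /* static: the table is 16 KiB */
    printf("lzw_cs=8  -> %d\n", gif_init_code_table(&g, 8));   /* prints 0  */
    printf("lzw_cs=13 -> %d\n", gif_init_code_table(&g, 13));  /* prints -1 */
    return 0;
}
```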

saitoha commented 4 years ago

This is the same problem as #75. It is fixed with 7808a06 and merged into v1.8.3. Thanks!