tags 395382 + patch thanks Hi,
Attached please find my proposed NMU patch for this bug. Feel free to take it over and include it in a maintainer upload. However, if I don't hear from you within the next several days (let's say, by November 3rd) I will upload it myself. best regards, -- Kevin B. McCarty <[EMAIL PROTECTED]> Physics Department WWW: http://www.princeton.edu/~kmccarty/ Princeton University GPG: public key ID 4F83C751 Princeton, NJ 08544
diff -ur giflib-3.0.old/debian/changelog giflib-3.0/debian/changelog
--- giflib-3.0.old/debian/changelog 2006-10-26 13:57:08.000000000 -0400
+++ giflib-3.0/debian/changelog 2006-10-26 13:55:19.108418553 -0400
@@ -1,3 +1,16 @@
+giflib (3.0-12.1) unstable; urgency=high
+
+ * Non-maintainer upload for security patch.
+ * Backport fixes from giflib 4.1.4:
+ - lib/dgif_lib.c: Fix NULL dereference crash with crafted LZW
+ termination blocks. CVE-2005-2974
+ - lib/dgif_lib.c, lib/egif_lib.c, lib/gifalloc.c, util/gifcomb.c:
+ Fix multiple buffer overflows with crafted GIF files, possibly
+ exploitable. CVE-2005-3350
+ - closes: #395382
+
+ -- Kevin B. McCarty <[EMAIL PROTECTED]> Thu, 26 Oct 2006 13:45:43 -0400
+
 giflib (3.0-12) unstable; urgency=low
 * Applied patch from Dann Frazier <[EMAIL PROTECTED]> to fix problems on 64-bit
diff -ur giflib-3.0.old/lib/dgif_lib.c giflib-3.0/lib/dgif_lib.c
--- giflib-3.0.old/lib/dgif_lib.c 1997-06-26 13:09:56.000000000 -0400
+++ giflib-3.0/lib/dgif_lib.c 2006-10-26 12:49:24.418823486 -0400
@@ -492,14 +492,26 @@
 File = Private->File;
- if (GifFile->Image.ColorMap)
+ if (GifFile->Image.ColorMap) {
 FreeMapObject(GifFile->Image.ColorMap);
- if (GifFile->SColorMap)
+ GifFile->Image.ColorMap = NULL;
+ }
+
+ if (GifFile->SColorMap) {
 FreeMapObject(GifFile->SColorMap);
- if (Private)
+ GifFile->SColorMap = NULL;
+ }
+
+ if (Private) {
 free((char *) Private);
- if (GifFile->SavedImages)
+ Private = NULL;
+ }
+
+ if (GifFile->SavedImages) {
 FreeSavedImages(GifFile);
+ GifFile->SavedImages = NULL;
+ }
+
 free(GifFile);
 if (fclose(File) != 0) {
@@ -805,6 +817,11 @@
 0x00ff, 0x01ff, 0x03ff, 0x07ff, 0x0fff };
+ /* The image can't contain more than LZ_BITS per code. */
+ if (Private->RunningBits > LZ_BITS) {
+ _GifError = D_GIF_ERR_IMAGE_DEFECT;
+ return GIF_ERROR;
+ }
 while (Private->CrntShiftState < Private->RunningBits) {
 /* Needs to get more bytes from input stream for next code: */
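Review bot: The new `if (Private) {` guard in the DGifCloseFile hunk sits after `File = Private->File;` at the top of the hunk, so a NULL `Private` has already been dereferenced by the time the guard runs, and `Private = NULL;` only clears a local that is never read again. If the NULL case is meant to be handled, move the check ahead of the first use — `if (Private == NULL) { /* set _GifError and */ return GIF_ERROR; }` before `File = Private->File;` — otherwise the guard should go so it does not suggest a protection that is not there. The `GifFile->Image.ColorMap = NULL;`, `GifFile->SColorMap = NULL;` and `GifFile->SavedImages = NULL;` stores are written into a struct that `free(GifFile);` releases a few lines later, so on this path they only matter if something between the store and the free reads them (FreeSavedImages is the only call in between); the same dead-store observation applies to the egif_lib.c and gifalloc.c hunks, which clear fields in the same way. The enclosing function starts before the hunk and ends after it.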
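Review bot: The comment `/* The image can't contain more than LZ_BITS per code. */` on the new check states the rule but not what the check prevents; from the hunk it looks like `RunningBits` is used as a width into the mask table directly above (whose last entry, 0x0fff, is 12 bits wide) and as a shift count, so an out-of-range value from a crafted file would index past that table — confirm that `RunningBits` is indeed the index used below. I would say so in the comment: `/* RunningBits selects an entry of the mask table above; a crafted initial code size above LZ_BITS would read past it. */`. Within the decoder `RunningBits` only grows one at a time and is capped by `RunningBits < LZ_BITS` in the `@@ -821` hunk, so presumably the only way to arrive here with a value above LZ_BITS is the initial code size read at image setup (outside this diff); validating it once there would make this per-code check redundant, though it is cheap to keep as defence in depth. The enclosing function starts before the hunk and ends after it.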
@@ -821,9 +838,13 @@
 Private->CrntShiftDWord >>= Private->RunningBits;
 Private->CrntShiftState -= Private->RunningBits;
- /* If code cannt fit into RunningBits bits, must raise its size. Note */
- /* however that codes above 4095 are used for special signaling. */
- if (++Private->RunningCode > Private->MaxCode1 &&
+ /* If code cannt fit into RunningBits bits, must raise its size. Note
+ * however that codes above 4095 are used for special signaling.
+ * If we're using LZ_BITS bits already and we're at the max code, just
+ * keep using the table as it is, don't increment Private->RunningCode.
+ */
+ if (Private->RunningCode < LZ_MAX_CODE + 2 &&
+ ++Private->RunningCode > Private->MaxCode1 &&
 Private->RunningBits < LZ_BITS) {
 Private->MaxCode1 <<= 1;
 Private->RunningBits++;
@@ -847,6 +868,14 @@
 _GifError = D_GIF_ERR_READ_FAILED;
 return GIF_ERROR;
 }
+ /* There shouldn't be any empty data blocks here as the LZW spec
+ * says the LZW termination code should come first. Therefore we
+ * shouldn't be inside this routine at that point.
+ */
+ if (Buf[0] == 0) {
+ _GifError = D_GIF_ERR_IMAGE_DEFECT;
+ return GIF_ERROR;
+ }
 if (fread(&Buf[1], 1, Buf[0], File) != Buf[0]) {
 _GifError = D_GIF_ERR_READ_FAILED;
diff -ur giflib-3.0.old/lib/egif_lib.c giflib-3.0/lib/egif_lib.c
--- giflib-3.0.old/lib/egif_lib.c 2006-10-26 13:57:08.000000000 -0400
+++ giflib-3.0/lib/egif_lib.c 2006-10-26 12:58:03.869314228 -0400
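Review bot: The new bound `Private->RunningCode < LZ_MAX_CODE + 2 &&` ahead of `++Private->RunningCode > Private->MaxCode1 &&` does its job only through short-circuit evaluation — once RunningCode reaches LZ_MAX_CODE + 2 the increment is never executed — which a reader skimming the condition can easily miss; the comment above does say it, but a one-line `/* NB: the first test must stay first; it suppresses the ++ below. */` next to the condition would anchor it. This hunk caps the counter in the input routine only; the line decoder (DGifDecompressLine, not in this diff) is where RunningCode is used to index the prefix table, so it is worth confirming the backport also carries the matching bound there rather than relying on this cap alone. Minor: the rewritten comment keeps the typo `cannt` — `cannot`. The enclosing function starts before the hunk and ends after it.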
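Review bot: The comment above the new `if (Buf[0] == 0)` check in the `@@ -847` hunk explains the spec reason but not the defect in this code: `Buf[0]` is the sub-block length just read and is the count passed to `fread(&Buf[1], 1, Buf[0], File)`, and presumably it is also decremented as bytes are consumed in the bookkeeping just below the hunk, so a zero length would leave that state inconsistent for the caller — that, not the spec, is what a crafted file would exploit. I would add the consequence in one line: `/* A zero-length sub-block here leaves the buffer bookkeeping below with nothing to consume; reject it as a defect. */` — confirm against the lines after the hunk. The check makes the decoder strict about an early block terminator, which is the right call for untrusted input. The enclosing function starts before the hunk and ends after it.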
@@ -598,10 +598,14 @@
 Buf = ';';
 fwrite(&Buf, 1, 1, Private->File);
- if (GifFile->Image.ColorMap)
+ if (GifFile->Image.ColorMap) {
 FreeMapObject(GifFile->Image.ColorMap);
- if (GifFile->SColorMap)
+ GifFile->Image.ColorMap = NULL;
+ }
+ if (GifFile->SColorMap) {
 FreeMapObject(GifFile->SColorMap);
+ GifFile->SColorMap = NULL;
+ }
 if (Private) {
 if (Private->HashTable) free((char *) Private->HashTable);
 free((char *) Private);
diff -ur giflib-3.0.old/lib/gifalloc.c giflib-3.0/lib/gifalloc.c
--- giflib-3.0.old/lib/gifalloc.c 2006-10-26 13:57:08.000000000 -0400
+++ giflib-3.0/lib/gifalloc.c 2006-10-26 12:34:25.128104179 -0400
@@ -326,8 +326,10 @@
 sp < GifFile->SavedImages + GifFile->ImageCount; sp++) {
- if (sp->ImageDesc.ColorMap)
+ if (sp->ImageDesc.ColorMap) {
 FreeMapObject(sp->ImageDesc.ColorMap);
+ sp->ImageDesc.ColorMap = NULL;
+ }
 if (sp->RasterBits) free((char *)sp->RasterBits);
diff -ur giflib-3.0.old/util/gifcomb.c giflib-3.0/util/gifcomb.c
--- giflib-3.0.old/util/gifcomb.c 2006-10-26 13:57:08.000000000 -0400
+++ giflib-3.0/util/gifcomb.c 2006-10-26 12:35:30.365232173 -0400
@@ -196,6 +196,7 @@
 }
 FreeMapObject(ColorUnion); /* We dont need this any more... */
+ ColorUnion = NULL;
 if (DGifCloseFile(GifFileIn1) == GIF_ERROR ||
 DGifCloseFile(GifFileIn2) == GIF_ERROR ||
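Review bot: In the gifalloc.c hunk `sp->ImageDesc.ColorMap` is cleared after `FreeMapObject`, but the very next statement `if (sp->RasterBits) free((char *)sp->RasterBits);` frees the other pointer of the same entry without clearing it, so the use-after-free hygiene is applied to one field and not the other. For consistency within the loop: `if (sp->RasterBits) { free((char *)sp->RasterBits); sp->RasterBits = NULL; }`. Whether the SavedImages array itself is released right after the loop is outside the hunk; if it is, both stores are dead on this path and the clearing is only belt-and-braces against a caller holding on to the entries. The loop starts before the hunk and the function continues after it.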