tags 395382 + patch
thanks
Hi,
Attached please find my proposed NMU patch for this bug. Feel free to
take it over and include it in a maintainer upload. However, if I don't
hear from you within the next several days (let's say, by November 3rd)
I will upload myself.
best regards,
--
Kevin B. McCarty <[EMAIL PROTECTED]> Physics Department
WWW: http://www.princeton.edu/~kmccarty/ Princeton University
GPG: public key ID 4F83C751 Princeton, NJ 08544
diff -ur giflib-3.0.old/debian/changelog giflib-3.0/debian/changelog
--- giflib-3.0.old/debian/changelog 2006-10-26 13:57:08.000000000 -0400
+++ giflib-3.0/debian/changelog 2006-10-26 13:55:19.108418553 -0400
@@ -1,3 +1,16 @@
+giflib (3.0-12.1) unstable; urgency=high
+
+ * Non-maintainer upload for security patch.
+ * Backport fixes from giflib 4.1.4:
+ - lib/dgif_lib.c: Fix NULL dereference crash with crafted LZW
+ termination blocks. CVE-2005-2974
+ - lib/dgif_lib.c, lib/egif_lib.c, lib/gifalloc.c, util/gifcomb.c:
+ Fix multiple buffer overflows with crafted GIF files, possibly
+ exploitable. CVE-2005-3350
+ - closes: #395382
+
+ -- Kevin B. McCarty <[EMAIL PROTECTED]> Thu, 26 Oct 2006 13:45:43 -0400
+
giflib (3.0-12) unstable; urgency=low
* Applied patch from Dann Frazier <[EMAIL PROTECTED]> to fix problems on
64-bit
diff -ur giflib-3.0.old/lib/dgif_lib.c giflib-3.0/lib/dgif_lib.c
--- giflib-3.0.old/lib/dgif_lib.c 1997-06-26 13:09:56.000000000 -0400
+++ giflib-3.0/lib/dgif_lib.c 2006-10-26 12:49:24.418823486 -0400
@@ -492,14 +492,26 @@
File = Private->File;
- if (GifFile->Image.ColorMap)
+ if (GifFile->Image.ColorMap) {
FreeMapObject(GifFile->Image.ColorMap);
- if (GifFile->SColorMap)
+ GifFile->Image.ColorMap = NULL;
+ }
+
+ if (GifFile->SColorMap) {
FreeMapObject(GifFile->SColorMap);
- if (Private)
+ GifFile->SColorMap = NULL;
+ }
+
+ if (Private) {
free((char *) Private);
- if (GifFile->SavedImages)
+ Private = NULL;
+ }
+
+ if (GifFile->SavedImages) {
FreeSavedImages(GifFile);
+ GifFile->SavedImages = NULL;
+ }
+
free(GifFile);
if (fclose(File) != 0) {
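Review bot: The guard on the new line `if (Private) {` comes after `File = Private->File;` on the hunk's first context line, so a NULL Private would already have been dereferenced before the check, and resetting the local `Private = NULL;` afterward protects nothing because the local goes out of scope at return. The egif_lib.c hunk has the same ordering: `Private->File` is dereferenced in the `fwrite` call two lines above its `if (Private) {` check. Either hoist a NULL test above the first dereference in both close routines or drop the guard, so the control flow states the invariant the code actually relies on. The enclosing close routine starts before this hunk.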
@@ -805,6 +817,11 @@
0x00ff, 0x01ff, 0x03ff, 0x07ff,
0x0fff
};
+ /* The image can't contain more than LZ_BITS per code. */
+ if (Private->RunningBits > LZ_BITS) {
+ _GifError = D_GIF_ERR_IMAGE_DEFECT;
+ return GIF_ERROR;
+ }
while (Private->CrntShiftState < Private->RunningBits) {
/* Needs to get more bytes from input stream for next code: */
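Review bot: The comment on the new guard `if (Private->RunningBits > LZ_BITS) {` states the invariant but not what it protects, which is what a later maintainer needs before being tempted to remove it. If, as the mask table closing just above suggests, RunningBits is used as an index into that table or as a shift count further down (outside this hunk), the comment should say so, e.g. `/* RunningBits indexes the mask table above and is used as a shift count; a crafted stream must not push it past LZ_BITS. */`. The enclosing decompression routine starts before and continues past this hunk.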
@@ -821,9 +838,13 @@
Private->CrntShiftDWord >>= Private->RunningBits;
Private->CrntShiftState -= Private->RunningBits;
- /* If code cannt fit into RunningBits bits, must raise its size. Note */
- /* however that codes above 4095 are used for special signaling. */
- if (++Private->RunningCode > Private->MaxCode1 &&
+ /* If code cannt fit into RunningBits bits, must raise its size. Note
+ * however that codes above 4095 are used for special signaling.
+ * If we're using LZ_BITS bits already and we're at the max code, just
+ * keep using the table as it is, don't increment Private->RunningCode.
+ */
+ if (Private->RunningCode < LZ_MAX_CODE + 2 &&
+ ++Private->RunningCode > Private->MaxCode1 &&
Private->RunningBits < LZ_BITS) {
Private->MaxCode1 <<= 1;
Private->RunningBits++;
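Review bot: The new condition beginning `if (Private->RunningCode < LZ_MAX_CODE + 2 &&` hides a side effect (`++Private->RunningCode`) behind a short-circuit clause, so whether the code counter advances depends on the evaluation order of a three-clause test; that is correct as written but fragile, and the reworded comment still carries the typo `cannt`. Separating the saturation check from the increment makes the behaviour the comment describes explicit. The if-body's closing brace lies past the hunk, so the restructure needs one more closing brace there.
```c
/* … unchanged: shift-state bookkeeping … */
/* Codes above LZ_MAX_CODE are reserved for signaling; once the table is
 * full at LZ_BITS, keep using it as it is and stop advancing RunningCode. */
if (Private->RunningCode < LZ_MAX_CODE + 2) {
    ++Private->RunningCode;
    if (Private->RunningCode > Private->MaxCode1 &&
        Private->RunningBits < LZ_BITS) {
        Private->MaxCode1 <<= 1;
        Private->RunningBits++;
        /* … unchanged: rest of the table-growth body, continues past the hunk … */
```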
@@ -847,6 +868,14 @@
_GifError = D_GIF_ERR_READ_FAILED;
return GIF_ERROR;
}
+ /* There shouldn't be any empty data blocks here as the LZW spec
+ * says the LZW termination code should come first. Therefore we
+ * shouldn't be inside this routine at that point.
+ */
+ if (Buf[0] == 0) {
+ _GifError = D_GIF_ERR_IMAGE_DEFECT;
+ return GIF_ERROR;
+ }
if (fread(&Buf[1], 1, Buf[0], File) != Buf[0])
{
_GifError = D_GIF_ERR_READ_FAILED;
diff -ur giflib-3.0.old/lib/egif_lib.c giflib-3.0/lib/egif_lib.c
--- giflib-3.0.old/lib/egif_lib.c 2006-10-26 13:57:08.000000000 -0400
+++ giflib-3.0/lib/egif_lib.c 2006-10-26 12:58:03.869314228 -0400
@@ -598,10 +598,14 @@
Buf = ';';
fwrite(&Buf, 1, 1, Private->File);
- if (GifFile->Image.ColorMap)
+ if (GifFile->Image.ColorMap) {
FreeMapObject(GifFile->Image.ColorMap);
- if (GifFile->SColorMap)
+ GifFile->Image.ColorMap = NULL;
+ }
+ if (GifFile->SColorMap) {
FreeMapObject(GifFile->SColorMap);
+ GifFile->SColorMap = NULL;
+ }
if (Private) {
if (Private->HashTable) free((char *) Private->HashTable);
free((char *) Private);
diff -ur giflib-3.0.old/lib/gifalloc.c giflib-3.0/lib/gifalloc.c
--- giflib-3.0.old/lib/gifalloc.c 2006-10-26 13:57:08.000000000 -0400
+++ giflib-3.0/lib/gifalloc.c 2006-10-26 12:34:25.128104179 -0400
@@ -326,8 +326,10 @@
sp < GifFile->SavedImages + GifFile->ImageCount;
sp++)
{
- if (sp->ImageDesc.ColorMap)
+ if (sp->ImageDesc.ColorMap) {
FreeMapObject(sp->ImageDesc.ColorMap);
+ sp->ImageDesc.ColorMap = NULL;
+ }
if (sp->RasterBits)
free((char *)sp->RasterBits);
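Review bot: The new `sp->ImageDesc.ColorMap = NULL;` makes a repeated pass through this loop safe for the color map, but `free((char *)sp->RasterBits);` on the next two context lines leaves `sp->RasterBits` dangling, so if FreeSavedImages can be reached twice for the same file the double free only moves from one field to the other; add `sp->RasterBits = NULL;` after that free. Whether a caller can reach this routine twice is not visible here, but the reset is cheap and matches the pattern the rest of this patch applies to every other freed pointer. The loop's closing brace and the enclosing function lie outside this hunk.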
diff -ur giflib-3.0.old/util/gifcomb.c giflib-3.0/util/gifcomb.c
--- giflib-3.0.old/util/gifcomb.c 2006-10-26 13:57:08.000000000 -0400
+++ giflib-3.0/util/gifcomb.c 2006-10-26 12:35:30.365232173 -0400
@@ -196,6 +196,7 @@
}
FreeMapObject(ColorUnion); /* We dont need this any more... */
+ ColorUnion = NULL;
if (DGifCloseFile(GifFileIn1) == GIF_ERROR ||
DGifCloseFile(GifFileIn2) == GIF_ERROR ||