On Mon, 07 Apr 2025 21:15:25 +0800 李亚杰 <[email protected]> wrote:
> In the function DumpScreen2RGB of the giflib software, an attempt is
> made to access the color map through ColorMapEntry. The size of
> ColorMap is 6 bytes (from 0x602000000030 to 0x602000000036). However,
> when accessing ColorMap->Colors[GifRow[j]], the value of GifRow[j]
> exceeds the actual number of colors stored. The address pointed to by
> ColorMapEntry, 0x602000000039, goes beyond the allocated memory range
> for color data. As a result, accessing ColorMapEntry->Red leads to
> out-of-bounds access, causing a heap-buffer-overflow.

I... think I reported this in 2016 already:
https://sourceforge.net/p/giflib/bugs/79/

The bug was closed without a fix, yet with giflib's author claiming
multiple times that it was fixed.

-- 
Hanno Böck
https://hboeck.de/
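Added here as an illustration, not code from the report, from giflib, or from this thread: a bounds-checked palette lookup in C. The structures are constructed stand-ins that reuse the field names the report cites (ColorCount, Colors, Red/Green/Blue); whether they match giflib's real layout is an assumption. The point is the check a decoder needs before ColorMap->Colors[GifRow[j]] is dereferenced: every pixel index must be below the map's color count, otherwise the lookup reads past the table exactly as the report describes.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the structures named in the report
 * (not giflib's own headers). */
typedef unsigned char GifByteType;
typedef struct { GifByteType Red, Green, Blue; } GifColorType;
typedef struct { int ColorCount; GifColorType *Colors; } ColorMapObject;

/* Converts one row of palette indices to packed RGB (3 bytes per pixel).
 * Each index is compared against ColorCount before Colors[] is touched;
 * out-of-range pixels are emitted as black and counted. The return value
 * is the number of out-of-range indices (0 means the row was clean), so a
 * caller can reject a malformed image instead of silently rendering it. */
size_t row_to_rgb(const ColorMapObject *map, const GifByteType *row,
                  size_t width, GifByteType *rgb_out)
{
    size_t bad = 0;
    for (size_t j = 0; j < width; j++) {
        int idx = row[j];                       /* 0..255 */
        if (map->ColorCount <= 0 || idx >= map->ColorCount) {
            /* Index beyond the table: do NOT dereference Colors[idx]. */
            bad++;
            rgb_out[3 * j] = rgb_out[3 * j + 1] = rgb_out[3 * j + 2] = 0;
            continue;
        }
        const GifColorType *entry = &map->Colors[idx]; /* now in bounds */
        rgb_out[3 * j]     = entry->Red;
        rgb_out[3 * j + 1] = entry->Green;
        rgb_out[3 * j + 2] = entry->Blue;
    }
    return bad;
}

/* Constructed sample: a 2-entry map (6 bytes, like the one in the report)
 * and a 4-pixel row whose third pixel carries index 9. */
size_t demo_out_of_range_count(void)
{
    GifColorType colors[2] = { {255, 0, 0}, {0, 0, 255} };
    ColorMapObject map = { 2, colors };
    GifByteType row[4] = { 0, 1, 9, 1 };
    GifByteType rgb[12];
    return row_to_rgb(&map, row, 4, rgb);   /* returns 1 */
}

int main(void)
{
    printf("out-of-range indices in sample row: %zu\n", demo_out_of_range_count());
    return 0;
}
```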
