Skip to content

Commit 07b5896

Browse files
remicolletremicollet
committed
Fix bug #68601 buffer read overflow in gd_gif_in.c
1 parent 9beb376 commit 07b5896

File tree

1 file changed

+9
-2
lines changed

1 file changed

+9
-2
lines changed

ext/gd/libgd/gd_gif_in.c

Lines changed: 9 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -72,8 +72,10 @@ static struct {
7272

7373
#define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
7474

75+
#define CSD_BUF_SIZE 280
76+
7577
typedef struct {
76-
unsigned char buf[280];
78+
unsigned char buf[CSD_BUF_SIZE];
7779
int curbit, lastbit, done, last_byte;
7880
} CODE_STATIC_DATA;
7981

@@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
400402

401403
ret = 0;
402404
for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
403-
ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
405+
if (i < CSD_BUF_SIZE * 8) {
406+
ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
407+
} else {
408+
ret = -1;
409+
break;
410+
}
404411

405412
scd->curbit += code_size;
406413
return ret;

0 commit comments

Comments
 (0)