diff options
| author | Tom Taylor <tomtaylor@google.com> | 2017-01-17 19:59:54 +0000 |
|---|---|---|
| committer | android-build-merger <android-build-merger@google.com> | 2017-01-17 19:59:54 +0000 |
| commit | 8495e582a1ae64747005a267902b16051474458b (patch) | |
| tree | 7ce2676e717bffb7d4c3450e4c6f75ff85989c12 | |
| parent | f07dfd0a1956b250a0b710887471ad67f5104351 (diff) | |
| parent | eece1bd759770f2c44a4b60ed79e705b44df0223 (diff) | |
| download | android_packages_apps_Messaging-8495e582a1ae64747005a267902b16051474458b.tar.gz android_packages_apps_Messaging-8495e582a1ae64747005a267902b16051474458b.tar.bz2 android_packages_apps_Messaging-8495e582a1ae64747005a267902b16051474458b.zip | |
32764144 Security Vulnerability - heap buffer overflow in libgiftranscode.so in colorMap->Colors[colorIndex] am: 6f763fef7a am: 9f00add2fb am: 71d4913462 am: 82fa311e9a am: cc649e4e1e am: 657379f51c am: fb324f89bf
am: eece1bd759
Change-Id: I5b978323dc12e67a3ea2b27a71d1bf1de27e1c0a
| -rw-r--r-- | jni/GifTranscoder.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/jni/GifTranscoder.cpp b/jni/GifTranscoder.cpp index 6245538..112feca 100644 --- a/jni/GifTranscoder.cpp +++ b/jni/GifTranscoder.cpp @@ -384,6 +384,11 @@ bool GifTranscoder::renderImage(GifFileType* gifIn, for (int y = 0; y < gifIn->Image.Height; y++) { for (int x = 0; x < gifIn->Image.Width; x++) { GifByteType colorIndex = *getPixel(rasterBits, gifIn->Image.Width, x, y); + if (colorIndex >= colorMap->ColorCount) { + LOGE("Color Index %d is out of bounds (count=%d)", colorIndex, + colorMap->ColorCount); + return false; + } // This image may be smaller than the GIF's "logical screen" int renderX = x + gifIn->Image.Left; |