diff options
| author | Tom Taylor <tomtaylor@google.com> | 2017-01-17 19:51:36 +0000 |
|---|---|---|
| committer | android-build-merger <android-build-merger@google.com> | 2017-01-17 19:51:36 +0000 |
| commit | cc649e4e1e0b21800e0345e5743f757acf22f24d (patch) | |
| tree | 553cb77e85662562dafe7f48042379d2d8fe5e3a | |
| parent | 29170155298276116623f7605aba238750f079ed (diff) | |
| parent | 82fa311e9a68b6f4edbe33cc3d363155d9aea897 (diff) | |
| download | android_packages_apps_Messaging-cc649e4e1e0b21800e0345e5743f757acf22f24d.tar.gz android_packages_apps_Messaging-cc649e4e1e0b21800e0345e5743f757acf22f24d.tar.bz2 android_packages_apps_Messaging-cc649e4e1e0b21800e0345e5743f757acf22f24d.zip | |
32764144 Security Vulnerability - heap buffer overflow in libgiftranscode.so in colorMap->Colors[colorIndex] am: 6f763fef7a am: 9f00add2fb am: 71d4913462
am: 82fa311e9a
Change-Id: Ifd7c99312f526e379268f5f12a5ff61d95a90996
| -rw-r--r-- | jni/GifTranscoder.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/jni/GifTranscoder.cpp b/jni/GifTranscoder.cpp index 6245538..112feca 100644 --- a/jni/GifTranscoder.cpp +++ b/jni/GifTranscoder.cpp @@ -384,6 +384,11 @@ bool GifTranscoder::renderImage(GifFileType* gifIn, for (int y = 0; y < gifIn->Image.Height; y++) { for (int x = 0; x < gifIn->Image.Width; x++) { GifByteType colorIndex = *getPixel(rasterBits, gifIn->Image.Width, x, y); + if (colorIndex >= colorMap->ColorCount) { + LOGE("Color Index %d is out of bounds (count=%d)", colorIndex, + colorMap->ColorCount); + return false; + } // This image may be smaller than the GIF's "logical screen" int renderX = x + gifIn->Image.Left; |