authorTom Taylor <tomtaylor@google.com>2017-01-11 17:17:01 (GMT)
committerSean McCreary <mccreary@mcwest.org>2017-03-22 18:50:27 (GMT)
commit78cb8b00ee024cfdf383912695e30d9c2cb64f7d (patch)
tree24492ebb7c4880364b971d4f1036ef204c6fd02f
parent62371f2e4bfe3d54f2b79fe55bbb423642a235d2 (diff)
32764144 Security Vulnerability - heap buffer overflow in libgiftranscode.so
in colorMap->Colors[colorIndex]

* No range checking was done on a color index. Add range checking and bail if the color index is out of range.

Test: tested sending a large gif that would invoke the GifTranscoder library to make the gif smaller.

Bug: 32764144 CVE-2017-0494
Change-Id: I44f36274ec333ae1960fa8fc96b2dbde35fbaa66
(cherry picked from commit 6f763fef7ab16e28f6c43496e0f866e7803b4dc8)
(cherry picked from commit 3f9821128abd66c4cd2f040d8243efb334bfad2d)
-rw-r--r--jni/GifTranscoder.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/jni/GifTranscoder.cpp b/jni/GifTranscoder.cpp
index 81f3f75..0e83982 100644
--- a/jni/GifTranscoder.cpp
+++ b/jni/GifTranscoder.cpp
@@ -384,6 +384,11 @@ bool GifTranscoder::renderImage(GifFileType* gifIn,
for (int y = 0; y < gifIn->Image.Height; y++) {
for (int x = 0; x < gifIn->Image.Width; x++) {
GifByteType colorIndex = *getPixel(rasterBits, gifIn->Image.Width, x, y);
+ if (colorIndex >= colorMap->ColorCount) {
+ LOGE("Color Index %d is out of bounds (count=%d)", colorIndex,
+ colorMap->ColorCount);
+ return false;
+ }
// This image may be smaller than the GIF's "logical screen"
int renderX = x + gifIn->Image.Left;