authorTom Taylor <tomtaylor@google.com>2016-12-01 12:20:44 -0800
committerBrinly Taylor <brinly@brinly.me>2017-03-13 04:51:58 +0000
commitf4a97c13cb076d606de10bdd068e8effff1b3646 (patch)
treed77ac2dc95d0f1cc6ba5179de33810134475ef3b
parent39b074283ac8f72e16cf96869e6292dd7ecc3daf (diff)
32322450 Security Vulnerability - heap buffer overflow in libgiftranscode.so
* No range checking was done on the background color index. Add range checking and bail if the color index is out of range. * Test Manual - tested sending the gif attached in the bug. - tested sending a 3.5mb gif to verify the gif transcoding was taking place. - tested on arm64, arm, and x86 devices. Change-Id: Id16ddccf05c8472ddebc1284b2a928dafd1be551 Fixes: 32322450 (cherry picked from commit bcc1f62715f8005684ac6b798d0d54224394e975) (cherry picked from commit 47971bccc973ed00ff9b30ce27dc28e0d2cc5cfc)
-rw-r--r--jni/GifTranscoder.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/jni/GifTranscoder.cpp b/jni/GifTranscoder.cpp
index 44fa30c..0d50770 100644
--- a/jni/GifTranscoder.cpp
+++ b/jni/GifTranscoder.cpp
@@ -274,6 +274,11 @@ bool GifTranscoder::resizeBoxFilter(GifFileType* gifIn, GifFileType* gifOut) {
// matches what libframesequence (Rastermill) does.
if (imageIndex == 0 && gifIn->SColorMap) {
if (gcb.TransparentColor == NO_TRANSPARENT_COLOR) {
+ if (gifIn->SBackGroundColor < 0 ||
+ gifIn->SBackGroundColor >= gifIn->SColorMap->ColorCount) {
+ LOGE("SBackGroundColor overflow");
+ return false;
+ }
GifColorType bgColorIndex =
gifIn->SColorMap->Colors[gifIn->SBackGroundColor];
bgColor = gifColorToColorARGB(bgColorIndex);
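Review bot: The added `LOGE("SBackGroundColor overflow")` records neither the rejected index nor the palette size, and it prints "overflow" for a negative index as well, so a rejected file is hard to triage from logs. Assuming LOGE is printf-style, I would write `LOGE("SBackGroundColor %d out of range [0, %d)", gifIn->SBackGroundColor, gifIn->SColorMap->ColorCount);` and put a comment above the check such as `// SBackGroundColor is read from the GIF file and is untrusted; validate it before indexing Colors.` resizeBoxFilter begins and continues outside this hunk, so I cannot see whether the early `return false` leaves anything acquired earlier in the function unreleased. I also cannot see whether other file-derived indices into `Colors` are bounded the same way; both are worth confirming.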