From 9d34bc31927f47e91ba85980d4d146593cbbe1a8 Mon Sep 17 00:00:00 2001
From: Chris Craik
Date: Wed, 9 Apr 2014 16:31:18 -0700
Subject: Fix uninitialized read in gif extension reading

Use memcmp instead of strcmp, since string stored in gif may not be null terminated. Additionally, pass the correct carray for releasing the byte array.

Change-Id: Icb0260c953377d17b7dd7b4fb021147181cd5df8
---
 framesequence/jni/FrameSequenceJNI.cpp | 3 +--
 framesequence/jni/FrameSequence_gif.cpp | 12 ++++++------
 2 files changed, 7 insertions(+), 8 deletions(-)
(limited to 'framesequence')

diff --git a/framesequence/jni/FrameSequenceJNI.cpp b/framesequence/jni/FrameSequenceJNI.cpp
index efeed7e..08a73bc 100644
--- a/framesequence/jni/FrameSequenceJNI.cpp
+++ b/framesequence/jni/FrameSequenceJNI.cpp
@@ -53,8 +53,7 @@ static jobject nativeDecodeByteArray(JNIEnv* env, jobject clazz,
 "couldn't read array bytes");
 return NULL;
 }
- bytes += offset;
- MemoryStream stream(bytes, length);
+ MemoryStream stream(bytes + offset, length);
 FrameSequence* frameSequence = FrameSequence::create(&stream);
 env->ReleasePrimitiveArrayCritical(byteArray, bytes, 0);
 return createJavaFrameSequence(env, frameSequence);
diff --git a/framesequence/jni/FrameSequence_gif.cpp b/framesequence/jni/FrameSequence_gif.cpp
index 2402439..daa097b 100644
--- a/framesequence/jni/FrameSequence_gif.cpp
+++ b/framesequence/jni/FrameSequence_gif.cpp
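Review bot: The new `MemoryStream stream(bytes + offset, length);` still trusts `offset` and `length` exactly as they arrive from Java: nothing in the hunk checks that `offset >= 0`, `length >= 0` and `offset + length` fits inside `byteArray`, so a bad pair makes the decoder read past the pinned buffer even though the release pointer is now correct. Unless the Java wrapper (not visible here) validates them, add the check before the array is pinned, since a critical region may not make other JNI calls: `const jsize arrayLength = env->GetArrayLength(byteArray);` followed by `if (offset < 0 || length < 0 || offset > arrayLength - length) { /* same error path as the "couldn't read array bytes" branch */ return NULL; }`. It is also worth a comment that the whole decode in `FrameSequence::create(&stream)` runs while the array is pinned, which blocks GC for the duration; that is pre-existing, not introduced here. The body of `nativeDecodeByteArray` begins before this hunk, so the pinning call itself is outside view.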
@@ -81,14 +81,14 @@ FrameSequence_gif::FrameSequence_gif(Stream* stream) :
 for (int j = 0; (j + 1) < image.ExtensionBlockCount; j++) {
 ExtensionBlock* eb1 = image.ExtensionBlocks + j;
 ExtensionBlock* eb2 = image.ExtensionBlocks + j + 1;
- if (eb1->Function == APPLICATION_EXT_FUNC_CODE &&
+ if (eb1->Function == APPLICATION_EXT_FUNC_CODE
 // look for "NETSCAPE2.0" app extension
- eb1->ByteCount == 11 &&
- !strcmp((const char*)(eb1->Bytes), "NETSCAPE2.0") &&
+ && eb1->ByteCount == 11
+ && !memcmp((const char*)(eb1->Bytes), "NETSCAPE2.0", 11)
 // verify extension contents and get loop count
- eb2->Function == CONTINUE_EXT_FUNC_CODE &&
- eb2->ByteCount == 3 &&
- eb2->Bytes[0] == 1) {
+ && eb2->Function == CONTINUE_EXT_FUNC_CODE
+ && eb2->ByteCount == 3
+ && eb2->Bytes[0] == 1) {
 mLoopCount = (int)(eb2->Bytes[2] & 0xff) + (int)(eb2->Bytes[1] & 0xff);
 }
 }
-- 
cgit v1.2.3
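Review bot: The loop count assembled on the `mLoopCount = ...` line adds `Bytes[2]` to `Bytes[1]`, but the NETSCAPE2.0 sub-block carries the count as a 16-bit little-endian value, so any count of 256 or more is mangled (bytes `00 01` yield 1 instead of 256); it should be `mLoopCount = (int)(eb2->Bytes[1] & 0xff) | ((int)(eb2->Bytes[2] & 0xff) << 8);`. The new `eb2->ByteCount == 3` guard does correctly bound those two reads, and the `ByteCount == 11` plus `memcmp(..., 11)` pair fixes the over-read the commit targets. As a style nit, the `(const char*)` cast on the memcmp line is now redundant because `memcmp` takes `const void*`, and a comment such as `// NETSCAPE2.0 sub-block: 0x01, then 16-bit LE loop count` above the condition would explain the `Bytes[0] == 1` check. The enclosing `FrameSequence_gif` constructor starts before and continues after this hunk.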