From 6f763fef7ab16e28f6c43496e0f866e7803b4dc8 Mon Sep 17 00:00:00 2001
From: Tom Taylor <tomtaylor@google.com>
Date: Wed, 11 Jan 2017 09:17:01 -0800
Subject: 32764144 Security Vulnerability - heap buffer overflow in
 libgiftranscode.so in colorMap->Colors[colorIndex]

* No range checking was done on a color index. Add range
checking and bail if the color index is out of range.

Test: tested sending a large gif that would invoke the GifTranscoder library
to make the gif smaller.

Bug: 32764144
Change-Id: I44f36274ec333ae1960fa8fc96b2dbde35fbaa66
---
 jni/GifTranscoder.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/jni/GifTranscoder.cpp b/jni/GifTranscoder.cpp
index 81f3f75..0e83982 100644
--- a/jni/GifTranscoder.cpp
+++ b/jni/GifTranscoder.cpp
@@ -384,6 +384,11 @@ bool GifTranscoder::renderImage(GifFileType* gifIn,
     for (int y = 0; y < gifIn->Image.Height; y++) {
         for (int x = 0; x < gifIn->Image.Width; x++) {
             GifByteType colorIndex = *getPixel(rasterBits, gifIn->Image.Width, x, y);
+            if (colorIndex >= colorMap->ColorCount) {
+                LOGE("Color Index %d is out of bounds (count=%d)", colorIndex,
+                    colorMap->ColorCount);
+                return false;
+            }
 
             // This image may be smaller than the GIF's "logical screen"
             int renderX = x + gifIn->Image.Left;
-- 
cgit v1.2.3