diff options
author | rmax <rmax> | 2008-02-01 16:53:52 (GMT) |
---|---|---|
committer | rmax <rmax> | 2008-02-01 16:53:52 (GMT) |
commit | b1cd7a91092f4d082434294a5719f8208e1882cd (patch) | |
tree | 6ae40c0133795ee24e90702f90e1dd2a549b866c | |
parent | df8e32d03c1f651934a9ba8d02e13faef8fe6dc6 (diff) | |
download | tk-b1cd7a91092f4d082434294a5719f8208e1882cd.zip tk-b1cd7a91092f4d082434294a5719f8208e1882cd.tar.gz tk-b1cd7a91092f4d082434294a5719f8208e1882cd.tar.bz2 |
* generic/tkImgGIF.c: Fixed a buffer overflow (CVE-2006-4484).
* tests/imgPhoto.test: Added a test for the above.
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | generic/tkImgGIF.c | 8 | ||||
-rw-r--r-- | tests/imgPhoto.test | 43 |
3 files changed, 54 insertions, 2 deletions
@@ -1,3 +1,8 @@ +2008-02-01 Reinhard Max <max@suse.de> + + * generic/tkImgGIF.c: Fixed a buffer overflow (CVE-2006-4484). + * tests/imgPhoto.test: Added a test for the above. + 2008-01-31 Jeff Hobbs <jeffh@ActiveState.com> * library/msgbox.tcl (::tk::MessageBox): don't use ttk::label in diff --git a/generic/tkImgGIF.c b/generic/tkImgGIF.c index 61a2947..b31c64d 100644 --- a/generic/tkImgGIF.c +++ b/generic/tkImgGIF.c @@ -32,7 +32,7 @@ * This file also contains code from miGIF. See lower down in file for the * applicable copyright notice for that portion. * - * RCS: @(#) $Id: tkImgGIF.c,v 1.40 2007/12/13 15:24:14 dgp Exp $ + * RCS: @(#) $Id: tkImgGIF.c,v 1.41 2008/02/01 16:53:53 rmax Exp $ */ #include "tkInt.h" @@ -879,6 +879,12 @@ ReadImage( Tcl_PosixError(interp), NULL); return TCL_ERROR; } + + if (initialCodeSize > MAX_LWZ_BITS) { + Tcl_SetResult(interp, "malformed image", TCL_STATIC); + return TCL_ERROR; + } + if (transparent != -1) { cmap[transparent][CM_RED] = 0; cmap[transparent][CM_GREEN] = 0; diff --git a/tests/imgPhoto.test b/tests/imgPhoto.test index 829d6da..c73df01 100644 --- a/tests/imgPhoto.test +++ b/tests/imgPhoto.test @@ -9,7 +9,7 @@ # # Author: Paul Mackerras (paulus@cs.anu.edu.au) # -# RCS: @(#) $Id: imgPhoto.test,v 1.27 2007/12/13 15:27:54 dgp Exp $ +# RCS: @(#) $Id: imgPhoto.test,v 1.28 2008/02/01 16:53:57 rmax Exp $ package require tcltest 2.1 eval tcltest::configure $argv @@ -665,6 +665,47 @@ test imgPhoto-14.3 {GIF -index interleaving and small frames} -setup { image delete $i } +test imgPhoto-14.3 {GIF -index interleaving and small frames} -setup { + set i [image create photo] +} -body { + # Interleaved GIFs used to crash us when a smaller subsequent frame + # was accessed. + $i configure -format {GIF -index 1} -data { + R0lGODdhAQAFAPAAAP8AAAAAACwAAAAAAQAFAEACAoRdACwAAAAAAQAEAEACAoRRADs= + } +} -cleanup { + image delete $i +} + +test imgPhoto-14.4 {GIF buffer overflow} -setup { + set i [image create photo] +} -body { + # This crashes Tk up to 8.4.17 and 8.5.0 + $i configure -data { + R0lGODlhCgAKAPcAAAAAAIAAAACAAICAAAAAgIAAgACAgICAgMDAwP8AAAD/ + AP//AAAA//8A/wD//////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + AAAAMwAAZgAAmQAAzAAA/wAzAAAzMwAzZgAzmQAzzAAz/wBmAABmMwBmZgBm + mQBmzABm/wCZAACZMwCZZgCZmQCZzACZ/wDMAADMMwDMZgDMmQDMzADM/wD/ + AAD/MwD/ZgD/mQD/zAD//zMAADMAMzMAZjMAmTMAzDMA/zMzADMzMzMzZjMz + mTMzzDMz/zNmADNmMzNmZjNmmTNmzDNm/zOZADOZMzOZZjOZmTOZzDOZ/zPM + ADPMMzPMZjPMmTPMzDPM/zP/ADP/MzP/ZjP/mTP/zDP//2YAAGYAM2YAZmYA + mWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZmzGZm/2aZ + AGaZM2aZZmaZmWaZzGaZ/2bMAGbMM2bMZmbMmWbMzGbM/2b/AGb/M2b/Zmb/ + mWb/zGb//5kAAJkAM5kAZpkAmZkAzJkA/5kzAJkzM5kzZpkzmZkzzJkz/5lm + AJlmM5lmZplmmZlmzJlm/5mZAJmZM5mZZpmZmZmZzJmZ/5nMAJnMM5nMZpnM + mZnMzJnM/5n/AJn/M5n/Zpn/mZn/zJn//8wAAMwAM8wAZswAmcwAzMwA/8wz + AMwzM8wzZswzmcwzzMwz/8xmAMxmM8xmZsxmmcxmzMxm/8yZAMyZM8yZZsyZ + mcyZzMyZ/8zMAMzMM8zMZszMmczMzMzM/8z/AMz/M8z/Zsz/mcz/zMz///8A + AP8AM/8AZv8Amf8AzP8A//8zAP8zM/8zZv8zmf8zzP8z//9mAP9mM/9mZv9m + mf9mzP9m//+ZAP+ZM/+ZZv+Zmf+ZzP+Z///MAP/MM//MZv/Mmf/MzP/M//// + AP//M///Zv//mf//zP///yH5BAEAABAALAAAAAAKAAoAABUSAAD/HEiwoMGD + CBMqXMiwYcKAADs= + } +} -cleanup { + image delete $i +} -returnCodes error -result {malformed image} + test imgPhoto-15.1 {photo images can fail to allocate memory gracefully} \ {nonPortable} { # This is not portable to very large machines with more around |