authorrmax <rmax>2008-02-01 16:53:52 (GMT)
committerrmax <rmax>2008-02-01 16:53:52 (GMT)
commitb1cd7a91092f4d082434294a5719f8208e1882cd (patch)
tree6ae40c0133795ee24e90702f90e1dd2a549b866c
parentdf8e32d03c1f651934a9ba8d02e13faef8fe6dc6 (diff)
* generic/tkImgGIF.c: Fixed a buffer overflow (CVE-2006-4484).
* tests/imgPhoto.test: Added a test for the above.
-rw-r--r--ChangeLog5
-rw-r--r--generic/tkImgGIF.c8
-rw-r--r--tests/imgPhoto.test43
3 files changed, 54 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 91ebf85..34fd1bc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2008-02-01 Reinhard Max <max@suse.de>
+
+ * generic/tkImgGIF.c: Fixed a buffer overflow (CVE-2006-4484).
+ * tests/imgPhoto.test: Added a test for the above.
+
2008-01-31 Jeff Hobbs <jeffh@ActiveState.com>
* library/msgbox.tcl (::tk::MessageBox): don't use ttk::label in
diff --git a/generic/tkImgGIF.c b/generic/tkImgGIF.c
index 61a2947..b31c64d 100644
--- a/generic/tkImgGIF.c
+++ b/generic/tkImgGIF.c
@@ -32,7 +32,7 @@
* This file also contains code from miGIF. See lower down in file for the
* applicable copyright notice for that portion.
*
- * RCS: @(#) $Id: tkImgGIF.c,v 1.40 2007/12/13 15:24:14 dgp Exp $
+ * RCS: @(#) $Id: tkImgGIF.c,v 1.41 2008/02/01 16:53:53 rmax Exp $
*/
#include "tkInt.h"
@@ -879,6 +879,12 @@ ReadImage(
Tcl_PosixError(interp), NULL);
return TCL_ERROR;
}
+
+ if (initialCodeSize > MAX_LWZ_BITS) {
+ Tcl_SetResult(interp, "malformed image", TCL_STATIC);
+ return TCL_ERROR;
+ }
+
if (transparent != -1) {
cmap[transparent][CM_RED] = 0;
cmap[transparent][CM_GREEN] = 0;
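Review bot: The new guard rejects only `initialCodeSize > MAX_LWZ_BITS`, so a value equal to MAX_LWZ_BITS still reaches the decoder. If the decoder starts with a code width of `initialCodeSize + 1`, as GIF LZW decoders normally do, that first width would already be above the limit; the decoder is not visible in this hunk, so this needs checking against it, and `if (initialCodeSize >= MAX_LWZ_BITS) {` would be the stricter form. The check also deserves a comment such as `/* Reject code sizes the LZW tables cannot hold (CVE-2006-4484). */`, because nothing in the code says why it is there. ReadImage begins and ends outside this hunk, so the declaration and type of initialCodeSize could not be confirmed from here.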
diff --git a/tests/imgPhoto.test b/tests/imgPhoto.test
index 829d6da..c73df01 100644
--- a/tests/imgPhoto.test
+++ b/tests/imgPhoto.test
@@ -9,7 +9,7 @@
#
# Author: Paul Mackerras (paulus@cs.anu.edu.au)
#
-# RCS: @(#) $Id: imgPhoto.test,v 1.27 2007/12/13 15:27:54 dgp Exp $
+# RCS: @(#) $Id: imgPhoto.test,v 1.28 2008/02/01 16:53:57 rmax Exp $
package require tcltest 2.1
eval tcltest::configure $argv
@@ -665,6 +665,47 @@ test imgPhoto-14.3 {GIF -index interleaving and small frames} -setup {
image delete $i
}
+test imgPhoto-14.3 {GIF -index interleaving and small frames} -setup {
+ set i [image create photo]
+} -body {
+ # Interleaved GIFs used to crash us when a smaller subsequent frame
+ # was accessed.
+ $i configure -format {GIF -index 1} -data {
+ R0lGODdhAQAFAPAAAP8AAAAAACwAAAAAAQAFAEACAoRdACwAAAAAAQAEAEACAoRRADs=
+ }
+} -cleanup {
+ image delete $i
+}
+
+test imgPhoto-14.4 {GIF buffer overflow} -setup {
+ set i [image create photo]
+} -body {
+ # This crashes Tk up to 8.4.17 and 8.5.0
+ $i configure -data {
+ R0lGODlhCgAKAPcAAAAAAIAAAACAAICAAAAAgIAAgACAgICAgMDAwP8AAAD/
+ AP//AAAA//8A/wD//////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAMwAAZgAAmQAAzAAA/wAzAAAzMwAzZgAzmQAzzAAz/wBmAABmMwBmZgBm
+ mQBmzABm/wCZAACZMwCZZgCZmQCZzACZ/wDMAADMMwDMZgDMmQDMzADM/wD/
+ AAD/MwD/ZgD/mQD/zAD//zMAADMAMzMAZjMAmTMAzDMA/zMzADMzMzMzZjMz
+ mTMzzDMz/zNmADNmMzNmZjNmmTNmzDNm/zOZADOZMzOZZjOZmTOZzDOZ/zPM
+ ADPMMzPMZjPMmTPMzDPM/zP/ADP/MzP/ZjP/mTP/zDP//2YAAGYAM2YAZmYA
+ mWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZmzGZm/2aZ
+ AGaZM2aZZmaZmWaZzGaZ/2bMAGbMM2bMZmbMmWbMzGbM/2b/AGb/M2b/Zmb/
+ mWb/zGb//5kAAJkAM5kAZpkAmZkAzJkA/5kzAJkzM5kzZpkzmZkzzJkz/5lm
+ AJlmM5lmZplmmZlmzJlm/5mZAJmZM5mZZpmZmZmZzJmZ/5nMAJnMM5nMZpnM
+ mZnMzJnM/5n/AJn/M5n/Zpn/mZn/zJn//8wAAMwAM8wAZswAmcwAzMwA/8wz
+ AMwzM8wzZswzmcwzzMwz/8xmAMxmM8xmZsxmmcxmzMxm/8yZAMyZM8yZZsyZ
+ mcyZzMyZ/8zMAMzMM8zMZszMmczMzMzM/8z/AMz/M8z/Zsz/mcz/zMz///8A
+ AP8AM/8AZv8Amf8AzP8A//8zAP8zM/8zZv8zmf8zzP8z//9mAP9mM/9mZv9m
+ mf9mzP9m//+ZAP+ZM/+ZZv+Zmf+ZzP+Z///MAP/MM//MZv/Mmf/MzP/M////
+ AP//M///Zv//mf//zP///yH5BAEAABAALAAAAAAKAAoAABUSAAD/HEiwoMGD
+ CBMqXMiwYcKAADs=
+ }
+} -cleanup {
+ image delete $i
+} -returnCodes error -result {malformed image}
+
test imgPhoto-15.1 {photo images can fail to allocate memory gracefully} \
{nonPortable} {
# This is not portable to very large machines with more around
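Review bot: The first added test repeats `imgPhoto-14.3 {GIF -index interleaving and small frames}`, which the hunk header and the two context lines above it show already exists directly before the insertion point, so the suite ends up with two tests carrying the same name and description. It looks like an accidental copy; dropping that block and keeping only `imgPhoto-14.4` would avoid ambiguous results when a run is filtered or reported by test name. For 14.4, the comment `# This crashes Tk up to 8.4.17 and 8.5.0` could also say what is malformed in the sample, for example `# LZW code size in the image data exceeds MAX_LWZ_BITS`, so the test still explains itself once those version numbers are history.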