authorrmax <rmax>2008-02-01 16:53:52 (GMT)
committerrmax <rmax>2008-02-01 16:53:52 (GMT)
commitb1cd7a91092f4d082434294a5719f8208e1882cd (patch)
tree6ae40c0133795ee24e90702f90e1dd2a549b866c /generic/tkImgGIF.c
parentdf8e32d03c1f651934a9ba8d02e13faef8fe6dc6 (diff)
* generic/tkImgGIF.c: Fixed a buffer overflow (CVE-2006-4484).
* tests/imgPhoto.test: Added a test for the above.
Diffstat (limited to 'generic/tkImgGIF.c')
-rw-r--r--generic/tkImgGIF.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/generic/tkImgGIF.c b/generic/tkImgGIF.c
index 61a2947..b31c64d 100644
--- a/generic/tkImgGIF.c
+++ b/generic/tkImgGIF.c
@@ -32,7 +32,7 @@
* This file also contains code from miGIF. See lower down in file for the
* applicable copyright notice for that portion.
*
- * RCS: @(#) $Id: tkImgGIF.c,v 1.40 2007/12/13 15:24:14 dgp Exp $
+ * RCS: @(#) $Id: tkImgGIF.c,v 1.41 2008/02/01 16:53:53 rmax Exp $
*/
#include "tkInt.h"
@@ -879,6 +879,12 @@ ReadImage(
Tcl_PosixError(interp), NULL);
return TCL_ERROR;
}
+
+ if (initialCodeSize > MAX_LWZ_BITS) {
+ Tcl_SetResult(interp, "malformed image", TCL_STATIC);
+ return TCL_ERROR;
+ }
+
if (transparent != -1) {
cmap[transparent][CM_RED] = 0;
cmap[transparent][CM_GREEN] = 0;
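Review bot: The new bound in ReadImage still accepts an initialCodeSize equal to MAX_LWZ_BITS, and the hunk does not show whether the decoder tables can hold the codes that value produces. If the decoder uses a code width of initialCodeSize + 1 (that code is outside the hunk, so this is inferred), the equal case would still exceed the maximum width and `if (initialCodeSize >= MAX_LWZ_BITS) {` would be the safer comparison; this should be confirmed against the table declarations before changing it. Either way, a short comment above the check would record why it exists, for example `/* initialCodeSize is read from the image data; reject values the LZW tables cannot hold (CVE-2006-4484). */`. ReadImage starts and ends outside the hunk, so the table sizes and the decoder setup were not reviewed here.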