* generic/tkImgGIF.c: Fixed a buffer overflow (CVE-2006-4484).

* tests/imgPhoto.test: Added a test for the above.
author: rmax <rmax> 2008-02-01 16:53:52 (GMT)
committer: rmax <rmax> 2008-02-01 16:53:52 (GMT)
commit: b1cd7a91092f4d082434294a5719f8208e1882cd (patch)
tree: 6ae40c0133795ee24e90702f90e1dd2a549b866c /generic/tkImgGIF.c
parent: df8e32d03c1f651934a9ba8d02e13faef8fe6dc6 (diff)
download: tk-b1cd7a91092f4d082434294a5719f8208e1882cd.zip
tk-b1cd7a91092f4d082434294a5719f8208e1882cd.tar.gz
tk-b1cd7a91092f4d082434294a5719f8208e1882cd.tar.bz2
1 files changed, 7 insertions, 1 deletions
diff --git a/generic/tkImgGIF.c b/generic/tkImgGIF.c
index 61a2947..b31c64d 100644
--- a/generic/tkImgGIF.c
+++ b/generic/tkImgGIF.c
@@ -32,7 +32,7 @@
  * This file also contains code from miGIF. See lower down in file for the
  * applicable copyright notice for that portion.
  *
- * RCS: @(#) $Id: tkImgGIF.c,v 1.40 2007/12/13 15:24:14 dgp Exp $
+ * RCS: @(#) $Id: tkImgGIF.c,v 1.41 2008/02/01 16:53:53 rmax Exp $
  */
 
 #include "tkInt.h"
@@ -879,6 +879,12 @@ ReadImage(
 		Tcl_PosixError(interp), NULL);
 	return TCL_ERROR;
     }
+
+    if (initialCodeSize > MAX_LWZ_BITS) {
+	Tcl_SetResult(interp, "malformed image", TCL_STATIC);
+	return TCL_ERROR;
+    }
+
     if (transparent != -1) {
 	cmap[transparent][CM_RED] = 0;
 	cmap[transparent][CM_GREEN] = 0;
author	rmax <rmax>	2008-02-01 16:53:52 (GMT)
committer	rmax <rmax>	2008-02-01 16:53:52 (GMT)
commit	b1cd7a91092f4d082434294a5719f8208e1882cd (patch)
tree	6ae40c0133795ee24e90702f90e1dd2a549b866c /generic/tkImgGIF.c
parent	df8e32d03c1f651934a9ba8d02e13faef8fe6dc6 (diff)
download	tk-b1cd7a91092f4d082434294a5719f8208e1882cd.zip tk-b1cd7a91092f4d082434294a5719f8208e1882cd.tar.gz tk-b1cd7a91092f4d082434294a5719f8208e1882cd.tar.bz2