author | rmax <rmax> | 2008-02-01 16:53:52 (GMT) |
---|---|---|
committer | rmax <rmax> | 2008-02-01 16:53:52 (GMT) |
commit | b1cd7a91092f4d082434294a5719f8208e1882cd (patch) | |
tree | 6ae40c0133795ee24e90702f90e1dd2a549b866c /generic | |
parent | df8e32d03c1f651934a9ba8d02e13faef8fe6dc6 (diff) | |
* generic/tkImgGIF.c: Fixed a buffer overflow (CVE-2006-4484).
* tests/imgPhoto.test: Added a test for the above.
Diffstat (limited to 'generic')
-rw-r--r-- | generic/tkImgGIF.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/generic/tkImgGIF.c b/generic/tkImgGIF.c index 61a2947..b31c64d 100644 --- a/generic/tkImgGIF.c +++ b/generic/tkImgGIF.c @@ -32,7 +32,7 @@ * This file also contains code from miGIF. See lower down in file for the * applicable copyright notice for that portion. * - * RCS: @(#) $Id: tkImgGIF.c,v 1.40 2007/12/13 15:24:14 dgp Exp $ + * RCS: @(#) $Id: tkImgGIF.c,v 1.41 2008/02/01 16:53:53 rmax Exp $ */ #include "tkInt.h" @@ -879,6 +879,12 @@ ReadImage( Tcl_PosixError(interp), NULL); return TCL_ERROR; } + + if (initialCodeSize > MAX_LWZ_BITS) { + Tcl_SetResult(interp, "malformed image", TCL_STATIC); + return TCL_ERROR; + } + if (transparent != -1) { cmap[transparent][CM_RED] = 0; cmap[transparent][CM_GREEN] = 0; |
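Review bot: The new guard `if (initialCodeSize > MAX_LWZ_BITS)` still accepts a value equal to MAX_LWZ_BITS, and nothing in the hunk shows that this boundary is safe. If the decoder further down in ReadImage uses initialCodeSize + 1 as its starting code width and sizes its tables from MAX_LWZ_BITS (neither is visible here, so this needs confirming), the equal case would already exceed the largest supported width, and `if (initialCodeSize >= MAX_LWZ_BITS) {` would be the tighter check. A one-line comment above the check, such as `/* Reject code sizes the LZW tables cannot hold (CVE-2006-4484). */`, would record why it exists, since the "malformed image" message does not say which field was validated. ReadImage begins and ends outside the hunk.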