summaryrefslogtreecommitdiffstats
path: root/generic
diff options
context:
space:
mode:
authorrmax <rmax>2008-02-01 16:59:57 (GMT)
committerrmax <rmax>2008-02-01 16:59:57 (GMT)
commit03def044c94d5a92a5120296510cd2bfa8c9e3fe (patch)
tree8d1b1136c1077fc11fc759459a79faa36a791377 /generic
parent76d7d5362c5289ee5bedbb7005c6ec11f89c21f4 (diff)
downloadtk-03def044c94d5a92a5120296510cd2bfa8c9e3fe.zip
tk-03def044c94d5a92a5120296510cd2bfa8c9e3fe.tar.gz
tk-03def044c94d5a92a5120296510cd2bfa8c9e3fe.tar.bz2
* generic/tkImgGIF.c: Fixed a buffer overflow (CVE-2006-4484).
* tests/imgPhoto.test: Added a test for the above.
Diffstat (limited to 'generic')
-rw-r--r--generic/tkImgGIF.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/generic/tkImgGIF.c b/generic/tkImgGIF.c
index c8588bc..b095414 100644
--- a/generic/tkImgGIF.c
+++ b/generic/tkImgGIF.c
@@ -29,7 +29,7 @@
* | provided "as is" without express or implied warranty. |
* +-------------------------------------------------------------------+
*
- * RCS: @(#) $Id: tkImgGIF.c,v 1.24.2.5 2007/09/11 18:01:45 rmax Exp $
+ * RCS: @(#) $Id: tkImgGIF.c,v 1.24.2.6 2008/02/01 16:59:58 rmax Exp $
*/
/*
@@ -826,6 +826,12 @@ ReadImage(interp, imagePtr, chan, len, rows, cmap,
Tcl_PosixError(interp), (char *) NULL);
return TCL_ERROR;
}
+
+ if (initialCodeSize > MAX_LWZ_BITS) {
+ Tcl_SetResult(interp, "malformed image", TCL_STATIC);
+ return TCL_ERROR;
+ }
+
if (transparent != -1) {
cmap[transparent][CM_RED] = 0;
cmap[transparent][CM_GREEN] = 0;