diff options
author | rmax <rmax> | 2008-02-01 16:59:57 (GMT) |
---|---|---|
committer | rmax <rmax> | 2008-02-01 16:59:57 (GMT) |
commit | 03def044c94d5a92a5120296510cd2bfa8c9e3fe (patch) | |
tree | 8d1b1136c1077fc11fc759459a79faa36a791377 /generic | |
parent | 76d7d5362c5289ee5bedbb7005c6ec11f89c21f4 (diff) | |
download | tk-03def044c94d5a92a5120296510cd2bfa8c9e3fe.zip tk-03def044c94d5a92a5120296510cd2bfa8c9e3fe.tar.gz tk-03def044c94d5a92a5120296510cd2bfa8c9e3fe.tar.bz2 |
* generic/tkImgGIF.c: Fixed a buffer overflow (CVE-2006-4484).
* tests/imgPhoto.test: Added a test for the above.
Diffstat (limited to 'generic')
-rw-r--r-- | generic/tkImgGIF.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/generic/tkImgGIF.c b/generic/tkImgGIF.c index c8588bc..b095414 100644 --- a/generic/tkImgGIF.c +++ b/generic/tkImgGIF.c @@ -29,7 +29,7 @@ * | provided "as is" without express or implied warranty. | * +-------------------------------------------------------------------+ * - * RCS: @(#) $Id: tkImgGIF.c,v 1.24.2.5 2007/09/11 18:01:45 rmax Exp $ + * RCS: @(#) $Id: tkImgGIF.c,v 1.24.2.6 2008/02/01 16:59:58 rmax Exp $ */ /* @@ -826,6 +826,12 @@ ReadImage(interp, imagePtr, chan, len, rows, cmap, Tcl_PosixError(interp), (char *) NULL); return TCL_ERROR; } + + if (initialCodeSize > MAX_LWZ_BITS) { + Tcl_SetResult(interp, "malformed image", TCL_STATIC); + return TCL_ERROR; + } + if (transparent != -1) { cmap[transparent][CM_RED] = 0; cmap[transparent][CM_GREEN] = 0; |