summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ChangeLog8
-rw-r--r--generic/tkImgGIF.c4
-rw-r--r--tests/imgPhoto.test14
3 files changed, 23 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index bc89bf9..2888485 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2007-09-11 Reinhard Max <max@suse.de>
+
+ * generic/tkImgGIF.c: Fixed a buffer overrun that got triggered by
+ multi-frame interlaced GIFs that contain subsequent frames that
+ are smaller than the first one.
+
+ * tests/imgPhoto.test: Added a test for the above.
+
2007-09-11 Daniel Steffen <das@users.sourceforge.net>
* unix/configure.in: backport of TK_INCLUDE_SPEC addition.
diff --git a/generic/tkImgGIF.c b/generic/tkImgGIF.c
index d4e5d39..c8588bc 100644
--- a/generic/tkImgGIF.c
+++ b/generic/tkImgGIF.c
@@ -29,7 +29,7 @@
* | provided "as is" without express or implied warranty. |
* +-------------------------------------------------------------------+
*
- * RCS: @(#) $Id: tkImgGIF.c,v 1.24.2.4 2006/03/27 12:13:56 dkf Exp $
+ * RCS: @(#) $Id: tkImgGIF.c,v 1.24.2.5 2007/09/11 18:01:45 rmax Exp $
*/
/*
@@ -995,7 +995,7 @@ ReadImage(interp, imagePtr, chan, len, rows, cmap,
*/
if (interlace) {
ypos += interlaceStep[pass];
- while (ypos >= height) {
+ while (ypos >= rows) {
pass++;
if (pass > 3) {
return TCL_OK;
diff --git a/tests/imgPhoto.test b/tests/imgPhoto.test
index 9905448..4118f74 100644
--- a/tests/imgPhoto.test
+++ b/tests/imgPhoto.test
@@ -9,7 +9,7 @@
#
# Author: Paul Mackerras (paulus@cs.anu.edu.au)
#
-# RCS: @(#) $Id: imgPhoto.test,v 1.15.2.4 2006/03/27 15:40:38 dkf Exp $
+# RCS: @(#) $Id: imgPhoto.test,v 1.15.2.5 2007/09/11 18:01:46 rmax Exp $
package require tcltest 2.1
namespace import -force tcltest::configure
@@ -669,6 +669,18 @@ test imgPhoto-14.2 {GIF -index handler buffer sizing} -setup {
image delete $i
} -returnCodes error -result {no image data for this index}
+test imgPhoto-14.3 {GIF -index interleaving and small frames} -setup {
+ set i [image create photo]
+} -body {
+ # Interleaved GIFs used to crash us when a smaller subsequent frame
+ # was accessed.
+ $i configure -format {GIF -index 1} -data {
+ R0lGODdhAQAFAPAAAP8AAAAAACwAAAAAAQAFAEACAoRdACwAAAAAAQAEAEACAoRRADs=
+ }
+} -cleanup {
+ image delete $i
+}
+
test imgPhoto-15.1 {photo images can fail to allocate memory gracefully} \
{nonPortable} {
# This is not portable to very large machines with more around