From 7548e69f75b914997b3a2f1f0404eb7693b426d1 Mon Sep 17 00:00:00 2001 From: rmax Date: Tue, 11 Sep 2007 18:01:45 +0000 Subject: * generic/tkImgGIF.c: Fixed a buffer overrun that got triggered by multi-frame interlaced GIFs that contain subsequent frames that are smaller than the first one. * tests/imgPhoto.test: Added a test for the above. --- ChangeLog | 8 ++++++++ generic/tkImgGIF.c | 4 ++-- tests/imgPhoto.test | 14 +++++++++++++- 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index bc89bf9..2888485 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2007-09-11 Reinhard Max + + * generic/tkImgGIF.c: Fixed a buffer overrun that got triggered by + multi-frame interlaced GIFs that contain subsequent frames that + are smaller than the first one. + + * tests/imgPhoto.test: Added a test for the above. + 2007-09-11 Daniel Steffen * unix/configure.in: backport of TK_INCLUDE_SPEC addition. diff --git a/generic/tkImgGIF.c b/generic/tkImgGIF.c index d4e5d39..c8588bc 100644 --- a/generic/tkImgGIF.c +++ b/generic/tkImgGIF.c @@ -29,7 +29,7 @@ * | provided "as is" without express or implied warranty. | * +-------------------------------------------------------------------+ * - * RCS: @(#) $Id: tkImgGIF.c,v 1.24.2.4 2006/03/27 12:13:56 dkf Exp $ + * RCS: @(#) $Id: tkImgGIF.c,v 1.24.2.5 2007/09/11 18:01:45 rmax Exp $ */ /* @@ -995,7 +995,7 @@ ReadImage(interp, imagePtr, chan, len, rows, cmap, */ if (interlace) { ypos += interlaceStep[pass]; - while (ypos >= height) { + while (ypos >= rows) { pass++; if (pass > 3) { return TCL_OK; diff --git a/tests/imgPhoto.test b/tests/imgPhoto.test index 9905448..4118f74 100644 --- a/tests/imgPhoto.test +++ b/tests/imgPhoto.test @@ -9,7 +9,7 @@ # # Author: Paul Mackerras (paulus@cs.anu.edu.au) # -# RCS: @(#) $Id: imgPhoto.test,v 1.15.2.4 2006/03/27 15:40:38 dkf Exp $ +# RCS: @(#) $Id: imgPhoto.test,v 1.15.2.5 2007/09/11 18:01:46 rmax Exp $ package require tcltest 2.1 namespace import -force tcltest::configure @@ -669,6 +669,18 @@ test imgPhoto-14.2 {GIF -index handler buffer sizing} -setup { image delete $i } -returnCodes error -result {no image data for this index} +test imgPhoto-14.3 {GIF -index interleaving and small frames} -setup { + set i [image create photo] +} -body { + # Interleaved GIFs used to crash us when a smaller subsequent frame + # was accessed. + $i configure -format {GIF -index 1} -data { + R0lGODdhAQAFAPAAAP8AAAAAACwAAAAAAQAFAEACAoRdACwAAAAAAQAEAEACAoRRADs= + } +} -cleanup { + image delete $i +} + test imgPhoto-15.1 {photo images can fail to allocate memory gracefully} \ {nonPortable} { # This is not portable to very large machines with more around -- cgit v0.12