Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix out-of-bounds read access in GIF decoding #46

Merged
merged 1 commit into from
Sep 12, 2024
Merged

Fix out-of-bounds read access in GIF decoding #46

merged 1 commit into from
Sep 12, 2024

Conversation

jserv
Copy link
Contributor

@jserv jserv commented Sep 12, 2024
edited
Loading

Caught by lldb:

* thread #1, stop reason = EXC_BAD_ACCESS (code=1, address=0x1080d6000) frame #0: 0x00000001000061a4 demo-sdl`_twin_gif_to_pixmap [inlined] gif_is_bgcolor(gif=0x00000001008b4200, color=<unavailable>) at image-gif.c:516:13 [opt] 513 514 	static int gif_is_bgcolor(const twin_gif_t *gif, const uint8_t *color) 515 	{
-> 516 	    return !memcmp(&gif->palette->colors[gif->bgindex * 3], color, 3);
   517 	}
   518
   519 	static void gif_rewind(twin_gif_t *gif)
Target 0: (demo-sdl) stopped.
(lldb) up
frame #1: 0x000000010000619e demo-sdl`_twin_gif_to_pixmap at image-gif.c:584 [opt]
   581 	            uint8_t r = *(color++);
   582 	            uint8_t g = *(color++);
   583 	            uint8_t b = *(color++);
-> 584 	            if (!gif_is_bgcolor(gif, color))
   585 	                *(p.argb32++) = 0xFF000000U | (r << 16) | (g << 8) | b;
   586 	            /* Construct background */
   587 	            else if (((row >> 3) + (col >> 3)) & 1)

The removal of unnecessary pointer arithmetics also help compiler optimizations.

@jserv
Fix out-of-bounds read access in GIF decoding
aeb0ad3 
Caught by lldb:

* thread #1, stop reason = EXC_BAD_ACCESS (code=1, address=0x1080d6000)
    frame #0: 0x00000001000061a4 demo-sdl`_twin_gif_to_pixmap [inlined] gif_is_bgcolor(gif=0x00000001008b4200, color=<unavailable>) at image-gif.c:516:13 [opt]
   513
   514 	static int gif_is_bgcolor(const twin_gif_t *gif, const uint8_t *color)
   515 	{
-> 516 	    return !memcmp(&gif->palette->colors[gif->bgindex * 3], color, 3);
   517 	}
   518
   519 	static void gif_rewind(twin_gif_t *gif)
Target 0: (demo-sdl) stopped.
(lldb) up
frame #1: 0x000000010000619e demo-sdl`_twin_gif_to_pixmap at image-gif.c:584 [opt]
   581 	            uint8_t r = *(color++);
   582 	            uint8_t g = *(color++);
   583 	            uint8_t b = *(color++);
-> 584 	            if (!gif_is_bgcolor(gif, color))
   585 	                *(p.argb32++) = 0xFF000000U | (r << 16) | (g << 8) | b;
   586 	            /* Construct background */
   587 	            else if (((row >> 3) + (col >> 3)) & 1)

The removal of unnecessary pointer arithmetics also help compiler
optimizations.
@jserv jserv requested a review from ndsl7109256 September 12, 2024 04:40
@jserv jserv merged commit a5b600c into main Sep 12, 2024
6 checks passed
@jserv jserv deleted the fix-gifdec branch September 12, 2024 06:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ndsl7109256 ndsl7109256 ndsl7109256 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jserv @ndsl7109256