15778 2007-10-31 14:16:06 -0700 Public GIF image decoder can corrupt memory on malformed GIFs 2007-11-01 02:41:10 -0700 1 1 1 Unclassified WebKit Images 523.x (Safari 3) PC All RESOLVED FIXED P2 Normal --- 0 pkasting webkit-unassigned oldest_to_newest 59952 0 pkasting 2007-10-31 14:16:06 -0700 This bug report is about the code in WebCore/platform/image-decoders/gif, so it affects the Qt/Cairo versions of WebCore, but not Safari (which uses its own decoders). When a malformed GIF specifies a frame (after the first) that is larger than the overall image, the GIF decoder does not properly check to avoid writing past the end of the memory buffer, and corrupts memory. Patch coming shortly. 59953 1 16968 pkasting 2007-10-31 14:24:23 -0700 Created attachment 16968 patch v1 This patch does a couple of things: * Explicitly ignores rows past the end of the image in GIFImageDecoder::haveDecodedRow(). This is similar to the behavior of the Mozilla image decoder sources, which allow a frame decoder to provide whatever data it wants, and then simply ignore the excess data when compositing/drawing the image. * Removes some broken code in GIFImageReader::output_row() that looks like it was trying to prevent this case, but didn't really succeed. This code isn't present in the Mozilla GIF decoder this file is based on, doesn't work right, and is significantly more complex than the simple added conditional described above. * Fixes some code in GIFImageDecoder::read() that would be hit in this case to set local variables more correctly. This doesn't make much difference, but it's much closer to the original Mozilla code -- it looks like when the file was ported to WebKit, someone originally misplaced a close brace in here, so e.g. screen_height would only get reset if screen_width also needed to be reset. The current Mozilla sources avoid the "rowbuf" struct entirely, but updating to that change is both a large patch and not really related to this bug. 59954 2 16968 hyatt 2007-10-31 14:25:19 -0700 Comment on attachment 16968 patch v1 r=me 59989 3 mrowe 2007-11-01 02:41:10 -0700 Landed in r27346. 16968 2007-10-31 14:24:23 -0700 2007-10-31 14:25:19 -0700 patch v1 patch text/plain 3852 pkasting SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiAyNzMzMCkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTYgQEAKKzIwMDctMTAtMzEgIFBldGVyIEthc3RpbmcgIDx6ZXJvZHB4QGdtYWls LmNvbT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBo dHRwOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNTc3OAorICAgICAgICBNYWxm b3JtZWQgR0lGcyBzaG91bGQgbm90IHJlc3VsdCBpbiBtZW1vcnkgY29ycnVwdGlvbi4KKworICAg ICAgICAqIHBsYXRmb3JtL2ltYWdlLWRlY29kZXJzL2dpZi9HSUZJbWFnZURlY29kZXIuY3BwOgor ICAgICAgICAoV2ViQ29yZTo6R0lGSW1hZ2VEZWNvZGVyOjpoYXZlRGVjb2RlZFJvdyk6CisgICAg ICAgICogcGxhdGZvcm0vaW1hZ2UtZGVjb2RlcnMvZ2lmL0dJRkltYWdlUmVhZGVyLmNwcDoKKyAg ICAgICAgKEdJRkltYWdlUmVhZGVyOjpvdXRwdXRfcm93KToKKyAgICAgICAgKEdJRkltYWdlUmVh ZGVyOjpyZWFkKToKKwogMjAwNy0xMC0zMSAgRGFuIEJlcm5zdGVpbiAgPG1pdHpAYXBwbGUuY29t PgogCiAgICAgICAgIFJldmlld2VkIGJ5IERhcmluIEFkbGVyLgpJbmRleDogV2ViQ29yZS9wbGF0 Zm9ybS9pbWFnZS1kZWNvZGVycy9naWYvR0lGSW1hZ2VEZWNvZGVyLmNwcAo9PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0t LSBXZWJDb3JlL3BsYXRmb3JtL2ltYWdlLWRlY29kZXJzL2dpZi9HSUZJbWFnZURlY29kZXIuY3Bw CShyZXZpc2lvbiAyNzMyOSkKKysrIFdlYkNvcmUvcGxhdGZvcm0vaW1hZ2UtZGVjb2RlcnMvZ2lm L0dJRkltYWdlRGVjb2Rlci5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTI5OCw3ICsyOTgsOCBAQCB2 b2lkIEdJRkltYWdlRGVjb2Rlcjo6aGF2ZURlY29kZWRSb3codW5zCiAgICAgaWYgKGJ1ZmZlci5z dGF0dXMoKSA9PSBSR0JBMzJCdWZmZXI6OkZyYW1lRW1wdHkpCiAgICAgICAgIGluaXRGcmFtZUJ1 ZmZlcihidWZmZXIsIHByZXZpb3VzQnVmZmVyLCBjb21wb3NpdGVXaXRoUHJldmlvdXNGcmFtZSk7 CiAKLSAgICBpZiAocm93QnVmZmVyID09IDApCisgICAgLy8gRG8gbm90aGluZyBmb3IgYm9ndXMg ZGF0YS4KKyAgICBpZiAocm93QnVmZmVyID09IDAgfHwgc3RhdGljX2Nhc3Q8aW50Pihyb3dOdW1i ZXIpID49IG1fc2l6ZS5oZWlnaHQoKSkKICAgICAgIHJldHVybjsKIAogICAgIHVuc2lnbmVkIGNv bG9yTWFwU2l6ZTsKSW5kZXg6IFdlYkNvcmUvcGxhdGZvcm0vaW1hZ2UtZGVjb2RlcnMvZ2lmL0dJ RkltYWdlUmVhZGVyLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL3BsYXRmb3JtL2ltYWdlLWRl Y29kZXJzL2dpZi9HSUZJbWFnZVJlYWRlci5jcHAJKHJldmlzaW9uIDI3MzI5KQorKysgV2ViQ29y ZS9wbGF0Zm9ybS9pbWFnZS1kZWNvZGVycy9naWYvR0lGSW1hZ2VSZWFkZXIuY3BwCSh3b3JraW5n IGNvcHkpCkBAIC0xMTAsNyArMTEwLDcgQEAgdm9pZCBHSUZJbWFnZVJlYWRlcjo6b3V0cHV0X3Jv dygpCiB7CiAgIEdJRkZyYW1lUmVhZGVyKiBncyA9IGZyYW1lX3JlYWRlcjsKIAotICBpbnQgd2lk dGgsIGRyb3dfc3RhcnQsIGRyb3dfZW5kOworICBpbnQgZHJvd19zdGFydCwgZHJvd19lbmQ7CiAK ICAgZHJvd19zdGFydCA9IGRyb3dfZW5kID0gZ3MtPmlyb3c7CiAKQEAgLTE1OCwxOSArMTU4LDEw IEBAIHZvaWQgR0lGSW1hZ2VSZWFkZXI6Om91dHB1dF9yb3coKQogICBpZiAoKHVuc2lnbmVkKWRy b3dfc3RhcnQgPj0gZ3MtPmhlaWdodCkKICAgICByZXR1cm47CiAKLSAgLyogQ2hlY2sgZm9yIHNj YW5saW5lIGJlbG93IGVkZ2Ugb2YgbG9naWNhbCBzY3JlZW4gKi8KLSAgaWYgKChncy0+eV9vZmZz ZXQgKyBncy0+aXJvdykgPCBzY3JlZW5faGVpZ2h0KSB7Ci0gICAgLyogQ2xpcCBpZiByaWdodCBl ZGdlIG9mIGltYWdlIGV4Y2VlZHMgbGltaXRzICovCi0gICAgaWYgKChncy0+eF9vZmZzZXQgKyBn cy0+d2lkdGgpID4gc2NyZWVuX3dpZHRoKQotICAgICAgd2lkdGggPSBzY3JlZW5fd2lkdGggLSBn cy0+eF9vZmZzZXQ7Ci0gICAgZWxzZQotICAgICAgd2lkdGggPSBncy0+d2lkdGg7Ci0KLSAgICAv LyBDQUxMQkFDSzogTGV0IHRoZSBjbGllbnQga25vdyB3ZSBoYXZlIGRlY29kZWQgYSByb3cuCi0g ICAgaWYgKHdpZHRoID4gMCAmJiBjbGllbnRwdHIgJiYgZnJhbWVfcmVhZGVyKQotICAgICAgY2xp ZW50cHRyLT5oYXZlRGVjb2RlZFJvdyhpbWFnZXNfY291bnQgLSAxLCBmcmFtZV9yZWFkZXItPnJv d2J1ZiwgZnJhbWVfcmVhZGVyLT5yb3dlbmQsCi0gICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgIGRyb3dfc3RhcnQsIGRyb3dfZW5kIC0gZHJvd19zdGFydCArIDEpOwotICB9CisgIC8vIENB TExCQUNLOiBMZXQgdGhlIGNsaWVudCBrbm93IHdlIGhhdmUgZGVjb2RlZCBhIHJvdy4KKyAgaWYg KGNsaWVudHB0ciAmJiBmcmFtZV9yZWFkZXIpCisgICAgY2xpZW50cHRyLT5oYXZlRGVjb2RlZFJv dyhpbWFnZXNfY291bnQgLSAxLCBmcmFtZV9yZWFkZXItPnJvd2J1ZiwgZnJhbWVfcmVhZGVyLT5y b3dlbmQsCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkcm93X3N0YXJ0LCBkcm93X2Vu ZCAtIGRyb3dfc3RhcnQgKyAxKTsKIAogICBncy0+cm93cCA9IGdzLT5yb3didWY7CiAKQEAgLTc4 MiwyNiArNzczLDE4IEBAIGJvb2wgR0lGSW1hZ2VSZWFkZXI6OnJlYWQoY29uc3QgdW5zaWduZWQK ICAgICAgICAgICAvKiBYWFggRGV2aWFudCEgKi8KIAogICAgICAgICAgIGRlbGV0ZSBbXWZyYW1l X3JlYWRlci0+cm93YnVmOwotICAgICAgICAgIGZyYW1lX3JlYWRlci0+cm93YnVmID0gbmV3IHVu c2lnbmVkIGNoYXJbd2lkdGhdOwotCi0gICAgICAgICAgaWYgKCFmcmFtZV9yZWFkZXItPnJvd2J1 ZikgewotICAgICAgICAgICAgc3RhdGUgPSBnaWZfb29tOwotICAgICAgICAgICAgYnJlYWs7Ci0g ICAgICAgICAgfQotCiAgICAgICAgICAgc2NyZWVuX3dpZHRoID0gd2lkdGg7Ci0gICAgICAgICAg aWYgKHNjcmVlbl9oZWlnaHQgPCBmcmFtZV9yZWFkZXItPmhlaWdodCkKLSAgICAgICAgICAgIHNj cmVlbl9oZWlnaHQgPSBmcmFtZV9yZWFkZXItPmhlaWdodDsKLSAgICAgICAgfQotICAgICAgICBl bHNlIHsKLSAgICAgICAgICBpZiAoIWZyYW1lX3JlYWRlci0+cm93YnVmKQotICAgICAgICAgICAg ZnJhbWVfcmVhZGVyLT5yb3didWYgPSBuZXcgdW5zaWduZWQgY2hhcltzY3JlZW5fd2lkdGhdOwor ICAgICAgICAgIGZyYW1lX3JlYWRlci0+cm93YnVmID0gbmV3IHVuc2lnbmVkIGNoYXJbc2NyZWVu X3dpZHRoXTsKKyAgICAgICAgfSBlbHNlIGlmICghZnJhbWVfcmVhZGVyLT5yb3didWYpIHsKKyAg ICAgICAgICBmcmFtZV9yZWFkZXItPnJvd2J1ZiA9IG5ldyB1bnNpZ25lZCBjaGFyW3NjcmVlbl93 aWR0aF07CiAgICAgICAgIH0KIAogICAgICAgICBpZiAoIWZyYW1lX3JlYWRlci0+cm93YnVmKSB7 CiAgICAgICAgICAgc3RhdGUgPSBnaWZfb29tOwogICAgICAgICAgIGJyZWFrOwogICAgICAgICB9 CisgICAgICAgIGlmIChzY3JlZW5faGVpZ2h0IDwgaGVpZ2h0KQorICAgICAgICAgIHNjcmVlbl9o ZWlnaHQgPSBoZWlnaHQ7CiAKICAgICAgICAgaWYgKHFbOF0gJiAweDQwKSB7CiAgICAgICAgICAg ZnJhbWVfcmVhZGVyLT5pbnRlcmxhY2VkID0gdHJ1ZTsK