Commit edb251a7 authored by Tobias Stoeckmann, committed by Jehan

Bug 739133 - (CVE-2017-17785) Heap overflow while parsing FLI files.
It is possible to trigger a heap overflow while parsing FLI files. The
RLE decoder is vulnerable to out of boundary writes due to lack of
boundary checks.

The variable "framebuf" points to a memory area which was allocated
with fli_header->width * fli_header->height bytes. The RLE decoder
therefore must never write beyond that limit.

If an illegal frame is detected, the parser won't stop, which means
that the next valid sequence is properly parsed again. This should
allow GIMP to parse FLI files as well as possible even if they are
broken by an attacker or by accident.

While at it, I changed the variable xc to be of type size_t, because
the multiplication of width and height could overflow a 16 bit type.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
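The two points the commit makes, a write bound derived from width * height and a size_t offset so that product cannot wrap, are shown below in a small byte-run (FLI_BRUN style) decoder. This is an added illustration written for this page, not GIMP's fli.c and not the patched code; the header struct, the function names, the per-row clamping policy and the sample chunks are all constructed here. Like the fix described above, an over-long run is clamped instead of aborting, so the remaining packets are still decoded, while a chunk that ends mid-packet is reported as truncated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical header: FLI stores width/height as 16-bit fields. */
typedef struct {
    uint16_t width;
    uint16_t height;
} fli_header_t;

/* Frame size computed in size_t: 65535 * 65535 does not fit a 16-bit type,
   which is the overflow the commit avoids by making xc a size_t. */
size_t fli_frame_size(const fli_header_t *hdr)
{
    return (size_t)hdr->width * (size_t)hdr->height;
}

/* Byte-run decode of one chunk into framebuf (width*height bytes).
   Each row begins with a packet count; each packet is a signed count:
   positive = repeat the next byte, negative = copy -count literal bytes.
   Returns 0 if clean, 1 if an over-long run was clamped (frame illegal but
   decoding continued), -1 if the chunk is truncated or framebuf too small. */
int fli_brun_decode(const fli_header_t *hdr, const uint8_t *chunk,
                    size_t chunk_len, uint8_t *framebuf, size_t framebuf_len)
{
    size_t width = hdr->width, height = hdr->height;
    size_t pos = 0;          /* read cursor into chunk */
    size_t xc;               /* write offset into framebuf, size_t on purpose */
    int clamped = 0;

    if (framebuf_len < fli_frame_size(hdr))
        return -1;

    for (size_t y = 0; y < height; y++) {
        if (pos >= chunk_len)
            return -1;
        uint8_t packets = chunk[pos++];
        xc = y * width;
        size_t row_end = xc + width;   /* never beyond width*height */

        for (unsigned p = 0; p < packets; p++) {
            if (pos >= chunk_len)
                return -1;
            int n = chunk[pos++];
            if (n >= 128)
                n -= 256;              /* portable two's-complement read */

            if (n > 0) {
                if (pos >= chunk_len)
                    return -1;
                uint8_t v = chunk[pos++];
                size_t cnt = (size_t)n;
                if (cnt > row_end - xc) {   /* the missing boundary check */
                    cnt = row_end - xc;
                    clamped = 1;
                }
                memset(framebuf + xc, v, cnt);
                xc += cnt;
            } else if (n < 0) {
                size_t cnt = (size_t)(-n);
                if (cnt > chunk_len - pos)  /* literal bytes must exist */
                    return -1;
                size_t w = cnt;
                if (w > row_end - xc) {
                    w = row_end - xc;
                    clamped = 1;
                }
                memcpy(framebuf + xc, chunk + pos, w);
                xc += w;
                pos += cnt;            /* skip the bytes we refused to write */
            }
        }
    }
    return clamped ? 1 : 0;
}

/* Constructed 4x2 sample chunks: mode 0 is well-formed, mode 1 carries a
   run of 8 in a 4-pixel row, mode 2 is the well-formed chunk cut short. */
static uint8_t g_frame[8];

int demo_decode(int mode)
{
    const fli_header_t hdr = { 4, 2 };
    const uint8_t clean[8]   = { 2, 3, 0xAA, 0xFF, 0xBB, 1, 4, 0xCC };
    const uint8_t overlong[8] = { 2, 3, 0xAA, 0xFF, 0xBB, 1, 8, 0xCC };
    memset(g_frame, 0, sizeof g_frame);
    if (mode == 1)
        return fli_brun_decode(&hdr, overlong, 8, g_frame, sizeof g_frame);
    if (mode == 2)
        return fli_brun_decode(&hdr, clean, 7, g_frame, sizeof g_frame);
    return fli_brun_decode(&hdr, clean, 8, g_frame, sizeof g_frame);
}

int demo_pixel(size_t i) { return i < sizeof g_frame ? g_frame[i] : -1; }

size_t demo_max_frame_size(void)
{
    const fli_header_t hdr = { 65535, 65535 };
    return fli_frame_size(&hdr);
}

int main(void)
{
    printf("clean=%d overlong=%d truncated=%d\n",
           demo_decode(0), demo_decode(1), demo_decode(2));
    printf("max frame bytes=%zu\n", demo_max_frame_size());
    return 0;
}
```

The clamp is applied per row here, which is at least as strict as the width * height bound the commit names; a decoder that only checks the frame end would also be safe against the heap overflow but would let one row's run spill into the next.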
parent fff57f84