LibGfx: Fix read buffer overflow in interlaced GIF decode
Unfortunately, 10420dee7e didn't quite fix it, as the buffer overflow was actually happening here: af22204488/Userland/Libraries/LibGfx/GIFLoader.cpp (L402)
Found by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30507
parent
9aa91e6c6f
commit
ce5fe2a6e8
Notes:
sideshowbarker
2024-07-18 21:53:46 +09:00
Author: https://github.com/Lubrsi Commit: https://github.com/SerenityOS/serenity/commit/ce5fe2a6e80 Pull-request: https://github.com/SerenityOS/serenity/pull/5540
@ -399,13 +399,14 @@ static bool decode_frame(GIFLoadingContext& context, size_t frame_index)
|
||||
++pixel_index;
|
||||
if (pixel_index % image.width == 0) {
|
||||
if (image.interlaced) {
|
||||
if (row + INTERLACE_ROW_STRIDES[interlace_pass] >= image.height) {
|
||||
++interlace_pass;
|
||||
if (interlace_pass < 4)
|
||||
row = INTERLACE_ROW_OFFSETS[interlace_pass];
|
||||
} else {
|
||||
if (interlace_pass < 4)
|
||||
if (interlace_pass < 4) {
|
||||
if (row + INTERLACE_ROW_STRIDES[interlace_pass] >= image.height) {
|
||||
++interlace_pass;
|
||||
if (interlace_pass < 4)
|
||||
row = INTERLACE_ROW_OFFSETS[interlace_pass];
|
||||
} else {
|
||||
row += INTERLACE_ROW_STRIDES[interlace_pass];
|
||||
}
|
||||
}
|
||||
} else {
|
||||
++row;
|
||||
|
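Review bot: The new `if (interlace_pass < 4)` guard stops the out-of-range read of `INTERLACE_ROW_STRIDES`, but `row = INTERLACE_ROW_OFFSETS[interlace_pass];` still assigns the next pass's start row without comparing it to `image.height`, so for an image shorter than that offset `row` ends up at or past the height. Likewise, once `interlace_pass` reaches 4, `row` keeps its last value while the loop presumably goes on consuming pixels. Whether either case is harmless depends on the pixel write being bounds-checked, which is not visible here because decode_frame starts and ends outside this hunk; if it is not, skip empty passes with `while (interlace_pass < 4 && INTERLACE_ROW_OFFSETS[interlace_pass] >= image.height) ++interlace_pass;` before assigning `row`, and stop decoding the frame once the passes are exhausted. The literal `4` would also be safer derived from the table's length so the guard cannot drift from the arrays, and the oss-fuzz input named in the description is worth adding as a regression test.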