    Bug 739133 - (CVE-2017-17785) Heap overflow while parsing FLI files. · edb251a7
    Tobias Stoeckmann authored
    It is possible to trigger a heap overflow while parsing FLI files. The
    RLE decoder is vulnerable to out of boundary writes due to lack of
    boundary checks.
    The variable "framebuf" points to a memory area which was allocated
    with fli_header->width * fli_header->height bytes. The RLE decoder
    therefore must never write beyond that limit.
    If an illegal frame is detected, the parser won't stop, which means
    that the next valid sequence is properly parsed again. This should
    allow GIMP to parse FLI files as well as possible even if they are
    broken by an attacker or by accident.
    While at it, I changed the variable xc to be of type size_t, because
    the multiplication of width and height could overflow a 16 bit type.
    Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
fli.c
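The invariant the commit message states, that the RLE decoder must never write past the `width * height` bytes of `framebuf` and that an illegal frame is rejected without aborting the whole file, is shown below in a constructed example written for this page. It is not GIMP's `fli.c`; the chunk layout it assumes (one packet-count byte per line, then packets whose signed count byte means replicate-next-byte when positive and copy-literals when negative) follows the FLI byte-run convention, and the names `fli_header_t`, `fli_decode_brun` and the two `demo_*` helpers are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not GIMP's fli.c: a bounds-checked decoder for a
 * FLI byte-run (BRUN) chunk. Assumed chunk layout: for each line, one
 * packet-count byte (ignored), then packets whose first byte is a signed
 * count: cnt > 0 replicates the next byte cnt times, cnt < 0 copies -cnt
 * literal bytes. framebuf holds width * height bytes, so every write is
 * checked against the end of the current line before it happens. */

typedef struct {
    uint16_t width;
    uint16_t height;
} fli_header_t;

/* Returns 0 on success, -1 if the chunk is illegal (a packet would write
 * past the line or read past the chunk). Decoding stops at the first
 * illegal packet; bytes already written are left in place so the caller
 * can move on to the next chunk instead of aborting the whole file. */
int fli_decode_brun(const fli_header_t *hdr,
                    const uint8_t *chunk, size_t chunk_len,
                    uint8_t *framebuf)
{
    size_t width = hdr->width;   /* size_t so width * height cannot */
    size_t height = hdr->height; /* overflow a 16-bit type          */
    size_t in = 0;               /* read cursor into chunk          */

    for (size_t y = 0; y < height; y++) {
        size_t xc = y * width;   /* start of this line in framebuf  */
        size_t x = 0;

        if (in >= chunk_len)
            return -1;
        in++;                    /* packet count byte, not trusted  */

        while (x < width) {
            if (in >= chunk_len)
                return -1;
            int cnt = (int8_t)chunk[in++];

            if (cnt > 0) {
                size_t n = (size_t)cnt;
                /* replicated byte must exist and the run must fit the line */
                if (in >= chunk_len || n > width - x)
                    return -1;
                memset(framebuf + xc + x, chunk[in++], n);
                x += n;
            } else if (cnt < 0) {
                size_t n = (size_t)(-cnt);
                /* literal run must be present in chunk and fit the line */
                if (n > chunk_len - in || n > width - x)
                    return -1;
                memcpy(framebuf + xc + x, chunk + in, n);
                in += n;
                x += n;
            } else {
                return -1;       /* zero-length packet: malformed    */
            }
        }
    }
    return 0;
}

/* Constructed well-formed 4x2 chunk: line 0 is four 0xAA bytes, line 1 is
 * literals 0x01 0x02 followed by two 0x03 bytes. Returns 1 on success. */
int demo_valid_chunk(void)
{
    static const uint8_t chunk[] = {
        1, 4, 0xAA,                  /* line 0: replicate 0xAA x4        */
        2, 0xFE, 0x01, 0x02, 2, 0x03 /* line 1: 2 literals, then 0x03 x2 */
    };
    static const uint8_t expect[8] = {0xAA,0xAA,0xAA,0xAA,0x01,0x02,0x03,0x03};
    fli_header_t hdr = {4, 2};
    uint8_t framebuf[8] = {0};

    if (fli_decode_brun(&hdr, chunk, sizeof chunk, framebuf) != 0)
        return 0;
    return memcmp(framebuf, expect, sizeof expect) == 0;
}

/* Constructed malformed 4x2 chunk: one packet claims a 100-byte run on a
 * 4-byte line. Returns 1 if the decoder rejects it and the canary byte
 * placed directly after framebuf is untouched. */
int demo_oversized_run(void)
{
    static const uint8_t chunk[] = { 1, 100, 0xAA };
    fli_header_t hdr = {4, 2};
    struct { uint8_t framebuf[8]; uint8_t canary; } buf;

    memset(&buf, 0, sizeof buf);
    buf.canary = 0x5A;
    if (fli_decode_brun(&hdr, chunk, sizeof chunk, buf.framebuf) != -1)
        return 0;
    return buf.canary == 0x5A;
}
```

The two checks that matter are `n > width - x` (the write stays inside the current line, and therefore inside `width * height`) and `n > chunk_len - in` (the read stays inside the chunk); both are written as subtractions from the remaining space so they cannot themselves overflow. Because the function returns -1 instead of aborting, a caller iterating over frames can log the bad frame and continue with the next one, matching the recovery behaviour the commit describes.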