blob: e8a81f384f28cdbe8a9242416c81bc99121a130c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
Index: generic/tkImgGIF.c
===================================================================
RCS file: /cvsroot/tktoolkit/tk/generic/tkImgGIF.c,v
retrieving revision 1.24.2.5
diff -u -r1.24.2.5 tkImgGIF.c
--- generic/tkImgGIF.c 11 Sep 2007 18:01:45 -0000 1.24.2.5
+++ generic/tkImgGIF.c 25 Jan 2008 19:23:01 -0000
@@ -826,6 +826,12 @@
Tcl_PosixError(interp), (char *) NULL);
return TCL_ERROR;
}
+
+ if (initialCodeSize > MAX_LWZ_BITS) {
+ Tcl_SetResult(interp, "malformed image", TCL_STATIC);
+ return TCL_ERROR;
+ }
+
if (transparent != -1) {
cmap[transparent][CM_RED] = 0;
cmap[transparent][CM_GREEN] = 0;
Index: tests/imgPhoto.test
===================================================================
RCS file: /cvsroot/tktoolkit/tk/tests/imgPhoto.test,v
retrieving revision 1.15.2.5
diff -u -r1.15.2.5 imgPhoto.test
--- tests/imgPhoto.test 11 Sep 2007 18:01:46 -0000 1.15.2.5
+++ tests/imgPhoto.test 25 Jan 2008 19:23:01 -0000
@@ -681,6 +681,35 @@
image delete $i
}
+test imgPhoto-14.4 {GIF buffer overflow} -setup {
+ set i [image create photo]
+} -body {
+ # This crashes Tk up to 8.4.17 and 8.5.0
+ $i configure -data {
+ R0lGODlhCgAKAPcAAAAAAIAAAACAAICAAAAAgIAAgACAgICAgMDAwP8AAAD/
+ AP//AAAA//8A/wD//////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ AAAAMwAAZgAAmQAAzAAA/wAzAAAzMwAzZgAzmQAzzAAz/wBmAABmMwBmZgBm
+ mQBmzABm/wCZAACZMwCZZgCZmQCZzACZ/wDMAADMMwDMZgDMmQDMzADM/wD/
+ AAD/MwD/ZgD/mQD/zAD//zMAADMAMzMAZjMAmTMAzDMA/zMzADMzMzMzZjMz
+ mTMzzDMz/zNmADNmMzNmZjNmmTNmzDNm/zOZADOZMzOZZjOZmTOZzDOZ/zPM
+ ADPMMzPMZjPMmTPMzDPM/zP/ADP/MzP/ZjP/mTP/zDP//2YAAGYAM2YAZmYA
+ mWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZmzGZm/2aZ
+ AGaZM2aZZmaZmWaZzGaZ/2bMAGbMM2bMZmbMmWbMzGbM/2b/AGb/M2b/Zmb/
+ mWb/zGb//5kAAJkAM5kAZpkAmZkAzJkA/5kzAJkzM5kzZpkzmZkzzJkz/5lm
+ AJlmM5lmZplmmZlmzJlm/5mZAJmZM5mZZpmZmZmZzJmZ/5nMAJnMM5nMZpnM
+ mZnMzJnM/5n/AJn/M5n/Zpn/mZn/zJn//8wAAMwAM8wAZswAmcwAzMwA/8wz
+ AMwzM8wzZswzmcwzzMwz/8xmAMxmM8xmZsxmmcxmzMxm/8yZAMyZM8yZZsyZ
+ mcyZzMyZ/8zMAMzMM8zMZszMmczMzMzM/8z/AMz/M8z/Zsz/mcz/zMz///8A
+ AP8AM/8AZv8Amf8AzP8A//8zAP8zM/8zZv8zmf8zzP8z//9mAP9mM/9mZv9m
+ mf9mzP9m//+ZAP+ZM/+ZZv+Zmf+ZzP+Z///MAP/MM//MZv/Mmf/MzP/M////
+ AP//M///Zv//mf//zP///yH5BAEAABAALAAAAAAKAAoAABUSAAD/HEiwoMGD
+ CBMqXMiwYcKAADs=
+ }
+} -cleanup {
+ image delete $i
+} -returnCodes error -result {malformed image}
+
test imgPhoto-15.1 {photo images can fail to allocate memory gracefully} \
{nonPortable} {
# This is not portable to very large machines with more around
|
GitWeb
