Bug 4802 - fix detecting truncated files in IMG_gif.c
Summary: fix detecting truncated files in IMG_gif.c
Status: RESOLVED FIXED
Alias: None
Product: SDL_image
Classification: Unclassified
Component: misc
Version: unspecified
Hardware: All All
Importance: P2 normal
Assignee: Sam Lantinga
QA Contact: Sam Lantinga
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-09-11 20:37 UTC by Ozkan Sezer
Modified: 2019-09-16 18:12 UTC (History)

Attachments
patch for SDL2_image-2.x (828 bytes, patch)
2019-09-11 20:37 UTC, Ozkan Sezer
patch for SDL_image-1.2.x (782 bytes, patch)
2019-09-11 20:38 UTC, Ozkan Sezer
updated patch for SDL_image-1.2.x (821 bytes, patch)
2019-09-12 09:03 UTC, Ozkan Sezer
updated patch for SDL2_image-2.0.x (856 bytes, patch)
2019-09-12 09:04 UTC, Ozkan Sezer

Description Ozkan Sezer 2019-09-11 20:37:36 UTC
Created attachment 3966 [details]
patch for SDL2_image-2.x

Commit https://hg.libsdl.org/SDL_image/rev/19beb4a1bb54 by Ryan
(gif: Don't get into infinite loops on truncated files) changes
a zero check to a zero-or-negative check in GetCode().  However,
the checked variable count is an unsigned char and we can never
catch negative returns from GetDataBlock() that way there.

I suggest something like the following (also attached):

diff --git a/IMG_gif.c b/IMG_gif.c
--- a/IMG_gif.c
+++ b/IMG_gif.c
@@ -405,8 +405,10 @@ GetCode(SDL_RWops *src, int code_size, i
         state->buf[0] = state->buf[state->last_byte - 2];
         state->buf[1] = state->buf[state->last_byte - 1];
 
-        if ((count = GetDataBlock(src, &state->buf[2], state)) <= 0)
+        ret = GetDataBlock(src, &state->buf[2], state);
+        if (ret <= 0)
             state->done = TRUE;
+        count = (ret > 0)? (unsigned char)ret : 0;
 
         state->last_byte = 2 + count;
         state->curbit = (state->curbit - state->lastbit) + 16;
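
Review bot: the `+` lines assign to `ret`, but its declaration is not part of this hunk; it has to be a signed `int` local in GetCode(), otherwise `ret <= 0` has the same blind spot as the old `count` check. After `state->done = TRUE` the code still falls through to `state->last_byte = 2 + count` with `count` forced to 0, so decoding continues on a stream already known to be short; returning an error at that point would stop it immediately. The `(unsigned char)ret` cast also silently relies on GetDataBlock() never returning more than 255, which deserves a one-line comment next to the cast.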

We still aren't immediately returning, but at least we shall be
able to catch a truncated file.

OK to push?
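
The narrowing problem described in this report, as an added example that is not SDL_image code: `read_block()` is a hypothetical stand-in for GetDataBlock() that returns -1 on a short read, `struct refill` and both `refill_*` functions are illustrative names, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for GetDataBlock(): reads one GIF sub-block from
 * memory. Returns payload length, 0 for the terminator, -1 if cut short. */
static int read_block(const unsigned char *d, size_t len, size_t *pos,
                      unsigned char *out)
{
    if (*pos >= len) return -1;          /* no length byte left */
    size_t n = d[(*pos)++];
    if (n > len - *pos) return -1;       /* payload truncated */
    memcpy(out, d + *pos, n);
    *pos += n;
    return (int)n;
}
struct refill { int done; int last_byte; };

/* Pre-patch shape: the int result is narrowed to unsigned char before the
 * comparison, so -1 becomes 255 and "<= 0" only ever matches 0. */
static struct refill refill_before(const unsigned char *d, size_t len)
{
    unsigned char buf[2 + 255], count;
    size_t pos = 0;
    struct refill r = {0, 0};
    if ((count = read_block(d, len, &pos, &buf[2])) <= 0) r.done = 1;
    r.last_byte = 2 + count;
    return r;
}
/* Patched shape: test the int first, then narrow. */
static struct refill refill_after(const unsigned char *d, size_t len)
{
    unsigned char buf[2 + 255], count;
    size_t pos = 0;
    struct refill r = {0, 0};
    int ret = read_block(d, len, &pos, &buf[2]);
    if (ret <= 0) r.done = 1;
    count = (ret > 0) ? (unsigned char)ret : 0;
    r.last_byte = 2 + count;
    return r;
}
/* Constructed sample: length byte claims 5 payload bytes, only 2 follow. */
static const unsigned char TRUNCATED[] = { 5, 'a', 'b' };

int main(void)
{
    struct refill b = refill_before(TRUNCATED, sizeof TRUNCATED);
    struct refill a = refill_after(TRUNCATED, sizeof TRUNCATED);
    printf("before: done=%d last_byte=%d\nafter:  done=%d last_byte=%d\n",
           b.done, b.last_byte, a.done, a.last_byte);
    return 0;
}
```

On the truncated sample the pre-patch shape leaves `done` clear and treats 255 stale buffer bytes as fresh data, while the patched shape sets `done` and adds none.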
Comment 1 Ozkan Sezer 2019-09-11 20:38:10 UTC
Created attachment 3967 [details]
patch for SDL_image-1.2.x
Comment 2 Ozkan Sezer 2019-09-12 09:03:29 UTC
Created attachment 3968 [details]
updated patch for SDL_image-1.2.x

updated patch for SDL_image-1.2.x
Comment 3 Ozkan Sezer 2019-09-12 09:04:14 UTC
Created attachment 3969 [details]
updated patch for SDL2_image-2.0.x

updated patch for SDL2_image-2.0.x
Comment 4 Ozkan Sezer 2019-09-16 18:12:29 UTC
Applied the patches:
http://hg.libsdl.org/SDL_image/rev/9fdd742bc446
http://hg.libsdl.org/SDL_image/rev/6ee16d592de2

If it can be improved further, please do so.